Introduction to Cisco Secure Workload, Release 4.0.1.1

The Cisco Secure Workload platform is designed to secure your applications by creating micro perimeters at the workload level across your entire infrastructure consistently, whether these are deployed on bare-metal servers, virtual machines, or containers. The micro perimeter is available across your on-premises and multicloud environments using firewall and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses advanced analytics and algorithmic approaches to offer these capabilities.

This document describes the features, bug fixes, and behavior changes, if any, for the Cisco Secure Workload software Release 4.0.1.1.


Note


Agent upgrades to this version fail unless the cluster and agents are running at least Version 3.10.6.3.


Release Information

Release Version: 4.0.1.1

Published Date: November 26, 2025

New Software Features in Cisco Secure Workload, Release 4.0.1.1

Feature Name

Description

Operational Simplicity

Cisco Application Centric Infrastructure (ACI) and Cisco Secure Workload Integration

The Application Centric Infrastructure (ACI) and Secure Workload integration is a data center security and automation solution that does the following:

  • Combines ACI’s network fabric provisioning with Secure Workload’s policy-driven segmentation.

  • Provides AI-driven visibility and centralized policy management.

  • Supports both agent-based and agentless enforcement for consistent and scalable workload provisioning.

This integration streamlines application workload provisioning with simplified segmentation and centralized monitoring, extending the value of the existing ACI infrastructure and linking with Cisco’s broader security ecosystem. For more information, see ACI Integration with Secure Workload.

SMTP Authentication in Secure Workload

Secure Workload now supports configuration of SMTP using Microsoft Modern Authentication (OAuth) in addition to the basic SMTP authentication. This enhancement offers improved security through industry-standard OAuth 2.0 when connecting to Microsoft SMTP servers. For more information, see SMTP Server Configuration for Cluster and Site Configuration.

Cisco Secure Workload Software Appliance

Cisco Secure Workload is now available as a software appliance that can be deployed in customer-managed data centers using VMware vSphere. The software appliance delivers the same functionality and features as the hardware appliance and supports 20,000 or 40,000 agent license scale options. Customers can deploy the software appliance on any vSphere cluster, leveraging existing virtualization infrastructure for installation and lifecycle management. This new deployment model provides greater flexibility for on-premises environments while maintaining full feature parity with the hardware appliance. For more information, see Secure Workload Software Appliance Deployment Guide.

Enhancing User Experience

Enhanced UI for Secure Workload Landing page

The application landing page has been redesigned to make it easier to locate and manage applications, especially in environments with a large number of applications.

The new page highlights key features, such as Policy Statistics and Policy Conditions while offering a cleaner and more intuitive interface.

Key updates:

  • List View: Displays workspaces, scopes, last (ADM) run timestamps, and application status (draft, analyzed, or enforced). It also features the top two AI-suggested tasks per workspace for faster insights.

  • Tree View: Provides a modern look with a horizontal layout and improved spacing of the scope tree.

  • Additional Options: Users can easily switch between the new and earlier landing pages using the toggle button, allowing a seamless transition experience.

Dark Mode option

With the new Dark Mode option, users can toggle between the Dark and Light modes by using the User Preferences page that is available on the user login menu.

Platform Enhancements

Agents-only patch upgrade

You can now apply agents-only patches to clusters. These patches support updated agent package versions without affecting other cluster components or causing downtime to cluster services.

Key benefits:

  • Apply agent updates independently of complete cluster upgrades.

  • No service interruption or cluster downtime.

  • Simplified and faster patching process for agent updates.

Revoke Agent Packages

The ability to revoke agent packages in Cisco Secure Workload allows administrators to block the installation or upgrade of specific agent versions or packages having critical issues for certain operating systems. This revocation is precise to the affected package and reversible, enabling administrators to temporarily prevent deployment or automatic upgrades to problematic agent versions, as needed. This feature helps maintain system stability and security by controlling agent versions in the environment.

Key points:

  • Administrators can revoke specific agent packages to prevent their installation or upgrade.

  • The revocation is reversible, allowing flexibility to block or unblock agent versions.

  • This capability is useful for managing critical issues related to particular agent versions or OS platforms.

This concise control over agent package deployment enhances operational security and stability in Secure Workload environments. For more information, see Revoke Agent Packages.

Service Protection for AIX and Linux Agents

The service protection feature is now supported in Secure Workload agents running on AIX and Linux. When enabled in the Agent Configuration Profile, this feature prevents system administrators from disabling or stopping the csw-agent service or uninstalling the tet-sensor package using standard methods. If necessary, the protection can be temporarily lifted from a workload by using a Time-based One Time Password (TOTP) provided by the Secure Workload administrator, allowing controlled management of agent services while maintaining security. For more information, see Agent Config Profile.

Cluster Certificate

The Secure Workload SaaS platform uses a new set of Cisco-provided certificates for its agent-facing services. This update enhances security by ensuring trusted TLS negotiations between agents and the SaaS cluster. The certificates are publicly trustable, which means that all TLS connections initiated by agents to the Secure Workload SaaS cluster are secured with certificates trusted by public certificate authorities. The new certificates validate only Fully Qualified Domain Name (FQDN) endpoints under the root domain secureworkload.cisco.com. As a result of this change, the downloaded agent installer scripts will no longer function after the publicly trustable certificates feature is enabled; updated scripts that are compatible with the new certificate infrastructure are required.

Binary and User-based Enforcement on Linux

Linux agents running on Version EL7.1+ and equivalent distributions now support binary and user-based policy enforcement.

This enhancement allows policies to match and enforce rules based on the specific binary or user that initiated an outgoing flow, in addition to existing network-based parameters.

Key benefits:

  • Granular control over outbound traffic by user or process.

  • Enhanced security and visibility for Linux workloads.

  • Seamless integration with existing policy models.

Supplement RPM

A new RPM package, tetration_os_supplement_k9, has been introduced to provide supplementary fixes for each major release. When deploying a 4.0 cluster or upgrading an existing cluster to 4.0, upload this RPM in the Setup page along with the other required RPMs.

Enhancements in Cisco Secure Workload, Release 4.0.1.1

  • All AIX, Linux, and Solaris agent packages are now GPG‑signed by a centralized Cisco signing authority. As a result, the GPG tool (or an equivalent) is required for installing Version 4.0.1.1 agents, and to upgrade existing agents to 4.0.1.1. This requirement applies to agents running on Debian, Ubuntu, AIX, and Solaris.

  • Linux agents will now apply segmentation policies directly using nftables on hosts with nftables package Version 1.0.0 or later.

  • Secure Workload agents support Fedora versions 32 through 37.
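
A pre-upgrade check built from the requirements stated in these notes (cluster and agents at 3.10.6.3 or later, GPG for the signed packages, nftables 1.0.0 for direct enforcement), as an added example that is not Cisco code. The agent and cluster versions are passed in by the operator because how they are queried is not covered here; the function names and the sample `nft --version` line are illustrative.

```shell
#!/bin/sh
# Added example (not Cisco code): prerequisite checks for agent upgrades to 4.0.1.1.
MIN_FROM="3.10.6.3"   # minimum running agent and cluster version (from the Note)
MIN_NFT="1.0.0"       # nftables version at which agents program nftables directly

# version_ge A B: status 0 if A >= B, 1 if lower, 2 if malformed. Fields are
# compared numerically, so 3.10.x sorts above 3.9.x (a string compare would not).
version_ge() {
    case "$1.$2" in .*|*[!0-9.]*) return 2 ;; esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# parse_nft_version LINE: extract "1.0.2" from "nftables v1.0.2 (Lester Gooch)".
parse_nft_version() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# preflight AGENT_VER CLUSTER_VER HAVE_GPG(yes|no) NFT_VERSION_LINE
# Prints findings; status 0 only if the upgrade prerequisites are met.
preflight() {
    rc=0
    for item in "agent:$1" "cluster:$2"; do
        if version_ge "${item#*:}" "$MIN_FROM"; then
            echo "OK   ${item%%:*} ${item#*:} is at least $MIN_FROM"
        else
            echo "FAIL ${item%%:*} '${item#*:}' is below $MIN_FROM or malformed"; rc=1
        fi
    done
    # The GPG requirement applies to Debian, Ubuntu, AIX and Solaris hosts.
    if [ "$3" = yes ]; then echo "OK   gpg present for signed agent packages"
    else echo "FAIL gpg (or equivalent) not found"; rc=1; fi
    nftv=$(parse_nft_version "$4")
    if [ -n "$nftv" ] && version_ge "$nftv" "$MIN_NFT"; then
        echo "INFO nftables $nftv: agent applies policy directly via nftables"
    else
        echo "INFO nftables $MIN_NFT or later not detected"
    fi
    return "$rc"
}
# Live use: sh preflight.sh AGENT_VER CLUSTER_VER
if [ "$#" -eq 2 ]; then
    gpg_ok=no; command -v gpg >/dev/null 2>&1 && gpg_ok=yes
    preflight "$1" "$2" "$gpg_ok" "$(nft --version 2>/dev/null)"
fi
```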

Changes in Behavior in Cisco Secure Workload, Release 4.0.1.1

After the agent is installed on the workload, unzip is no longer necessary for subsequent agent upgrades.

Resolved and Open Issues

The resolved and open issues for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about issues and vulnerabilities in this product and other Cisco hardware and software products.

Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Resolved Issues

Identifier Headline

CSCvf63373 Sensor: signed with public trusted CA to meet STIG requirement
CSCwo89435 Agent Enforcement Health shows 'Policy out of Sync'
CSCwp19084 Firewall rules not programmed on hosts post On-Prem to SaaS migration
CSCwq10185 FMC connector creation failing when using FMC HA
CSCwq83014 CSW : Access policy is lost on FTD failover
CSCwr46882 AIX CSW Agent does not add existing users of config file when creating /etc/security/audit/config.tet
CSCwr57676 Agent reports flow export stopped anomaly when using proxy
CSCwr61435 TetSen.exe Crash on CSW Windows Agent Related to dns_cache Feature
CSCwr78143 Agent fails to save/delete offline flows after upgrade to 3.10.4.8

Open Issues

Identifier Headline

CSCwf43558 Services failures after upgrade with orchestrator dns name not resolvable.
CSCwh45794 ADM port and pid mapping is missing for some ports.
CSCwk80972 CollectorSSLCheck and collector services failing
CSCwm30965 Increased DNS Queries to metadata.google.internal from On-Prem Cluster Going to External DNS Server
CSCwm40398 Multiple packages have been flagged with CVE 2022-1471 in RHEL8.9 system
CSCwm80745 Cisco Vulnerabilities Workloads Multiple selections across pages does not work in the UI
CSCwn15340 Failure in applying manual threat intelligence updates
CSCwn61888 RHEL OS CVEs Inconsistencies report.
CSCwn73226 User uploaded SSL certs for UI are not honored during upgrade
CSCwn75424 Azure agentless enforcement out-of-band change not being detected
CSCwn86124 Windows Agent - Missed Packets graph not being populated
CSCwn90706 Vulnerabilities page shows a backend service error
CSCwn99675 Installation of threat intelligence datasets rpms is failing
CSCwo11089 Customers would see temporary spikes in escaped flows when running policy analysis.
CSCwo53910 Commissioning of replaced baremetals is failing on postinstall playbook
CSCwo66813 Upgrade failing with VMMGR_CREATE_VMS_FAILURE
CSCwp15933 AI Policy Discovery feature under certain workspace the process fails to complete throws an exception
CSCwp28822 Incorrect workload license usage
CSCwp36145 Quick Policy Analysis for Analysed flows provides incorrect policy mapping
CSCwp46016 Global Visualization dashboard does not display results on using filters
CSCwp67461 ENH: Add Minimum Supported TLS Version (1.2) in CSW SaaS User Guide and Implement OpenSSL Version Pre-Check in Agent Installation Script
CSCwp95305 Windows Enforcement Agent Does Not Support Multiple Executables Per ANY Policy Rule
CSCwp97029 CSW 3.9.1.x : False positive scenario of flow rejection for permitted policies
CSCwq00489 Enforcement not pushed to FMC access control policies
CSCwq02029 Ingest or virtual appliance remaining in pending registration state
CSCwq19946 At times, Quick Policy Analysis fails to provide outcome
CSCwq20873 Intermittent incomplete results using Quick Hypothetical Flow Analysis
CSCwr89903 Memory limiting on Windows TetSen.exe process may not work
CSCwr89957 TetSen.exe consumes too much memory
CSCwr97565 ACI In line documentation points to the wrong location
CSCws02884 PDF Download and PDF send in Reporting page is slow
CSCws07592 Excessive Lag in Flow Analytics Pipeline can cause HDFS to enter SafeMode
CSCws12498 Agent installer script fails on Debian/Ubuntu in 4.0.1.1
CSCws12561 CSW: Delayed Policy Push for Short-Lived Pods

CSCws20720 Disk Usage critical on longevity

Contact Cisco Technical Assistance Center

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC: