Cisco Secure Workload Release Notes
Release 3.6.1.5
This document describes the features, caveats, and limitations for Cisco Secure Workload software, release 3.6.1.5.
The Cisco Secure Workload platform, formerly branded as Cisco Tetration, is designed to provide comprehensive workload security by establishing a micro perimeter around every workload across your on-premises and multi-cloud environment using firewalling and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses an advanced analytics and algorithmic approach to offer these capabilities. This solution supports the following capabilities:
● Automatically generated micro-segmentation policies resulting from comprehensive analysis of application communication patterns and dependencies
● Dynamic label-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control
● Consistent policy enforcement at scale through distributed control of native operating system firewalls and infrastructure elements like ADCs (Application Delivery Controllers) and physical or virtual firewalls
● Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise
● Workload behavior baselining and proactive anomaly detection
● Common vulnerability detection with dynamic mitigation and threat-based workload isolation
To support the analysis and various use cases within the Cisco Secure Workload platform, consistent telemetry (flow data) is required from across the environment. Cisco Secure Workload collects rich telemetry using software agents and other methods to support both existing and new installations in data center infrastructures. This release supports the following telemetry sources:
■ Secure Workload agents installed on virtual machine and bare-metal servers
■ DaemonSets running on container host operating systems
■ ERSPAN connectors that can generate Cisco Secure Workload telemetry from mirrored packets
■ Telemetry ingestion from ADCs (Application Delivery Controllers) – F5 and Citrix
■ NetFlow connectors that can generate Cisco Secure Workload telemetry based on NetFlow v9 or IPFIX records
■ ASA connector for collection of NSEL (NetFlow Secure Event Logging) telemetry
■ AWS connector for flow telemetry data generated using VPC flow log configurations
In addition, this release supports ingesting endpoint device posture, context and telemetry through integrations with
■ Cisco AnyConnect installed on endpoint devices such as laptops, desktops, and smartphones
■ Cisco ISE (Identity Services Engine)
Secure Workload agents also act as a policy enforcement point for application segmentation. Using this approach, the Cisco Secure Workload platform enables consistent micro-segmentation across public, private, and on-premises deployments. Agents enforce policy using native operating system capabilities, thereby eliminating the need for the agent to be in the data path and providing a fail-safe option. Additional product documentation is listed in the “Related Documentation” section.
These Release Notes are sometimes updated with new information about restrictions and caveats. See the following website for the most recent version of this document:
The following table shows the online change history for this document.
Date | Description
October 29, 2021 | Release 3.6.1.5 became available.
November 5, 2021 | End-of-support policy for software versions has been released. CIMC upgrade guidance information has changed. IPv6 information in the Usage Guidelines section has been moved to the Secure Workload Upgrade Guide and the M5 and M4 hardware deployment guides.
November 12, 2021 | Changed agent types supported by Conversation mode Flow Analysis Fidelity functionality.
November 16, 2021 | Added CSCwa23206 to open caveats list.
November 17, 2021 | Added CSCwa19256 to open caveats list.
May 16, 2022 | Added CSCwb83818, CSCwb80090, and CSCwb86649 to the open caveats list.
Contents
This document includes the following sections:
■ Caveats
New Software Features
This section lists the new and changed features in this release and includes the following topics:
§ A new cloud connector for AWS (Beta feature) adds support for ingesting flow telemetry, cloud workload tag/label ingest for both EC2 instances and EKS pod/service workloads and policy enforcement using AWS security groups (for EC2 workloads only) without the need to install software agents on the cloud hosts. This new cloud connector streamlines the management of the connection by consolidating the functionality previously provided through various means and does so without requiring an external appliance. Note: Agent software is still needed to provide pod-level flow telemetry data and pod-level policy enforcement.
§ Migrated Amazon Web Services (AWS) Elastic Kubernetes Services (EKS) micro-segmentation features from External Orchestrator to the AWS Connector.
§ Added Azure AKS External Orchestrator support. This feature can be selected while adding Kubernetes as an external orchestrator. The administrator must provide the Azure tenant ID and client credentials.
§ Micro-segmentation support for container workloads deployed through Red Hat OpenShift 4.x is now available. OpenShift 4.x leverages CRI-O as the default container runtime for Kubernetes. CRI-O is supported, and no additional changes in the existing enforcement workflow are required for running in such environments. Worker node operating systems can be either RHEL or CentOS versions that are officially supported by OpenShift 4.x.
o This release supports up to Red Hat OpenShift version 4.6
o This release adds support for Red Hat CoreOS as a worker node operating system.
§ Policy Templates have been added to help you get started with common configurations.
§ Cisco Secure Workload physical hardware clusters can now be configured with IPv6 for external network connectivity during deploy or upgrade to version 3.6.1.5. For limitations, requirements, and instructions, please see the Upgrade Guide or the Hardware Deployment Guide as applicable.
§ We now support integration with PIV/CAC identity verification.
§ Added support for service/application/user-based policy enforcement for Windows workloads.
§ Support for policy discovery based on Kubernetes pod and service flows. Note: Support is restricted to scope-to-scope policy generation.
§ Software Agents on Kubernetes hosts now report pods’ traffic when Docker is used as the CRI.
§ The Software Agents Health page now shows anomalies for agents’ memory and CPU usage levels and agent running state.
§ On the Alerts Configuration page, alerts for agents’ memory and CPU usage can now be configured.
§ Conversation mode Flow Analysis Fidelity now reports 4-tuple conversations by disregarding the client’s L4 port whenever the conversation’s initiator can be determined.
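As an added illustration (not taken from these release notes or from Cisco's agent code), the following constructed Python sketch shows how dropping the client's L4 port collapses many 5-tuple flows into one 4-tuple conversation, and why a flow whose initiator cannot be determined must keep its full 5-tuple rather than guessing which side is the server. The record format and field names are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One observed 5-tuple flow. Field names are this example's assumptions,
    not the Secure Workload agent's record format."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                       # "tcp" or "udp"
    initiator: Optional[str] = None  # "src" or "dst" when the sensor saw who
                                     # started the flow (e.g. the TCP SYN)

def conversation_key(flow: Flow) -> tuple:
    """Aggregation key for a flow in conversation mode.

    With a known initiator, the client's ephemeral port is dropped and the key
    becomes the 4-tuple (client_ip, server_ip, server_port, proto). Without one
    (a short-lived UDP exchange with no clear first packet, for example) the
    full 5-tuple is kept, so client and server are never guessed."""
    if flow.initiator == "src":
        return (flow.src_ip, flow.dst_ip, flow.dst_port, flow.proto)
    if flow.initiator == "dst":
        return (flow.dst_ip, flow.src_ip, flow.src_port, flow.proto)
    return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)

def aggregate(flows) -> dict:
    """Count how many raw flows fall into each conversation key."""
    counts = defaultdict(int)
    for f in flows:
        counts[conversation_key(f)] += 1
    return dict(counts)

# Constructed sample: one client opens 1,000 short TCP connections to a web
# server, each from a different ephemeral port; one more flow for the same
# service is recorded from the server side; two UDP flows have no known initiator.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40000 + i, "10.0.1.10", 443, "tcp", initiator="src")
    for i in range(1000)
] + [
    Flow("10.0.1.10", 443, "10.0.0.5", 41999, "tcp", initiator="dst"),
    Flow("10.0.0.5", 50001, "10.0.1.53", 53, "udp"),
    Flow("10.0.0.5", 50002, "10.0.1.53", 53, "udp"),
]

def demo():
    """Return (number of conversations, flows inside the single TCP conversation)."""
    convs = aggregate(SAMPLE_FLOWS)
    return len(convs), convs[("10.0.0.5", "10.0.1.10", 443, "tcp")]

if __name__ == "__main__":
    n, tcp_flows = demo()
    print(f"{len(SAMPLE_FLOWS)} flows collapsed into {n} conversations; "
          f"the TCP conversation covers {tcp_flows} flows")
```

The 1,003 raw flows reduce to 3 conversations, which is the kind of reduction behind the doubled workload limits quoted for conversation mode in the scalability tables.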
Enhancements
§ The ServiceNow connector now supports integration with ServiceNow scripted REST APIs. In the configuration workflow, you can choose to integrate with a table or a scripted REST API.
§ The included Cisco Integrated Management Controller (CIMC) versions have been updated. M4 CIMC has been updated to 4.1(2b) and M5 CIMC has been updated to 4.1(3b). Upgrading the Secure Workload cluster to 3.6 does not automatically upgrade CIMC firmware on bare metal nodes. Upgrading CIMC firmware is optional and may take up to 4 hours per bare metal host. This process should be performed only when recommended by Cisco TAC.
§ The Secure Workload integration with Firepower Management Center (Beta feature) allows policy enforcement using the firewall. In this release, the integration uses access control policies with dynamic objects instead of prefilter policies, so changes in network inventory no longer require a policy deployment, resulting in fewer deployments and a faster response to inventory changes.
For details including supported versions and requirements, see the Cisco Secure Workload and Firepower Management Center Integration Guide at https://www.cisco.com/c/en/us/support/security/tetration/products-installation-and-configuration-guides-list.html.
If you configured FMC integration in release 3.5, see important caveats before upgrading, in the Cisco Secure Workload Upgrade Guide at https://www.cisco.com/c/en/us/support/security/tetration/products-installation-guides-list.html.
§ Conversation mode Flow Analysis Fidelity will now also apply to AIX agents.
Changes in Behavior
§ External Orchestrators
o New external orchestrators for AWS or Kubernetes EKS can no longer be created. Instead, create AWS cloud connectors. For more information, see the “New Software Features” section above.
o Instances of external orchestrators for AWS or Kubernetes EKS that were created before the upgrade to 3.6.1.5 remain functional, but they cannot be modified. If changes are required, create a new AWS cloud connector that ingests information from the same set of cloud assets, then delete the old AWS or EKS external orchestrator configuration. See the “New Software Features” section above for more information.
§ Connectors
o Support for Data Export connector (Alpha feature) has been removed from this release. If you have a Data Export connector configured, it is recommended to disable/remove it before upgrading to this release.
o The new AWS Cloud connector replaces the existing AWS Flow Ingestion connector feature. Any configured AWS Flow ingestion connectors will be deleted upon upgrade. Use an AWS Cloud connector to ingest metadata from AWS.
§ UI
o Secure Workload has gone through a major re-branding and UI simplification in 3.6.1.5. Please see the user guide for screenshots and new workflows.
o The left menu is now the primary point of navigation as pages were moved from the top navigation bar to the left menu. The following are key changes:
1. All Segmentation related features such as ADM, Enforcement Status and Enforcement Templates are moved under the Defend top-level menu
2. All analytics data exploration related to Flows, Processes and Vulnerabilities are moved under Investigate top-level menu
3. All integrations related to External Orchestrators, Agents and Connectors are moved under Manage top-level menu
4. All appliance related configuration and troubleshooting features are moved to Platform and Troubleshooting top-level menus, respectively.
§ Cluster Features
o The lookout feature was deprecated in 3.5 and remains in this state. In 3.6, you will no longer be able to turn on lookout features. However, if you currently use lookout, you will still be able to see your existing setup.
o In order to simplify this product, the UserApps feature has been removed. The page for managing the feature no longer appears in the UI.
§ Agents
o WFP enforcement mode is no longer beta. The Windows Filtering Platform (WFP) allows the Enforcement Agent to directly apply network filters without the need for Windows Advanced Firewall (WAF).
o Universal Agents have now been marked for deprecation; they will no longer be supported or made available for installation in the next major release. If you use universal agents, please plan to replace them with deep visibility agents.
o Hardware Agents have now been marked for deprecation; they will no longer be supported or made available for installation in the next major release. If you use hardware sensors, please plan to migrate to NetFlow or ERSPAN virtual appliance.
§ Virtual Appliances
o ERSPAN virtual appliances must now be deployed using the Secure Workload Data Ingest OVA. The ERSPAN OVA is no longer published. No changes are needed for existing ERSPAN virtual appliances deployed with an older ERSPAN OVA.
o We have released our end-of-life (EOL) and end-of-support policy for Secure Workload software versions. See https://www.cisco.com/c/en/us/support/security/tetration/tsd-products-support-maintain-and-operate-technotes-list.html.
Caveats
This section contains lists of open and resolved caveats, as well as known behaviors.
Open Caveats
The following table lists the open caveats in this release. Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Description
Enforcement Agent stats for CPU overhead metric on workload profile page are reported incorrectly
Conversation Mode: Short-lived non-TCP flows in conversation mode can have client and server flipped
Conversation Mode: 39RU cluster may not support 50k sensors when enforcement is enabled
FMC-CSW orchestrator: CSW pushes IPv6 hop-by-hop if protocol is set to any
AWS Flow Logs: Policy Analysis with AWS Flow Logs does not work
ADM generates policies with provider port set as 0 in conversation mode
ADM generates policies for unestablished TCP flows when agents are in conversation mode
3.6(1.5) agent installation script cannot install 3.5(1.x) agent packages on Windows host
After reconfiguring listening port of ingest connector, the connector enters an inactive state
Upgrade to 3.6.1.5 failed with site_enable_strong_ciphers_sensor_vip undefined
Enforcement agent depends on Windows Firewall Service when enforcement mode is WFP
Clock drift observed on Windows Server 2008 R2 with Cisco Secure Workload Agent
ERSPAN sensor running in server with 40Gbps links only receives 100Kpps
Resolved Caveats
The following table lists the resolved caveats in this release. Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Table 3 Resolved Caveats
Description
ISE Integration causing stale annotations for EAP chaining and IP address change cases
ERSPAN agents not upgrading after 3.5.x
ERSPAN appliance reflecting as "PENDING REGISTRATION"
Linux Enforcement agent fails to program firewall rules due to issue with iptables version 1.8.4
Inbound WFP filters can block subsequent ports in some policies in older Windows releases
Enforcement agent keeps re-deploying firewall rules intermittently to Windows systems
ENH: Add an alert for CPU quota exceeded in Enforcement Alert types
CVEs are detected post latest data pack installation
Tetration agent upgrade may fail npcap installation on Windows
Windows Agent Install: error: Older version of Tetration agent cannot be removed
NET vulnerabilities wrongly queried, eventually causing the FP in Tetration for Server 2008 R2
Agent installer scripts from LDAP/AD accounts with auto role mapping fail after user is logged out
Old LDAP attribute is still visible in Flow Search after deleting from LDAP conf for the AnyConnect connector
Known Behaviors
■ Before upgrading to 3.6.1.5 on a cluster with "Strong SSL Ciphers for Agent Connections" enabled, please contact TAC. (See CSCwa19256.)
■ The Conversations setting for the Flow Analysis Fidelity configuration in the Agent Config Profile is not supported for Universal Visibility Agents.
■ The Secure Workload UI displays an incorrect AWS connector workflow when a new connector is enabled right after creation of a new root scope. (CSCvz43857)
■ Policy Stream Data Tap is no longer in Alpha even though an Alpha label is displayed in the Data Taps Admin page.
■ Data Export tap is no longer supported in 3.6 even though the Data Taps Admin page still shows the feature.
■ Cross-account (VPC and S3 buckets belonging to different accounts) collection of flow logs is not supported in this release.
■ The AWS inventory profile page displays enforcement as disabled even when segmentation is enabled on the connector.
Compatibility Information
The software agents in the 3.6.1.5 release support the following operating systems (virtual machines and bare-metal servers) for micro-segmentation (deep visibility and enforcement). A per-version list is always accessible via the Platform Info page.
■ Linux:
● Amazon Linux 2
● CentOS-6.x: 6.1 to 6.10
● CentOS-7.x: 7.0 to 7.9
● CentOS-8.x: 8.0 to 8.4
● Red Hat Enterprise Linux-6.x: 6.1 to 6.10
● Red Hat Enterprise Linux-7.x: 7.0 to 7.9
● Red Hat Enterprise Linux-8.x: 8.0 to 8.4
● Oracle Linux Server-6.x: 6.1 to 6.10
● Oracle Linux Server-7.x: 7.0 to 7.9
● Oracle Linux Server-8.x: 8.0 to 8.4
● SUSE Linux-11.x: 11.2 to 11.4
● SUSE Linux-12.x: 12.0 to 12.5
● SUSE Linux-15.x: 15.0 to 15.2
● Ubuntu-14.04
● Ubuntu-16.04
● Ubuntu-18.04
● Ubuntu-20.04
■ Linux on IBM Z:
● Red Hat Enterprise Linux-7.x: 7.3 to 7.9
● Red Hat Enterprise Linux-8.x: 8.2 to 8.4
● SUSE Linux-11.x: 11.4
● SUSE Linux-12.x: 12.4, 12.5
● SUSE Linux-15.x: 15.0 to 15.2
■ Windows Server (64-bit):
● Windows Server 2008R2 Datacenter
● Windows Server 2008R2 Enterprise
● Windows Server 2008R2 Essentials
● Windows Server 2008R2 Standard
● Windows Server 2012 Datacenter
● Windows Server 2012 Enterprise
● Windows Server 2012 Essentials
● Windows Server 2012 Standard
● Windows Server 2012R2 Datacenter
● Windows Server 2012R2 Enterprise
● Windows Server 2012R2 Essentials
● Windows Server 2012R2 Standard
● Windows Server 2016 Standard
● Windows Server 2016 Essentials
● Windows Server 2016 Datacenter
● Windows Server 2019 Standard
● Windows Server 2019 Essentials
● Windows Server 2019 Datacenter
■ Windows VDI desktop Client:
● Microsoft Windows 8.1
● Microsoft Windows 8.1 Pro
● Microsoft Windows 8.1 Enterprise
● Microsoft Windows 10
● Microsoft Windows 10 Pro
● Microsoft Windows 10 Enterprise
● Microsoft Windows 10 Enterprise 2016 LTSB
■ IBM AIX operating system:
● AIX version 7.1
● AIX version 7.2
■ Container host OS version for policy enforcement:
● Red Hat Enterprise Linux Release 7.1 to 7.9
● CentOS Release 7.1 to 7.9
● Ubuntu-16.04
● Red Hat Enterprise Linux Core OS Release 4.5
The 3.6.1.5 release supports the following operating systems for deep visibility use cases only:
■ Windows VDI desktop Client:
● Microsoft Windows 7
● Microsoft Windows 7 Pro
● Microsoft Windows 7 Enterprise
The 3.6.1.5 release supports the following operating systems for the universal visibility agent:
■ Windows Server (32-bit and 64-bit where deep visibility agent is not available)
■ AIX 6.1 (PPC)
The 3.6.1.5 release no longer supports the following operating systems for any software agent:
■ Red Hat Enterprise Linux Release 5.x
■ CentOS Release 5.x
■ AIX 5.3 (PPC)
■ Microsoft Windows 8
The 3.6.1.5 release deprecates support for the following Cisco Nexus 9000 series switches in NX-OS and Cisco Application Centric Infrastructure (ACI) mode. If you are using HW sensors, please plan a migration to NetFlow as an alternative source:
Table 4 Previously Supported Cisco Nexus 9000 Series Switches in NX-OS and ACI Mode (deprecated in 3.6.1.5, see the Changes in Behavior section)
Product line | Platform | Minimum Software release
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 93180YC-FX, 93108TC-FX, and 9348GC-FXP | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 9336C-FX2 | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 93180YC-FX, 93108TC-FX | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 9348GC-FXP | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 9336C-FX2 | Cisco ACI Release 3.2 and later
Cisco Nexus 9500 series switches | N9K-X9736C-FX linecards only | Cisco ACI Release 3.1(1i) and later
Usage Guidelines
This section lists usage guidelines for the Cisco Secure Workload software.
§ You must use the Google Chrome browser version 90.0.0 or later to access the web-based user interface.
§ After setting up your DNS, browse to the URL of your Cisco Secure Workload cluster: https://<cluster.domain>
§ When using the commission / decommission feature for Cisco Secure Workload virtual appliance environments, please observe the following usage guidelines:
● This feature is meant to be used with the assistance of TAC and can cause unrecoverable damage if used incorrectly. No two VMs should ever be decommissioned at the same time, without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:
▪ More than one orchestrator
▪ More than one datanode
▪ More than one namenode (namenode or secondaryNamenode)
▪ More than one resourceManager
▪ More than one happobat
▪ More than one mongodb (mongodb or mongoArbiter)
● Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission of different VMs at the same time.
● Always contact TAC before using the esx_commission snapshot endpoint.
Verified Scalability Limits
The following tables provide the scalability limits for Cisco Secure Workload (39-RU), Cisco Secure Workload M (8-RU), and Cisco Secure Workload Cloud:
Table 5 Scalability Limits for Cisco Secure Workload (39-RU)
Configurable Option | Scale
Number of workloads | Up to 25,000 (VM or bare-metal); up to 50,000 (2x) when all the sensors are in conversation mode.
Flow features per second | Up to 2 million
Number of hardware agent enabled Cisco Nexus 9000 series switches | Up to 100 (deprecated)
Note: Supported scale will always be based on whichever parameter reaches the limit first.
Table 6 Scalability Limits for Cisco Secure Workload M (8-RU)
Configurable Option | Scale
Number of workloads | Up to 5,000 (VM or bare-metal); up to 10,000 (2x) when all the sensors are in conversation mode.
Flow features per second | Up to 500,000
Number of hardware agent enabled Cisco Nexus 9000 series switches | Up to 100 (deprecated)
Note: Supported scale will always be based on whichever parameter reaches the limit first.
Table 7 Scalability Limits for Cisco Secure Workload Virtual (VMWare ESXi)
Configurable Option | Scale
Number of workloads | Up to 1,000 (VM or bare-metal)
Flow features per second | Up to 70,000
Number of hardware agent enabled Cisco Nexus 9000 series switches | Not supported
Note: Supported scale will always be based on whichever parameter reaches the limit first.
Related Documentation
The Cisco Secure Workload documentation can be accessed from the following websites:
Cisco Secure Workload Platform Datasheet: http://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html
Secure Workload Documentation: https://www.cisco.com/c/en/us/support/security/tetration/series.html#~tab-documents
Table 8 Installation Documentation
Document | Description
Cisco Secure Workload Cluster | Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for the Cisco Secure Workload (39-RU) platform and Cisco Secure Workload M (8-RU).
Cisco Secure Workload Virtual Deployment Guide | Describes the deployment of Cisco Secure Workload virtual appliances (formerly known as Tetration-V).
Latest Threat Data Sources |
NOTE: As a best practice, it is always recommended to patch a cluster to the latest available patch version before performing a major version upgrade.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2021-2022 Cisco Systems, Inc. All rights reserved.