AI Policy Suggestions in Secure Workload

Cisco Secure Workload uses an AI engine that constantly scans and analyzes traffic flows for workspaces. The AI engine can also optimize workspaces by suggesting policies that are simple and easy to use, without running AI Policy Discovery to discover policies.

Based on the available policy filters and Role-Based Access Control (RBAC), the AI engine suggests draft policies and priority levels for enforcement on the workspaces.

AI Policy Suggestions for Workspaces

The Secure Workload AI engine helps to maintain workspaces in an optimal state by reducing configuration errors and ensuring security compliance through consistent and continuous classification of workloads. The AI engine can also replace existing policies for the workspaces if any policy has not been selected for enforcement for a considerable amount of time.

Prerequisites for AI Policy Suggestions

  • Ensure that the workspace is the primary workspace, not the secondary workspace, for the AI engine to suggest policies for workspaces.

  • Set the policy enforcement to Catch All-Deny.

Limitations for AI Policy Suggestions

  • Note that AI Policy Suggestions consider the Advanced Policy discovery configurations that were created earlier when suggesting policies for a workspace.

  • AI Policy Suggestions can be turned off per Virtual Routing and Forwarding (VRF) instance if required.

How to View and Use AI Suggested Policies

The AI Policy Suggestions feature in Secure Workload offers the following key functionalities:

Procedure

Step 1

Ensure the workspace that is selected for scanning is primary and either the Grouped or Ungrouped policies are selected.

Note that for Ungrouped policies, you would need to add the suggested policies individually.

Step 2

Use the toggle to enable Show AI Suggested Policy for the AI engine to scan workspaces, flows and inventory, and automatically suggest policies for those workspaces.

Figure 1. AI Suggested Policies for workspaces

Note: The AI engine scans the flows every six hours, aggregates the data, and suggests policies for workspaces accordingly; the suggested policies are indicated by the 'magic wand' icon under the AI tab.

Step 3

Select the AI suggested policies you want to add to the 'draft workspace' and click Add Selected Policies. The AI engine adds new policies to newly created workspaces, replaces existing policies with the suggested policies, and replaces existing policies that have been idle for a certain period of time.

Figure 2. AI Suggested Policies

Step 4

The AI engine will replace unselected suggestions with new ones if the AI engine suggests better policies.

Troubleshooting

This section lists some potential issues that you might face while using the AI engine:

  • Ques: Why should I check if the workspace is primary?

    Ans: In order for the AI engine to suggest policies, the workspace must be primary.

  • Ques: Why should I check the advanced policy configuration?

    Ans: The AI Policy Suggestions feature uses the previous Advanced Policy discovery configuration when suggesting policies, so check the advanced policy configuration if any change in behavior is required.

  • Ques: Can I turn off the AI Policy suggestions?

    Ans: Yes, the AI Policy suggestions can be turned off per VRF if required.

  • Ques: Why am I unable to see the policies for the workspace?

    Ans: Check if the policies are published. For the AI engine to scan the policies, the policies must be published.

  • Ques: How often are policy statistics updated?

    Ans: Policy statistics are updated every six hours. Note that this is not configurable by users.

  • Ques: Can I enforce the policy suggestions immediately after I get the suggestions?

    Ans: Policy conditions are suggestions and you must verify the suggestions before taking any action on them.

  • Ques: How will policy suggestions work with the available policy conditions of Broad, Overshadowed or No Traffic?

    Ans: With the AI Policy Suggestions functionality, the finest policy is suggested with the available filters. For example, if all the filters are broad in nature, the resultant policy will also be broad in nature.

  • Ques: What should I do if the results are not as expected?

    Ans: Check AI Policy Settings if any of the results are not as expected; revert to the defaults for optimal usage.

  • Ques: Will there be any customer facing documentation about the models being used here? Are there any details available where the AI related services are being used?

    Ans: We are not using any Large Language Models (LLMs). All the results are from the decision tree and data processing. AI-related services are server processes running inside a Secure Workload cluster on a VM, which is not a yarn job.