Cisco Tetration Release Notes
Release 3.5.1.1
This release has been deprecated and is no longer available.
For information, see https://www.cisco.com/c/en/us/td/docs/security/workload_security/tetration-analytics/sw/advisory/Software-Advisory-Notice-CSCvx74789.html.
This document describes the features, caveats, and limitations for the Cisco Tetration software, release 3.5.1.1.
The Cisco Tetration platform is designed to provide comprehensive workload security by establishing a micro perimeter for every workload across your on-premises and multicloud environment using firewalling and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection and workload isolation. The platform uses an advanced analytics and algorithmic approach to offer these capabilities. The platform provides a ready-to-use solution supporting the following capabilities:
● Automatically generated microsegmentation policies resulting from comprehensive analysis of application communication patterns and dependencies
● Dynamic label-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control
● Consistent policy enforcement at scale through distributed control of native operating system firewalls and infrastructure elements like ADCs (application delivery controllers) and physical or virtual firewalls
● Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise
● Workload behavior baselining and proactive anomaly detection
● Common vulnerability detection with dynamic mitigation and threat-based workload isolation
To support the analysis and various use cases within the Cisco Tetration platform, consistent telemetry is required from across the environment. Rich Cisco Tetration telemetry is collected using software agents and other methods to support both existing and new installations in data center infrastructures. This release supports the following agent types:
■ Software agents installed on virtual machine and bare-metal servers
■ Daemonsets running on container host operating systems
■ ERSPAN agents that can generate Cisco Tetration telemetry from copied packets
■ Telemetry ingestion from ADCs (Application Delivery Controllers) – F5 and Citrix
■ NetFlow agents that can generate Cisco Tetration telemetry based on NetFlow v9 or IPFIX records
In addition, this release supports ingesting endpoint device posture, context, and telemetry through integrations with:
■ Cisco AnyConnect installed on endpoint devices such as laptops, desktops, and smartphones
■ Cisco ISE (Identity Services Engine)
Software agents also act as the policy enforcement point for application segmentation. Using this approach, the Cisco Tetration platform enables consistent microsegmentation across public, private, and on-premises deployments. Agents enforce the policy using native operating system capabilities, thereby eliminating the need for the agent to be in the data path and providing a fail-safe option. Additional product documentation is listed in the “Related Documentation” section.
These Release Notes are sometimes updated with new information about restrictions and caveats. See the following website for the most recent version of this document:
The following table shows the online change history for this document.
Date | Description
February 26, 2021 | Release 3.5.1.1 became available.
March 4, 2021 and March 21, 2021 | Removed erroneous “Beta” mention for AIX support. Added open caveats and known behavior issues related to licensing and to enabling of Windows Advanced Firewall. Corrected Windows Server 2008 versions supported for software agent.
April 8, 2021 | This release has been deprecated and is no longer available.
This section lists the new and changed features in this release and includes the following topics:
■ Integration with Cisco Firepower Management Center (FMC) – With this integration, customers can realize the benefits of defense-in-depth security and consistent segmentation of application workloads across their environment.
o Cisco FMC can be added as a security policy enforcement point through the External Orchestrator page by providing the API connection information and credentials.
o Note: Standalone FTDs are not supported with this feature.
■ Support microsegmentation of container workloads deployed in an Amazon Web Services (AWS) Elastic Kubernetes Services (EKS) cluster.
o The AWS EKS option can be selected while adding Kubernetes as an external orchestrator. The administrator must provide the AWS IAM credentials and user role binding details.
■ Microsegmentation support for container workloads deployed through Red Hat OpenShift 4.x is now available. OpenShift 4.x leverages CRI-O as the default container runtime for Kubernetes. CRI-O is supported, and no additional changes in the existing enforcement workflow are required for running in such environments. Worker node operating systems can be either RHEL or CentOS versions that are officially supported by OpenShift 4.x.
o This release supports up to Red Hat OpenShift version 4.6.
o This release does not support Red Hat CoreOS as the worker node operating system.
■ For on-premises deployments only: Support for third party threat intelligence information through industry standard STIX/TAXII protocol.
o Add the TAXII source type, TAXII Vendor, TAXII Poll URL, Collections, and Poll Days information.
o In the Security Dashboard and in the workload profile File Hashes tab, hash verdict details from the STIX source are shown.
■ Policy designer canvas has been added in addition to the existing tabular view option. This designer canvas replaces the “App view” option in the ADM workspace.
o App view option is still available for workspaces that have the application views created and saved before the upgrade to this release.
■ A new enforcement option using Windows Filtering Platform (WFP) is available for Windows server workloads. Administrators can enable this option through the Agent Config page.
o The config option “Windows Enforcement Mode”, available under the Enforcement category, lets the user select either “WFP” (enable Windows Filtering Platform for enforcement on Windows agents) or “WAF” (enable Windows Advanced Firewall for enforcement on Windows agents). “WAF” mode is selected by default.
■ A new flow telemetry collection option for software agents is added in this release.
o The config option “Flow Analysis Fidelity”, available under the Flow Visibility category, lets the user select either “Conversations” (summarized flow telemetry mode on all agents) or “Detailed” (full flow telemetry mode on all agents). “Detailed” is selected by default.
■ Software agent support added for Amazon Linux 2 to support all workload protection capabilities
■ AIX deep visibility and enforcement agent is now generally available for all customers in this release:
o OS versions: 7.1, 7.2 (PPC)
o To use enforcement, ipfilter package version 5.3.0.7 must be installed and operating on the workload.
o No other active AIX or third-party firewall should be enabled. Do not use the native AIX firewall commands (genfilt, chfilt, rmfilt, mkfilt, expfilt, impfilt).
■ The following new capabilities are available when installing a software agent:
o Option to change the default install directory and specify a custom install directory
§ Not available for Ubuntu and AIX.
o Option to change the default logfile directory and specify a custom logfile directory location
o Use an existing unprivileged user instead of the install script creating a new user
§ For Linux, the installer script tests this user for sudo capability.
§ For Windows, the MSI installer provides the option to specify an existing service user. This can be an AD managed service account.
■ User Session Configuration – User Idle Session Timeout is the interval to timeout when there is no user activity. This duration can be configured per on-premises appliance under Company > User Session Configuration. This duration can be per tenant (TaaS) under Organization > User Session Configuration.
■ Cisco Tetration SaaS supports identity federation for authentication of tenant users through their organization’s authentication system using SAML 2.0.
■ For Ubuntu, software agents now use a native .deb package. This is only supported with the installation script and installs at a new fixed location, /opt/cisco/tetration.
o Using the classic packaged installation is not recommended, since it requires rpm support.
o Using it requires running the rpm installation as root, not through sudo.
■ Tetration UI Connector workflow is now enabled for ERSPAN appliances. It allows and guides the administrator in generating the appliance’s ISO configuration disk.
■ ERSPAN virtual appliance ISO configuration file generation is integrated with ingest appliance connector workflow in the Tetration UI. It provides the configuration wizard and workflow for administrator to generate this file.
■ Enhancements to vulnerability information provided in the Tetration platform:
o Reduce CVE false positives for Ubuntu OS and the Windows .NET package
o Report vulnerabilities for Windows operating systems
o Provide exploit information for known CVEs
o Open API support to fetch CVE information
■ Enforcement status filtered by scope - The enforcement status page now supports filtering status data by root or child scope. This allows tenant owners to filter the status data by any sub scope that is part of their tenant root scope.
■ Workspace level details for enforcement status – Details of the enforcement status for the workspace’s current scope is available as a tab through the application workspace page.
■ Enforcement impact analysis - The four-step policy enforcement wizard allows users to view and select policy changes to enforce (or roll back), inspect workloads with enforcement agent that could be impacted by policy changes, confirm that desired policies from ancestor workspaces are enforced and review the summary before enabling/updating policy enforcement.
■ Pausing enforcement policy update globally: Pausing policy update will prevent firewall rule updates in all enforcement points. This control is on the enforcement status page. This feature is reserved for site admin and customer support.
o Note: This is a global configuration regardless of which scope the current user is in.
■ OpenAPI API Key Warnings - When authentication and authorization with LDAP is enabled, Tetration UI now includes a warning on the individual user’s API Key page and the user details page in the user wizard. This warning indicates that when LDAP authorization is enabled, the preferred approach is to have a user on ‘Local Authentication’ to ensure uninterrupted access to OpenAPI API endpoints.
■ For physical Tetration hardware clusters, the CIMC externalization process has been simplified. Once CIMC externalization is enabled, access to the CIMC WebUI can be obtained by expanding a specific baremetal node in the cluster status page and clicking on the CIMC IP address. In addition, the CIMC externalization feature now allows the externalization to be renewed.
■ For physical clusters the cluster switch interfaces are now monitored. If any critical interfaces are found to not be in an up state the Service Status page will show the ClusterSwitches service as unhealthy. In addition, if the service remains unhealthy for 80% of an hour, a platform alert will be raised.
These are changes in behavior for this release:
■ Software Agents List – table data downloaded as csv now has updated columns that are more readable as opposed to a set of keys returned from the software agent model.
■ UI enhancements to Agent Config Page to reflect feature support per Tetration sub-Agent binary. Renamed “Visibility” to “Flow Visibility” and “Forensics” to “Process Visibility and Forensics”.
■ Renamed “Tags” and “Annotations” to “Labels” for all features in Tetration.
■ Removed all Visit History related features: tabs/components/routes/functionality.
■ Ubuntu-based virtual machines in Tetration-V ESXi clusters have had their root disk sizes increased from 8 GB to 12 GB.
This section contains lists of open and resolved caveats, as well as known behaviors.
The following table lists the open caveats in this release. Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Bug ID | Description
 | kubernetes daemonset agent uninstall requires jq utility
 | (Static Enforcement) Pausing enforcement policy update is not supported in the federation setup in the current release.
 | Kubernetes traffic from the host network to cluster IP services escapes Tetration policies.
 | Apply existing (pre-3.5) license if licensing info is not correctly displayed upon upgrade to 3.5
 | Enforcement Agent upgrade enables Windows Advanced Firewall
Resolved Caveats
The following table lists the resolved caveats in this release. Click a bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.
Table 3 Resolved Caveats
Bug ID | Description
 | User guide not consistent with scope and tenant related UI behavior
 | Upgrade bash to fix https://access.redhat.com/errata/RHSA-2020:1113
 | Add note to user guide that user IDs must be lower case.
 | Node and disk decommission fail when a predictive drive failure error is present
 | /local/tetration/log/tet-ldap-loader log requires timestamps in AnyConnect VM
 | Attack Surface table is confusing to users expecting to see only open and unused ports that contribute to a lower score.
 | Flow output for policy analysis distinguishes between inbound and outbound policies. Allows the user to determine if the catch-all policy was applied on the consumer or provider side.
 | User guide documentation for Dashboard Metrics
To overcome the known behavior in which the enforcement agent upgrade enables Windows Advanced Firewall:
■ Option-1: For upgrade scenarios, disable Auto Upgrade in Agent Config before upgrading to Tetration 3.5.1.1. Leave enforcement agents on the existing version until a fix is ready.
■ Option 2: Create GPO (domain or local) to explicitly disable all Firewall profiles before upgrading to Tetration 3.5.1.1. GPO setting takes precedence over the agent setting.
■ For on-premises customers upgrading from 3.4.1.x:
The license file is not automatically recognized by the platform after upgrade to 3.5.1.1. To resolve this issue, upload the previously issued license key file again. There is no need to request a new license key file and there is no impact to any existing functionalities.
■ The External Orchestrator TAXII type supports TAXII feeds with STIX 1.x and ingests only IP and hash indicators. The Tetration platform ingests up to 100K of the most recent IP indicators per TAXII feed, and up to 500K of the most recent hash indicators for all TAXII feeds.
■ Cisco FMC integration deploys Tetration policies to an FMC prefilter policy with the allow action “FASTPATH”, which prevents further packet inspection by the access control policy with which the prefilter policy is associated. This approach ensures that the allowed traffic as defined in Tetration policies is not blocked by any access control policy rule or its default action that would otherwise block the traffic.
■ Depending on the number of Tetration policies and also the resource configuration of the FMC and assigned FTDs, the policy deployment via the External Orchestrator for FMC may take a few minutes to complete.
■ The conversation feature should not be turned on in a scope where “Universal Visibility Agents” exist. Currently, interoperability between “Universal Visibility Agents” and conversation-enabled agents is not supported.
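The known behavior above in which an enforcement agent upgrade enables Windows Advanced Firewall is easy to miss on a host where the firewall was deliberately left off. The following PowerShell script is an added example, not part of these release notes or of Cisco's tooling: run it with -Mode Baseline before upgrading the agent to record each firewall profile's state, and with -Mode Compare afterwards to report any profile that the upgrade switched from disabled to enabled. It assumes Windows Server 2012 or later (the Get-NetFirewallProfile cmdlet from the NetSecurity module), and the baseline file location and script name are assumptions.

```powershell
# Added example, not Cisco's code. Records Windows Firewall profile state before the
# Tetration agent upgrade (-Mode Baseline) and compares it afterwards (-Mode Compare),
# reporting profiles that went from disabled to enabled. Assumes Windows Server 2012 or
# later, where the NetSecurity module provides Get-NetFirewallProfile; the baseline
# path below is an assumed location.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\tetration-fw-baseline.json"  # assumed location
)

function Get-FirewallProfileState {
    # Enabled is a GpoBoolean (True/False/NotConfigured); only 'True' means the profile is on.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Enabled = ($_.Enabled -eq 'True')
        }
    }
}

function Compare-FirewallProfileState {
    param([object[]]$Before, [object[]]$After)
    # Emit the names of profiles that were off in the baseline and are on now.
    foreach ($p in $After) {
        $prev = $Before | Where-Object { $_.Name -eq $p.Name }
        if ($null -ne $prev -and -not $prev.Enabled -and $p.Enabled) {
            $p.Name
        }
    }
}

switch ($Mode) {
    'Baseline' {
        Get-FirewallProfileState | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Firewall profile baseline written to $BaselinePath"
    }
    'Compare' {
        if (-not (Test-Path $BaselinePath)) {
            throw "No baseline at $BaselinePath; run this script with -Mode Baseline before the upgrade."
        }
        $before  = @(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json)
        $after   = @(Get-FirewallProfileState)
        $changed = @(Compare-FirewallProfileState -Before $before -After $after)
        if ($changed.Count -eq 0) {
            Write-Output "No firewall profile changed from disabled to enabled."
        } else {
            foreach ($name in $changed) {
                Write-Warning "Firewall profile '$name' was disabled before the upgrade and is now enabled."
            }
            exit 1
        }
    }
}
```

Saved as, say, Check-FwProfiles.ps1 and run from an elevated prompt, `.\Check-FwProfiles.ps1 -Mode Baseline` before the upgrade and `.\Check-FwProfiles.ps1 -Mode Compare` after it gives a non-zero exit code when a profile was switched on, which is convenient for a post-upgrade automation step. On hosts covered by the GPO workaround (Option 2 above) the GPO setting takes precedence over the agent setting, so the compare run should report no change; a warning there indicates the GPO did not apply.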
Compatibility Information
The software agents in the 3.5.1.1 release support the following operating systems (virtual machines and bare-metal servers) for micro segmentation (deep visibility and enforcement):
■ Linux:
● Amazon Linux 2
● CentOS-6.x: 6.1 to 6.10
● CentOS-7.x: 7.0 to 7.9
● CentOS-8.x: 8.0 to 8.3
● Red Hat Enterprise Linux-6.x: 6.1 to 6.10
● Red Hat Enterprise Linux-7.x: 7.0 to 7.9
● Red Hat Enterprise Linux-8.x: 8.0 to 8.3
● Oracle Linux Server-6.x: 6.1 to 6.10
● Oracle Linux Server-7.x: 7.0 to 7.9
● Oracle Linux Server-8.x: 8.0 to 8.3
● SUSE Linux-11.x: 11.2, 11.3, and 11.4
● SUSE Linux-12.x: 12.0, 12.1, 12.2, 12.3, 12.4
● SUSE Linux-15.x: 15.0, 15.1
● Ubuntu-14.04
● Ubuntu-16.04
● Ubuntu-18.04
● Ubuntu-20.04
■ Windows Server (64-bit):
● Windows Server 2008R2 Datacenter
● Windows Server 2008R2 Enterprise
● Windows Server 2008R2 Essentials
● Windows Server 2008R2 Standard
● Windows Server 2012 Datacenter
● Windows Server 2012 Enterprise
● Windows Server 2012 Essentials
● Windows Server 2012 Standard
● Windows Server 2012R2 Datacenter
● Windows Server 2012R2 Enterprise
● Windows Server 2012R2 Essentials
● Windows Server 2012R2 Standard
● Windows Server 2016 Standard
● Windows Server 2016 Essentials
● Windows Server 2016 Datacenter
● Windows Server 2019 Standard
● Windows Server 2019 Essentials
● Windows Server 2019 Datacenter
■ Windows VDI desktop Client:
● Microsoft Windows 8
● Microsoft Windows 8 Pro
● Microsoft Windows 8 Enterprise
● Microsoft Windows 8.1
● Microsoft Windows 8.1 Pro
● Microsoft Windows 8.1 Enterprise
● Microsoft Windows 10
● Microsoft Windows 10 Pro
● Microsoft Windows 10 Enterprise
● Microsoft Windows 10 Enterprise 2016 LTSB
■ IBM AIX operating system:
● AIX version 7.1
● AIX version 7.2
■ Container host OS version for policy enforcement:
● Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.7
● CentOS Release 7.1, 7.2, 7.3, 7.4, 7.7
● Ubuntu-16.04
The 3.5.1.1 release supports the following operating systems for visibility use cases only:
■ Windows VDI desktop Client:
● Microsoft Windows 7
● Microsoft Windows 7 Pro
● Microsoft Windows 7 Enterprise
The 3.5.1.1 release supports the following operating systems for the universal visibility agent:
■ Windows Server (32-bit and 64-bit)
■ Solaris 11 on x86 (64-bit)
■ AIX 5.3 (PPC)
■ Linux
● Red Hat Enterprise Linux 4.0 (32-bit and 64-bit)
● CentOS 4.0 (32-bit and 64-bit)
● Red Hat Enterprise Linux 5.0 (32-bit and 64-bit)
● CentOS 5.0 (32-bit and 64-bit)
The 3.5.1.1 release no longer supports the full visibility agent for the following operating systems:
■ Red Hat Enterprise Linux Release 5.x
■ CentOS Release 5.x
The 3.5.1.1 release supports the following Cisco Nexus 9000 series switches in NX-OS and Cisco Application Centric Infrastructure (ACI) mode:
Table 4 Supported Cisco Nexus 9000 Series Switches in NX-OS and ACI Mode
Product line | Platform | Minimum software release
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 93180YC-FX, 93108TC-FX, and 9348GC-FXP | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (NX-OS mode) | Cisco Nexus 9336C-FX2 | Cisco NX-OS Release 9.2.1 and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 93180YC-FX, 93108TC-FX | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 9348GC-FXP | Cisco ACI Release 3.1(1i) and later
Cisco Nexus 9300 platform switches (ACI mode) | Cisco Nexus 9336C-FX2 | Cisco ACI Release 3.2 and later
Cisco Nexus 9500 series switches | N9K-X9736C-FX linecards only | Cisco ACI Release 3.1(1i) and later
This section lists usage guidelines for the Cisco Tetration Analytics software.
■ You must use the Google Chrome browser version 40.0.0 or later to access the web-based user interface.
■ After setting up your DNS, browse to the URL of your Cisco Tetration Analytics cluster: https://<cluster.domain>
■ When using the commission / decommission feature for Tetration virtual appliance environments, please observe the following usage guidelines:
● This feature is meant to be used with the assistance of TAC and can cause unrecoverable damage if used incorrectly. No two VMs should ever be decommissioned at the same time, without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:
▪ More than one orchestrator
▪ More than one datanode
▪ More than one namenode (namenode or secondaryNamenode)
▪ More than one resourceManager
▪ More than one happobat
▪ More than one mongodb (mongodb or mongoArbiter)
● Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission of different VMs at the same time.
● Always contact TAC before using the esx_commission snapshot endpoint.
The following tables provide the scalability limits for Cisco Tetration (39-RU), Cisco Tetration-M (8-RU), and Cisco Tetration Cloud:
Table 5 Scalability Limits for Cisco Tetration (39-RU)
Configurable option | Scale
Number of workloads | Up to 25,000 (VM or bare-metal)
Flow features per second | Up to 2 million
Number of hardware-agent-enabled Cisco Nexus 9000 series switches | Up to 100
Note: Supported scale is always based on whichever parameter reaches its limit first.
Table 6 Scalability Limits for Cisco Tetration-M (8-RU)
Configurable option | Scale
Number of workloads | Up to 5,000 (VM or bare-metal)
Flow features per second | Up to 500,000
Number of hardware-agent-enabled Cisco Nexus 9000 series switches | Up to 100
Note: Supported scale is always based on whichever parameter reaches its limit first.
Table 7 Scalability Limits for Cisco Tetration Virtual (VMware ESXi)
Configurable option | Scale
Number of workloads | Up to 1,000 (VM or bare-metal)
Flow features per second | Up to 70,000
Number of hardware-agent-enabled Cisco Nexus 9000 series switches | Not supported
Note: Supported scale is always based on whichever parameter reaches its limit first.
The Cisco Tetration Analytics documentation can be accessed from the following websites:
Tetration Analytics Platform Datasheet: http://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html
General Documentation: https://www.cisco.com/c/en/us/support/security/tetration/series.html#~tab-documents
The documentation includes installation information and release notes.
Table 8 Installation Documentation
Document | Description
Cisco Tetration Analytics Cluster | Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for the Cisco Tetration (39-RU) platform and Cisco Tetration-M (8-RU).
Cisco Tetration Virtual Deployment Guide | Describes the deployment of Tetration virtual appliances.
Documentation Link: | NOTE: As a best practice, it is always recommended to patch a cluster to the latest available patch version before performing a major version upgrade.
Latest Threat Data Sources |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2021 Cisco Systems, Inc. All rights reserved.