Introduction to Cisco Secure Workload SaaS, Release 3.10.3.19

This document describes the features, bug fixes, and behavior changes, if any, for the Cisco Secure Workload software patch Release 3.10.3.19. This patch is associated with the Cisco Secure Workload software major Release 3.10.1.1. For more information, see Cisco Secure Workload Release Notes, SaaS Release 3.10.1.1.

Release Information

Release Version: 3.10.3.19

Published Date: May 08, 2025

New Software Features in Cisco Secure Workload, Release 3.10.3.19

Feature Name

Description

Operation Simplicity

Workload Enforcement in Azure Connectors

This feature introduces the ability to monitor user login events within the Microsoft Entra ID (formerly Azure Active Directory) domain. A new configuration option enables sign-in logs during the setup of an Identity Connector for Microsoft Entra ID. By activating this feature, users benefit from the improved accuracy of user identity details in the inventory from the near real-time ingestion of IP address-to-user mappings.

This enhancement streamlines workflows with precise and timely user identity data, enabling more effective monitoring and troubleshooting of login activities.

For more information, see Microsoft Entra ID Connector.

User Identity Reporting for Windows Workloads

This feature enables the software agents to report logged-in user details for Windows workloads, providing clusters with accurate IP address-to-user mappings. Administrators can activate this feature through Report Users in the Agent Configuration Profile setting. After installing the agent on an Active Directory (AD) server and configuring the CswAgent service to run under a domain administrator Service Logon Account, it will report IP address-to-user mappings for all machines that have joined the domain even if the agent is not installed on those specific machines.

This capability enhances visibility into user activity across the network, streamlining workflows for monitoring, troubleshooting, and ensuring compliance.

For more information, see Agent Config Profile.

Azure One-Click Setup for Connector Onboarding

Azure One-Click is a helper script that is designed to simplify the setup of required applications and roles for connector onboarding. The script can be executed interactively or run using default values. For more information, see https://github.com/CiscoDevNet/secure-workload-connectors/tree/main/azure/iam.

Backup and Restore Network Security Groups (NSG) using the Azure Connector

The Azure connector now includes the capability to back up the security groups in Azure that are affected during segmentation. Backup of security groups happens automatically when the segmentation button is enabled. You can restore them after the segmentation button is disabled. Only the network security groups that are modified by Cisco Secure Workload are restored, to their original state at the time segmentation was enabled for that virtual network.

Note

Connectors that had segmentation enabled on them before the upgrade do not have backups in our database; therefore, no backup data is available to restore when segmentation is disabled on them.

This feature is currently available only for the Azure connector. For more information, see Backup and Restore Network Security Groups using the Azure Connector.

Selective Workload Enforcement with Azure Connectors

Azure connectors now provide the capability to selectively enforce specific workloads or a group of workloads instead of the entire virtual network. To select workloads, users must configure a config intent with the intended profile and inventory filter in the cloud workloads page. This filter defines the workloads for which Secure Workload will manage or apply the network security groups. To ensure selective policy enforcement:

  • Enable the segmentation option for all virtual networks containing the workloads.

  • Define the corresponding intents in the cloud workloads page.

  • Disabling segmentation at the VNet level deactivates all segmentation, regardless of the defined configuration intents.

During upgrade, any Azure connector that has a VNet with enforcement enabled is automatically migrated to the new workflow through the creation of a VPC-wide inventory filter and an agentless config intent that turns on enforcement for the VPC. Therefore, after migration, enforcement continues to be configured for the VPCs as before.

Note

This feature is currently available only for the Azure connector.

Azure connectors need the additional permission “Microsoft.Network/applicationSecurityGroups/*” for the configured user.

For more information, see Selective Workload Enforcement using the Azure Connector.

Enhanced User Experience

Japanese Localization for Cisco Secure Workload UI

The Cisco Secure Workload application now supports Japanese localization, improving accessibility for Japanese users. When a browser's default language is set to Japanese, the web UI and context-sensitive help are automatically displayed in Japanese.

AI Engine for Policy Optimization

The AI engine in Secure Workload now introduces automated scanning of flows within primary workspaces to generate policy suggestions. This feature addresses the challenge of maintaining up-to-date workload policies:

  • Proactively identifies gaps: the engine continuously analyzes flows to detect potential gaps or areas for improvement in segmentation policies, ensuring alignment with security best practices.

  • Saves time: automating the policy suggestion process saves users significant time and effort that would otherwise be spent on manual reviews and updates.

  • Enhances security posture: the AI engine ensures that workload policies remain current, reducing vulnerabilities and improving the overall security framework.

For more information, see AI Policy Statistics.

Enhancements in Cisco Secure Workload, Release 3.10.3.19

  • The Infoblox Network Record Exclusion feature now enables you to selectively prevent specific subnet records from being imported from Infoblox's external orchestrators. By defining exclusion patterns, you can filter out irrelevant network records, ensuring that only pertinent data is ingested.

  • You can now configure traffic alerts for rejected flows on the Alert Configuration page by configuring an alert with Alert Condition set to Flow Status is Rejected.


    Note


    An individual alert is generated for each flow record that meets the specified condition with a maximum of 100 alerts that are allowed per minute for each tenant. This restriction does not apply to alerts configured for malicious flows.


  • The IANA TLS Cipher Suites recommendations, which the cluster uses to evaluate the TLS ciphers alerts, have been updated to the version published on 02/01/2025.

  • Starting with Cisco Secure Workload, Release 3.10.3.19, the Azure connector has transitioned to support VNet flow logs in alignment with Microsoft Azure's updated policies. By migrating to VNet flow logs, users can ensure uninterrupted flow log ingestion and policy enforcement capabilities within their Azure environments. This migration ensures that the Azure connector remains compliant with Azure's requirements and continues to provide seamless integration for flow log ingestion.

  • The API for Live Analysis has been enhanced to include the endpoint /live_enforcement_analysis/{application_id}, which enables category filtering based on enforced policies.

  • The SecOps Read ability can now be configured with specific capabilities and assigned to a role. Users assigned to this role have access exclusively to investigative menu items, including Flows, Alerts, Vulnerabilities, and Forensic Analysis. This enhancement addresses the need for granular access control, ensuring that users with investigative responsibilities can focus solely on relevant data without unnecessary access to other system areas.


    Note


    The SecOps Read ability is a subset of the Read permission.


  • Secure Workload agents now include support for the following platforms:

    • CentOS Stream 9: Supported on x86_64, ppc64_le, and s390x architectures.

    • Windows 11 arm64: Validated for running the Cisco Secure Workload Agent as an x86_64 application.

Resolved and Open Issues

The resolved and open issues for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about issues and vulnerabilities in this product and other Cisco hardware and software products.


Note


You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, register for an account.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQs.

Resolved Issues

The following table lists the resolved issues in this release. Click an ID to access the Cisco Bug Search Tool and see additional information about that bug.

Identifier Headline
CSCwn53844 Compliance alerts for multicast/broadcast flows not seen in Segmentation Workspace - Policy Analysis or Enforcement
CSCwn64751 TetSen.exe process is listening on high UDP ports on Windows workloads
CSCwo18976 CSW Agent Windows Power-Shell installation script calls a function that should be revised.
CSCwo40563 CSW 3.10.1.1 : Enforcer does not start with corrupted enforcer.cfg
CSCwo61121 AIX CSW Agent incorrectly alters format of /etc/security/audit/config file when forensics is enabled
CSCwo33486 AgentTroubleshootingTool.ps1 script will fail when C:\Windows\System32 is not the first env variable
CSCwj79970 Workload's Profile does not reflect updated Flow Disk quota value
CSCwo37150 Linux agent doesn't honor flow disk quota limit set in config
CSCwo01170 CSW exporting Data information truncated in CSV Format.
CSCwo58676 Last Check-In timestamp mismatch with latest activity in Change Logs
CSCwo51294 User Defined Label Uploads fail
CSCwo86368 PERMITTED:REJECTED Flows in Policy Analysis for Windows workloads
CSCwo74842 FMC Connector virtual patching page shows an error message when a child scope has been selected
CSCwo89435 Agent Enforcement Health shows 'Policy out of Sync'
CSCwo96204 CSW Agents running on RHEL 9.4 and 9.5 may crash when PID/User Lookup is enabled
CSCwo74464 Empty page on preview results when creating FMC connector virtual patching rule
CSCwo06872 ADM : Child scopes show redundant enforcement policies

Open Issues

The following table lists the open issues in this release. Click an ID to access the Cisco Bug Search Tool and see additional information about that bug.

Identifier Headline

CSCwf43558 Services failures after upgrade with orchestrator dns name not resolvable.
CSCwh45794 ADM port and pid mapping is missing for some ports.
CSCwm40398 Multiple packages have been flagged with CVE 2022-1471 in RHEL8.9 system
CSCwm80745 Cisco Vulnerabilities Workloads Multiple selections across pages does not work in the UI
CSCwn61888 RHEL OS CVEs Inconsistencies report.
CSCwn75424 Azure agentless enforcement out-of-band change not being detected
CSCwn86124 Windows Agent - Missed Packets graph not being populated
CSCwn90706 Vulnerabilities page shows a backend service error
CSCwn96080 Issue with pre-populated rule at priority 90 or higher leading to duplication.
CSCwo11089 Customers would see temporary spikes in escaped flows when running policy analysis.
CSCwo13249 CSW 3.10.1.1 : Compliance Report - View Forensics Button doesn't work
CSCwo31391 [AIX] Information missing on workload profile page.
CSCwo54227 Blue Indicator line shift- UI Behaviour
CSCwo62365 The tetpyclient doesn't work correctly with setuptools version 78.0.0 (Latest release)
CSCwo81563 Kubernetes/Containers Vulnerabilities Are not being reported
CSCwo89435 Agent Enforcement Health shows 'Policy out of Sync'
CSCwo01704 EKS and VPC resources ignored if names are duplicated.
CSCwo95565 Schedule PDF in Japanese is not working as expected

Contact Cisco Technical Assistance Centers

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC: