First Published: August 17, 2022

Introduction

The Cisco Secure Workload platform, formerly branded as Cisco Tetration, is designed to provide comprehensive workload security by establishing a micro perimeter around every workload across your on-premises and multi-cloud environment using firewalling and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses an advanced analytics and algorithmic approach to offer these capabilities.

This solution supports the following capabilities:

  • Automatically generated micro-segmentation policies resulting from comprehensive analysis of application communication patterns and dependencies

  • Dynamic label-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control

  • Consistent policy enforcement at scale through distributed control of native operating system firewalls and infrastructure elements like ADCs (Application Delivery Controllers) and physical or virtual firewalls

  • Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise

  • Workload behavior baselining and proactive anomaly detection

  • Common vulnerability detection with dynamic mitigation and threat-based workload isolation

To support the analysis and various use cases within the Cisco Secure Workload platform, consistent telemetry (flow data) is required from across the environment. Cisco Secure Workload collects rich telemetry using software agents and other methods to support both existing and new installations in data center infrastructures.

This release supports the following telemetry sources:

  • Secure Workload agents installed on virtual machine and bare-metal servers

  • DaemonSets running on container host operating systems

  • ERSPAN connectors that can generate Cisco Secure Workload telemetry from mirrored packets

  • Telemetry ingestion from Application Delivery Controllers (ADCs) – F5 and Citrix

  • NetFlow connectors that can generate Cisco Secure Workload telemetry based on NetFlow v9 or IPFIX records

  • ASA connector for collection of NetFlow Secure Event Logging (NSEL) telemetry

  • AWS connector for flow telemetry data generated using VPC flow log configurations

  • Azure connector for flow telemetry data generated using NSG flow log configurations

In addition, this release also supports ingesting endpoint device posture, context and telemetry through integrations with-

  • Cisco AnyConnect installed on endpoint devices such as laptops, desktops, and smartphones

  • Cisco Identity Services Engine (ISE)

Secure Workload agents also act as a policy enforcement point for application segmentation. Using this approach, the Cisco Secure Workload platform enables consistent micro-segmentation across public, private, and on-premises deployments. Agents enforce policy using native operating system capabilities, thereby eliminating the need for the agent to be in the data path and providing a fail-safe option. Additional product documentation is listed in the Related Documentation section.

New and Changed Information

This section lists the new and enhanced features, and known behaviors in this release.

Compatibility Information

  • Agent packages for Windows 8.1 have been removed as OS is no longer supported.

For detailed compatibility information, please refer to Platform Information on Cisco.com.

Known Behaviors

Secure Workload UI displays incorrect AWS connector workflow, when a new connector is enabled right after creation of a new root scope. (CSCvz43857)

AWS inventory profile page displays enforcement enabled as disabled, even when segmentation is enabled on connector.

ISE Connector fails to connect to pxGrid endpoints that have SSL Certificates with no SANs.

If any ISE connectors are configured, verify that their TLS certificates have SAN (subjectAltName) extension sections. After the upgrade, the ISE connector will not connect to ISE endpoints that present legacy CN-only TLS certificates.

Do not proceed with the upgrade till the ISE pxGrid TLS certificates are regenerated with SAN extensions.

Important Notes

This section lists some important notes for the Cisco Secure Workload software:

  • You must use the Google Chrome browser version 90.0.0 or later to access the web-based user interface.

  • After setting up your DNS, browse to the URL of your Cisco Secure Workload cluster: https://<cluster.domain>

  • When using the commission / decommission feature for Cisco Secure Workload virtual appliance environments, please observe the following usage guidelines:

    • This feature is meant to be used with the assistance of TAC and can cause unrecoverable damage if used incorrectly. No two VMs should ever be decommissioned at the same time, without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:

      • More than one orchestrator

      • More than one datanode

      • More than one namenode (namenode or secondaryNamenode)

      • More than one resourceManager

      • More than one happobat

      • More than one mongodb (mongodb or mongoArbiter)

      • Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission of different VMs at the same time.


Note

Always contact TAC prior to using the esx_commission snapshot endpoint.

New Software, New Hardware and Deprecated Features

New Software Features

Feature Name

Description

Agent & ​Agentless​ Microsegmentation

Support for Azure Connector Discovery Workflow

Secure Workload, 3.7 supports Azure and Azure Kubernetes Services (AKS) using a Cloud Connector.

You can now create Azure cloud connectors and enable metadata ingestion to ingest labels and flow data from Azure-based workloads and enforce policies through network security groups (NSGs), without the need to install agents on each workload.

You can also use the Azure connector to obtain labels from Kubernetes workloads running on AKS.

This feature is Beta.

For complete information, see the Azure Connector section in the Secure Workload online help or user guide.

Support for Managed Kubernetes Services-GKE

Secure Workload, 3.7 now supports managed Kubernetes Services using the Google Cloud Platform (GCP) connector.

GCP connectors support flow visibility for containers deployed and managed through Google Kubernetes Engine (GKE), and is helpful in gathering metadata for nodes, services, and pods from all the selected Kubernetes clusters.

For more information on how you can use a GCP connector, see the Managed Kubernetes Services Running on GCP (GKE) section in the Secure Workload online help or user guide.

FQDN/DNS Domain Name Based Flow Visibility

From Secure Workload, 3.7 release, a new option has been introduced under the Flow Search page to view the FQDN/DNS domain names associated with the consumer and provider.

The table filter under the Filter Search page is now configurable to display the domain names, which you can filter based on the IP addresses. The Flow Search table is now configurable to display consumer and provider domain names associated with the IP addresses.

For more information on how you can configure the table filter, see the Secure Workload online help or user guide.

Support for Kubernetes Service Object type Load balancer for Public Cloud

In this release, the Kubernetes load balancer service for public cloud platforms has been introduced to gather metadata from the workloads.

On the Services tab of the Workloads Inventory page, you can now view lists of the load balancers along with other Kubernetes services that were otherwise discovered only through external orchestrators.

For more information on this, see the Secure Workload online help or user guide.

New Menu Item

In Secure Workload, 3.7, the Secure Connector client metrics have been moved out of the external orchestrators page.

With this change, you can view additional client metrics on the Secure Connector page with just a click on the status row. These metrics are tabulated under the General, Interface, and Routes columns, which helps us to find relevant information for troubleshooting errors.

For more information, see the Secure Connector section in the Secure Workload online help or user guide.

KVM-based Virtual Appliances (edge and ingest)

In Secure Workload, 3.6 and earlier releases, there were provisions to download OVA templates for ESXi hosts. From Secure Workload, 3.7 and onwards, you can download QCOW2 images to deploy Secure Workload virtual appliances (Ingest and Edge) for KVM-based environments.

For more information, see the Virtual Appliances for Connectors section in the Secure Workload online help or user guide.

Agent Deployment Hardening

In Secure Workload, 3.7 release, the installer script has been enhanced to let you limit the usage of the script. This gives you more control on how you can use the script.

From this release, you can now actually choose the duration of using the installer script from a set of available options.

For more information on how you can do that, see the Install the Agent section in the Secure Workload online help or user guide.

Improved ​User Experience​

Improved Help Menu

In Secure Workload, 3.7 release, the Help menu on the UI has been significantly enhanced for users to get to the information they are looking for.

The help menu now has several helpful links, such as Page-level (context-sensitive) help, easy access to the documentation set/videos; find out What's New for a particular release, quick access to the Software download page, the platform information, supported operating systems and requirements, and a host of other information that is now just a click away.

Data backup and restore of Orchestrator and Connector Configurations

In this release, the data backup and restore feature is enhanced to include configurations of external orchestrators and connectors.

With this enhancement, you can now copy data and configurations of the Secure Workload cluster to another off-site storage, which would also have these configurations of the external orchestrators and connectors. In the event of an outage or any mishap, the backed-up data in these storages can easily be used to restore a new system.

For information on the enhancement, see the Secure Workload online help or user guide.

New Quick Start wizard

If you do not currently have any scopes defined, from this release, we have a new wizard that can guide you through creating the first branch of your scope tree, a first step toward discovering and enforcing policies for an application you choose.

The wizard explains the power of labels, scopes, and the hierarchical scope tree, and shows how these concepts are all related.

For more information, see the Secure Workload Quick Start Guide.

Improved Workspace for Policy Management

The Workspace that you see when working with policies for each scope has now been redesigned to better help you achieve your segmentation goals.

Among the changes: “ADM” has been renamed to “Automatically Discover Policies” to better reflect what this powerful feature actually does.

For more information on the improved Workspace, see Secure Workload online help or user guide.

Label impact analysis

In Secure Workload, 3.7, the user-defined labels has now been enhanced to display the usages of the custom labels.

On the User Uploaded Labels page, you can now view the usages of the inventory, scopes, or filters using these custom labels. In case you need to edit any of these custom labels, it is important to view the usages because any changes would directly impact the scopes, filters, and policies using these custom labels.

For more information on these usages, see the Secure Workload online help or user guide.

Automated Clean-up of Stale Agent Records

In many a production deployment, there could be several instances where stale agent records get accumulated on the Virtual Machines, and this eventually adds to the growing database of agent status alerts.

Starting Secure Workload, release 3.7, the process of cleaning up inactive agents on the VMs is automated, therefore, doing away with the tedious manual task of removing inactive agents after a specified period of time.

For more information on how to enable automated cleanup on the agent within a specified time period, see the Creating an Agent Config Profile section in the Secure Workload online help or user guide.

IPv6 Support (Dual-stack mode)

For information on the requirements and limitations of the IPv6 support, see the Cisco Secure Workload Upgrade Guide on cisco.com.

Support for Microsoft Edge Browser

Microsoft Edge browser support is introduced in this release.

Integration & ​Ecosystem​

Secure Firewall Management Center Integration

With Secure Workload, 3.7 release, you can now manage the scale load for Cisco Secure Workload (CSW) better with the integration of Secure Firewall Management Center (FMC) .

CSW can scale up several thousands of IP addresses, at times, it can go as high as 1.5M on high-end appliances; and the mappings of dynamic objects where the numbers can reach up to 300k. However, it was still unclear how the integration would behave with thousands of mappings per dynamic objects. Additionally, there was a "request limit" placed on the FMC to avoid integrations that are too aggressive, this limit did not allow more than 120 requests per minute from a single IP.

For more information on how this scale load is managed, see the Secure Firewall Management Center and Secure Workload Integration guide.

Secure Firewall Management Center Rule Order Management

In Secure Workload, 3.7, support has been provided for configuring the order of Secure Workload rules in the Secure Firewall Management Center (FMC) from the external orchestrator page of Cisco Secure Workload (CSW).

With this enhancement, you can now specify the order in which the Secure Workload rules would be listed - above or below the pre-existing access control rules in the FMC. Additionally, you can also enable the option to use catch-rules from Secure Workload instead of access control policy's default action in FMC. These features are now configured in the Secure Workload external orchestrator page.

For more information, see the Secure Workload and Firewall Management Center integration guide.

New Hardware Features

There are no new hardware features in this release.

Deprecated Features

Table 1. Deprecated Features in Secure Workload Release 3.7.1.5

Feature

Feature Description

Deprecating the Neighbourhood Application

In Secure Workload release 3.7.1.5, these features are no longer supported:

  • Performance monitoring

  • Lookout

  • Hardware Agent Config and Hardware Agent Download

  • Dashboard Flows, Dashboard Views and Dashboard Custom

  • Universal visibility agents type from software agents

Enhancements

  • Software Agents now supports SUSE Linux Enterprise Server 12 and 15 on ppc64le architecture.

  • Software Agents now supports Redhat Enterprise Server 7 and 8 on ppc64le architecture.

  • Software Agents now support Ubuntu 22.04 on x86_64 architecture

  • Software Agents now support Red Hat Enterprise Server 9 on x86_64 and s390x architectures

  • A new option for vanilla Kubernetes/OpenShift external orchestrators is introducced to include label metadata for improved ADM clustering. With this enhancement, the Role-Based Access Control (RBAC) privileges requirement have changed.

    To view further details about the new RBAC privileges required, see the Cisco Secure Workload Upgrade Guide.

  • Users can now download the latest Secure Connector Client RPM from the Secure Connector page.

  • Users can now also generate the single-use registration token from the Secure Connector page.

  • Users can now selectively disable Process and Package visibility in Agent Config Profile under Process and Forensic visibility section.

  • In FMC, dynamic objects name is now human readable:

    • Improvement in FMC Rule Order Management

    • Users can choose ‘High/Top’ or 'Low/Bottom' priority to push Absolute policies to Mandatory section.

    • Users can now choose ‘High/Top’ or 'Low/Bottom' priority to push Default policies to Default section.

  • Users can now choose from the options - CSW catch-all or ignore CSW catch-all.

  • Users can now set an expiration for the Software Agents Installer Script.

  • Users can now set a time period in Agent Config Profile after which inactive agents will be automatically removed.

  • Users can now choose a specific Consumer/Provider Inventory under Quick Analysis if more than one item matches with the entered IP Address.

  • Users can now prevent new Software Agents from registering and from auto-upgrading globally with the cluster through Settings in the Cluster Configuration page.

  • SPAN Agents can now process IPv6 ERSPAN packets

  • The Segmentation workspace has been enhanced with more navigation options, such as workspace and version selection, organized by Scope Tree and states with combined Absolute and Default Policies table.

  • Users can now use KVM based (qcow2 format) appliances (ingest and edge).

  • The Azure Connector now supports multiple subscriptions.

  • Upgrading to the 3.7 release will upgrade the firmware on the cluster leaf and spine switches to NX-OS and EPLD version 9.3(8).

  • The Inventory Upload page has been modified, users can now see the top 5 values and all the Usages of Labels.

  • The Hadoop cluster in the 3.7 release has been upgraded to version 3.2.2.

  • All virtual machines internal to the Secure Workload cluster are now using CentOS version 7.9.

  • The Cisco Integrated Management Controller (CIMC) Host Upgrade Utility (HUU) for the M5 hardware bundled with the 3.7 release has been updated to version 4.1(3f).

  • All Connector appliances created with the 3.7 OVA support IPv6 address configuration and connecting to a CSW cluster running in dual stack mode.

  • The External Orchestrators–Vcenter/Infoblox/DNS now support IPv6 addresses and DNS names resolving to IPv6 addresses in their hosts list.

Changes in Behavior

  • Universal Agents are no longer supported by Cisco Secure Workload.

  • Hardware Sensors are no longer supported by Cisco Secure Workload.

  • Cisco Secure Workload Agents no longer support SUSE Linux Enterprise Server 11.

  • GCM-based ciphers are now supported for data exchange between Cisco Secure Workload cluster and external S3 servers.

  • The default enforcement mode in Agent Config Profile for Windows agents is now WFP.

  • The eviction time for external authentication and TaaS is increased from 6 hours to 9 hours.

Verified Scalability Limits

The following tables provide the scalability limits for Cisco Secure Workload (39-RU), Cisco Secure Workload M (8-RU), and Cisco Secure Workload Cloud:

Table 2. Scalability Limits for Cisco Secure Workload (39-RU)

Configurable Option

Scale

Number of workloads

Up to 25,000 (VM or bare-metal).

Up to 50,000 (2x) when all the sensors are in conversation mode.

Flow features per second

Up to 2 million.
Table 3. Scalability Limits for Cisco Secure Workload M (8-RU)

Configurable Option

Scale

Number of workloads

Up to 5,000 (VM or bare-metal).

Up to 10,000 (2x) when all the sensors are in conversation mode.

Flow features per second

Up to 500,000.
Table 4. Scalability Limits for Cisco Secure Workload Virtual (VMWare ESXi)

Configurable Option

Scale

Number of workloads

Up to 1,000 (VM or bare-metal).

Flow features per second

Up to 70,000.

Note

Supported scale is based on whichever parameter reaches the limit first.

Resolved and Open Bugs

The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about issues and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Resolved Issues

The following table lists the resolved issues in this release. Click the Bug ID to access Cisco’s Bug Search Tool to see additional information about that bug.

Table 5. Resolved Issues

Bug ID

Description

CSCwc17237

Disabling network visibility also disables process/package visibility

CSCwf78123

[Linux] Continuous Policy deviation/Correction on newer platforms when iptables-legacy present.

CSCwc23159

RHEL 8.x enforcement agents don't display in Upgrade tab

CSCwc53834

Stopping namenode service may cause false policy updates to be pushed to workloads

CSCwc32016

Netflow sensor dropping received netflow data.

CSCwa44839

Evaluate / Rectify vulnerabilities on Tetration N9K switches

CSCwc37463

Scope membership shows 0 members when using RegEx queries.

CSCvz66166

Downloading agent logs from a workload profile page is not available in a federation.

CSCwb94169

Error when changing kafka FQDNs on standby cluster.

CSCwc59065

Enforcement Agent may restart when processing a policy with specific IPv6 ranges.

Open Issues

The following table lists the open issues in this release. Click an ID to access Cisco’s Bug Search Tool to see additional information about that bug.

Identifier

Headline

CSCwb80213

vNIC is hung up on a baremetal server, requires reboot of server to recover.

CSCwf78123

[Linux] Continuous Policy deviation/Correction on newer platforms when iptables-legacy present.

CSCwb39541

Change error message on Investigate Traffic queries that are timing out.

CSCwc47484

Agent List Not Listed Correctly in Software Agents Agent List Page.

CSCvz98522

Enforcement Compliance Alerts are not possible in a Federation.

CSCwb91717

Data for SW Status Upgrade chart for software agents in pending status is missing.

CSCwc47484

Agent List Not Listed Correctly in Software Agents Agent List Page

CSCwc63711

Missing permissions for Azure segmentation.

Related Documentation

Document

Description

Cisco Secure Workload Cluster Deployment Guide

Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for Cisco Secure Workload (39-RU) platform and Cisco Secure Workload M (8-RU).

Cisco Tetration (Secure Workload) M5 Cluster Hardware Deployment Guide

Cisco Secure Workload Virtual Deployment Guide

Describes the deployment of Cisco Secure Workload virtual appliances (formerly known as Tetration-V).

Cisco Secure Workload Virtual (Tetration-V) Deployment Guide

Cisco Secure Workload Platform Datasheet

Cisco Secure Workload Platform Datasheet

Secure Workload Documentation

Secure Workload Documentation

Latest Threat Data Sources

Cisco Secure Workload

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC: