Auto-pilot Rules
This feature is applicable only if you create cross-scope policies using the method described in (Advanced) Create Cross-Scope Policies.
Infrastructure applications that provide services to many other applications in a datacenter may receive a large number of policy requests from other applications.
You can reduce the volume of policy requests by creating auto-pilot rules to automatically accept or reject future matching policy requests.
Auto-pilot rules do not apply to existing policy requests. They affect only future policy requests.
Automatically accept or reject policy requests using Auto-Pilot Rules
Configure auto-pilot rules to automatically accept or reject policy requests between a specified consumer-provider pair, on specified ports. Auto-pilot rules can be broad (scope-to-scope), or apply only to a subset of workloads within each scope (as configured by inventory filters). You can use an inventory filter for the consumer, for the provider, or for each.
- If you want your auto-pilot rule to apply to a subset of workloads within a scope rather than to the entire scope:
  Create an inventory filter in the relevant scope(s) to group the workloads. Be sure the Restrict Query to Ownership Scope option is selected in each inventory filter, to ensure that the filter only includes workloads that are members of the scope.
- Choose Defend > Segmentation.
- Click the primary workspace of the consumer scope for which you want to automatically accept or reject policy requests related to a specific provider.
- Click Manage Policies.
- Click Provided Services.
- If you are creating this rule for an inventory filter, perform the following steps for the desired inventory filter (inventory filters are identified by an orange icon).
  Otherwise, perform these steps for the scope (scopes are identified by a blue icon).
  Make sure you are clicking in the correct place.
- Click No Auto-Pilot Rules or auto-pilot rules, whichever is displayed.
- Click New Auto-Pilot Rule.
- Configure the auto-pilot rule. Select the scope or inventory filter that represents the provider.
- Click OK.
Example Auto-Pilot Rule
In the example below, we create a new auto-pilot rule to reject TCP policy requests in port range 1-200 from any consumer contained in Tetration:Adhoc to the provider service Tetration.

Then we create a new policy in the workspace for the FrontEnd App on TCP port 23. Since the policy matches the auto-pilot rule, it is automatically rejected. The status and the reason for the rejection are shown in the tooltip next to the rejected policy.
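The matching behaviour in this example can be sketched as a small model. This is an added illustration, not product code or the product API. It assumes that scope containment follows colon-delimited scope names, that the first matching rule wins, and that the FrontEnd App lives in a hypothetical scope named Tetration:Adhoc:FrontEnd; the timestamps are constructed.

```python
# Added illustration: a simplified model of auto-pilot rule matching.
# Not product code; containment, ordering and timing semantics are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class AutoPilotRule:
    consumer: str      # consumer scope, colon-delimited path
    provider: str      # provider scope or service
    protocol: str
    ports: range       # inclusive range 1-200 is stored as range(1, 201)
    action: str        # "accept" or "reject"
    created_at: int    # constructed logical timestamp

@dataclass(frozen=True)
class PolicyRequest:
    consumer: str
    provider: str
    protocol: str
    port: int
    created_at: int

def in_scope(member: str, scope: str) -> bool:
    """Assumed containment: a scope contains itself and its colon-delimited children."""
    return member == scope or member.startswith(scope + ":")

def decide(request: PolicyRequest, rules: list[AutoPilotRule]) -> str:
    """Return 'accept', 'reject', or 'pending' (left for manual review)."""
    for rule in rules:
        if (request.created_at > rule.created_at      # rules affect only future requests
                and in_scope(request.consumer, rule.consumer)
                and request.provider == rule.provider
                and request.protocol == rule.protocol
                and request.port in rule.ports):
            return rule.action                         # assumed: first matching rule wins
    return "pending"

# Constructed sample data mirroring the example above.
RULES = [AutoPilotRule("Tetration:Adhoc", "Tetration", "TCP", range(1, 201), "reject", 10)]
FRONTEND = "Tetration:Adhoc:FrontEnd"  # hypothetical scope name for the FrontEnd App

if __name__ == "__main__":
    print(decide(PolicyRequest(FRONTEND, "Tetration", "TCP", 23, 11), RULES))   # created after the rule
    print(decide(PolicyRequest(FRONTEND, "Tetration", "TCP", 23, 9), RULES))    # existing request
    print(decide(PolicyRequest(FRONTEND, "Tetration", "TCP", 443, 11), RULES))  # outside 1-200
    print(decide(PolicyRequest("Tetration:AdhocOther", "Tetration", "TCP", 23, 11), RULES))
```

The last case shows why containment is checked on the scope path rather than on a plain name prefix: a sibling scope whose name merely starts with the same characters is not covered by the rule.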

View a count of policies recently created by auto-pilot rules
To view the number of policies created in a workspace by auto-pilot rules since live policy analysis was last initiated (or re-initiated) for the workspace:
Navigate to the Provided Services page for the relevant primary workspace and look for the count of “Auto Created” policies.