Policy Analysis Details
Flow Disposition
In policy live analysis, to decide whether a flow is Permitted, Escaped, or Rejected, we first determine the Disposition of the flow from the network perspective. Each flow receives an ALLOWED, DROPPED or PENDING disposition, based on the signals and observations reported by Secure Workload agents. There are a number of scenarios, depending on the agent configurations along the path of the flow and on the flow type.
First, regardless of flow types, if any agent along the path of a flow reports that the flow is DROPPED, the flow will receive a DROPPED disposition.
When no agent along the path of the flow reports a DROP, we consider bidirectional flows and unidirectional flows separately. When bidirectional flows are observed, we look at flows in pairs (forward and reverse), matched on their source and destination ports, protocol, and timing. The same cannot be done for unidirectional flows.
For bidirectional flows, if agents are installed with the data plane enabled on both ends, a forward flow receives an ALLOWED disposition if both the source and the destination agent report that the flow is observed. Otherwise, the forward flow gets a PENDING disposition. If an agent is installed on either the source or the destination workload, but not both, then the forward flow receives an ALLOWED disposition if and only if the agent observes the subsequent reverse flow within a 60-second window. Otherwise a PENDING status is assigned to the forward flow. The disposition of the reverse part of the bidirectional flow follows the same logic, except that the source and the destination are now reversed. For example, if only one side has an agent, whether a reverse flow's disposition is PENDING or ALLOWED depends on the observation and timing of its subsequent forward flow, by the same logic.
Note that we assume firewalls implement silent drop. If a reject message is sent on the same flow (for example, rejecting a TCP SYN with RST + ACK), a reverse flow will be detected, and the previous forward flow will be marked as ALLOWED. However if the reject message is sent on a different flow (for example, rejecting a TCP SYN with an ICMP message), the forward flow will remain as PENDING.
For a unidirectional flow, the flow is considered DROPPED if any agent reports it as DROPPED, as in the case of bidirectional flows. However, since there is no matching reverse flow, the flow has a PENDING disposition even when both agents observe it.
Violation Types
The flow dispositions are checked against the policies being analyzed to determine the final violation types.
A flow's violation type will be
- Permitted, if its disposition is ALLOWED or PENDING, and its deciding policy action is ALLOW,
- Escaped, if its disposition is ALLOWED, and its deciding policy action is DENY,
- Rejected, if its disposition is DROPPED or PENDING, and its deciding policy action is DENY.
A DROPPED status is assigned only to flows whose relevant agents explicitly report a DROPPED status. When no agent explicitly reports a drop, the flow receives PENDING status.
When disposition is PENDING:
- and policy action is DENY, then violation type is set to Rejected.
- and policy action is ALLOW, then violation type is set to Permitted.
For a bidirectional flow, if the policy violation types of the forward and reverse parts of the flow agree, only a single type is shown on the policy analysis or enforcement analysis page. Otherwise, forward and reverse are shown separately, such as PERMITTED:REJECTED.
Example scenarios:
- Packets are dropped at the source-side enforcement.
  - In this case, the source-side Secure Workload egress agent will report that the flow is DROPPED.
- Packets leave the source.
  - If there is only an agent on the source side, the flow will be reported as ALLOWED by the egress agent if a reverse packet is also observed by the agent within 60 seconds.
  - If there is a visibility-only agent on both the source and the destination side, the flow will be given a DROPPED disposition status if and only if the ingress agent reports that the flow is DROPPED. Otherwise, the flow will be reported as ALLOWED.
- Flow packets are received at the destination, but no reverse traffic.
  - If there is no destination-side agent, the flow will receive a PENDING status. Otherwise, it will be assigned ALLOWED status.
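The disposition rules and the disposition-to-violation-type mapping described above, written out as an added worked example (not Secure Workload's own code). The FlowReport summary, the field names, and the assumption that the same deciding policy action applies to both directions of a bidirectional flow are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REVERSE_WINDOW_SECONDS = 60  # the single-agent case needs the reverse flow within this window


@dataclass
class FlowReport:
    """Constructed summary of what agents reported for one direction of a flow."""
    src_agent: bool                   # data-plane agent installed on the source workload
    dst_agent: bool                   # data-plane agent installed on the destination workload
    dropped: bool = False             # some agent on the path reported the flow as DROPPED
    src_observed: bool = False        # the source agent observed this direction
    dst_observed: bool = False        # the destination agent observed this direction
    reverse_after: Optional[float] = None  # seconds until the lone agent saw the reverse flow
    bidirectional: bool = True        # False for a unidirectional flow (nothing to pair with)


def disposition(r: FlowReport) -> str:
    """Return ALLOWED, DROPPED or PENDING for one direction, following the rules above."""
    if r.dropped:                                    # an explicit DROP wins for every flow type
        return "DROPPED"
    if not r.bidirectional:                          # no matching reverse flow: never ALLOWED
        return "PENDING"
    if r.src_agent and r.dst_agent:                  # agents on both ends must both see it
        return "ALLOWED" if (r.src_observed and r.dst_observed) else "PENDING"
    if r.src_agent or r.dst_agent:                   # one agent: reverse flow must arrive in time
        if r.reverse_after is not None and r.reverse_after <= REVERSE_WINDOW_SECONDS:
            return "ALLOWED"
    return "PENDING"                                 # no evidence of delivery (assumed for no agents too)


# Disposition x deciding policy action -> violation type, exactly the pairs the text lists.
VIOLATION = {
    ("ALLOWED", "ALLOW"): "Permitted", ("PENDING", "ALLOW"): "Permitted",
    ("ALLOWED", "DENY"): "Escaped",
    ("DROPPED", "DENY"): "Rejected", ("PENDING", "DENY"): "Rejected",
}


def violation_type(disp: str, action: str) -> str:
    return VIOLATION[(disp, action)]  # KeyError for a pairing the text does not define


def shown_type(forward: FlowReport, reverse: FlowReport, action: str) -> str:
    """One label when forward and reverse agree, otherwise FORWARD:REVERSE as on the analysis page."""
    fwd = violation_type(disposition(forward), action)
    rev = violation_type(disposition(reverse), action)
    return fwd if fwd == rev else f"{fwd.upper()}:{rev.upper()}"
```

Running the example scenarios through it reproduces the text: a source-side DROP report is Rejected under DENY, a lone source agent that sees the reverse flow at 5 seconds yields ALLOWED (Escaped under DENY) but PENDING at 90 seconds, and a unidirectional flow stays PENDING even when both agents observe it.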