Software Secure Workload
Activity Configure

Check Agent Health and Readiness to Enforce

Agent health checks are done before or after enforcing policy. Permissions may be required to modify agent or connector capability; see the requirements and prerequisites in the relevant chapters.

You do not need to perform these checks for any workloads on which you do not intend to enforce policies.

Verify

More Information

Agents are installed on all workloads in the scope that are associated with the enforced workspace

Click Defend > Segmentation and navigate to the relevant scope and workspace. Click Matching Inventories, then click IP Addresses.

IP addresses on this tab generally do not have agents installed, and agents generally must be installed to enforce policy.

Exceptions: Enforcement occurs for the following types of inventory that appear on the IP Addresses tab:

  • Cloud-based inventory on which policy is enforced using a cloud connector. (Installing agents on individual workloads is optional.)

  • Kubernetes addresses appear in the IP Addresses list if agents are installed on individual workload pods; Kubernetes inventory with installed agents appears on the Pods tab.

The installed agent version is current and supported

For an overview of installed agent versions, click Manage > Agents, then click Distribution and look at the Agent Software Version Distribution chart.

For details, click Manage > Agents, then click Agents List.

Installed agents have enforcement capability

Click Manage > Agents, then click Convert to Enforcement Agent.

In the Filter box, enter Agent Type = Deep Visibility

Convert any agents that must enforce policy.

Enforcement is enabled for all agents

(This requirement is distinct from ensuring that agents have enforcement capability and from enabling enforcement in the workspace.)

Important! Depending on your deployment, this may need to be done before or after you enforce the workspace.

See the Verify Enforcement is Enabled for Agents section.

Enforcement is enabled for nonagent enforcement mechanisms

Important! Do not enable enforcement on cloud connectors without agents until AFTER you enforce policy on the workspace.

External orchestrators that support enforcement must also be enabled before they can enforce.

The Preserve Rules setting in the Agent Config Profile is appropriate for the workload platform

  • For Kubernetes/OpenShift, see the Enforcement on Containers section.

  • For other platforms, see the information for each platform in the Software Agents section.

Tip: Search this document for "Preserve Rules" to find useful information.

(After the workspace is enforced) All agents have received the applicable policies for the workload

See the Verify Enforced Policies are being pushed to Agents section.

Agents are healthy

In addition to the sources above, the following locations have information about agent health:

  • Click Manage > Agents, then click Monitor.

    Look at the information under Enforcement Agents. For details, see the Agent Monitoring section.

  • Click Manage > Agents, then click Distribution.

    Choose the agent type from the top of the page.

    For information about this page, see the Agent Status and Statistics.

  • Click Organize > Scopes and Inventory, filter to find a specific workload of interest, and click the IP address.

    The Workload Profile page opens in a separate browser window and includes an Agent Health panel.

    For details, see the Workload Profile section.