
Automatically Discover Policies

Use this procedure to generate suggested Allow policies based on existing traffic on your network.

You can rediscover policies at any time.

Before you begin

  • Gather enough flow data for automatic policy discovery to produce useful results.

    Typically, this means you have installed agents on the workloads in the scope, or have configured and gathered data using a cloud connector or external orchestrator.

    Flow summary data that is used by automatic policy discovery is computed every 6 hours. Thus, upon initial deployment of Secure Workload, automatic policy discovery is not possible until such data is available.

    More flow data generally produces more accurate results.

    Before you enforce a policy, gather enough data to include traffic that occurs only periodically (monthly, quarterly, annually, and so on). For example, if an application generates a quarterly report that gathers information from sources that the application does not access at other times, ensure that the flow data includes at least one instance of that report-generation process.

  • Complete the steps up to this point in How to Automatically Discover Policies.

  • Stay within the policy discovery-related limits described in Limits Related to Policies.

    If necessary, break larger scopes into smaller child scopes.

  • Commit any scope changes before discovering policies, or any configured exclusion filters may not match (exclude) flows as expected. See Commit Changes.

If you are rerunning policy discovery, see the important considerations first: Important: Before You Re-run Automatic Policy Discovery.

Procedure

1. Choose Defend > Segmentation.

2. In the scope tree or list of scopes in the pane on the left, scroll to or search for the scope for which you want to generate policies.

3. Click a workspace (primary or secondary) in the scope.

4. Click Manage Policies.

5. Click Automatically Discover Policies.

6. If you are offered the choice of discovering policies for a branch or for the entire scope, choose one.

   If no choice is offered, only one option applies to the scope for which you are discovering policies.

   For more information, see Discover Policies for One Scope or for a Branch of the Scope Tree.

7. Choose the time range for the flow data that you want to include.

   Experiment to find the right time range; you can generate policies as often as needed to get optimal results.

   A shorter time range generates results faster, but may generate fewer results.

   In general, a longer time range produces more accurate policies. However, if the scope definition has changed, do not include dates before the change was made.

   If applicable, your time range should include traffic that occurs only periodically (monthly, quarterly, annually, and so on). For example, if an application generates a quarterly report that gathers information from sources that it does not access at other times, be sure that the time range includes at least one instance of that report-generation process.

   To configure a time range beyond the last 30 days, select the custom range, and fill in the required start and end times under the drop-down time selection widget.
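The two rules in this step (start no earlier than the last scope change, and cover at least one occurrence of every periodic conversation) can be checked against your own flow data before you pick a range. The following script is an added example written for this page; it is not part of Secure Workload and does not read its exports. The flow record layout (`timestamp,src,dst,dport,proto`), the sample flows, the scope-change date and the function names `parse_flows`, `missed_conversations` and `evaluate_window` are all constructed for illustration. It reports, for a candidate window, which conversations seen elsewhere in the dataset would be absent from the discovery input, which is exactly the traffic an enforced Allow policy built from that window would block.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One observed flow. The record layout is constructed, not a Secure Workload export."""
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str

    def key(self) -> tuple[str, str, int, str]:
        """Identity of a conversation, at the granularity an Allow policy would express."""
        return (self.src, self.dst, self.dport, self.proto)


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse 'timestamp,src,dst,dport,proto' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def missed_conversations(flows: list[Flow], start: datetime, end: datetime) -> list[tuple]:
    """Conversations seen somewhere in the dataset but never inside [start, end].

    Each one is traffic that an Allow policy discovered from this window would not
    cover, so it would be blocked once that policy is enforced.
    """
    seen_overall = {f.key() for f in flows}
    seen_in_window = {f.key() for f in flows if start <= f.ts <= end}
    return sorted(seen_overall - seen_in_window)


def evaluate_window(flows: list[Flow], start: datetime, end: datetime,
                    scope_changed_at: datetime) -> dict:
    """Apply both rules from the procedure: do not start before the scope definition
    changed, and do not leave out periodic traffic."""
    missed = missed_conversations(flows, start, end)
    starts_too_early = start < scope_changed_at
    return {
        "starts_before_scope_change": starts_too_early,
        "missed": missed,
        "ok": not starts_too_early and not missed,
    }


def _daily(src: str, dst: str, dport: int, proto: str, first: date, last: date) -> list[str]:
    """Generate one constructed flow line per day, inclusive of both dates."""
    out, day = [], first
    while day <= last:
        out.append(f"{day.isoformat()}T03:00:00,{src},{dst},{dport},{proto}")
        day += timedelta(days=1)
    return out


# Constructed sample: six months of flows in an application scope.
# The web tier talks to the database every day, but pulls from an archive
# server only when the quarterly report runs (2 January and 2 April).
SAMPLE_LINES = (
    _daily("10.0.1.5", "10.0.2.9", 5432, "TCP", date(2024, 1, 1), date(2024, 6, 30))
    + [
        "2024-01-02T01:00:00,10.0.1.5,10.0.3.20,443,TCP",
        "2024-04-02T01:00:00,10.0.1.5,10.0.3.20,443,TCP",
    ]
)
SCOPE_CHANGED_AT = datetime(2024, 3, 15)          # constructed: scope definition last edited
WINDOW_END = datetime(2024, 6, 30, 23, 59, 59)
LAST_30_DAYS_START = WINDOW_END - timedelta(days=30)   # the default-style "last 30 days" range
FULL_HISTORY_START = datetime(2024, 1, 1)              # everything, including pre-change data


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LINES)
    candidates = {
        "last 30 days": LAST_30_DAYS_START,
        "since scope change": SCOPE_CHANGED_AT,
        "full history": FULL_HISTORY_START,
    }
    for label, start in candidates.items():
        print(f"{label:20s} {evaluate_window(flows, start, WINDOW_END, SCOPE_CHANGED_AT)}")
```

Run against the sample, the 30-day window is rejected because the quarterly archive pull never appears in it, the full-history window is rejected because it starts before the scope definition changed, and only the window starting at the scope change passes both checks. The same check works on any flow export you can reduce to the five-field layout above.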

8. (Optional) Specify advanced settings.

   Generally, we suggest that you leave the advanced settings unchanged for initial discovery runs, and then change them only as needed to address specific issues.

   For details, see Advanced Configurations for Automatic Policy Discovery.

9. Click Discover Policies. Generated policies appear on this page.

What to do next