Software Secure Workload
Activity Configure

Configure, Edit, or Delete Exclusion Filters

Use this procedure to create a list of exclusion filters for a single workspace, or a list of default exclusion filters that are available to all workspaces.

Procedure

1. Do one of the following:

To configure exclusion filters for a specific workspace:

Navigate to the workspace, then do one of the following:

  • Click Manage Policies, then click the More button near the top right of the page and select Exclusion Filters.

  • From the automatic policy discovery configuration page, click the Exclusion filters link in the Advanced Configurations section.

  • Delete a discovered policy; you will see an option to create an exclusion filter.

To configure default exclusion filters that are available to any workspace:

  1. Choose Defend > Segmentation.

  2. Click the caret at the right side of the page to expand the Tools menu, then choose Default Policy Discovery Config.

  3. Scroll to the bottom of the page.

  4. Click Default Exclusion Filters.

2. To create an exclusion filter, click Add Exclusion Filter.

3. Specify parameters for the flows to exclude from consideration during policy discovery:

You do not need to enter values for all of the fields. Any empty field is treated as a wildcard for matching flows.

Any conversation that matches all the fields of any exclusion filter is ignored for the purposes of policy creation and clustering.

  • Consumer: Matches conversations where the consumer address is a member of the selected scope, inventory filter, or (for workspace-specific exclusion filters only) cluster. You can specify any arbitrary address space by creating a new custom filter.

  • Provider: Matches conversations where the provider address is a member of the selected scope, inventory filter, or (for workspace-specific exclusion filters only) cluster. You can specify any arbitrary address space by creating a new custom filter.

  • Protocol: Matches conversations with the specified protocol.

  • Port: Matches conversations with provider (server) port matching the specified port or port range. Enter port ranges using a dash separator, for example, “100-200”.

4. To edit or delete an exclusion filter, hover over the applicable row to see the Edit and Delete buttons.

5. If you are configuring default exclusion filters:

When the configured filters are ready to use, return to the Default Policy Discovery Config page, and click Save to make the changes available to individual workspaces.
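The matching rules from step 3, as an added example that is not the product's code or part of the original page: an empty field is a wildcard, a filter matches only when all of its fields match, and a flow is excluded when any filter matches. Consumer and provider are modelled as CIDR blocks standing in for scopes or inventory filters; the class, function and field names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ExclusionFilter:
    # None models an empty field, which is treated as a wildcard.
    consumer: Optional[str] = None   # CIDR standing in for a scope/inventory filter (assumption)
    provider: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[str] = None       # "443" or a dash-separated range such as "100-200"

def _in_net(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def _port_ok(port, spec):
    # A single port "53" is handled as the range 53-53; empty means any port.
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(f, flow):
    """True only when every non-empty field of the filter matches the flow."""
    return (_in_net(flow["consumer"], f.consumer)
            and _in_net(flow["provider"], f.provider)
            and (f.protocol is None or f.protocol.upper() == flow["protocol"].upper())
            and _port_ok(flow["provider_port"], f.port))

def split_flows(flows, filters):
    """Return (kept, excluded); a flow is excluded if ANY filter matches it."""
    kept, excluded = [], []
    for flow in flows:
        (excluded if any(matches(f, flow) for f in filters) else kept).append(flow)
    return kept, excluded

# Constructed sample data (documentation address ranges), not from a real deployment.
FILTERS = [
    ExclusionFilter(consumer="192.0.2.0/24", protocol="TCP", port="100-200"),
    ExclusionFilter(provider="198.51.100.53/32", protocol="UDP", port="53"),
]
FLOWS = [
    {"consumer": "192.0.2.10", "provider": "203.0.113.5", "protocol": "TCP", "provider_port": 150},
    {"consumer": "192.0.2.10", "provider": "203.0.113.5", "protocol": "TCP", "provider_port": 443},
    {"consumer": "203.0.113.9", "provider": "198.51.100.53", "protocol": "UDP", "provider_port": 53},
    {"consumer": "203.0.113.9", "provider": "203.0.113.5", "protocol": "TCP", "provider_port": 150},
]

if __name__ == "__main__":
    print("excluded:", split_flows(FLOWS, FILTERS)[1])
```

A filter saved with every field empty matches every conversation, so under these rules it would remove all flows from policy discovery; review filters for unintended wildcards before relying on the discovered policies.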

What to do next


 

Exclusion filters are enabled by default in the workspace in which they are configured.

Default exclusion filters are enabled by default in all workspaces.

Both types of exclusion filters are enabled by default in the Default Policy Discovery Config.

Before discovering policies:

  • Enable or disable exclusion filters and default exclusion filters.

    • In each workspace

    • On the Default Policy Discovery Config page

    For instructions, see Enable or Disable Exclusion Filters.

  • Commit any scope changes, or the filters may not match (and therefore exclude) the expected flows. See Commit Changes.