Cisco Secure Workload User Guide SaaS, Release 3.10

Get Started with Cisco Secure Workload
- Introduction to Security Cloud Control
- Manage Secure Workload in Security Cloud Control
- Supported Web Browsers
- Quick Start Wizard
- Get Started with Segmentation and Microsegmentation
  - General Process for Implementing Microsegmentation
  - Set Up Microsegmentation for Workloads Running on Bare Metal or Virtual Machines
  - Set Up Microsegmentation for Cloud-Based Workloads
  - Set Up Microsegmentation for Kubernetes-Based Workloads
Deploy Software Agents on Workloads
- Deploy Software Agents
  - Supported Platforms and Requirements
  - Install Linux Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites to Install Linux Agents
    - Supported Methods to Install Linux Agents
      - Install Linux Agent using the Agent Image Installer Method
      - Install Linux Agent Using the Agent Script Installer Method
      - Agent Support for NVIDIA Bluefield Networking Platform
    - Verify Linux Agent Installation
  - Install Windows Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing Windows Agent
    - Supported Methods to Install Windows Agents
      - Install Windows Agent using the Agent Script Installer Method
      - Install Windows Agent using the Agent Image Installer Method
    - Verify Windows Agent Installation
    - Verify Windows Agent in the Configured Service User Context
    - Modify Service Account
    - Deploying Agents on a VDI Instance or VM Template (Windows)
      - Install the agent on a golden image in a VDI environment or VM template
      - Create a new VDI instance VM
    - Windows Agent Installer and Npcap—For Windows 2008 R2
    - Windows Agent Flow Captures: For All Windows OS Excluding Windows Server 2008 R2
  - Install AIX Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing AIX Agents
    - Install AIX Agent using the Agent Script Installer Method
    - Verify AIX Agent Installation
  - Install Kubernetes or OpenShift Agents for Deep Visibility and Enforcement
    - Kubernetes or OpenShift Overview
    - Requirements and Prerequisites
    - Install Kubernetes or OpenShift Agent using the Agent Script Installer Method
    - Deep Visibility and Enforcement with Istio Service Mesh
  - Install Solaris Agents for Deep Visibility and Enforcement
    - Requirements and Prerequisites for Installing Solaris Agents
    - Install Solaris Agent using the Agent Script Installer Method
    - Verify Solaris Agent Installation
  - (Manual Installations Only) Update the User Configuration File
  - Other Agent-Like Tools
  - Connectivity Information
- Security Exclusions
- Service Management of Agents
  - Service Management for RHEL, CentOS, OracleLinux-6.x, and Ubuntu-14
  - Service Management for RHEL, CentOS, OracleLinux-7.x and Later
  - Service Management for Windows Server or Windows VDI
  - Service Management for AIX
  - Service Management for Kubernetes Agent Installations
  - Service Management for Solaris
- Enforce Policies with Agents
  - Agent Enforcement on the Linux Platform
    - Linux iptables or ip6tables
    - Caveats
  - Agent Enforcement on the Windows Platform in WAF mode
    - Windows Firewall with Advanced Security
    - Secure Workload Rules and the Windows Firewall
    - Security Profiles
    - Effective Setting and Mixed-List Policies
    - Stateful Enforcement
    - Caveats
  - Agent Enforcement on the Windows Platform in WFP Mode
    - Windows Filtering Platform
    - Advantages of WFP over WAF
    - Agent Support for WFP
    - Agent WFP support and Windows Firewall
    - Effective Setting and Mixed-List Policies
    - Stateful Enforcement
    - Visibility of Configured WFP Filters
    - Disable Stealth Mode Filters in WFP Mode
    - Delete Configured WFP Filters
    - Known Limitations in WFP Mode
  - Configure Policies for Windows Attributes
  - Recommended Windows OS-Based Policy Configuration
    - Known limitations
    - Caveats
    - Verify and Troubleshoot Policies with Windows OS-Based Filtering Attributes
      - Policies Based on Application Name
      - Policies Based on Service Name
      - Policies Based on User Group or User Name
  - Enforcement of Kubernetes Pods on Windows Nodes
  - Agent Enforcement on AIX Platform
    - IPFilter
    - Caveats
    - Known Limitations
  - Agent Enforcement on Solaris 11.4 Platform
  - Agent Enforcement on the Solaris 10 Platform
  - Check Agent Status and Statistics
  - View Agent Details
- Configure Software Agents
  - Requirements and Prerequisites for Configuring Software Agents
    - User Roles and Access to Agent Configuration
  - Configure Software Agents
    - Create an Agent Configuration Profile
    - Creating an Agent Config Intent
- View Detailed Agent Status in the Workload Profile
- Rehoming of Agents
  - Enable Rehoming
  - Select Agents to Rehome
  - Disable Rehoming
- Generate Agent Token
- Disable Enforcement on Workload
- Host IP Address Change When Enforcement is Enabled
- Upgrade Software Agents
  - Upgrade Agents from UI
  - Upgrade Behaviour of Kubernetes/Openshift Agent
- Remove Software Agents
  - Remove Deep Visibility or Enforcement Linux Agent
  - Remove a Deep Visibility or Enforcement Windows Agent
  - Remove a Deep Visibility or Enforcement AIX Agent
  - Remove Universal Linux Agent
  - Remove Universal Windows Agent
  - Remove an Enforcement Kubernetes or OpenShift Agent
  - Remove a Deep Visibility Solaris Agent
- Data collected and exported by workload agents
  - Registration
  - Agent upgrade
  - Config server
    - Network Flow Information
    - Machine information
    - Agent statistics
- Enforcement Alerts
  - Enforcement UI Alerts Details
  - Enforcement Alert Details
    - Example of alert_details for an enforcement alert
- Sensor Alerts
  - Sensor UI Alerts Details
  - Sensor Alert Details
    - Example of alert_details for a sensor alert
- Frequently Asked Questions
  - General
  - Agent deployment
    - Linux
    - Windows
    - Kubernetes
  - Anomaly Types
    - Agent Inactivity
    - Upgrade Failure
    - Convert Failed
    - Convert Capability
    - Policy Out of Sync
    - Flow Export: Pcap Open
    - Flow Export: HTTPS Connectivity
  - Certificate Issues
    - Windows
  - Certificate Issues for NPCAP installer
  - Windows Host Rename
  - Check If Platform Is Currently Supported
    - Windows
    - Linux
    - AIX
  - Windows Installer Issues
  - Required Windows Services
  - Npcap Issues
    - Npcap will not upgrade (manually or via agent)
    - Npcap will not install
    - Verify if Npcap is fully installed
    - Network Connectivity issues during NPCAP installation or upgrade
    - NIC teaming compatibility issues with NPCAP
    - VDI instance VM does not report network flows
    - Network Performance with NPCAP
    - OS Performance and/or stability Issues
  - GPO Configurations
  - Agent To Cluster Communications
    - Types of connections
    - Checking the connection state
  - SSL Troubleshooting
    - Agent Communications Overview
    - Configuring IP traffic for Agent Communications
    - Troubleshooting SSL/TLS Connections
  - Agent operations
  - Agent Troubleshooting Tool
External Orchestrators in Secure Workload
- Navigate to the External Orchestrators Page
- List of External Orchestrators
- Create External Orchestrator
- Edit External Orchestrator
- Delete External Orchestrator
- Orchestrator generated labels
- Amazon Web Services
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Instance-specific labels
  - Troubleshooting
- Kubernetes/OpenShift
  - Requirements and Prerequisites
  - Configuration Fields
  - Orchestrator Golden Rules
  - Workflow
  - Kubernetes Role-Based Access Control (RBAC) Resource Considerations
  - Orchestrator-generated labels
  - Troubleshooting
- VMware vCenter
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Instance-specific labels
  - Caveats
  - Troubleshooting
- DNS
  - Prerequisites
  - Configuration fields
  - Workflow
  - Generated labels
  - Caveats
  - Troubleshooting
  - Behavior of Full/Delta polling for DNS Orchestrators
  - Unsupported Features
- Infoblox
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Caveats
  - Troubleshooting
- F5 BIG-IP
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Policy enforcement for F5 BIG-IP
  - Policy Enforcement for F5 Ingress Controller
  - Caveats
  - Troubleshooting
- Citrix Netscaler
  - Prerequisites
  - Configuration fields
  - Workflow
  - Orchestrator generated labels
  - Generated labels
  - Policy enforcement for Citrix Netscaler
  - Caveats
  - Troubleshooting
- TAXII
  - Prerequisites
  - Configuration fields
  - Workflow
  - Generated labels
  - Caveats
  - Troubleshooting
  - Behavior of Full polling for TAXII Orchestrators
Configure and Manage Connectors for Secure Workload
- What are Connectors
  - Connectors for Flow Ingestion
    - NetFlow Connector
      - What is NetFlow
      - Flow Ingestion to Secure Workload
      - Rate Limiting
      - Supported Information Elements
      - How to configure NetFlow on the Switch
      - How to Configure the Connector
      - Limits
    - F5 Connector
      - What is F5 BIG-IP IPFIX
      - Flow Ingestion to Secure Workload
      - How to configure IPFIX on F5 BIG-IP
      - How to Configure the Connector
      - Limits
    - NetScaler Connector
      - What is Citrix NetScaler AppFlow
      - Flow Ingestion to Secure Workload
      - How to configure AppFlow on NetScaler
      - How to Configure the Connector
      - Limits
    - Cisco Secure Firewall Connector
      - Flow Ingestion to Secure Workload
      - Handling NSEL Events
      - How to Configure NSEL on Secure Firewall ASA
      - How to Configure the Connector
      - Limits
    - Meraki Connector
      - What is NetFlow
      - Flow Ingestion to Secure Workload
      - Handling NetFlow Records
      - How to configure NetFlow on Meraki Firewall
      - How to Configure the Connector
      - Limits
    - ERSPAN Connector
      - What is ERSPAN
      - What are the SPAN Agents
      - What is the Ingest Appliance for ERSPAN
      - How to configure the source ERSPAN session
      - Supported ERSPAN formats
      - Performance considerations when configuring ERSPAN source
      - Security considerations
      - Troubleshooting
      - Limits
  - Connectors for Endpoints
    - AnyConnect Connector
      - What is AnyConnect NVM
      - How to configure AnyConnect NVM
      - Processing NVM records
      - Duplicate UDIDs in Windows Endpoints
      - Periodic Tasks
      - How to Configure the Connector
      - Limits
    - ISE Connector
      - How to Configure the Connector
      - ISE Instance Configuration
      - Processing ISE records
      - Periodic Tasks
      - Limits
  - Connectors for Inventory Enrichment
    - ServiceNow Connector
    - How to Configure the ServiceNow Connector
    - ServiceNow Instance Configuration
    - Processing ServiceNow records
    - Sync Interval Configuration
    - Explore Command to Delete the Labels
    - Finding VRF ID for a Tenant
    - Getting to Explore Command UI
    - Running the Commands
    - Frequently Asked Questions
    - Limitations of ServiceNow Connectors
  - Connector Alerts
    - Alert Configuration
    - Alert Type
      - Appliance/Connector down
      - Appliance/Connector system usage
      - Connector Configuration Error
    - Connector UI Alert Details
    - Alert Details
    - Example of Alert Details
  - Virtual Appliances for Connectors
    - Types of Virtual Appliances
      - Secure Workload Ingest
      - Secure Workload Edge
    - Deploying a Virtual Appliance
    - Decommissioning a Virtual Appliance
    - Monitoring a Virtual Appliance
    - Security Considerations
  - Configuration Management on Connectors and Virtual Appliances
    - Test and Apply
      - NTP Configuration
      - Log Configuration
      - Endpoint Configuration
      - Slack Notifier Configuration
      - PagerDuty Notifier Configuration
      - Kinesis Notifier Configuration
      - Email Notifier Configuration
      - Syslog Notifier Configuration
      - Syslog Severity Mapping Configuration
      - ISE Instance Configuration
    - Discovery
      - LDAP Configuration
    - Remove
- Connectors for Alert Notifications
  - Syslog Connector
    - Syslog Severity Mapping
    - Limits
  - Email Connector
    - Limits
  - Slack Connector
    - Limits
  - PagerDuty Connector
    - Limits
  - Kinesis Connector
    - Limits
- Webex and Discord Alert Connectors
  - Webex Connector
  - Configure Webex Connector
  - Limitations of Webex Connector
  - Discord Connector
  - Configure Discord Connector
  - Limitations of Discord Connectors
- Cloud Connectors
  - AWS Connector
    - Requirements and Prerequisites for AWS
    - (Optional) Configure cross AWS account access in AWS
    - Authentication Using Roles
    - AWS Connector Configuration Overview
    - Create a New AWS Connector
    - Edit a New AWS Connector
    - Deleting Connectors and Data
    - Best Practices When Enforcing Segmentation Policy for AWS Inventory
    - View AWS Inventory Labels, Details, and Enforcement Status
    - Troubleshoot AWS Connector Issues
    - Managed Kubernetes Services Running on AWS (EKS)
      - Requirements and Prerequisites for EKS
      - EKS Roles and Access Privileges
      - EKS specific RBAC considerations
      - Configure EKS Settings in the AWS Connector Wizard
      - Support for EKS Load Balancer
  - Azure Connector
    - Requirements and Prerequisites for Azure
    - Azure Connector Configuration Overview
    - Create an Azure Connector
    - Create a New Azure Connector
    - Edit an Azure Connector
    - Deleting Connectors and Data
    - Best Practices When Enforcing Segmentation Policy for Azure Inventory
    - View Azure Inventory Labels, Details, and Enforcement Status
    - Troubleshoot Azure Connector Issues
    - Managed Kubernetes Services Running on Azure (AKS)
      - Requirements and Prerequisites for AKS
      - Support for AKS Load Balancer
  - GCP Connector
    - Requirements and Prerequisites for GCP Connector
    - Configure Multiple Projects Access in GCP
    - GCP Connector Configuration Overview
    - Create a New GCP Connector
    - Create a GCP Connector
    - Edit a GCP Connector
    - Deleting Connectors and Data GCP
    - Best Practices When Enforcing Segmentation Policy for GCP Inventory
    - GKE Inventory Labels, Details, and Enforcement Status
    - Troubleshoot GCP Connector Issues
    - Managed Kubernetes Services Running on GCP (GKE)
      - Requirements and Prerequisites
- Secure Connector
  - Technical Details
  - Requirements for Secure Connector Client
  - Secure Connector Client Deployment
    - Proxy Support
    - Deployment Overview
    - Deploy the Secure Connector Client
      - Download Latest Secure Connector Client RPM
      - Generate Registration Token
      - Copy the Token and Start the Client
    - [Optional] Deploy Specific Version of Secure Connector Client
  - Secure Connector Client Status
  - Verify Secure Connector Client State
  - Secure Connector Alerts
  - Upgrade Secure Connector Client
  - Uninstall Secure Connector Client
  - Secure Connector Client Maintenance
    - Distribution of Secure Connector client software
    - Installation and Upgrade of Secure Connector Client software
    - Release Schedule of Secure Connector client software
    - Network Attack Surface of Secure Connector Client daemons
    - High Availability Best Practices for Secure Connector client
- Identity Connectors
- OpenLDAP Connector
  - Configure Identity Connector with OpenLDAP
  - Inventory
  - Event Log
  - Advanced Settings
- Active Directory
  - Configure Active Directory with Identity Connector
  - Active Directory Inventory
  - Event Log
  - Advanced Settings
- Microsoft Entra ID Connector
  - Configure Microsoft Entra ID
  - Microsoft Entra ID Inventory
  - Microsoft Entra ID Event Log
  - Advanced Settings
- Life Cycle Management of Connectors
  - Enable a Connector
  - Viewing Connector-Related Information
  - Deleting a Connector
  - Monitoring a Connector
- Troubleshooting
  - Allowed set of commands
    - Show Logs
    - Show Service Logs
    - Show Running Configuration
    - Show Service Running Configuration
    - Show System Commands
    - Show Docker Commands
    - Show Docker Instance Commands
    - Show Supervisor Commands
    - Show Supervisor Service Commands
    - Network Connectivity Commands
    - List Files
    - List Service Files
    - Packet Capture
    - Update Listening Ports of Connectors
    - Update Alert Notifier Connector Log Configuration
    - Collect Snapshot From Appliance
    - Collect Snapshot From Connector
    - Collect Controller Profile
    - Collect Connector Profile
    - Override connector alert interval for Appliance
    - Override connector alert interval for Connector
  - Hawkeye Dashboards
    - Appliance Controller Dashboard
    - Service Dashboard
    - AnyConnect Service Dashboard
    - Appliance and Service DIO Dashboard
  - General Troubleshooting Guidelines
    - Log Files
      - Debug Mode
- Cisco Secure Firewall Management Center
Manage Inventory for Secure Workload
- Workload Labels
  - Importance of Labels
  - Subnet-based Label Inheritance
  - Label Prefixes
    - Labels Generated by Cloud Connectors
    - Labels Related to Kubernetes Clusters
  - Importing Custom Labels
    - Guidelines for Uploading Label Files
    - Label Key Schema
    - Upload Custom Labels
    - Search Labels
    - Manually Assign or Edit Custom Labels
    - Download Labels
    - Change Labels
  - Disable Labels
  - Review Label Change Impact
  - Delete Labels
  - Bulk Delete Labels
  - View Labels Usage
  - Create a Process for Maintaining Labels
- Scopes and Inventory
  - Scopes
    - Scope Filter
    - Full Scope Queries
    - Providing Access to Scopes
    - Viewing Scope
    - Searching for flows referencing a scope
    - Creating a New Scope
    - Scope Overlap
    - Editing Scopes
      - Editing a scope query
      - Editing the parent of a scope
    - Delete a Scope
    - Reset the Scope Tree
    - Commit Changes
    - Change Log
    - Creating a New Tenant
  - Inventory
    - Searching Inventory
    - Suggest Child Scopes
    - Steps to perform scope suggestion
- Filters
  - Create an Inventory Filter
  - Bulk Delete Inventory Filters
  - Review Filter Change Impact
  - Create a Domain Filter
  - Restrict to Ownership Scope
- Review Scope/Filter Change Impact
  - Scope Query Change Impact Modal
    - Membership Changes
    - Dependencies
  - Filter Query Change Impact Modal
    - Membership Changes
    - Dependencies
- Inventory Profile
- Workload Profile
  - Labels and Scopes Tab
  - Agent Health Tab
  - Process List Tab
  - Process Snapshot Tab
  - Interfaces Tab
  - Software Packages Tab
  - Vulnerabilities Tab
  - Agent Configuration Tab
  - Agent Statistics Tab
  - Concrete Policies Tab
  - Container Policies Tab
  - Network Anomalies Tab
  - File Hashes Tab
- Software Packages
  - Packages Tab
  - Common Vulnerabilities and Exposures
  - Windows Packages and CVEs
  - Inventory Filters
- Vulnerability Data Visibility
  - Workload Profile Page
    - Packages Tab
    - Process List Tab
    - Process Snapshot Tab
    - Vulnerabilities Tab
  - Inventory Filters
    - CVE ID Based Filter
    - Common Vulnerability Scoring System Impact Score Based Filter
    - CVSS V2 Attributes Based Filters
    - CVSS V3 Attributes Based Filters
    - Cisco Security Risk Score-Based Filter
    - Cisco Security Risk Score Attributes-Based Filters
    - Malicious Inventory-Based Filter
- Service Profile
- Pod Profile
- Container Vulnerability Scanning
Manage Policy Lifecycle in Secure Workload
- Segmentation Policy Basics
- Use Workspaces to Manage Policies
  - Working with Policies: Navigating to the Workspaces Page
  - Create a Workspace
  - Primary and Secondary Workspaces
  - Rename a Workspace
  - View Workloads in a Scope
  - Deleting Workspaces
- About Policies
  - Policy Attributes
  - Policy Rank: Absolute, Default, and Catch-All
  - Policy Inheritance and the Scope Tree
  - About Consumer and Provider in Policies
  - Policy Example
- Create and Discover Policies
  - Best Practices for Creating Policies
  - Manually Create Policies
    - If the Add Policy Button Is Not Available
  - Policies for Specific Purposes
    - Create InfoSec Policies to Block Traffic from Outside Your Network
    - Create Policies to Address Immediate Threats
    - Create a Policy to Quarantine Vulnerable Workloads
  - Policy Templates
    - System-Defined Policy Templates
    - Create Custom Policy Templates
      - JSON Schema for Policy Templates
      - Template Sample
      - Template Import
    - Applying a Template
  - Discover Policies Automatically
    - Policy Discovery Details
    - How to Automatically Discover Policies
    - Discover Policies for One Scope or for a Branch of the Scope Tree
      - Discovering Policies for a Branch of the Scope Tree: Additional Information
    - Verify the Workloads That Policy Discovery Will Apply To
    - Automatically Discover Policies
    - Stop Automatic Policy Discovery in Progress
    - Advanced Features of Automatic Policy Discovery
      - External Dependencies
        
        Tips for Exploring External Dependencies
        
        Fine-Tune External Dependencies for a Workspace
      - Policy Discovery Flow Filters
        
        Configure, Edit, or Delete Inclusion Flow Filters
        
        Enable or Disable Inclusion Flow Filters
        
        Configure, Edit, or Delete Exclusion Filters
        
        Enable or Disable Exclusion Filters
      - Advanced Configurations for Automatic Policy Discovery
        
        Include Data From Load Balancers and Routers When Discovering Policies
        
        Cluster Granularity
        
        Port Generalization
        
        Policy Compression
        
        Hierarchical policy compression
        
        Clustering Algorithm (Input to Clustering)
        
        Auto accept outgoing policy connectors
        
        Auto Approve Generated Policies
        
        Ignore Flows Matching Exclusion Filters
        
        Enable service discovery on agent
        
        Carry over Approved Policies
        
        Skip clustering and only generate policies
        
        Enable redundant policy removal
      - Default Policy Discovery Config
        
        Default Exclusion Filters
      - Retrieving LoadBalancer Configurations for Advanced Policy Discovery Configuration
        
        Citrix Netscaler
        
        F5 BIG-IP
        
        HAProxy
        
        Normalized JSON
    - Approve Policies
      - Approved Policies
      - Troubleshoot Approved Policies
    - Iteratively Revise Policies
      - Re-running Automatic Policy Discovery
      - Important: Before You Re-run Automatic Policy Discovery
    - View, Compare, and Manage Discovered Policy Versions
    - Policy Discovery Kubernetes Support
  - Import/Export
    - Export a Workspace
    - Import
  - Platform-Specific Policies
    - Windows
      - Recommended Windows OS-Based Policy Configuration
      - Configure Policies for Windows Attributes
        
        Known limitations
        
        Caveats
        
        Verify and Troubleshoot Policies with Windows OS-Based Filtering Attributes
        
        Policies Based on Application Name
        
        Policies Based on Service Name
        
        Policies Based on User Group or User Name
    - Kubernetes and OpenShift
      - (Optional) Additional Policies for Kubernetes Workloads
        
        Policies for Kubernetes Nginx Ingress Controller Running in Host-network Mode
        
        Policies for Kubernetes Nginx/Haproxy Ingress controller running as Deployment/Daemonset
- Grouping Workloads: Clusters and Inventory Filters
  - Clusters
    - Cluster Confidence
    - View Clusters
    - Making Changes to Clusters
    - Convert a Cluster to an Inventory Filter
    - Creating or Deleting Clusters
    - Comparing Versions of Generated Clusters: Diff Views
    - Preventing Cluster Modification During Automatic Policy Discovery Reruns
    - Approving Clusters
- Address Policy Complexities
  - Policy Priorities
    - Policy Global Ordering and Conflict Resolution
    - Validate the Order and Priority of Policies
    - (Advanced) Change Policy Priorities
  - When Consumer and Provider Are in Different Scopes: Policy Options
    - (Advanced) Create Cross-Scope Policies
      - Policy Requests
        
        Viewing, Accepting, and Rejecting Policy Requests
        
        Automate Handling of Cross-Scope Policy Requests
        
        Auto-pilot Rules
        
        Auto Accept Policy Connectors
        
        Resolved Policy Requests
      - Provided Services
    - Troubleshoot Cross-Scope Policies
  - Effective Consumer or Effective Provider
- About Deleting Policies
- Review and Analyze Policies
  - Review Automatically Discovered Policies
    - Address Low-Confidence Policies
    - Troubleshoot Automatic Policy Discovery Results
  - Policy Visual Representation
  - Quick Analysis
  - Live Policy Analysis
    - Start Live Policy Analysis
    - Stop Live Policy Analysis
    - Policy Analysis Results: Understand the Basics
    - Example: Impact of Policies Analyzed in Other Scopes
      - Analysis without Policies
    - Policy Analysis Details
    - Suggested Steps for Investigating Flows
    - Run Policy Experiments to Test Current Policies Against Past Traffic
    - After Changing Policies, Analyze Latest Policies
    - Policy Label Flags
    - View, Compare, and Manage Analyzed Policy Versions
    - Activity Logs of Policy Analysis
- Enforce Policies
  - Check Agent Health and Readiness to Enforce
  - Enable Policy Enforcement
  - Policy Enforcement Wizard
  - Enforcement on Containers
  - Verify Enforcement Works as Expected
    - View Enforced Policies for a Specific Workload (Concrete Policies)
    - Verify That Enforcement Is Enabled for Agents
    - Verify That Enforced Policies Are Being Pushed to Agents
    - If There Are Too Many Policies for the Agent
- Modify Enforced Policies
  - Enforce New and Revised Policies
  - View, Compare, and Manage Enforced Policy Versions
  - Revert Enforced Policies to an Earlier Version
  - Disable Policy Enforcement
  - Enforcement History
- About Policy Versions (v* and p*)
  - Comparison of Policy Versions: Policy Diff
  - Activity Logs and Version History
  - Automatic Deletion of Old Policy Versions
- Conversations
  - Conversations Table View
    - Choosing Consumer or Provider
    - Conversation Filters
  - Explore Observations
    - Conversation Observation Hovered
    - Filtering
  - Top Consumers/Providers of Conversations
- Automated Load Balancer Config for Automatic Policy Discovery (F5 Only)
  - Terminology
  - Deployment
  - Clusters
  - Policies
  - Caveats
- Policies Publisher
  - Prerequisites
  - Getting Kafka Client Certificates
  - Protobuf Definition File
  - Data Model of Secure Workload Network Policy
  - Reference Implementation of Secure Workload Network Policies Client
Configure and Monitor Forensic Events
- Compatibility
- Forensics Signals
  - Privilege Escalation
  - User Log on
  - User Log on Failed
  - Shellcode
  - File Access
  - User Account
  - Unseen Command
  - Unseen Library
  - Raw Socket Creation
  - Binary Changed
  - Library Changed
  - Side Channel
  - Follow User Logon
  - Follow Process
- Forensic Configuration
  - Forensic Rules
    - Adding a Forensic Rule
    - Basic Forensic Rule Composition
    - Default Secure Workload Rules
    - Default MITRE ATT&CK Rules
    - Bulk Delete Forensic Rules
  - Forensic profiles
    - Add a Profile
    - Edit a Profile
    - Clone a Profile
    - Default Profile - Secure Workload Profile
    - Default Profile - MITRE ATT&CK Profile
    - Bulk Delete Forensic Profiles
- Forensic visualization
  - Accessing Forensic Page
  - Browsing Forensic Events
  - Inspecting a Forensic Event
- Fields Displayed in Forensic Events
  - Common Fields
  - Process Info
  - Privilege Escalation
  - User Logon
  - User Logon Failed
  - Shellcode
  - File Access
  - User Account
  - Unseen Command
  - Unseen Library
  - Raw Socket Creation
  - Library Changed
  - Side Channel
  - Follow User Logon
  - Follow Process
  - Network Anomaly
- Forensic Analysis - Searchable Fields
  - Miscellaneous Fields
- Search Terms in Forensic Analysis
  - Common Fields
  - Binary Changed
  - File Access
  - Follow Process
  - Follow User Logon
  - Ldap
  - Library Changed
  - Privilege Escalation
  - Process Info
  - Raw Socket
  - Shellcode
  - Side Channel
  - Unseen Command
  - Unseen Library
  - User Account
  - User Logon
  - User Logon Failed
- Forensics alerts
  - Accessing Forensic Alerts
  - Checking Alert Details
  - External Integration
- Forensics Score
  - Where to See Forensic Score
  - How the Forensic Score is Calculated
  - How to Improve Forensic Score
  - Caveats
- PCR-Based Network Anomaly Detection
  - Forensic Rules for Network Anomaly Events
    - Rule Attributes
    - Rule Actions
  - Where to See Network Anomaly Events
  - Rule Severities and Network Anomaly Scores
  - PCR Data and Network Anomaly Events Retention
  - Network Anomaly Latency
  - Caveats
- Process Hash Anomaly Detection
  - How to Enable Process Hash Feature
  - Where to See Process Hash Score
  - How the Process Hash Score is Calculated
  - How to Improve Process Hash Score
  - Threat Info Details
  - Caveats
Network Flows-Traffic Visibility
- Network Traffic Flows
- Corpus Selector
- Columns and Filters
- Filtered Time series
- Top N Charts
- Observations List
  - Flow Details
- Explore Observations
- Client-Server Classification
  - Sensor Type Recommendation
  - Identifying Producers (aka Servers) and Consumers (aka Clients) for a flow
- Conversation Mode
- Visibility in Proxied Flows
- Visibility of Well-Known Malicious IPv4 Addresses
Configure Alerts
- Alert Types and Publishers
- Create Alerts
- Alert Configuration Modal
  - Summary Alerts
  - Snooze and Mute Alerts
  - Summarization Versus Snoozing
  - Secure Workload Alerts Notifier (TAN)
  - Configure Notifiers
  - Choose Alert Publishers
  - External Syslog Tunneling Moves to TAN
  - Connection Chart
  - View Alerts Trigger Rules
    - Alerts Trigger Rules Details
- Generate Test Alerts
- Current Alerts
- Alert Details
  - Common Alert Structure
  - General Alert Format by Notifier
    - Kafka (DataTaps)
    - Email
    - PagerDuty
    - Syslog
    - Slack
    - Kinesis
Monitor Configurations in Secure Workload
- Agent Monitoring
- Agent Monitoring Type
- Agent Status and Statistics
- Enforcement Status
- Enforcement Status for Cloud Connectors
- Pause Policy Updates
View Security Dashboard
- View the Security Dashboard
- Security Score
- Security Score Categories
- High-Level View
- Scope Level Score Details
  - Overall Score
  - Daily Time Series
  - Score Breakdown
- Score Details
  - Vulnerability Security Score
  - Process Hash Score
  - Attack Surface Score
  - Forensics Score
  - Network Anomaly Score
  - Segmentation Compliance Score
View Vulnerability Dashboard
- Vulnerability Dashboard
- CVEs Tab
- Packages Tab
- Workloads Tab
- Pods Tab
View Reporting Dashboard
- Reporting Dashboard
  - Schedule Email Reports
- Summary Reports
  - Summary Reports of Segmentation, Workload, Traffic Flow and Security
  - Operation Summary for Workload, Telemetry and Segmentation
  - Summary Reports for Security Compliance
Setup System Configurations in Secure Workload
- Create Users and Assign Roles
  - Add a User
  - Add a User when SMTP is Disabled
  - Edit User Details or Roles
  - Deactivating a User Account
  - Reactivating a User Account
  - Change Log – Users
- Roles
  - Abilities and Capabilities
  - Menu Access by Role
  - Create a Role
  - Edit a Role
- Change Log
- Collection Rules
  - Rules
  - Priority
- Session Configuration
- Idle Session
- Preferences
  - Change Your Landing Page Preference
  - Change a Password
  - Recover Password
- Scopes
Secure Workload OpenAPIs
- OpenAPI Authentication
  - Generate API Key and Secret
- Workspaces and Security Policies
  - Workspaces
    - Workspace Object
    - List Applications
    - Retrieve a Single Workspace
    - Create a Workspace
    - Import a New Version
    - Validate a Set of Policies
    - Delete a Workspace
    - Update a Workspace
    - Retrieve Workspace Details
    - List Workspace Versions
    - Delete Workspace Version
    - Compare Workspace versions
    - Analyze latest policies
    - Disable policy analysis on a single workspace
    - Enforce a single workspace
    - Disable enforcement for a single workspace
    - Initiate Automatic Policy Discovery
    - Get Status of a Policy Discovery Run
  - Policies
    - Policy object
    - Get Policies
    - Get Specific Policy
    - Search for a Specific Policy With Policy Identifier
    - Create a Policy
    - Update a Policy
    - Adding Service Ports to a Policy
    - Updating Service Ports of a Policy
    - Deleting Service Ports of a Policy
    - Deleting a Policy
    - Deleting a Policy with Identifier
    - Policy Quick Analysis
    - Policy Statistics
    - Unused Policies
  - Policy Templates
    - Get Policy Templates
    - Get Specific Policy Template
    - Create a Policy Template
    - Update a Policy Template
    - Deleting a Policy Template
    - Download a Policy Template
  - Clusters
    - Cluster object
    - Get Clusters
    - Get Specific Cluster
    - Create a Cluster
    - Update a Cluster
    - Deleting a Cluster
  - Conversations
    - Search Conversations in a Policy Discovery Run
    - Top N Conversations in a Policy Discovery Run
    - Supported Dimensions
    - Supported metrics
  - Exclusion Filters
    - Exclusion Filter object
    - Get Exclusion Filters
    - Get Specific Exclusion Filter
    - Create an Exclusion Filter
    - Update an Exclusion Filter
    - Deleting an Exclusion Filter
  - Default Exclusion Filters
    - Default Exclusion Filter object
    - Get Default Exclusion Filters
    - Get Specific Default Exclusion Filter
    - Create a Default Exclusion Filter
    - Update a Default Exclusion Filter
    - Deleting a Default Exclusion Filter
  - Live Analysis
    - Flow dimensions available in Live Analysis
    - Flow metrics available in Live Analysis
    - Download flows available through Live Analysis
- Scopes
  - Scope object
  - Get scopes
  - Create a scope
  - Get specific scope
  - Update a scope
  - Delete a specific scope
  - Get scopes in policy priority order
  - Update the policy order
  - Commit scope query changes
  - Submit a group suggestion request
  - Get group suggestion status
- Configure Alerts
  - Alert Object
  - Get Alerts
  - Create an Alert
  - Get Specific Alert
  - Update an Alert
  - Delete Specific Alert
- Roles
  - Role object
  - Get roles
  - Create a role
  - Get specific role
  - Update a role
  - Give a role access to scope
  - Delete specific role
- Users
  - User object
  - Get users
  - Create a new user account
  - Get specific user
  - Update a user
  - Enable/reactivate a deactivated user
  - Add role to the user account
  - Remove role from the user account
  - Delete specific user
- Inventory filters
  - Inventory Filter Object
  - Get inventory filters
  - Create an inventory filter
  - Validate an inventory filter query
  - Get specific inventory filter
  - Update specific inventory filter
  - Delete a specific inventory filter
- Flow Search
  - Query for Flow Dimensions
  - Query for Flow Metrics
  - Query for Flows
    - Filters
    - Primitive Filter Types
    - Logical Filter Types
  - TopN Query for Flows
  - Flow Count
- Inventory
  - Query for inventory dimensions
  - Inventory search
  - Inventory Statistics
  - Inventory count
  - Inventory vulnerability
  - Retrieve Malicious IP Addresses
- Workload
  - Workload details
  - Workload Statistics
  - Installed Software Packages
  - Workload Vulnerabilities
  - Aggregated Workload Vulnerability Summary
  - Workload Long Running Processes
  - Workload Process Snapshot Summary
  - Workload Process Snapshot
  - JSON Object Definitions
- Default Policy Generation Config
  - Policy Generation Config object
  - Get the Default Policy Generation Config
  - Set the Default Policy Generation Config
- Forensics Intent
  - Forensic intent object
  - Listing a forensic intents
  - Retrieving a Single Forensic Intent
  - Creating a Forensic Intent
  - Update a Forensic Intent
  - Delete a Forensic Intent
- Forensics Intent Orders
  - Forensic Intent Order Object
  - Retrieve the Current Forensic Intent Order
  - Creating a Forensic Intent Order
- Forensics Profiles
  - Forensic Profile Object
  - Listing Forensic Profiles
  - Retrieving a Single Forensic Profile
  - Creating a Forensic Profile
  - Update a Forensic Profile
  - Delete a Forensic Profile
- Forensics Rules
  - Forensic Rule Object
  - Listing a Forensic Rules
  - Retrieving a Single Forensic Rule
  - Creating a Forensic Rule
  - Update a Forensic Rule
  - Delete a Forensic Rule
- Enforcement
  - Agent Network Policy Config
  - Concrete Policy Statistics
  - JSON Object Definitions
- Client Server configuration
  - Host Config
  - Port Config
- Software Agents
  - Agent APIs
  - Software agent configuration using Intents
  - Interface Config Intents
  - VRF configuration for agents behind NAT
- Secure Workload software download
  - API to get supported platforms
  - API to get supported software version
  - API to create installer ID
  - API to download Secure Workload software
- Secure Workload Agents Upgrade
  - API to upgrade an agent to specific version
- User Uploaded Filehashes
  - User Filehash Upload
  - User Filehash Delete
  - User Filehash Download
- User-Defined Labels
  - Scope-Dependent APIs
  - Scope-Independent APIs
  - Scope-Independent Labels
- Virtual Routing and Forwarding
  - VRF Object
  - Get VRFs
  - Create a VRF
  - Get Specific VRF
  - Update a VRF
  - Delete Specific VRF
- Orchestrators
  - Orchestrator Object
  - Ingress Controller
  - Pod Selector
  - Controller Config
  - Infoblox Config
  - Get Orchestrators
  - Create Orchestrators
  - Get Specific Orchestrator
  - Update an Orchestrator
  - Delete Specific Orchestrator
- Orchestrator Golden Rules
  - Orchestrator Golden Rules Object
  - Get Orchestrator Golden Rules
  - Create or Update Golden Rules
- FMC Orchestrator Domains
  - Orchestrator FMC Domains Object
  - Get FMC Domains
  - Update FMC Domain Configuration for FMC External Orchestrator
- RBAC (Role-Based Access Control) Considerations
- High Availability and Failover Considerations
- Kubernetes RBAC Resource Considerations
- Service Health
  - Get Service Health
- Secure Connector
  - Get Status
  - Get Token
  - Rotate Certificates
- Kubernetes Vulnerability Scanning
  - Get Kubernetes Registries used for Pod Vulnerability Scanning
  - Add Credentials to Kubernetes Registry
  - Get Kubernetes Pod Scanners
  - Edit Scanner Filter Query and Action
- Policy Enforcement Status for External Orchestrators
  - Get Policy Enforcement Status for All External Orchestrators
  - Get Policy Enforcement Status for an External Orchestrator
- Download Certificates for Managed Data Taps and Datasinks
  - Get List of Managed Data Taps for a Given VRF ID.
  - Download Managed Data Tap Certificates for a Given MDT ID
  - Get List of DataSinks for a Given VRF ID
  - Download DataSink Certificates for a Given DataSink ID
- Change Logs
  - Change Log Object
  - Search
- Non-Routable Endpoints
  - Non-Routable Endpoint Object
  - GET Non-Routable Endpoints
  - Create a Non-Routable Endpoint
  - GET Specific Non-Routable Endpoints with Name
  - GET Specific Non-Routable Endpoints with ID
  - Update Specific Non-Routable Endpoint Name
  - Delete Specific Non-Routable Endpoint with Name
  - Delete Specific Non-Routable Endpoint with ID
- Config and Command Schemas for External Appliances and Connectors
  - Config Groups APIs
    - API to Get the Schema of Config
    - API to Get the Schema of Troubleshooting Commands
  - External Appliances
    - External Appliances APIs
      - API to Get List of Appliances
      - API to Create an Appliance
      - API to Delete an Appliance
      - API to Get an Appliance by ID
      - API to Rename an Appliance
      - API to Get the Configs on Config Type
      - API to Add a New Config to External Appliance
      - API to Delete a Config
      - API to Get the Config
      - API to Get Appliance Schema
      - API to List Troubleshooting Commands Available for an Appliance
      - API to List Troubleshooting Commands
      - API to Create a Troubleshooting Command
      - API to Delete a Troubleshooting Command
      - API to Return a Troubleshooting Command
      - API to Download the Output of the Appliance Command as a File
  - Connectors
    - Connectors APIs
      - API to Get All Types of Connectors
      - API to Delete a Connector
      - API to Get a Connector by ID
      - API to Rename a Connector
      - API to Get the Connector Info with Details
      - API to Get Connectors
      - API to Create a Connector
      - API to Get the Configs on Connector Config Type
      - API to Add a New Config to Connector
      - API to Delete a Config
      - API to Get the Config
      - API to List Troubleshooting Commands Available for Connector
      - API to List Troubleshooting Commands
      - API to Create a Troubleshooting Command
      - API to Delete a Troubleshooting Command
      - API to Return a Troubleshooting Command
      - API to Download the Output of the Connector Command as a File
Configuration Limits in Secure Workload
- Cloud Connectors
- Connectors
- Label Limits
- Limits Related to Policies
- Additional Features
- Data-In or Data-Out

Software Secure Workload

Activity Configure

Deploy Software Agents on Workloads Configure Software Agents Configure Software Agents Create an Agent Configuration Profile

Last updated: Jun 09, 2025

Create an Agent Configuration Profile

Before you begin

See Requirements and Prerequisites for Configuring Software Agents.

Procedure

In the navigation pane, choose Manage > Workloads > Agents.

Click the Configure tab.

Click the Create Profile button.

Enter a name for the profile and choose the scope where the profile is available.

Enter the appropriate values in the fields listed in the following table.

Table 1. Creating Software Agent Configuration Profile Field Descriptions

Field

Description

Enforcement

Enforcement

Enable - Enable policy enforcement on the agent. After you enable enforcement, the agent enforces the most recently received policy set. Disable (Default) - The agent does not enforce a policy.

If you enable, disable and re-enable policy enforcement on the agent, it clears the firewall state and sets the catch-all default action to ALLOW.

Windows Enforcement Mode

On Windows workloads, agents can enforce network policies using:

WFP - Windows Filtering Platform (by directly programming WFP filters in the Windows Filter Engine).

See Agent Enforcement on the Windows Platform in WFP Mode.
WAF (Default) - Windows Advanced Firewall.

See Agent Enforcement on the Windows Platform in WAF Mode.

Preserve Rules

Enable - Preserves existing firewall rules on the agent.

Disable (Default) - Clears existing firewall rules before applying enforcement policy rules from Secure Workload.

Behaviour of the Preserve Rules attribute is platform-specific. You can view the details of the attributes in the Preserve Rules section in each platform.

Allow Broadcast

Enable (Default) - Adds rules to the firewall to allow ingress and egress broadcast traffic on workload.

Disable - Does not add any rules. The broadcast traffic drops if the default policy on the agent is DENY.

Allow Multicast

Enable (Default) - Adds rules to the firewall to allow ingress and egress multicast traffic on workload.

Disable - Does not add any rules. The Multicast traffic drops if the default policy on the agent is DENY.

Allow Link Local Addresses

Enable (Default) - Adds rules to the firewall to allow link local addresses traffic on workload.

Disable - Does not add any rules. The Multicast traffic drops if the default policy on the agent is DENY.

CPU Quota Mode

Adjusted (Default) - The CPU limit adjusts according to the number of CPUs on the system. For example, if there are 10 CPUs, set the CPU limit to 3%, the agents use only a total of 30% (measured by top).

Top - The CPU limit value matches the top view on average. For example, if you set the CPU limit to 3% and there are 10 CPUs in the system, the CPU usage is 3%. It is a fairly restrictive mode, use it only when necessary.

Disable - Disable the CPU limit feature. The agent uses CPU resources that used in the operating system.

For more information, see Secure Workload Data Sheet.

CPU Quota Limit (%)

Specify the actual limit in percentage of the system processing power.

Memory Quota Limit (MB)

Specify the memory limit (in MB) for processes. If the process hits this limit, it restarts.

Flow Visibility

Flow Analysis Fidelity

Conversations (Default) - Enable conversation mode on all agents.

Detailed - Enable detailed mode on all agents.

Deep Packet Inspection

Enable (Default) - Enable the agent to obtain information about TLS, SSH, proxy connections, and domain names from the payload of a few specific network packets.

Disable - Disable the agent from collecting the above information.

Data Plane

Enable (Default) - Enable the agent to send reports to the cluster.

Disable - Disable the agent’s reports.

Auto-Upgrade

Enable (Default) - Automatically upgrade the agent when a new package is available.

Disable - Do not automatically upgrade the agent.

PID/User Lookup

Enable - Process ID (PID) and User Lookup in agents.

Set the Flow Analysis Fidelity option to detailed mode for PID and User Lookup. When you enable this feature, the agent associates network flows with running processes and users in the workload. During the process, note that some flows that might not be associated with any process even after you enable the configuration.

Disable (Default) - Do not enable process ID and User Lookup in agents.

User Lookup is not supported on Windows Server 2008 R2.

Service Protection

Enable - When enabled, the agent ensures it prevents server admin users from disabling the windows agent service, restarting the Windows agent service or uninstalling the Windows agent. However, after disabling Service Protection, you can continue to stop or restart agent services, and uninstall the agent.

To temporarily disable the Service Protection from the hosts, see Generate Agent Token section.

Enabling Service Protection does not affect Secure Workload Admin initiated actions including:

Manual upgrade of an agent (triggered from the UI on the Agent > Upgrade page) will still work even if Service Protection is enabled.
Auto upgrade of an agent (triggered from the agent config profile) will still work even if Service Protection is enabled.
Secure Workload Admins can still delete agents from the UI even if Service Protection is enabled. This operation does not delete the agents from the hosts themselves.

However, installer scripts initiated actions such as agent upgrade/uninstall/reinstall will be blocked since those are triggered by server admin users.

Disable(Default)-The Service Protection is disabled by default on the agent.

This feature is available only for Windows agent.

CPU Quota Mode

Adjusted (Default) - Adjust the CPU limit according to the number of CPUs on the system. For example, if there are 10 CPUs in the system, set the CPU limit to 3%.

Choose this mode to allow the agent to use a total of 30% (measured by top).

Top- The CPU limit value matches the top view on average. For example, set the CPU limit to 3% for the 10 CPUs in the system, the CPU usage is only 3%. It is a fairly restrictive mode and uses it only when necessary.

Disable - Disable the CPU limit feature. The agent uses CPU resources that are used in the operating system.

CPU Quota Limit (%)

Specify the actual limit in percentage of the system processing power that the agent can use.

Memory Quota Limit (MB)

Specify the memory limit in MB that the process allows to use. If the process hits this limit, the process restarts.

Cleanup period (days)

Enable - Enable automated cleanup on the agent. Enter the number of days after which remove the inactive agent.

Disable (Default) - Do not enable automated cleanup on the agent.

Flows Disk Quota (MB)

Enter the maximum size limit (in MB) for storing the flow data.

If the Flows Disk Quota field is:

0: The agents do not store offline flows locally.
Blank: Enable the Flows Time Window field. After you enter the duration in the Flows Time Window, the Flows Disk Quota field automatically sets the value to16 GB.

You can either choose the Flows Disk Quota or the Flows Time Window option for flow log buffering in case of connectivity break between the agent and the cluster.

For example, if you have set the Flows Time Window as one hour and the agent is unable to communicate with the cluster, the agent stores flow data for the last hour. Any flow data locally stored on the workload beyond the last hour is overridden by newer logs.

Specify in MB the total size limit of stored flow data.

Flows Time Window (Hours)

Specify in hours how long the agent must capture and store flows locally.

Choose either Flows Disk Quota or Flows Time Window; it's either size-based or time-based rotation. On choosing Flows Time Window, set the Flows Disk Quota to 16 GB. Setting Flows Disk Quota to 0 disables this feature.

The flow data is rotated when it reaches either size limit or time limit.

This field is displayed only when there is no value that is entered in the Flows Disk Quota field.

Enter the duration, in hours, for the agents to capture the flows and store them locally.

After the connectivity to the agents is restored, the agents send the live flow data.
While sending the live flow data, the agents also initiates to upload the buffered telemetry data. The telemetry data is sent in small packets at regular intervals.
Depending on the size of the buffered telemetry data and transmission transfer speed, it takes multiple intervals to send all the buffered data.
The agents progressively deletes the locally stored flow data.

Remove the outdated flow data that is stored locally after it reaches the configured size or time limit.

Flow Rules

Flow rules optimizes network telemetry by reducing the volume of data reported to the cluster. It address issues like running out of flow traffic retention space or dealing with unnecessary policy generation due to certain types of traffic.

By default, this option is hidden if no flow rules are present.

Enter the following field details for the flow rules.

IP Family: Select either IPv4 or IPv6.
Source CIDR: Enter the destination address in CIDR notation.
Source Ports: Enter comma-separated source port number or 'any'.
Destination CIDR: Enter the destination address in CIDR notation.
Destination Ports: Enter comma-separated source port number or 'any'.
Protocol: Select a protocol from TCP, UDP, or ICMP.
Action
- Ignore: The agent does not process any flows matching these rules and does not report them to the cluster.
- Aggregate: The agent makes matching traffic flows conversational.
Manage: Click the add button to create more flow rules.

Package Visibility, Process Visibility and Forensics

Package Visibility

Enable ̶ Enable collecting and reporting of the installed software packages found on the workload. This is required for discovering and presenting the vulnerabilities (CVEs) attached to this workload.

Disable (Default) - Disable Package Visibility on the agent.

Process Visibility

Enable ̶ Enable the tracking of long running processes. This is required for discovering and presenting the list of Long Lived Processes on the workload with their CPU and memory consumption trend and process file hash. Additionally, to construct the Process Snapshot graph and to allow linking the process with the package and therefore presenting if a process is associated to a CVEs on the Process Snapshot graph.

Disable (Default) ̶ Disable Process Visibility.

Forensics

Enable ̶ Enables forensics on the agent. Agent will listen to and acquire a rich set of real-time events from the operating system. This is necessary for detecting if any event of a programmed forensic rule has been detected. This also allows the agent to detect and report short-lived processes. This in turn leads to a richer and more comprehensive Process Snapshot graph, and to be able to populate the process command line in more captured network flows.

Meltdown Exploit Detection

Enable ̶ Enable Forensics and Meltdown exploit detection on the agent. For more information, see Side Channel in the Compatibility.

Disable (Default) ̶ Disable Meltdown exploit detection on the agent.

CPU Quota Mode

Adjusted (Default) ̶ Adjust the CPU limit according to the number of CPUs on the system. For example, set the CPU limit to 3% with 10 CPUs in the system. Choose this mode to use a total of 30% (measured by top).

Top ̶ The CPU limit value matches the top view on average. For example, set the CPU limit to 3% with 10 CPUs in the system, the CPU usage remains at 3%. Use this restrictive mode only if necessary.

Disable ̶ Disable the CPU limit feature, the agent uses CPU resources permissible by the operating system.

CPU Quota Limit (%)

Specify the actual limit, in percentage, of the system processing power the agent can use.

Memory Quota Limit (MB)

Specify the memory limit (in MB). If the storage limit goes beyond the specified limit, the process restarts.

Click Save

What to do next

Associate the created profile with an agent configuration intent. For more information, see Create an Agent Configuration Intent.

Previous topic Configure Software Agents Next topic Creating an Agent Config Intent