Cisco Tetration Release Notes
Release 3.5.1.1

This release has been deprecated and is no longer available. For information, see

This document describes the features, caveats, and limitations for the Cisco Tetration software, release 3.5.1.1.

The Cisco Tetration platform is designed to provide comprehensive workload security by establishing a micro perimeter for every workload across your on-premises and multicloud environment, using firewalling and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses an advanced analytics and algorithmic approach to offer these capabilities. The platform provides a ready-to-use solution supporting the following capabilities:

- Automatically generated microsegmentation policies resulting from comprehensive analysis of application communication patterns and dependencies
- Dynamic label-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control
- Consistent policy enforcement at scale through distributed control of native operating system firewalls and infrastructure elements like ADCs (application delivery controllers) and physical or virtual firewalls
- Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise
- Workload behavior baselining and proactive anomaly detection
- Common vulnerability detection with dynamic mitigation and threat-based workload isolation

To support the analysis and various use cases within the Cisco Tetration platform, consistent telemetry is required from across the environment. Rich Cisco Tetration telemetry is collected using software agents and other methods to support both existing and new installations in data center infrastructures.

This release supports the following agent types:

- Software agents installed on virtual machine and bare-metal servers
- Daemonsets running on container host operating systems
- ERSPAN agents that can generate Cisco Tetration telemetry from copied packets
- Telemetry ingestion from ADCs (Application Delivery Controllers): F5 and Citrix
- NetFlow agents that can generate Cisco Tetration telemetry based on NetFlow v9 or IPFIX records

In addition, this release supports ingesting endpoint device posture, context, and telemetry through integrations with:

- Cisco AnyConnect installed on endpoint devices such as laptops, desktops, and smartphones
- Cisco ISE (Identity Services Engine)

Software agents also act as the policy enforcement point for application segmentation. Using this approach, the Cisco Tetration platform enables consistent microsegmentation across public, private, and on-premises deployments. Agents enforce the policy using native operating system capabilities, thereby eliminating the need for the agent to be in the data path and providing a fail-safe option.

Additional product documentation is listed in the "Related Documentation" section.

These Release Notes are sometimes updated with new information about restrictions and caveats. See the following website for the most recent version of this document:

The following table shows the online change history for this document.

Table 1 Online History Change

Date               Description
February 26, 2021  Release 3.5.1.1 became available.
March 4, 2021      Removed erroneous "Beta" mention for AIX support.
March 21, 2021     Added open caveats and known behavior issues related to licensing and to enabling of Windows Advanced Firewall. Corrected Windows Server 2008 versions supported for software agent.
April 8, 2021      This release has been deprecated and is no longer available.

Contents

This document includes the following sections:

- New and Changed Information
- Caveats
- Compatibility Information
- Usage Guidelines
- Verified Scalability Limits
- Related Documentation

New and Changed Information

This section lists the new and changed features in this release and includes the following topics:

- New Software Features
- Enhancements
- Changes in Behavior

New Software Features

- Integration with Cisco Firepower Management Center (FMC): with this integration, customers can realize the benefits of defense-in-depth security and consistent segmentation of application workloads across their environment. Cisco FMC can be added as a security policy enforcement point through the external orchestrator page by providing the right API connection information and credentials.
  Note: Standalone FTDs are not supported with this feature.
- Support for microsegmentation of container workloads deployed in an Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) cluster. The AWS EKS option can be selected while adding Kubernetes as an external orchestrator. The administrator must provide the AWS IAM credentials and user role binding details.
- Microsegmentation support for container workloads deployed through Red Hat OpenShift 4.x is now available. OpenShift 4.x uses CRI-O as the default container runtime for Kubernetes. CRI-O is supported, and no additional changes in the existing enforcement workflow are required for running in such environments. Worker node operating systems can be either RHEL or CentOS versions that are officially supported by OpenShift 4.x.
  - This release supports up to Red Hat OpenShift version 4.6.
  - This release does not support Red Hat CoreOS as a worker node operating system.
- For on-premises deployments only: support for third-party threat intelligence information through the industry-standard STIX/TAXII protocol. Add the TAXII source type, TAXII vendor, TAXII poll URL, collections, and poll days information. In the Security Dashboard and the workload profile File Hashes tab, hash verdict details from the STIX source are shown.
- A policy designer canvas has been added in addition to the existing tabular view option. This designer canvas replaces the "App view" option in the ADM workspace. The App view option is still available for workspaces that have application views created and saved before the upgrade to this release.
- A new enforcement option using Windows Filtering Platform (WFP) for Windows server workloads. Administrators can enable this option through the agent config page. The config option "Windows Enforcement Mode", available under the Enforcement category, lets the user select "WFP" (enable Windows Filtering Platform for enforcement on Windows agents) or "WAF" (enable Windows Advanced Firewall for enforcement on Windows agents). "WAF" mode is selected by default.
- A new flow telemetry collection option when using software agents is added in this release. The config option "Flow Analysis Fidelity" under the Flow Visibility category lets the user select either "Conversations" (summarized flow telemetry mode on all agents) or "Detailed" (full flow telemetry mode on all agents). "Detailed" is selected by default.
- Software agent support added for Amazon Linux 2 to support all workload protection capabilities.
- The AIX deep visibility and enforcement agent is now generally available for all customers in this release:
  - OS versions: 7.1, 7.2 (PPC)
  - In order to use enforcement, ipfilter package version 5.3.0.7 must be installed and operating on the workload.
  - No other active AIX or third-party firewall should be enabled. Do not use native AIX firewall commands (genfilt, chfilt, rmfilt, mkfilt, expfilt, impfilt).
- The following new capabilities are available when installing a software agent:
  - Option to change the default install directory and specify a custom install directory. Not available for Ubuntu and AIX.
  - Option to change the default logfile directory and specify a custom logfile directory location.
  - Use an existing unprivileged user instead of the install script creating a new user. For Linux, the installer script will test this user for sudo capability. For Windows, the MSI installer provides the option to specify an existing service user. This could be an AD managed service account.
- User Session Configuration: User Idle Session Timeout is the interval after which a session times out when there is no user activity. This duration can be configured per on-premises appliance under Company > User Session Configuration, and per tenant (TaaS) under Organization > User Session Configuration.
- Cisco Tetration SaaS supports identity federation for authentication of tenant users through their organization's authentication system using SAML 2.0.
- For Ubuntu, software agents now use a native .deb package. This is only supported with the installation script and will install at a new fixed location, /opt/cisco/tetration. Using the classic packaged installation is not recommended, since it requires rpm support. Using it requires running rpm installing as root, not using sudo.
- The Tetration UI Connector workflow is now enabled for ERSPAN appliances. It allows and guides the administrator in generating the appliance's ISO configuration disk. ERSPAN virtual appliance ISO configuration file generation is integrated with the ingest appliance connector workflow in the Tetration UI. It provides the configuration wizard and workflow for the administrator to generate this file.

Enhancements

- Enhancements to vulnerability information provided in the Tetration platform:
  - Reduce CVE false positives for Ubuntu OS and the Windows .NET package
  - Report vulnerabilities for Windows operating systems
  - Provide exploit information for known CVEs
  - OpenAPI support to fetch CVE information
- Enforcement status filtered by scope: the enforcement status page now supports filtering status data by root or child scope. This allows tenant owners to filter the status data by any sub-scope that is part of their tenant root scope.
- Workspace-level details for enforcement status: details of the enforcement status for the workspace's current scope are available as a tab through the application workspace page.
- Enforcement impact analysis: the four-step policy enforcement wizard allows users to view and select policy changes to enforce (or roll back), inspect workloads with enforcement agents that could be impacted by policy changes, confirm that desired policies from ancestor workspaces are enforced, and review the summary before enabling or updating policy enforcement.
- Pausing enforcement policy update globally: pausing policy update will prevent firewall rule updates in all enforcement points. This control is on the enforcement status page. This feature is reserved for site admin and customer support.
  Note: This is a global configuration regardless of which scope the current user is in.
- OpenAPI API key warnings: when authentication and authorization with LDAP is enabled, the Tetration UI now includes a warning on the individual user's API Key page and the user details page in the user wizard. This warning indicates that when LDAP authorization is enabled, the preferred approach is to have a user on "Local Authentication" to ensure uninterrupted access to OpenAPI endpoints.
- For physical Tetration hardware clusters, the CIMC externalization process has been simplified. Once CIMC externalization is enabled, access to the CIMC WebUI can be obtained by expanding a specific bare-metal node in the cluster status page and clicking on the CIMC IP address. In addition, the CIMC externalization feature now allows the externalization to be renewed.
- For physical clusters, the cluster switch interfaces are now monitored. If any critical interfaces are found not to be in an up state, the Service Status page will show the ClusterSwitches service as unhealthy. In addition, if the service remains unhealthy for 80% of an hour, a platform alert will be raised.

Changes in Behavior

These are changes in behavior for this release:

- Software Agents List: table data downloaded as CSV now has updated columns that are more readable, as opposed to a set of keys returned from the software agent model.
- UI enhancements to the Agent Config page to reflect feature support per Tetration sub-agent binary. Renamed "Visibility" to "Flow Visibility" and "Forensics" to "Process Visibility and Forensics".
- Renamed "Tags" and "Annotations" to "Labels" for all features in Tetration.
- Removed all Visit History related features: tabs, components, routes, and functionality.
- Ubuntu-based virtual machines in Tetration-V ESXi clusters have had their root disk sizes increased from 8 gigabytes to 12 gigabytes.

Caveats

This section contains lists of open and resolved caveats, as well as known behaviors:

- Open Caveats
- Resolved Caveats
- Known Behaviors

Open Caveats

The following table lists the open caveats in this release.
Click a bug ID to access Cisco's Bug Search Tool to see additional information about that bug.

Table 2 Open Caveats

Bug ID       Description
CSCvx47947   Kubernetes daemonset agent uninstall requires the jq utility.
CSCvx48421   (Static Enforcement) Pausing enforcement policy update is not supported in the federation setup in the current release.
CSCvx29180   Kubernetes traffic from the host network to cluster IP services escapes Tetration policies.
CSCvx74451   Apply existing (pre-3.5) license if licensing info is not correctly displayed upon upgrade to 3.5.
CSCvx74789   Enforcement agent upgrade enables Windows Advanced Firewall.

Resolved Caveats

The following table lists the resolved caveats in this release. Click a bug ID to access Cisco's Bug Search Tool to see additional information about that bug.

Table 3 Resolved Caveats

Bug ID       Description
CSCvw71876   User guide not consistent with scope and tenant related UI behavior.
CSCvw91543   Upgrade bash to fix Add note to user guide that user IDs must be lower case.
CSCvx00402   Node and disk decommission fail when a predictive drive failure error is present.
CSCvo1989    /local/tetration/log/tet-ldap-loader log requires timestamps in AnyConnect VM.
CSCvx13733   Attack Surface table is confusing to users expecting to see only open and unused ports that contribute to a lower score.
CSCvu92078   Flow output for policy analysis distinguishes between inbound and outbound policies. Allows the user to determine if the catch-all policy was applied on the consumer or provider side.
CSCvw90465   User guide documentation for Dashboard Metrics.

Known Behaviors

- Upgrading or installing a 3.5.1.1 Windows enforcement agent will turn on Windows Advanced Firewall on the server irrespective of the sensor profile configuration. This does not happen if Windows Advanced Firewall is disabled through a GPO profile or if the agent is a deep visibility agent. There is also no impact to existing Windows workloads if enforcement is turned on and policies are being enforced.
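  A pre-upgrade check for this behavior, added here as an example and not taken from Cisco's release notes: it lists, per firewall profile, the locally persisted setting, the Group Policy result (RSOP store) and the effective state, so you can confirm that a GPO actually disables the profile before letting the 3.5.1.1 enforcement agent upgrade run. It assumes Windows Server 2012 or later with the NetSecurity cmdlets and an elevated session.

```powershell
# Added example, not from Cisco's release notes: pre-upgrade check for the
# "enforcement agent upgrade enables Windows Advanced Firewall" behavior.
# For each firewall profile it reports the locally persisted setting, the
# Group Policy result (RSOP store) and the effective state, so you can see
# whether a GPO already disables the profile before the agent is upgraded.
# Assumes Windows Server 2012 or later (NetSecurity module) and an elevated
# session; the RSOP query needs administrative rights.

function Get-FirewallProfileGovernance {
    [CmdletBinding()]
    param()

    $persistent = Get-NetFirewallProfile -PolicyStore PersistentStore
    $rsop       = Get-NetFirewallProfile -PolicyStore RSOP
    $active     = Get-NetFirewallProfile -PolicyStore ActiveStore

    foreach ($fwProfile in $active) {
        $localSetting = ($persistent | Where-Object Name -eq $fwProfile.Name).Enabled
        $gpoSetting   = ($rsop       | Where-Object Name -eq $fwProfile.Name).Enabled

        # The release notes state that a GPO setting takes precedence over the
        # agent setting. 'NotConfigured' in the RSOP store means no GPO sets
        # this profile, so the locally written value (which the agent may
        # change) is what takes effect.
        $governedByGpo = ($gpoSetting -ne 'NotConfigured')

        [pscustomobject]@{
            Profile        = $fwProfile.Name
            LocalSetting   = $localSetting
            GpoSetting     = $gpoSetting
            EffectiveState = $fwProfile.Enabled
            GovernedByGpo  = $governedByGpo
            # True only when Group Policy itself forces the profile off,
            # which is the "Option 2" workaround described in the notes.
            DisabledByGpo  = $governedByGpo -and ($gpoSetting -eq 'False')
        }
    }
}

# Report every profile, then flag the ones an agent upgrade could switch on.
$report = Get-FirewallProfileGovernance
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.GovernedByGpo } | ForEach-Object {
    Write-Warning "Profile '$($_.Profile)' is not governed by Group Policy; an agent upgrade can enable it."
}
```

  Run it on a representative server from each GPO scope before enabling Auto Upgrade; a profile reported with GovernedByGpo = False is one the agent upgrade can turn on.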
  To overcome this behavior:
  - Option 1: For upgrade scenarios, disable Auto Upgrade in Agent Config before upgrading to Tetration 3.5.1.1. Leave enforcement agents on the existing version until a fix is ready.
  - Option 2: Create a GPO (domain or local) to explicitly disable all firewall profiles before upgrading to Tetration 3.5.1.1. The GPO setting takes precedence over the agent setting.
- For on-premises customers upgrading from 3.4.1.x: the license file is not automatically recognized by the platform after upgrade to 3.5.1.1. To resolve this issue, upload the previously issued license key file again. There is no need to request a new license key file, and there is no impact to any existing functionality.
- The External Orchestrator TAXII type supports TAXII feeds with STIX 1.x and ingests only IP and hash indicators. The Tetration platform ingests up to 100K of the most recent IP indicators per TAXII feed, and up to 500K of the most recent hash indicators for all TAXII feeds.
- Cisco FMC integration deploys Tetration policies to an FMC prefilter policy with the allow action "FASTPATH", which prevents further packet inspection by the access control policy with which the prefilter policy is associated. This approach ensures that the allowed traffic as defined in Tetration policies is not blocked by any access control policy rule or its default action that would otherwise block the traffic.
- Depending on the number of Tetration policies and the resource configuration of the FMC and assigned FTDs, policy deployment via the External Orchestrator for FMC may take a few minutes to complete.
- The conversation feature should not be turned on in a scope where "Universal Visibility Agents" exist. Currently, interoperability between "Universal Visibility Agents" and conversation-enabled agents is not supported.
- Changing the configuration from conversation to detailed visibility mode may result in the tet-main software agent process restarting. This process restart does not impact the functionality of the Tetration agent or enforced policies.

Compatibility Information

The software agents in the 3.5.1.1 release support the following operating systems (virtual machines and bare-metal servers) for microsegmentation (deep visibility and enforcement):

Linux:
- Amazon Linux 2
- CentOS 6.x: 6.1 to 6.10
- CentOS 7.x: 7.0 to 7.9
- CentOS 8.x: 8.0 to 8.3
- Red Hat Enterprise Linux 6.x: 6.1 to 6.10
- Red Hat Enterprise Linux 7.x: 7.0 to 7.9
- Red Hat Enterprise Linux 8.x: 8.0 to 8.3
- Oracle Linux Server 6.x: 6.1 to 6.10
- Oracle Linux Server 7.x: 7.0 to 7.9
- Oracle Linux Server 8.x: 8.0 to 8.3
- SUSE Linux 11.x: 11.2, 11.3, and 11.4
- SUSE Linux 12.x: 12.0, 12.1, 12.2, 12.3, 12.4
- SUSE Linux 15.x: 15.0, 15.1
- Ubuntu 14.04
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 20.04

Windows Server (64-bit):
- Windows Server 2008R2: Datacenter, Enterprise, Essentials, Standard
- Windows Server 2012: Datacenter, Enterprise, Essentials, Standard
- Windows Server 2012R2: Datacenter, Enterprise, Essentials, Standard
- Windows Server 2016: Standard, Essentials, Datacenter
- Windows Server 2019: Standard, Essentials, Datacenter

Windows VDI desktop client:
- Microsoft Windows 8, Windows 8 Pro, Windows 8 Enterprise
- Microsoft Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise
- Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise 2016 LTSB

IBM AIX operating system:
- AIX version 7.1
- AIX version 7.2

Container host OS version for policy enforcement:
- Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.7
- CentOS Release 7.1, 7.2, 7.3, 7.4, 7.7
- Ubuntu 16.04

The 3.5.1.1 release supports the following operating systems for visibility use cases only:

Windows VDI desktop client:
- Microsoft Windows 7
- Microsoft Windows 7 Pro
- Microsoft Windows 7 Enterprise

The 3.5.1.1 release supports the following operating systems for the universal visibility agent:
- Windows Server (32-bit and 64-bit)
- Solaris 11 on x86 (64-bit)
- AIX 5.3 (PPC)
- Linux:
  - Red Hat Enterprise Linux 4.0 (32-bit and 64-bit)
  - CentOS 4.0 (32-bit and 64-bit)
  - Red Hat Enterprise Linux 5.0 (32-bit and 64-bit)
  - CentOS 5.0 (32-bit and 64-bit)

The 3.5.1.1 release no longer supports the full visibility agent for the following operating systems:
- Red Hat Enterprise Linux Release 5.x
- CentOS Release 5.x

The 3.5.1.1 release supports the following Cisco Nexus 9000 series switches in NX-OS and Cisco Application Centric Infrastructure (ACI) mode:

Table 4 Supported Cisco Nexus 9000 Series Switches in NX-OS and ACI Mode (product line, platform, minimum software release)

Cisco Nexus 9300 platform switches (NX-OS mode):
- Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX: Cisco NX-OS Release 9.2.1 and later
- Cisco Nexus 93180YC-FX, 93108TC-FX, and 9348GC-FXP: Cisco NX-OS Release 9.2.1 and later
- Cisco Nexus 9336C-FX2: Cisco NX-OS Release 9.2.1 and later

Cisco Nexus 9300 platform switches (ACI mode):
- Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX: Cisco ACI Release 3.1(1i) and later
- Cisco Nexus 93180YC-FX, 93108TC-FX: Cisco ACI Release 3.1(1i) and later
- Cisco Nexus 9348GC-FXP: Cisco ACI Release 3.1(1i) and later
- Cisco Nexus 9336C-FX2: Cisco ACI Release 3.2 and later

Cisco Nexus 9500 series switches with N9K-X9736C-FX linecards only: Cisco ACI Release 3.1(1i) and later

Usage Guidelines

This section lists usage guidelines for the Cisco Tetration Analytics software.

You must use the Google Chrome browser version 40.0.0 or later to access the web-based user interface. After setting up your DNS, browse to the URL of your Cisco Tetration Analytics cluster:

When using the commission/decommission feature for Tetration virtual appliance environments, observe the following usage guidelines:
- This feature is meant to be used with the assistance of TAC and can cause unrecoverable damage if used incorrectly.
- No two VMs should ever be decommissioned at the same time without explicit approval from TAC. The following combinations of VMs must never be decommissioned concurrently:
  - More than one orchestrator
  - More than one datanode
  - More than one namenode (namenode or secondaryNamenode)
  - More than one resourceManager
  - More than one happobat
  - More than one mongodb (mongodb or mongoArbiter)
- Only one decommission/commission process can be executed at a time. Do not overlap the decommission/commission of different VMs.
- Always contact TAC prior to using the esx_commission snapshot endpoint.

Verified Scalability Limits

The following tables provide the scalability limits for Cisco Tetration (39-RU), Cisco Tetration-M (8-RU), and Cisco Tetration Cloud:

Table 5 Scalability Limits for Cisco Tetration (39-RU)

Configurable option                                                   Scale
Number of workloads                                                   Up to 25,000 (VM or bare-metal)
Flow features per second                                              Up to 2 million
Number of hardware-agent-enabled Cisco Nexus 9000 series switches     Up to 100

Note: Supported scale will always be based on whichever parameter reaches the limit first.

Table 6 Scalability Limits for Cisco Tetration-M (8-RU)

Configurable option                                                   Scale
Number of workloads                                                   Up to 5,000 (VM or bare-metal)
Flow features per second                                              Up to 500,000
Number of hardware-agent-enabled Cisco Nexus 9000 series switches     Up to 100

Note: Supported scale will always be based on whichever parameter reaches the limit first.

Table 7 Scalability Limits for Cisco Tetration Virtual (VMware ESXi)

Configurable option                                                   Scale
Number of workloads                                                   Up to 1,000 (VM or bare-metal)
Flow features per second                                              Up to 70,000
Number of hardware-agent-enabled Cisco Nexus 9000 series switches     Not supported

Note: Supported scale will always be based on whichever parameter reaches the limit first.

Related Documentation

The Cisco Tetration Analytics documentation can be accessed from the following websites:
- Tetration Analytics Platform Datasheet:
- Documentation:

The documentation includes installation information and release notes.

Table 8 Installation Documentation

Document                                           Description
Cisco Tetration Analytics Cluster Deployment Guide  Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for the Cisco Tetration (39-RU) platform and Cisco Tetration-M (8-RU). Document Link:
Cisco Tetration Virtual Deployment Guide            Describes the deployment of Tetration virtual appliances. Document Link:
Cisco Tetration Cluster Upgrade Guide               Documentation Link:

NOTE: As a best practice, it is always recommended to patch a cluster to the latest available patch version before performing a major version upgrade.

Latest Threat Data Sources

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2021 Cisco Systems, Inc. All rights reserved.