Technical Articles ID:
KB90063
Last Modified: 4/27/2022
Environment
Cloud Workload Security (CWS) 5.x
CWS components:
CWS for Amazon Web Services (AWS)
CWS for Microsoft Azure
CWS for vSphere
NOTE: CWS was formerly known as Cloud Workload Discovery (CWD).
Summary
This article is a consolidated list of common questions and answers related to CWS. It's intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
Date
Update
April 27, 2022
Minor formatting changes; no content changes.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents:
Click to expand the section you want to view:
What's CWS?
CWS helps you to discover, import, manage, and protect the virtual infrastructure from the cloud to ePolicy Orchestrator (ePO).
What's Data Protection for Cloud?
Data Protection for Cloud allows you to encrypt the cloud volumes of AWS that ePO discovers, registers, and manages.
How many CWS products are available?
Three products are currently available:
CWS for AWS
CWS for Azure
CWS for vSphere
What's included in the CWS extension?
Data Center Assessment
Data Center Metering
Data Center Visualization
AWS Connector
Azure Connector
Data Center Connector (DCC)
Data Protection for Cloud
vSphere Connector
CWS_License
NOTE: CWS_License is only included in the CWS advanced bundle.
What cloud computing solutions are compatible with CWS?
Each Cloud Connector can discover and manage your VMs from different solutions:
AWS - A collection of web services that make up the cloud computing solution offered by Amazon.
Microsoft Azure - A cloud computing platform, and infrastructure for building, deploying, and managing applications and services. Achieved through a global network of Microsoft-managed data centers.
VMware vSphere - The VMware cloud computing virtualization operating system.
What's new in CWS 5.0?
These new features are important for an organization's security, protection, and performance:
Card-based user interface for improved usability
Activate Adaptive Threat Protection
Activate Network Intrusion Prevention
Install license extension to enable advanced security features
View traffic details for Microsoft Azure instances
View traffic flow logs
Perform DAT assessment
System card filters
Summary card
Deploy NSP probe
Change Assessment Policy at account level and workload level
Set AWS and Azure permissions
Shut down workload
What's AMI?
AMI stands for Amazon Machine Image. It's a template available on the AWS marketplace that starts a virtual instance with a preconfigured installation of ePO and several products. For details, see this article.
Which products are included in the PCSCWS AMI?
At every release, the PCS AMI release notes are updated to retain a comprehensive list of the products included.
Why is the 'dc_vm_auto' tag applied on the VMs discovered by a connector?
This tag is used by the DCC extension to identify VMs discovered from CWS. This tag is essential for Dashboards to work.
Which product suites include CWS?
CWS is included as part of several product suites:
Server Security Suite Essentials
Server Security Suite Advanced
Public Cloud Server Security
Security Suite for VDI
CWS Basic - Provides the new card-based User Interface with basic security, based on Endpoint Security and Agentless Firewall.
CWS Essentials - Includes Endpoint Security Threat Protection, Threat Intelligence Exchange, Dynamic Application Containment, and Real Protect, with basic security for behavioral malware detection, network visualization, and network anomaly detection.
CWS Advanced - Includes Application Control, File Integrity Monitoring, and Change Control, for zero-day malware protection. These items are based on hardening and compliance, in addition to features included in essentials.
What are the differences between the three available CWS packages?
CWS is packaged in public, hybrid, and private variants to support different cloud vendor accounts.
The CWS packages contain different extensions to support a specific cloud type; see the table below for details.
Can I upgrade from a previous extension version?
Yes. The product supports upgrades from CWD version to 4.5.1, and then an upgrade to CWS 5.0.0.
IMPORTANT:
You can't upgrade from CWD 4.0.0 to CWS 5.0.0 directly.
The development team recommends upgrading your existing ePO to versions 5.3.3 or 5.9 (EPO590HF1208662).
What happens to my old policy settings and assignments when I upgrade from CWD 4.5.1 to CWS 5.0?
The previous policy settings and assignments are removed. The administrator must redefine the settings and assign them to the respective workloads in the ePO System Tree.
How can I get started with a CWS?
Check in the CWS extension to ePO, and then start the CWS user interface and follow the wizard to register the cloud account to establish the connection.
Can I use Puppet and Chef scripts to install and configure security solutions offered via CWS?
Yes. For details, see the CWS Product Guide. Toaccess product documentation, see the "Related Information" section below.
Are Azure Classic assets supported by CWS?
No. Azure Classic assets aren't supported. For all new Azure infrastructure assets created through the Azure Resource Manager, the tag is named as Azure connector.
Is it possible to remove the vSphere cloud connector extension from ePO if devices have already been discovered via the connector?
Yes. But, before removing the vSphere connector extension, remove the vSphere accounts from the Registered cloud accounts page. When you remove the cloud account, you can delete or keep the System Tree groups and system.
Is Google Platform supported with CWS?
No. CWS currently doesn't support Google Platform. To have support for this platform, submit a new product idea so we can explore its feasibility. To submit a new product idea, see the "Related Information" section in this article below.
Can ePO manage systems in the cloud?
Yes. An administrator can deploy the MA and then other products to the virtual machines.
The administrator can also view the following in the ePO Console: Query their virtualization properties, protection status, and security compliance with dashboards and queries.
What are the supported ePO versions for CWS?
We advise you to review the CWS Product Guide. Also, see the up-to-date information maintained in the CWS supported environment article. For details, see KB90062 - Supported platforms for Cloud Workload Security. To access product documentation, see the "Related Information" section below.
Is AWS China supported?
No. CWS doesn't currently support AWS China.
Does CWS support GuardDuty?
Yes. From CWS 5.0.1, GuardDuty alerts can be viewed and corrective actions can be taken from CWS.
How many cloud accounts can I register under one ePO server?
There's no limit to the number of cloud accounts that can be registered under one ePO server.
How do I configure ePO to automatically secure discovered instances?
MA deployment can happen automatically if the option is selected during registration of the cloud account. Securing the discovered instances can be done via the CWS UI.
What network configurations does the AWS connector support?
For details, see the Best Practices section in the CWS Product Guide. To access product documentation, see the "Related Information" section below.
How do I troubleshoot AWS instance connectivity issues?
For details, see this AWS documentation.
Can I use AWS Connector with a proxy server?
Yes. The proxy setup must allow DNS resolution for the CWS.
What's Subscription ID, Tenant ID, Client ID, and Secret Key for an Azure account?
See section "Configuring Microsoft Azure Cloud Account," in the CWS Product Guide. To access product documentation, see the "Related Information" section below.
Can I set different levels of user permissions for AWS and Microsoft Azure cloud accounts?
Yes. It's possible to set three levels of user permissions for your AWS and Microsoft Azure cloud accounts. The following three levels can be applied based on the selected privilege:
Does CWS require the Common User Interface Core extension update?
Yes. It's located in ePO in the extensions section under Shared components. If not present, use the ePO Software Manager and search for Common to locate the Common UI 1.7.x extension. Select it and install it.
What's Data Center Metering?
Data Center Metering is an extension to help track the CPU hours used by instances in AWS and Azure cloud.
What does the CWS Assessment Rules-General policy do?
It specifies the policy settings for workload assessment status for the following categories:
Strong security groups
Volume encryption
Threat Prevention
Application Control
Change Control
Network intrusion prevention
What's Data Center Assessment?
Data Center Assessment is an extension that allows administrators to assess security alerts. These alerts are based on categories and use tags to prioritize alerts from the ePO console.
Why is Data Center Assessment extension needed for CWS?
The Data Center Assessment extension provides the following:
Firewall
Antimalware status for workload
Security groups
Security group rules
How does CWS pull AWS tagging?
CWS always picks the value of the tag with KeyName as 'Name,' which is the standard naming convention on AWS.
Does CWS for AWS support Assume Role?
No.
If the AWS instance contains multiple AWS tags, how does CWS determine the tag?
CWS only picks the value of the tag 'Name;' all other tags, except 'Name' are ignored.
Is AWS Desktop-as-a-service (workspaces) identified and reported in ePO by CWS?
CWS currently identifies only AWS EC2. AWS workspaces form a separate environment.
How do I configure ePO-based AWS tagging?
The AWS tagging can be configured in the CWS user interface, which includes a Tags field.
If the AWS instances don't have a tag 'Name' specified, how does CWS tag them?
If the tag 'Name' isn't available, CWS picks up another tag for the VM randomly.
What's Data Center Visualization?
Data Center Visualization allows an administrator to view, create, and change discovered assets. This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy.
Can systems in the cloud be managed in ePO?
Yes. An administrator can deploy the MA and then other products to the virtual machines. The administrator can also view and query their virtualization properties, protection status, and security compliance via several dashboards and queries.
When AWS instances are switched off, are they reported as 'powered off' in ePO?
Yes. If the computers are managed, they're not deleted, even when shut down. For unmanaged systems, they're no longer seen in the ePO System Tree when they're shut down.
How does CWS handle a situation where the instances already have MA installed?
If the discovered VMs are already managed through MA, they retain the existing policy and their group in ePO. Otherwise, on discovery, the instances are discovered and displayed as Unmanaged in the ePO System Tree.
How does the CWS handle instances that already have managed products installed?
The instance displays as Managed after discovery, and ePO manages the installed products.
How long until CWS discovers a new instance?
CWS discovers a new instance after the synchronization occurs. By default, the synchronization occurs every five minutes, but you can change this interval as needed.
What happens when an instance is terminated in EC2?
After the instance is terminated and a synchronization occurs, the instance is no longer displayed in the CWS user interface. But, any events from this instance are still present.
What ports are included when I select port as Any when configuring an inbound firewall rule?
Ports (0–65535) are included.
Can I view traffic details for Microsoft Azure instances?
Yes. You can view traffic details for your Microsoft Azure instances in the CWS console.
What's the DCC extension?
DCC is the base management extension for all CWS.
CWS relies on the DCC extension for the following management tasks:
Creating hierarchy in the ePO System Tree and CWS UI.
Saving VMs and group data in the ePO database.
Maintaining account data, such as identity endpoint, username, password, and tag.
Reporting and dashboards.
What's the new CWS_License extension?
The CWS_License extension enables traffic discovery, assessment, visualization, and Network Security Manager (NSM) account registration in CWS.
Why can't I enable traffic discovery, assessment, visualization, and NSM account registration in CWS?
You must install the license extension to enable these features.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website.
