Static Security Group Tag (SGT) for TrustSec Plugin

The Panorama plugin for Cisco TrustSec now supports static security group tags (SGTs).
The Panorama plugin for Cisco TrustSec enables you to create security policy for your TrustSec environment using dynamic or static address groups. The plugin monitors for changes in TrustSec security groups and registers that information with Panorama. It forwards IP information to the firewall, so Panorama can apply the correct policy to corresponding endpoints. The Panorama plugin for Cisco TrustSec supports up to 16 pxGrid (Cisco ISE) servers.
Differences between dynamic and static addresses
The mapping received from the Cisco ISE server is converted into a custom tag before the Panorama plugin framework processes it. The tag is built from the pxGrid server name and the Security Group Tag (SGT) received.
SGT names are represented on a Cisco ISE server in three different formats:
  • String (for example, BYOD).
  • Decimal number (for example, 15).
  • Hexadecimal number (for example, 000F).
The format of the SGT name depends on the type of SGT:
  • The service used by dynamic SGTs returns the tag as a string. As a result, the match criterion for a dynamic SGT is cts.svr_<server-name>.sgt_BYOD.
  • The service used by static SGTs returns the tag as a decimal number. As a result, the match criterion for a static SGT is cts.svr_<server-name>.sgt_15.
You can include both dynamic and static SGTs in the same address group; however, the match criteria must then include both formats. For example:
'cts.svr_<server-name>.sgt_BYOD' or 'cts.svr_<server-name>.sgt_15'
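To make the conversion concrete, here is an added Python model (not the plugin's own code) of the cts.svr_<server-name>.sgt_<SGT> tag and of how a match criterion that combines both formats selects members from the tags registered per IP. The server name ise-1, the IP addresses and the SGT values are constructed samples, and the criterion parser assumes the quoted-tag syntax shown above with and/or and no parentheses.

```python
import re
from typing import Dict, List, Set

def sgt_tag(server_name: str, sgt: str, static: bool) -> str:
    """Model of the tag registered with Panorama: cts.svr_<server-name>.sgt_<SGT>.
    Dynamic SGTs keep the string name returned by the session service; static SGTs
    carry the decimal value returned by the static-mapping service."""
    if static:
        # The static service returns a decimal number; any other spelling (for
        # example the hex form 000F) is rejected here rather than guessed at.
        if not sgt.isdigit():
            raise ValueError(f"static SGT must be decimal, got {sgt!r}")
        sgt = str(int(sgt))  # normalise e.g. '015' -> '15'
    return f"cts.svr_{server_name}.sgt_{sgt}"

def address_group_members(criteria: str, registrations: Dict[str, Set[str]]) -> List[str]:
    """Evaluate a match criterion such as 'tagA' or 'tagB' and 'tagC' against the
    tag set registered for each IP. 'and' binds tighter than 'or' (assumption:
    parentheses are not modelled). Returns the IPs that belong to the group."""
    tokens = re.findall(r"'([^']+)'|\b(and|or)\b", criteria, flags=re.IGNORECASE)
    groups: List[Set[str]] = []   # disjunction of conjunctive tag sets
    current: Set[str] = set()
    for tag, op in tokens:
        if tag:
            current.add(tag)
        elif op.lower() == "or":
            groups.append(current)
            current = set()
    groups.append(current)
    if not all(groups):
        raise ValueError("every alternative needs at least one quoted tag")
    return sorted(ip for ip, tags in registrations.items()
                  if any(group <= tags for group in groups))

# Constructed sample: one pxGrid server, two dynamic sessions and one static mapping.
SERVER = "ise-1"
REGISTRATIONS: Dict[str, Set[str]] = {
    "10.1.1.5": {sgt_tag(SERVER, "BYOD", static=False)},       # dynamic session, SGT BYOD
    "10.1.2.7": {sgt_tag(SERVER, "15", static=True)},          # static mapping, SGT 15 (000F)
    "10.1.3.9": {sgt_tag(SERVER, "Employees", static=False)},  # unrelated SGT
}
DYNAMIC_ONLY = f"'cts.svr_{SERVER}.sgt_BYOD'"
COMBINED = f"'cts.svr_{SERVER}.sgt_BYOD' or 'cts.svr_{SERVER}.sgt_15'"

if __name__ == "__main__":
    # The dynamic-only criterion misses the statically mapped host; the combined one catches both.
    print("dynamic-only:", address_group_members(DYNAMIC_ONLY, REGISTRATIONS))
    print("combined:    ", address_group_members(COMBINED, REGISTRATIONS))
```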
Create a dynamic or static address group
  1. Create active sessions so that Panorama can learn the SGTs used in the dynamic or static address group definition. To create active sessions, use ISE to authenticate devices. Panorama does not collect the default SGTs defined on ISE. Create address groups and verify that they are added.
  2. Select
    Objects > Address Groups.
  3. Select the Device Group you created for monitoring endpoints in your Cisco TrustSec environment from the
    Device Group
  4. Click
    and enter a
    for the address group. The dynamic address group naming convention is cts.svr_<server-name>.sgt_<SGT-name>. The static address group naming convention is cts.svr_<server-name>.sgt_<SGT-decimal-number>.
  5. Select
    in the drop-down.
  6. Click
    Add Match Criteria
  7. Select the
    operator and click the plus (+) icon next to the security group name to add it to the dynamic or static address group. Panorama can only display security group tags it has learned from active sessions. Security group tags in live sessions appear in the match criteria list.
  8. Click
    in the
    column of the address group. Panorama displays a list of IP addresses added to that address group based on the match criteria you specified.
  9. Use dynamic or static address groups in policy. Dynamic address groups are empty until you attach them to a policy. You won't see dynamic address groups unless a policy is using them. To use an address group in policy:
    a. Select
      Policies > Security.
    b. Click
      . Enter a
      and a
      for the policy.
    c. Add the
      Source Zone
      to specify the zone from which traffic originates.
    d. Add the
      Destination Zone
      at which traffic is terminating.
    e. For the
      Destination Address
      , select the address group you just created.
    f. Specify the action,
      , for the traffic. Optionally attach the default security profiles to the rule.
    g. Repeat steps a-f to create another policy rule.
    h. Click
  10. Optionally update the objects from the pxGrid server at any time by synchronizing objects. Synchronizing objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the address groups used in policy rules.
  11. Select
    Panorama > Cisco TrustSec > Monitoring Definition.
  12. Click
    Synchronize Dynamic Objects.