Static Security Group Tag (SGT) for TrustSec Plugin
The Panorama plugin for Cisco TrustSec now supports static security group tags (SGTs).
The Panorama plugin for Cisco TrustSec enables
you to create security policy for your TrustSec environment using
dynamic or static address groups. The plugin monitors for changes
in TrustSec security groups and registers that information with Panorama.
It forwards IP information to the firewall, so Panorama can apply
the correct policy to corresponding endpoints. The Panorama plugin
for Cisco TrustSec supports up to 16 pxGrid (Cisco ISE) servers.
Dynamic and static addresses
The mapping received from the Cisco ISE server is converted before being processed by the Panorama plugin framework. This conversion, which produces a custom tag, is based on the pxGrid server name and the Security Group Tag. SGT names are represented on a Cisco ISE server in three different formats:
String (for example, BYOD).
Decimal number (for example, 15).
Hexadecimal number (for example, 000F).
The format of the SGT name depends on the type of SGT:
The pxGrid service used by dynamic SGTs returns the tag in string format. As a result, the matching criteria for a dynamic SGT is cts.svr_<server-name>.sgt_BYOD.
The com.cisco.ise.sxp service, used by static SGTs, returns the tag in decimal format. As a result, the matching criteria for a static SGT is cts.svr_<server-name>.sgt_15.
You can include both dynamic and static SGTs in the same address group; however, the matching criteria must include both formats. For example:
'cts.svr_<server-name>.sgt_BYOD' or 'cts.svr_<server-name>.sgt_15'
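The following added example (not code from the plugin or from Palo Alto Networks) builds the two tag forms described above for one SGT, resolves an address-group match criteria against constructed IP-to-tag registrations, and shows why a criteria that carries only the string form misses endpoints learned from the static (SXP) service. The server name, IP addresses and SGT values are constructed.

```python
import re

# All server names, IPs and SGT values below are constructed for illustration.

def sgt_hex_to_decimal(hex_sgt: str) -> int:
    """Convert the hexadecimal SGT form ISE can display (e.g. '000F') to decimal (15)."""
    return int(hex_sgt, 16)

def dynamic_tag(server: str, sgt_name: str) -> str:
    """Tag registered for a dynamic SGT: the session service returns the SGT name as a string."""
    return f"cts.svr_{server}.sgt_{sgt_name}"

def static_tag(server: str, sgt_decimal: int) -> str:
    """Tag registered for a static SGT: the com.cisco.ise.sxp service returns the decimal value."""
    return f"cts.svr_{server}.sgt_{sgt_decimal}"

def match_criteria(server: str, sgt_name: str, sgt_decimal: int) -> str:
    """Match criteria covering both forms of one SGT, as the text recommends."""
    return f"'{dynamic_tag(server, sgt_name)}' or '{static_tag(server, sgt_decimal)}'"

def group_members(criteria: str, ip_tags: dict) -> list:
    """Resolve an 'or'-only match criteria against registered IP-to-tag mappings.

    Returns the sorted IPs carrying at least one of the quoted tags."""
    wanted = set(re.findall(r"'([^']+)'", criteria))
    return sorted(ip for ip, tags in ip_tags.items() if wanted & set(tags))

SERVER = "ise01"  # constructed pxGrid server name

# Constructed registrations: one endpoint learned dynamically (session service),
# one learned statically (SXP, decimal form of the same SGT), one in another SGT.
IP_TAGS = {
    "10.1.1.10": [dynamic_tag(SERVER, "BYOD")],
    "10.1.1.20": [static_tag(SERVER, sgt_hex_to_decimal("000F"))],
    "10.1.1.30": [dynamic_tag(SERVER, "Employees")],
}

if __name__ == "__main__":
    both = match_criteria(SERVER, "BYOD", 15)
    print(both, "->", group_members(both, IP_TAGS))
    # String-only criteria silently drops the statically tagged endpoint.
    print(group_members(f"'{dynamic_tag(SERVER, 'BYOD')}'", IP_TAGS))
```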
Create a dynamic or static address group
Create active sessions so that Panorama can learn SGT tags for dynamic or static address group definitions. To create active sessions, use ISE to authenticate devices. Panorama does not collect default SGT tags from ISE. Create address groups and verify that they are added.
Select Objects > Address Groups.
Select the Device Group you created for monitoring endpoints in your Cisco TrustSec environment, and enter a name for the address group. The dynamic address group naming convention is cts.svr_<server-name>.sgt_<SGT-name>. The static address group naming convention is cts.svr_<server-name>.sgt_<SGT-decimal>.
Click Add Match Criteria and click the plus (+) icon next to the security group name to add it to the dynamic or static address group. Panorama can only display security group tags it has learned from active sessions; security group tags in live sessions appear in the match criteria list.
Verify the members of the address group. Panorama displays a list of IP addresses added to that address group based on the match criteria you specified.
Use dynamic or static address groups in policy. Dynamic address groups are empty until you attach them to a policy. You won't see dynamic address groups unless a policy is using them. To use an address group in policy:
Select Policies > Security.
Enter a name for the policy.
Select the zone from which traffic originates.
Select the zone in which traffic is terminating.
Select the address group you just created.
Specify the action for the traffic. Optionally attach the default security profiles to the rule.
Repeat steps a-f to create another policy rule.
Optionally update the objects from the pxGrid server
at any time by synchronizing objects. Synchronizing objects enables
you to maintain context on changes in the virtual environment and
allows you to enable applications by automatically updating the
address groups used in policy rules.