: Static Security Group Tag (SGT) for TrustSec Plugin
Focus
Focus

Static Security Group Tag (SGT) for TrustSec Plugin

Table of Contents
End-of-Life (EoL)

Static Security Group Tag (SGT) for TrustSec Plugin

Panorama plugin for Cisco TrustSec now supports static security group tags (SGTs).
The Panorama plugin for Cisco TrustSec enables you to create security policy for your TrustSec environment using dynamic or static address groups. The plugin monitors for changes in TrustSec security groups and registers that information with Panorama. It forwards IP information to the firewall, so Panorama can apply the correct policy to corresponding endpoints. The Panorama plugin for Cisco TrustSec supports up to 16 pxGrid (Cisco ISE) servers.
Differences between dynamic and static addresses
The mapping received from the Cisco ISE Server is converted before being processed by the Panorama plugin framework. This conversion, representing a custom tag, is based on the pxGrid server name and the Security Group Tag (SGT) received:
cts.svr_<server-name>.sgt_<SGT-name>
SGT names are represented in a Cisco ISE Server in 3 different formats:
  • String (for example, BYOD).
  • Decimal number (for example, 15).
  • Hexadecimal number (for example, 000F).
The format of the SGT name depends on the type of SGT:
  • The com.cisco.ise.session service, used by dynamic SGTs, returns the tag in a string format. As a result, the matching criteria for a dynamic SGT is cts.svr_<server-name>.sgt_BYOD.
  • The com.cisco.ise.sxp service, used by static SGTs, returns the tag in a decimal format. As a result, the matching criteria for a static SGT is cts.svr_<server-name>.sgt_15.
You can include both dynamic and static SGTs in the same address group, however, the matching criteria must include both formats. For example:
‘cts.svr_<server-name>.sgt_BYOD’ or ‘cts.svr_<server-name>.sgt_15’
Create a dynamic or static address group
  1. Create active sessions so that Panorama can learn SGT tags for dynamic or static address group definition. To create active sessions, use ISE to authenticate devices. Panorama does not collect default SGT tags on ISE. Create address groups and verify that they are added.
  2. Select Objects > Address Groups.
  3. Select the Device Group you created for monitoring endpoints in your Cisco TrustSec environment from the Device Group drop-down.
  4. Click Add and enter a Name and Description for the address group. The dynamic address group naming convention is cts.svr_(server-name).sgt_<SGT-name>. Static address group naming convention is: cts.svr_<server-name>.sgt_<SGT-decimal number>.
  5. Select Type as Dynamic or Static in the drop-down.
  6. Click Add Match Criteria.
  7. Select the And or Or operator and click the plus (+) icon next to the security group name to add it to the dynamic or static address group. Panorama can only display security group tags it has learned from active sessions. Security group tags in live sessions appear in the match criteria list.
  8. Click More in the Addresses column of the address group. Panorama displays a list of IP addresses added to that address group based on the match criteria you specified.
  9. Use dynamic or static addresses groups in policy. Dynamic address groups are empty until you attach them to a policy. You won’t see dynamic address groups unless a policy is using it. To use a address group in policy:
    1. Select Policies > Security.
    2. Click Add. Enter a Name and a Description for the policy.
    3. Add the Source Zone to specify the zone from which traffic originates.
    4. Add the Destination Zone at which traffic is terminating.
    5. For the Destination Address, select the address group you just created.
    6. Specify the action, Allow or Deny, for the traffic. Optionally attach the default security profiles to the rule.
    7. Repeat steps a-f to create another policy rule.
    8. Click Commit.
  10. Optionally update the objects from the pxGrid server at any time by synchronizing objects. Synchronizing objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the address groups used in policy rules.
  11. Select Panorama > Cisco TrustSec > Monitoring Definition.
  12. Click Synchronize Dynamic Objects.