Static Security Group Tag (SGT) for TrustSec Plugin
Panorama plugin for Cisco TrustSec now supports static security group tags (SGTs).
The Panorama plugin for Cisco TrustSec enables you to create security policy for your TrustSec environment using dynamic or static address groups. The plugin monitors for changes in TrustSec security groups and registers that information with Panorama. It forwards IP information to the firewall, so Panorama can apply the correct policy to corresponding endpoints. The Panorama plugin for Cisco TrustSec supports up to 16 pxGrid (Cisco ISE) servers.
Differences between dynamic and static addresses
The mapping received from the Cisco ISE Server is converted before being processed by the Panorama plugin framework. This conversion, representing a custom tag, is based on the pxGrid server name and the Security Group Tag (SGT) received:
SGT names are represented in a Cisco ISE Server in 3 different formats:
- String (for example, BYOD).
- Decimal number (for example, 15).
- Hexadecimal number (for example, 000F).
The format of the SGT name depends on the type of SGT:
- The com.cisco.ise.session service, used by dynamic SGTs, returns the tag in a string format. As a result, the matching criteria for a dynamic SGT is cts.svr_<server-name>.sgt_BYOD.
- The com.cisco.ise.sxp service, used by static SGTs, returns the tag in a decimal format. As a result, the matching criteria for a static SGT is cts.svr_<server-name>.sgt_15.
You can include both dynamic and static SGTs in the same address group, however, the matching criteria must include both formats. For example:
‘cts.svr_<server-name>.sgt_BYOD’ or ‘cts.svr_<server-name>.sgt_15’
Create a dynamic or static address group
- Create active sessions so that Panorama can learn SGT tags for dynamic or static address group definition. To create active sessions, use ISE to authenticate devices. Panorama does not collect default SGT tags on ISE. Create address groups and verify that they are added.
- SelectObjects > Address Groups.
- Select the Device Group you created for monitoring endpoints in your Cisco TrustSec environment from theDevice Groupdrop-down.
- ClickAddand enter aNameandDescriptionfor the address group. The dynamic address group naming convention is cts.svr_(server-name).sgt_<SGT-name>. Static address group naming convention is: cts.svr_<server-name>.sgt_<SGT-decimal number>.
- SelectTypeasDynamicorStaticin the drop-down.
- ClickAdd Match Criteria.
- Select theAndorOroperator and click the plus (+) icon next to the security group name to add it to the dynamic or static address group. Panorama can only display security group tags it has learned from active sessions. Security group tags in live sessions appear in the match criteria list.
- ClickMorein theAddressescolumn of the address group. Panorama displays a list of IP addresses added to that address group based on the match criteria you specified.
- Use dynamic or static addresses groups in policy. Dynamic address groups are empty until you attach them to a policy. You won’t see dynamic address groups unless a policy is using it. To use a address group in policy:
- SelectPolicies > Security.
- ClickAdd. Enter aNameand aDescriptionfor the policy.
- Add theSource Zoneto specify the zone from which traffic originates.
- Add theDestination Zoneat which traffic is terminating.
- For theDestination Address, select the address group you just created.
- Specify the action,AlloworDeny, for the traffic. Optionally attach the default security profiles to the rule.
- Repeat steps a-f to create another policy rule.
- Optionally update the objects from the pxGrid server at any time by synchronizing objects. Synchronizing objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the address groups used in policy rules.
- SelectPanorama > Cisco TrustSec > Monitoring Definition.
- ClickSynchronize Dynamic Objects.
Recommended For You
Recommended videos not found.