Static Security Group Tag (SGT) for TrustSec Plugin

The Panorama plugin for Cisco TrustSec now supports static security group tags (SGTs).
The Panorama plugin for Cisco TrustSec enables you to create security policy for your TrustSec environment using dynamic or static address groups. The plugin monitors the TrustSec security groups for changes and registers that information with Panorama, which forwards the IP-to-tag information to the firewalls so that the correct policy is applied to the corresponding endpoints. The Panorama plugin for Cisco TrustSec supports up to 16 pxGrid (Cisco ISE) servers.
Differences between dynamic and static addresses
The mapping received from the Cisco ISE server is converted before the Panorama plugin framework processes it. The conversion produces a custom tag built from the pxGrid server name and the Security Group Tag (SGT) received:
cts.svr_<server-name>.sgt_<SGT-name>
SGT names are represented on a Cisco ISE server in three different formats:
  • String (for example, BYOD).
  • Decimal number (for example, 15).
  • Hexadecimal number (for example, 000F).
The format of the SGT name in the tag depends on the type of SGT:
  • The com.cisco.ise.session service, used by dynamic SGTs, returns the tag as a string. As a result, the match criterion for a dynamic SGT is cts.svr_<server-name>.sgt_BYOD.
  • The com.cisco.ise.sxp service, used by static SGTs, returns the tag as a decimal number. As a result, the match criterion for a static SGT is cts.svr_<server-name>.sgt_15 (the hexadecimal value 000F shown in ISE corresponds to decimal 15).
You can include both dynamic and static SGTs in the same address group; however, the match criteria must then include both formats, joined with Or. For example:
'cts.svr_<server-name>.sgt_BYOD' or 'cts.svr_<server-name>.sgt_15'
Create a dynamic or static address group
  1. Create active sessions so that Panorama can learn the SGTs needed for the dynamic or static address group definition. To create active sessions, authenticate devices through ISE; Panorama does not collect the default SGTs defined on ISE. Then create the address groups and verify that they are populated, as follows.
  2. Select Objects > Address Groups.
  3. Select the Device Group you created for monitoring endpoints in your Cisco TrustSec environment from the Device Group drop-down.
  4. Click Add and enter a Name and Description for the address group. The naming convention for a dynamic address group is cts.svr_<server-name>.sgt_<SGT-name>; for a static address group it is cts.svr_<server-name>.sgt_<SGT-decimal-number>.
  5. Select Dynamic or Static as the Type in the drop-down.
  6. Click Add Match Criteria.
  7. Select the And or Or operator and click the plus (+) icon next to the security group name to add it to the dynamic or static address group. Panorama lists only the security group tags it has learned from active sessions, so only tags carried by live sessions appear in the match criteria list.
  8. Click More in the Addresses column of the address group. Panorama displays the IP addresses added to that address group based on the match criteria you specified.
  9. Use the dynamic or static address groups in policy. A dynamic address group stays empty until a policy references it, and Panorama does not list dynamic address groups that no policy uses. To use an address group in policy:
    a. Select Policies > Security.
    b. Click Add. Enter a Name and a Description for the policy.
    c. Add the Source Zone to specify the zone from which traffic originates.
    d. Add the Destination Zone at which traffic terminates.
    e. For the Destination Address, select the address group you just created.
    f. Specify the action, Allow or Deny, for the traffic. Optionally attach the default security profiles to the rule.
    g. Repeat steps a-f to create another policy rule.
    h. Click Commit.
  10. Optionally update the objects from the pxGrid server at any time by synchronizing objects. Synchronizing objects lets you keep up with changes in the TrustSec environment by automatically updating the address groups used in policy rules. To synchronize, select Panorama > Cisco TrustSec > Monitoring Definition and click Synchronize Dynamic Objects.
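To make the tag conversion described under "Differences between dynamic and static addresses" and the match criteria built in the address group procedure concrete, the following Python model is added here as an illustration; it is not the Panorama plugin's code, and the server name ise1, the IP addresses and the SGT values it uses are constructed sample data. It builds cts.svr_<server-name>.sgt_<SGT-name> tags from a session (dynamic, string) feed and an SXP (static, decimal) feed, converts the hexadecimal form ISE displays (000F) to the decimal form a static tag uses (15), parses match criteria written in the 'tag' or 'tag' syntax shown above (and/or with parentheses, and binding tighter than or), and resolves which IP addresses an address group would contain. The two sample expressions show the practical point of the combined criteria: matching only the dynamic form silently leaves out the endpoint whose SGT arrived over SXP.

```python
"""Model of the TrustSec plugin's tag conversion and address-group match criteria.
Added illustration, not plugin code; server name ise1, IPs and SGTs are constructed."""
import re

def sgt_tag(server, sgt):
    """cts.svr_<server-name>.sgt_<SGT-name>: a session-service (dynamic) SGT
    arrives as a string and is kept as is; an SXP (static) SGT arrives as a
    number and is rendered in decimal."""
    name = str(sgt) if isinstance(sgt, int) else sgt
    return f"cts.svr_{server}.sgt_{name}"

def hex_sgt_to_decimal(value):
    """The hexadecimal SGT ISE displays (000F or 0x000F) as the decimal number
    a static tag uses: 000F -> 15."""
    return int(value, 16)

def register(mappings):
    """(server, ip, sgt) mappings -> {ip: set(tags)}, the registered-IP view."""
    registered = {}
    for server, ip, sgt in mappings:
        registered.setdefault(ip, set()).add(sgt_tag(server, sgt))
    return registered

# Match criteria syntax: single-quoted tags joined by and/or, with parentheses.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\()|(\))|(and|or)\b)", re.IGNORECASE)

def _tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            if not expr[pos:].strip():
                break  # only trailing whitespace left
            raise ValueError(f"bad match criteria near {expr[pos:]!r}")
        pos = m.end()
        tag, lparen, _, op = m.groups()
        if tag is not None:
            tokens.append(("tag", tag))
        elif op:
            tokens.append(("op", op.lower()))
        else:
            tokens.append(("(" if lparen else ")", None))
    return tokens

def parse_criteria(expr):
    """Parse into a tag string or an (op, left, right) tree; and binds tighter than or."""
    tokens = _tokenize(expr)
    def peek():
        return tokens[0] if tokens else (None, None)
    def parse_or():
        node = parse_and()
        while peek() == ("op", "or"):
            tokens.pop(0)
            node = ("or", node, parse_and())
        return node
    def parse_and():
        node = parse_atom()
        while peek() == ("op", "and"):
            tokens.pop(0)
            node = ("and", node, parse_atom())
        return node
    def parse_atom():
        kind, value = tokens.pop(0) if tokens else (None, None)
        if kind == "tag":
            return value
        if kind == "(":
            node = parse_or()
            if peek()[0] != ")":
                raise ValueError("missing ')' in match criteria")
            tokens.pop(0)
            return node
        raise ValueError(f"unexpected {value!r} in match criteria")
    tree = parse_or()
    if tokens:
        raise ValueError("trailing input in match criteria")
    return tree

def matches(tree, tags):
    """Evaluate a parsed match criteria tree against one IP's set of tags."""
    if isinstance(tree, str):
        return tree in tags
    op, left, right = tree
    combine = any if op == "or" else all
    return combine(matches(side, tags) for side in (left, right))

def members(criteria, registered):
    """IP addresses an address group with these match criteria would hold."""
    tree = parse_criteria(criteria)
    return sorted(ip for ip, tags in registered.items() if matches(tree, tags))

# Constructed feed: BYOD endpoints from com.cisco.ise.session (string SGT) and
# one endpoint whose SGT 15 (000F in ISE) arrives via com.cisco.ise.sxp (int).
SAMPLE_MAPPINGS = [("ise1", "10.1.1.10", "BYOD"), ("ise1", "10.1.1.11", "BYOD"),
                   ("ise1", "10.2.2.20", 15), ("ise1", "10.3.3.30", "Employees")]
DYNAMIC_ONLY = "'cts.svr_ise1.sgt_BYOD'"  # silently misses the static endpoint
COMBINED = "'cts.svr_ise1.sgt_BYOD' or 'cts.svr_ise1.sgt_15'"

def demo():
    registered = register(SAMPLE_MAPPINGS)
    return {"dynamic_only": members(DYNAMIC_ONLY, registered),
            "combined": members(COMBINED, registered)}
```

Running demo() returns 10.1.1.10 and 10.1.1.11 for the dynamic-only criteria and adds 10.2.2.20 once the sgt_15 term is joined with or; when an ISE screen shows an SGT in hexadecimal, pass it through hex_sgt_to_decimal before writing the static term.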
