If you are using Security Group Tags (SGTs) in a Cisco
TrustSec network, PAN-OS 9.0 firewalls deployed inline in Layer
2 or virtual wire mode can inspect the tagged traffic and apply threat prevention to it.
If you use Security Group Tags (SGTs)
to control user and device access in a Cisco TrustSec network, firewalls deployed
inline in Layer 2 or virtual wire mode can now inspect the tagged traffic and
apply threat prevention to it. Before PAN-OS 9.0, a firewall
in Layer 2 or virtual wire mode could allow SGT-tagged frames to pass but did
not process their contents. In PAN-OS 9.0, processing of SGT-tagged traffic is enabled
by default and requires no configuration changes.
Note that the firewall does not use SGTs as match criteria in Security
policy: continue to define SGT-based policy in your Cisco TrustSec
infrastructure exactly as you do today.
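Because the firewall forwards SGT-tagged frames transparently and never matches on the tag, the practical check after an upgrade is to confirm that tagged frames captured on the ingress side of the Layer 2 or virtual wire firewall also appear, still tagged, on the egress side. The following Python script is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It assumes inline SGT frames are identified by the Cisco MetaData EtherType 0x8909 (possibly behind an 802.1Q or 802.1ad tag), deliberately does not decode the CMD header fields, and uses constructed sample frames in place of real captures.

```python
# Added example (not from the PAN-OS documentation): compare ingress and egress
# captures from a Layer 2 / virtual wire firewall and report SGT-tagged frames
# (EtherType 0x8909, Cisco MetaData) that did not come out tagged on the far side.
# The sample frames built in run_demo() are constructed for this example.
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag
ETHERTYPE_CMD = 0x8909    # Cisco MetaData header that carries the inline SGT
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlans: Tuple[int, ...]
    ethertype: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Parse the Ethernet header, walking through any stacked VLAN tags."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    offset = 12
    ethertype = int.from_bytes(raw[offset:offset + 2], "big")
    offset += 2
    vlans: List[int] = []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = int.from_bytes(raw[offset:offset + 2], "big")
        vlans.append(tci & 0x0FFF)           # VLAN ID is the low 12 bits of the TCI
        ethertype = int.from_bytes(raw[offset + 2:offset + 4], "big")
        offset += 4
    return Frame(dst, src, tuple(vlans), ethertype, raw[offset:])


def is_sgt_tagged(frame: Frame) -> bool:
    """True when the frame carries an inline SGT (Cisco MetaData EtherType)."""
    return frame.ethertype == ETHERTYPE_CMD


def frame_key(frame: Frame) -> tuple:
    """Identity used to match one frame across the two capture points. A frame
    whose CMD header was stripped changes EtherType and payload, so it no longer
    matches and is reported as missing."""
    return (frame.src, frame.dst, frame.vlans, frame.ethertype,
            hashlib.sha256(frame.payload).hexdigest())


def compare_captures(ingress: Iterable[bytes], egress: Iterable[bytes]) -> dict:
    """Count SGT-tagged frames on each side and list the tagged ingress frames
    that never appeared tagged on egress (dropped, or rewritten in transit)."""
    egress_frames = [parse_ethernet(raw) for raw in egress]
    egress_keys = {frame_key(f) for f in egress_frames}
    tagged_out = sum(1 for f in egress_frames if is_sgt_tagged(f))
    tagged_in = 0
    missing: List[Frame] = []
    for raw in ingress:
        frame = parse_ethernet(raw)
        if not is_sgt_tagged(frame):
            continue
        tagged_in += 1
        if frame_key(frame) not in egress_keys:
            missing.append(frame)
    return {"tagged_ingress": tagged_in, "tagged_egress": tagged_out,
            "missing": missing}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble a raw frame; used only to construct sample input for the demo."""
    header = dst + src
    if vlan is not None:
        header += ETHERTYPE_VLAN.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return header + ethertype.to_bytes(2, "big") + payload


def run_demo() -> dict:
    """Constructed captures: two tagged frames and one plain frame enter the
    firewall; one tagged frame is absent on egress."""
    host_a = bytes.fromhex("001122334455")
    host_b = bytes.fromhex("66778899aabb")
    # Opaque payloads stand in for a CMD header plus IP packet (not decoded here).
    tagged_1 = build_frame(host_b, host_a, ETHERTYPE_CMD, b"cmd+ip payload 1")
    tagged_2 = build_frame(host_b, host_a, ETHERTYPE_CMD, b"cmd+ip payload 2", vlan=10)
    plain = build_frame(host_b, host_a, ETHERTYPE_IPV4, b"plain ip payload")
    ingress = [tagged_1, tagged_2, plain]
    egress = [tagged_1, plain]   # tagged_2 was dropped or no longer tagged
    return compare_captures(ingress, egress)


if __name__ == "__main__":
    result = run_demo()
    print(f"tagged on ingress: {result['tagged_ingress']}, "
          f"tagged on egress: {result['tagged_egress']}, "
          f"missing on egress: {len(result['missing'])}")
```

To use it against real traffic, read frames from captures taken on the two firewall interfaces at the same time and pass the raw frame bytes to compare_captures; matching is by MAC pair, VLAN stack, EtherType and payload digest, so any frame the firewall rewrote on the way through is reported as missing rather than silently counted as forwarded.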
Best practices for deploying
Palo Alto Networks firewalls in a Cisco TrustSec network:
Deploy firewalls that you expect
to process SGT packets in either Layer 2 or virtual wire mode.
Deploying a firewall that might process SGT packets in Layer 3 mode
is not recommended. If you must use a Layer 3 firewall in a
Cisco TrustSec network:
Deploy the Layer 3 firewall
between two SGT Exchange Protocol (SXP) peers.
Configure the firewall to allow the traffic between the SXP