Secure Group Tag (SGT) enables identity-based security and enforces policies across networks. It preserves SGT information end-to-end, controlling access over public and private VPN overlays. You can customize SGT propagation per site, including Branch, Data Center, and Branch Gateway locations. When enabled at the site level, SGT allows the ION device to parse Cisco Metadata headers, extract Security Group Information (SGI) values, and preserve them across the Prisma SD-WAN. The system parses Cisco Metadata headers to extract and apply SGT values across the network. It also introduces LAN to LAN propagation and static SGT configuration for ION initiated traffic.

You can configure static tag values for ION-initiated traffic (e.g., NTP, DHCP, App Probes) and enable or disable SGT settings at the interface level. Static SGT tagging ensures effective routing and consistent propagation across the network, regardless of topology.

SGT information can be accessed through the Flow Browser and Device Toolkit commands, allowing for enhanced troubleshooting and monitoring capabilities.