Secure Group Tag (SGT) Propagation
Learn about secure group tag propagation and its use in performance policy rules.
Secure Group Tag (SGT) propagation enables identity-based security and enforces policies across networks. It preserves SGT information end-to-end, controlling access over public and private VPN overlays. SGT propagation can be customized per site, including Branch, Data Center, and Branch Gateway locations. When enabled at the site level, the ION device parses Cisco Metadata headers, extracts Security Group Information (SGI) values, and preserves them across the Prisma SD-WAN network. The feature also introduces LAN-to-LAN propagation and static SGT configuration for ION-initiated traffic.
Static tag values can be configured for ION-initiated traffic (for example, NTP, DHCP, and App Probes), and SGT settings can be enabled or disabled at the interface level. Static SGT tagging ensures effective routing and consistent propagation across the network, regardless of topology.
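The two mechanisms described above, parsing a Cisco Metadata (CMD) header to recover the SGT from a received frame and inserting a static tag into locally generated traffic, are illustrated by the following Python example. It is added here and is not Prisma SD-WAN or Cisco code; it assumes the common fixed 8-byte SGT-only CMD layout announced by EtherType 0x8909 (version, length, SGT option type, SGT value, then the inner EtherType) and rejects anything else, and the sample frame is constructed.

```python
import struct

CMD_ETHERTYPE = 0x8909   # EtherType that announces a Cisco MetaData (CMD) header
CMD_VERSION = 1          # only CMD version handled here
CMD_SGT_OPTION = 0x0001  # option type carrying the SGT (assumed fixed layout)


def parse_cmd_frame(frame: bytes) -> dict:
    """Return MACs, the SGT (None when untagged), inner EtherType and payload.

    Assumed layout after the 14-byte Ethernet header when EtherType == 0x8909:
      version(1) | length(1) | SGT option type(2) | SGT value(2) | inner EtherType(2)
    Malformed or unsupported headers raise so a monitor can count them.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != CMD_ETHERTYPE:
        return {"dst": dst, "src": src, "sgt": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 22:
        raise ValueError("truncated CMD header")
    version, _length, opt_type, sgt, inner_type = struct.unpack("!BBHHH", frame[14:22])
    if version != CMD_VERSION:
        raise ValueError(f"unsupported CMD version {version}")
    if opt_type != CMD_SGT_OPTION:
        raise ValueError(f"unexpected CMD option type {opt_type:#06x}")
    return {"dst": dst, "src": src, "sgt": sgt,
            "ethertype": inner_type, "payload": frame[22:]}


def insert_static_sgt(frame: bytes, sgt: int) -> bytes:
    """Insert a CMD header carrying `sgt` into an untagged Ethernet frame,
    the way a static tag is applied to ION-initiated traffic (hypothetical helper)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] == CMD_ETHERTYPE:
        raise ValueError("frame is malformed or already tagged")
    cmd = struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, 1, CMD_SGT_OPTION, sgt)
    return frame[:12] + cmd + frame[12:14] + frame[14:]


# Constructed sample: plain IPv4 frame (EtherType 0x0800) with a dummy 20-byte payload
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    tagged = insert_static_sgt(UNTAGGED, 10)
    print(parse_cmd_frame(tagged))   # sgt=10, ethertype=0x0800, original payload
```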
SGT information can be accessed through the Flow Browser and Device
Toolkit commands, allowing for enhanced troubleshooting and monitoring
capabilities.