Secure Group Tag (SGT) Propagation
Learn about secure group tag propagation and its use in performance policy
rules.
Secure Group Tag (SGT) enables identity-based security and enforces policies across
networks. It preserves SGT information end-to-end, controlling access over public and
private VPN overlays. You can customize SGT propagation per site, including Branch, Data
Center, and Branch Gateway locations. When enabled at the site level, SGT allows the ION
device to parse Cisco Metadata headers, extract Security Group Information (SGI) values,
and preserve them across Prisma SD-WAN so the tag is applied consistently throughout the
network. The feature also introduces LAN-to-LAN propagation and static SGT configuration
for ION-initiated traffic.
You can configure static tag values for ION-initiated traffic (e.g., NTP, DHCP,
App Probes) and enable or disable SGT settings at the interface level. Static SGT
tagging ensures effective routing and consistent propagation across the network,
regardless of topology.
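To make the two behaviours above concrete, the following is an added illustration (not Prisma SD-WAN or ION code) of what an SGT carried in a Cisco Metadata (CMD) header looks like on the wire, how a device can extract it and preserve it, and how an untagged locally originated frame can be given a static tag. It assumes the commonly documented inline CMD layout (EtherType 0x8909, a one-byte version, a one-byte length, a 16-bit option type of 0x0001 for the SGT, the 16-bit SGT value, then the inner EtherType); the frames, MAC addresses and tag values are constructed for the example.

```python
import struct
from typing import Optional

# Assumption: inline Cisco MetaData (CMD) layout as commonly documented.
ETHERTYPE_CMD = 0x8909    # CMD EtherType that precedes the SGT option
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_LENGTH = 1            # assumption: one 4-byte option word (carried, not interpreted here)
CMD_OPT_SGT = 0x0001      # option type carrying the Security Group Tag


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into MAC addresses, inner EtherType, optional SGT and payload.

    Frames without a CMD header come back with sgt=None; frames with one have the
    tag extracted and the inner EtherType reported as the frame's effective type.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, sgt = 14, None
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < offset + 8:
            raise ValueError("truncated CMD header")
        version, _length, opt_type, sgt_value, inner_type = struct.unpack(
            "!BBHHH", frame[offset:offset + 8])
        if version != CMD_VERSION:
            raise ValueError(f"unsupported CMD version {version}")
        if opt_type != CMD_OPT_SGT:
            raise ValueError(f"unexpected CMD option type {opt_type:#06x}")
        sgt, ethertype, offset = sgt_value, inner_type, offset + 8
    return {"dst": dst, "src": src, "ethertype": ethertype, "sgt": sgt,
            "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                sgt: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame, inserting a CMD/SGT header when a tag is supplied."""
    header = dst + src
    if sgt is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    cmd = struct.pack("!HBBHHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH,
                      CMD_OPT_SGT, sgt, ethertype)
    return header + cmd + payload


def apply_static_sgt(frame: bytes, static_sgt: int) -> bytes:
    """Preserve an SGT that is already present; tag an untagged frame with the static value.

    This mirrors the two rules in the text: tags learned from the LAN are carried
    end-to-end unchanged, while untagged device-originated traffic gets a configured tag.
    """
    fields = parse_frame(frame)
    if fields["sgt"] is not None:
        return frame
    return build_frame(fields["dst"], fields["src"], fields["ethertype"],
                       fields["payload"], sgt=static_sgt)


# Constructed sample data: MAC addresses, a minimal IPv4 payload stub, and two frames.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IP_PAYLOAD = bytes.fromhex("45000014") + b"\x00" * 16
# Hand-written tagged frame: 0x8909 | ver 1 | len 1 | opt 0x0001 | SGT 10 | inner 0x0800
TAGGED_FRAME = DST + SRC + bytes.fromhex("8909" "01" "01" "0001" "000a" "0800") + IP_PAYLOAD
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + IP_PAYLOAD

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME)):
        fields = parse_frame(frame)
        print(f"{name}: ethertype={fields['ethertype']:#06x} sgt={fields['sgt']}")
    retagged = apply_static_sgt(UNTAGGED_FRAME, static_sgt=2)
    print("after static tagging:", parse_frame(retagged)["sgt"])
```

Running the block prints the extracted tag for each constructed frame and shows the untagged frame picking up the static value, while the already tagged frame is returned byte-for-byte unchanged. The strict checks on version and option type are what a monitoring tool would want: a frame claiming CMD but carrying an unknown option is reported rather than silently treated as untagged.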
SGT information can be accessed through the Flow Browser and Device
Toolkit commands, allowing for enhanced troubleshooting and monitoring
capabilities.