topic Re: ISE FMC pxgrid integration in Network Access Control

ISE FMC pxgrid integration

AirBorn — Wed, 02 Feb 2022 11:19:35 GMT

Hello,

I have integrated SGT Pxgrid with FMC and ISE in order to share SGT/IP Mapping

when i configure manually an SGT/IP Mapping on ISE, this entry is not pushed automatically to FMC unless restarting ISE

Could someone help

Regards

Re: ISE FMC pxgrid integration

Mike.Cifelli — Wed, 02 Feb 2022 12:32:23 GMT

when i configure manually an SGT/IP Mapping on ISE, this entry is not pushed automatically to FMC unless restarting ISE

-Please share versions of ISE/FMC; Is the pxgrid client showing as ON in ISE? When you test integration from FMC what do the logs say(Settings->Integration->Identity Sources:Test)? In ISE download and take a look at the pxgrid logs: Operations->Troubleshoot->Download Logs->Select the PxGrid node: PxGrid section contains several debug logs; Those may help shed some light.

Re: ISE FMC pxgrid integration

Greg Gibbs — Wed, 02 Feb 2022 22:13:58 GMT

It's important to note that static IP/Subnet-SGT mappings are published to pxGrid subscribers via the SXP topic, so all of the SXP configuration has to be done in order for those bindings to be shared.

Please confirm that you have configured all of the necessary elements as per the following example guide:

https://integratingit.wordpress.com/2020/04/24/ftd-static-ip-sgt-mapping/

The same configuration works as expected in my lab using ISE 3.0p4 and FMC 7.0.1

Re: ISE FMC pxgrid integration

Andrii Oliinyk — Tue, 14 Mar 2023 10:41:16 GMT

Hi Greg

it's a bit confusing as previously i thought that IP-SGT mappings learned via SXP by ISE simply can be published to PxGrid for its consumers to learn that mappings w/o the need to additionally configure SXP pipe between PxGrid consumer & ISE:

Cisco Identity Services Engine Administrator Guide, Release 3.0 - pxGrid [Cisco Identity Services Engine] - Cisco

Publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid. For more information about SXP bindings, see the Security Group Tag Exchange Protocol section in the Segmentation chapter of the Cisco ISE Administrators Guide.

what is the benefit from above publishing if admin still need to configure SXP communication between PxGrid consumer & ISE?

also triggered drawback is that if static IP-SGT mapping must be consumed by PxGrid subscriber, it's mandatory to configure SXP session between PxGrid subscriber & IP-SGT-mapping provider/speaker . could u pls share documents where this restriction/limitation is announced?

Thanks in advance

Re: ISE FMC pxgrid integration

Greg Gibbs — Tue, 14 Mar 2023 23:46:40 GMT

Information about how the FMC consumes SGT bindings from ISE and how to configure it can be found in the Cisco Secure Firewall Management Center Device Configuration Guide.

As stated in the guide regarding the required option Publish SXP Bindings on PxGrid:

"This option makes ISE send the SGT mappings out using SXP. You must select this option for the threat defense device to “hear” anything from listing to the SXP topic. This option must be selected for the threat defense device to get static SGT-to-IP address mapping information. It is not necessary if you simply want to use SGT tags defined in the packets, or SGTs that are assigned to a user session."

Re: ISE FMC pxgrid integration

Andrii Oliinyk — Wed, 15 Mar 2023 07:33:18 GMT

Yes. i saw it. Is that statement specific to FMC/FTD, or other ISE's PxGrid consumers (like CheckPoint FW) r required to have SXP-peering with ISE as well? Other words is having both PxGrid consumer role & SXP-peer of ISE rule of thumb for the IP SGT static mappings to be learnt?

thanks

Re: ISE FMC pxgrid integration

Greg Gibbs — Wed, 15 Mar 2023 21:43:47 GMT

Static IP-SGT mappings are only published by ISE via the SXP Topic. For another consumer to learn these, they would need to support the ability to subscribe to the SXP Topic.

To be clear, this is not a real SXP peering. As the documentation says:

"This does not have to be a real device, you can even use the management IP address of the threat defense device. The table simply needs at least one device to induce ISE to publish the static SGT-to-IP address mappings."

Re: ISE FMC pxgrid integration

Andrii Oliinyk — Fri, 17 Mar 2023 15:21:05 GMT

Greg, pardon for being annoying around it but i really dont understand now how does it work & how it relates to PxGrid.

Does IP-SGT static mapping get populated via SXP-topic in PxGrid whilst subject mapping's consumer (PxGrid subscriber) must be declared in ISE's SXP-peer-list to make ISE as PxGrid controller aware about consumer's IP-SGT-mapping learning need?

or does it work different way?

P.S. on Technical Overview - pxGrid API - Document - Cisco Developer i've read that ISE'simplementation of "pxGrid will use port 8910 on ISE for pxGrid-related REST and Websocket communication" which seems to be owned by STOMP-speaking program module or whatever it is... is it up-to-date for ISE 3.X?

P.P.S. it's very pity CCO doesnt have documents clearly explaining this interoperation :0(