11-25-2021 03:35 AM
Hi
I have a third-party firewall (Checkpoint) and I am trying to get my Security Groups to the firewall.
The firewall can access the ISE, and I see all my Security Groups, but when accessing an SGT there are no IPs in it.
Is there an easy way to make sure that I set up my ISE correctly for this to work?
Maybe I am missing something? That is my feeling, that I missed something in the creation of the SGT or the ISE API.
11-28-2021 07:11 PM - edited 11-28-2021 07:17 PM
As the Checkpoint document states... "It allows the use of TrustSec security groups in the security policy according to the static IP-to-SGT mappings in ISE"
These are specifically the admin-created mappings found on the Work Centers > TrustSec > Components > IP SGT Static Mapping page. This is the same info returned by the '/ers/config/sgmapping' REST API call.
Dynamic IP-SGT bindings for endpoint sessions are stored in the Session Database and published by the pxGrid Session Directory topic. There is no single ERS API call that allows you to extract all dynamic IP-SGT bindings from ISE. This is where the pxGrid integration would be used to allow the Checkpoint Identity Collector to learn these mappings as they are created/updated.
If the Checkpoint ID Collector is integrated correctly via pxGrid, but is not learning the IP-SGT bindings via the pxGrid topic(s), you might need to open a TAC case to investigate further.
11-25-2021 06:28 AM
I was looking at this, and it contains "IP", e.g., but I can't get it out of the ISE.
https://developer.cisco.com/docs/identity-services-engine/v1/#!sgmapping
Also I have around 3000 devices connected, but only 25 devices in
Work Centers -> TrustSec -> Dashboard
11-25-2021 08:33 PM
I'm not sure I understand what you are trying to do using the REST API. Checkpoint supports direct integration with ISE via pxGrid to allow ISE to share Scalable Groups and IP-SGT bindings that Checkpoint can then use in firewall policies.
11-25-2021 10:44 PM
Yeah, I have been looking at this also, and tried it also.
And I always get no hits; it's like the ISE SGTs are empty both via pxGrid and/or the API.
Even when I curl this:
https://developer.cisco.com/docs/identity-services-engine/v1/#!sgmapping
It even says it should contain the IPs of the hosts.
11-25-2021 11:12 PM
So this is the one I am trying to get to work with the API.
11-29-2021 11:07 PM
Thank you Greg for clearing this up for me!
So for dynamic, only the collector will work!
11-30-2021 02:55 PM
Copied from private message so that others with similar questions may learn as well...
Question from @Niklas.D:
So as I said before, I tried to use the collector also!
And we did get a lot of info, but could not get the IP into Checkpoint.
Is there a way to see what is in the pxGrid database? To confirm that it is working.
Response:
The session database is quite dynamic, so you would need to confirm if Checkpoint provides a way to list out all of the known (static and dynamic) IP-SGT bindings learned via pxGrid.
There is no way from the ISE GUI to list the sessions in the pxgrid Session topic, however, you can leverage the pxGrid API to pull this information directly. See the information on Cisco DevNet related to the pxGrid API.
One of my colleagues also built a python library that leverages the pxGrid API that is useful for this kind of testing. You can find his GitHub page here.
Example output from the 'session all' command using this client tool:
{ "sessions": [ { "timestamp": "2021-12-01T09:29:44.438+11:00", "state": "STARTED", "userName": "grzwin10pc1.domain.local", "callingStationId": "00:50:56:8D:C9:44", "calledStationId": "00:56:2B:80:C0:86", "auditSessionId": "C0A8642300000044EDAB61E1", "ipAddresses": [ "192.168.140.102" ], "macAddress": "00:50:56:8D:C9:44", "nasIpAddress": "192.168.120.35", "nasPortId": "GigabitEthernet0/6", "nasPortType": "Ethernet", "endpointProfile": "Windows10-Workstation", "endpointOperatingSystem": "Windows 10 Pro", "ctsSecurityGroup": "Employees",
...
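As an added example (not part of the original thread or the client tool mentioned above), the script below takes a Session Directory dump in the same shape as the 'session all' output and answers the question asked here: which IP-SGT bindings are actually active, and which active sessions carry no SGT at all (those endpoints can never appear under a Security Group on the firewall). The sample dump is constructed; names, MACs and addresses are made up.

```python
# Added example: summarise IP-SGT bindings from a pxGrid Session Directory
# dump whose records follow the 'session all' output shape shown above.
import json
from collections import defaultdict

# Constructed sample dump (shape from the pxGrid session output above;
# names, MACs and addresses are made up for this example).
SAMPLE_DUMP = json.dumps({"sessions": [
    {"state": "STARTED", "userName": "grzwin10pc1.domain.local",
     "ipAddresses": ["192.168.140.102"], "macAddress": "00:50:56:8D:C9:44",
     "ctsSecurityGroup": "Employees"},
    {"state": "STARTED", "userName": "printer-01",
     "ipAddresses": ["192.168.140.50"], "macAddress": "00:11:22:33:44:55",
     "ctsSecurityGroup": "Printers"},
    # Dual-stack host: every address in the session binds to the SGT.
    {"state": "STARTED", "userName": "dualstack.domain.local",
     "ipAddresses": ["192.168.140.77", "2001:db8::77"],
     "macAddress": "00:11:22:33:44:66", "ctsSecurityGroup": "Employees"},
    # Authenticated, but the authorization profile assigned no SGT.
    {"state": "STARTED", "userName": "contractor.domain.local",
     "ipAddresses": ["192.168.140.90"], "macAddress": "00:11:22:33:44:77"},
    # Disconnected session: its binding is no longer active.
    {"state": "DISCONNECTED", "userName": "old-session",
     "ipAddresses": ["192.168.140.10"], "macAddress": "00:11:22:33:44:88",
     "ctsSecurityGroup": "Employees"},
]})

def ip_sgt_bindings(dump: str) -> dict[str, set[str]]:
    """Return {sgt_name: {ip, ...}} built from STARTED sessions only."""
    bindings: dict[str, set[str]] = defaultdict(set)
    for s in json.loads(dump).get("sessions", []):
        sgt = s.get("ctsSecurityGroup")
        if s.get("state") != "STARTED" or not sgt:
            continue
        bindings[sgt].update(s.get("ipAddresses", []))
    return dict(bindings)

def sessions_without_sgt(dump: str) -> list[str]:
    """Active sessions with an IP but no SGT: invisible to SGT-based policy."""
    return [s.get("userName") or s.get("macAddress", "?")
            for s in json.loads(dump).get("sessions", [])
            if s.get("state") == "STARTED" and s.get("ipAddresses")
            and not s.get("ctsSecurityGroup")]

if __name__ == "__main__":
    for sgt, ips in sorted(ip_sgt_bindings(SAMPLE_DUMP).items()):
        print(f"{sgt}: {', '.join(sorted(ips))}")
    print("active sessions without SGT:", sessions_without_sgt(SAMPLE_DUMP))
```

If an SGT shows up empty on the firewall while the bindings table above lists addresses for it, the gap is on the pxGrid consumer side; if the sessions land in the "without SGT" list instead, the ISE authorization policy is not assigning the group.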