I am a bit confused about the operation of Cisco ISE with SG Firewalls on ISR G2s. For reference, here is the latest support matrix for security group tagging (I think). http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Here are the questions:
Basically, to enable an SG Firewall on an ISR G2, you would need to turn on the zone based firewall, correct?
Next, is it possible to go into Cisco ISE and outline firewall rules that can be pushed to the router? Let's say I have 100 ISRs that I want to enable the SG Firewall on. I really do not want to touch each one more than once. I don't mind the initial ZBF setup, but the actual ZBF rules and security group definitions I would like to be pushed down from ISE. I want the rule set to be the same on all routers. When I make a change in ISE, I want it to be pushed to all of the routers. Is that even a thing? I am having trouble finding this information online.