1252 Views, 0 Helpful, 5 Replies

Details of ISE + FMC integration

mcavinat
Cisco Employee

Hello folks. One of my customers has been testing the use of SGTs coming from ISE and being delivered to FMC in order to create rules on FMC... they are only using a single ISE server running PAN, MnT, PSN and pxGrid. Since they have loved it so far, they are planning to roll it out to the whole infrastructure, so some questions come up.

 

1 > Is there any document explaining exactly how the information flows back and forth between them (including ADI)?

2 > Considering the information that ISE sends, like USER, SGT, DEVICE, where do they all come from? MnT node? pxGrid node?

3 > Considering they have a very broad ISE implementation already, with several PSNs (and, of course, 2x PAN, 2x MnT) what would be the best design scenario for FMC to talk to the specific nodes?

4 > What is the right flow for the Firepower devices to learn the tags? FMC talks to ISE and then delivers them to the devices? Or do the devices need to query FMC for all flows? -> This is really about design planning, since they have several Firepower devices and ISE nodes...

 

Overall, it would be great to find a detailed document explaining all the intrinsic relationships involved in the whole SGT (FMC+ISE) communication.

 

Thanks!

 

5 Replies

paul
Level 10

The data about the sessions should be coming from the pxGrid nodes. If you are in a large deployment you should be using dedicated pxGrid nodes. FMC also talks to the M&T node as well, but the SGT tag data should be fed from the pxGrid nodes in real time when the devices are authenticated.

mcavinat
Cisco Employee

Thanks Paul. So, thinking about a distributed scenario where you have standalone MnT and pxGrid... I believe network devices will continue to send Accounting packets to MnT, correct? Who keeps the standalone pxGrid node(s) informed about the data they must publish to their subscribers? Do they (pxGrids) keep querying MnT and PAN for information?

Look at your pxGrid screen in ISE. The Admin and M&T nodes are members of the pxGrid. The Admin and M&T nodes are publishers and subscribers. For example, the Admin node is a publisher for EndPoint Meta Data and TrustSec Meta Data and a subscriber for Grid Control Admin Service and Core. Each client that joins the grid subscribes to the data feeds they want to receive. There is no querying that I know of. Think of it as a feed service and you subscribe to the feeds you are interested in.
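As an added illustration of the feed model described in the reply above (this is constructed example code, not Cisco's or pxGrid's implementation, and the node names, the capability name "SessionDirectory", and the session records are made up), the block below models publishers that own a capability, a subscriber that registers only for the feed it needs, and the fact that the subscriber never queries: session data is pushed to it as it is published, and feeds it did not subscribe to never reach it.

```python
"""Toy model of the pxGrid publish/subscribe relationship.

Added example, not Cisco or pxGrid code. Node names, capability names
and session records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Constructed session record: the USER / SGT / DEVICE triple FMC consumes."""
    ip: str
    user: str
    sgt: str
    device: str


class Grid:
    """Broker: each capability has one publishing node; subscribers receive pushes."""

    def __init__(self):
        self._subscribers = defaultdict(list)  # capability -> callbacks
        self._publishers = {}                  # capability -> node name

    def register_publisher(self, node: str, capability: str) -> None:
        self._publishers[capability] = node

    def subscribe(self, capability: str, callback) -> None:
        self._subscribers[capability].append(callback)

    def publish(self, node: str, capability: str, payload) -> int:
        """Deliver payload to every subscriber of the capability.

        Only the registered publisher may publish; returns the number of
        subscribers that received the update (0 if nobody subscribed).
        """
        if self._publishers.get(capability) != node:
            raise PermissionError(f"{node} is not the publisher of {capability}")
        callbacks = self._subscribers[capability]
        for callback in callbacks:
            callback(payload)
        return len(callbacks)


class FmcClient:
    """Subscriber that only wants the session feed and builds an IP -> SGT map."""

    def __init__(self, grid: Grid):
        self.ip_to_sgt = {}
        self.received = []
        # FMC subscribes to the one feed it needs for SGT-based rules (assumed name).
        grid.subscribe("SessionDirectory", self.on_session)

    def on_session(self, session: Session) -> None:
        # Pushed by the grid; the client never polls MnT or PAN.
        self.received.append(session)
        self.ip_to_sgt[session.ip] = session.sgt


def run_demo() -> tuple[FmcClient, int]:
    """Wire up constructed nodes, publish a few updates, return client and
    the delivery count of a feed FMC did not subscribe to."""
    grid = Grid()
    grid.register_publisher("pan-01", "EndPointMetaData")   # Admin node feeds
    grid.register_publisher("pan-01", "TrustSecMetaData")
    grid.register_publisher("mnt-01", "SessionDirectory")   # M&T node feed

    fmc = FmcClient(grid)

    # Constructed sessions, as they would be pushed after authentication.
    grid.publish("mnt-01", "SessionDirectory",
                 Session("10.1.1.10", "alice", "Employees", "switch-A"))
    grid.publish("mnt-01", "SessionDirectory",
                 Session("10.1.1.11", "bob", "Contractors", "switch-B"))

    # FMC did not subscribe to TrustSec metadata, so nobody receives this one.
    undelivered = grid.publish("pan-01", "TrustSecMetaData",
                               {"sgt": "Employees", "value": 4})
    return fmc, undelivered


if __name__ == "__main__":
    client, count = run_demo()
    print(client.ip_to_sgt, "unsubscribed feed deliveries:", count)
```

The `PermissionError` path shows the other half of the model: a node that is not the registered publisher of a capability cannot inject updates into that feed, which is the property a subscriber such as FMC relies on when it trusts the SGT it receives.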

mcavinat
Cisco Employee

Paul, thank you again. That being the case, what are the design considerations, especially regarding latency and so on, when we need to distribute several pxGrid nodes? Does it even make sense to do so, since there will be only 1x ADM and 1x MnT that will publish information to their subscribed pxGrid? Would it make more sense to have a single pxGrid close to ADM/MnT and as close as possible to the FMC that will receive the feed?

Just put your pxGrid in the same locations as your Admin/M&T. Only one pxGrid node is active and you can't really control which one is active unless you shut one down to force the other to become the active node. I don't think it really matters honestly.
