02-02-2022 03:18 AM - edited 02-02-2022 03:19 AM
Hello,
I have integrated SGT pxGrid with FMC and ISE in order to share SGT/IP mappings.
When I manually configure an SGT/IP mapping on ISE, this entry is not pushed automatically to FMC unless ISE is restarted.
Could someone help?
Regards
02-02-2022 04:32 AM
when i configure manually an SGT/IP Mapping on ISE, this entry is not pushed automatically to FMC unless restarting ISE
Please share the versions of ISE/FMC. Is the pxGrid client showing as ON in ISE? When you test the integration from FMC, what do the logs say (Settings -> Integration -> Identity Sources: Test)? In ISE, download and take a look at the pxGrid logs: Operations -> Troubleshoot -> Download Logs -> select the pxGrid node; the pxGrid section contains several debug logs. Those may help shed some light.
02-02-2022 02:13 PM
It's important to note that static IP/Subnet-SGT mappings are published to pxGrid subscribers via the SXP topic, so all of the SXP configuration has to be done in order for those bindings to be shared.
Please confirm that you have configured all of the necessary elements as per the following example guide:
https://integratingit.wordpress.com/2020/04/24/ftd-static-ip-sgt-mapping/
The same configuration works as expected in my lab using ISE 3.0p4 and FMC 7.0.1
03-14-2023 03:23 AM - edited 03-14-2023 03:41 AM
Hi Greg
It's a bit confusing, as previously I thought that IP-SGT mappings learned via SXP by ISE could simply be published to pxGrid for its consumers to learn those mappings without the need to additionally configure an SXP pipe between the pxGrid consumer and ISE:
Publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid. For more information about SXP bindings, see the Security Group Tag Exchange Protocol section in the Segmentation chapter of the Cisco ISE Administrators Guide.
What is the benefit of the above publishing if the admin still needs to configure SXP communication between the pxGrid consumer and ISE?
Also, a triggered drawback is that if a static IP-SGT mapping must be consumed by a pxGrid subscriber, it's mandatory to configure an SXP session between the pxGrid subscriber and the IP-SGT-mapping provider/speaker. Could you please share documents where this restriction/limitation is announced?
Thanks in advance
03-14-2023 04:46 PM
Information about how the FMC consumes SGT bindings from ISE and how to configure it can be found in the Cisco Secure Firewall Management Center Device Configuration Guide.
As stated in the guide regarding the required option Publish SXP Bindings on PxGrid:
"This option makes ISE send the SGT mappings out using SXP. You must select this option for the threat defense device to “hear” anything from listing to the SXP topic. This option must be selected for the threat defense device to get static SGT-to-IP address mapping information. It is not necessary if you simply want to use SGT tags defined in the packets, or SGTs that are assigned to a user session."
03-14-2023 11:22 PM - edited 03-15-2023 12:33 AM
Yes, I saw it. Is that statement specific to FMC/FTD, or are other ISE pxGrid consumers (like Check Point FW) required to have SXP peering with ISE as well? In other words, is having both the pxGrid consumer role and SXP peer of ISE the rule of thumb for static IP-SGT mappings to be learnt?
thanks
03-15-2023 02:43 PM
Static IP-SGT mappings are only published by ISE via the SXP Topic. For another consumer to learn these, they would need to support the ability to subscribe to the SXP Topic.
To be clear, this is not a real SXP peering. As the documentation says:
"This does not have to be a real device, you can even use the management IP address of the threat defense device. The table simply needs at least one device to induce ISE to publish the static SGT-to-IP address mappings."
03-15-2023 11:46 PM - edited 03-17-2023 08:21 AM
Greg, pardon for being annoying about it, but I really don't understand now how it works and how it relates to pxGrid.
Does the IP-SGT static mapping get populated via the SXP topic in pxGrid, whilst the subject mapping's consumer (pxGrid subscriber) must be declared in ISE's SXP peer list to make ISE, as pxGrid controller, aware of the consumer's need to learn the IP-SGT mapping?
Or does it work a different way?
P.S. In Technical Overview - pxGrid API - Document - Cisco Developer I've read that ISE's implementation of "pxGrid will use port 8910 on ISE for pxGrid-related REST and Websocket communication", which seems to be owned by a STOMP-speaking program module or whatever it is... Is that up to date for ISE 3.X?
P.P.S. It's a great pity that CCO doesn't have documents clearly explaining this interoperation :0(