TrustSec SGACL

dm2020
Level 1

Hi All,

I am currently lab testing TrustSec and I have a question regarding the use and configuration of SGACLs.

For basic testing I have an SGT named 'Monitoring_Servers' and an SGT named 'Clients'. I want to configure an SGACL and Policy to allow the Monitoring_Servers to access the Clients using TCP/SSH but deny all traffic from the Clients to the Monitoring_Servers.

Based on my testing, SGACLs seem to be stateless, so I need two SGACLs and two policies to achieve the above:

SGACL: ACL_Monitoring_Servers_to_Clients

permit tcp dst eq 22 log
deny ip log

SGACL: ACL_Clients_to_Monitoring_Servers

permit tcp src eq 22 log
deny ip log

Policy

1 - Monitoring_Servers to Clients -> ACL_Monitoring_Servers_to_Clients
2 - Clients to Monitoring_Servers -> ACL_Clients_to_Monitoring_Servers

Is this the correct approach to achieve what I need?
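As an added illustration (not part of the original thread), the following Python model evaluates the two stateless SGACLs and the two policy cells from the question, one packet at a time, and then checks both legs of a TCP session. It shows why both cells are needed, and it also shows a property of the stateless return rule that the thread does not discuss: because 'permit tcp src eq 22' matches on source port alone, a host in the Clients group that binds local port 22 can open a session to any TCP port on the Monitoring_Servers, and the reply is permitted by 'permit tcp dst eq 22' in the other cell. The SGT names and ACEs are those from the post; the ephemeral port 51000, a default of deny for matrix cells the post does not define, and first-match ACE evaluation are assumptions of this model, not something stated in the thread.

```python
"""Model of the two stateless SGACLs and policy cells from the post (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One packet's classification: the SGT of each end plus its L4 tuple."""
    src_sgt: str
    dst_sgt: str
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # None for protocols without ports
    dst_port: Optional[int] = None


# Each ACE is (action, protocol, src_port_eq, dst_port_eq); None means "any".
# Protocol "ip" matches every protocol, mirroring "deny ip" in the post.
SGACLS = {
    "ACL_Monitoring_Servers_to_Clients": [
        ("permit", "tcp", None, 22),    # permit tcp dst eq 22 log
        ("deny",   "ip",  None, None),  # deny ip log
    ],
    "ACL_Clients_to_Monitoring_Servers": [
        ("permit", "tcp", 22, None),    # permit tcp src eq 22 log
        ("deny",   "ip",  None, None),  # deny ip log
    ],
}

# Policy matrix cells from the post: (source SGT, destination SGT) -> SGACL name.
POLICY = {
    ("Monitoring_Servers", "Clients"): "ACL_Monitoring_Servers_to_Clients",
    ("Clients", "Monitoring_Servers"): "ACL_Clients_to_Monitoring_Servers",
}


def ace_matches(ace, flow: Flow) -> bool:
    """True when the ACE's protocol and 'eq' port qualifiers all match the packet."""
    _action, proto, src_eq, dst_eq = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if src_eq is not None and flow.src_port != src_eq:
        return False
    if dst_eq is not None and flow.dst_port != dst_eq:
        return False
    return True


def evaluate(flow: Flow) -> str:
    """Return 'permit' or 'deny' for one packet; first matching ACE wins (assumed)."""
    acl_name = POLICY.get((flow.src_sgt, flow.dst_sgt))
    if acl_name is None:
        return "deny"   # assumed matrix default for cells the post does not define
    for ace in SGACLS[acl_name]:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"       # not reached here: both SGACLs end with an explicit deny ip


def tcp_session_allowed(client_sgt: str, server_sgt: str, server_port: int,
                        client_port: int = 51000) -> bool:
    """Both legs must be permitted independently, because each SGACL is stateless."""
    forward = Flow(client_sgt, server_sgt, "tcp", client_port, server_port)
    reverse = Flow(server_sgt, client_sgt, "tcp", server_port, client_port)
    return evaluate(forward) == "permit" and evaluate(reverse) == "permit"


def demo() -> dict:
    """The cases a practitioner would check before trusting the two-cell design."""
    return {
        "Monitoring_Servers ssh -> Clients":
            tcp_session_allowed("Monitoring_Servers", "Clients", 22),
        "Clients ssh -> Monitoring_Servers":
            tcp_session_allowed("Clients", "Monitoring_Servers", 22),
        "Monitoring_Servers ping -> Clients":
            evaluate(Flow("Monitoring_Servers", "Clients", "icmp")) == "permit",
        # Stateless caveat: a Client binding source port 22 matches the return ACE,
        # and the server's reply (dst 22) matches the forward ACE in the other cell.
        "Clients sport 22 -> Monitoring_Servers:443":
            tcp_session_allowed("Clients", "Monitoring_Servers", 443, client_port=22),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'permit' if allowed else 'deny  '}  {name}")
```

The first two cases are the intended behaviour. The last case is the one to weigh: a port-only return rule is the price of a stateless SGACL, and whether that is acceptable depends on how much the Clients group is trusted not to bind privileged source ports.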

Accepted Solution

thomas
Cisco Employee

Yes, sounds correct.

Also see https://cs.co/ise-resources#Segmentation > Group Based Policy Fundamentals for background on TrustSec, which should help.
