05-23-2022 09:48 AM - edited 05-23-2022 09:48 AM
Hi All,
I am currently lab testing TrustSec and I have a question regarding the use and configuration of SGACLs.
For basic testing I have an SGT named 'Monitoring_Servers' and an SGT named 'Clients'. I want to configure an SGACL and Policy to allow the Monitoring_Servers to access the Clients using TCP/SSH but deny all traffic from the Clients to the Monitoring_Servers.
Based on my testing SGACLs seem to be stateless, so I need two SGACLs and two policies to achieve the above.
SGACL: ACL_Monitoring_Servers_to_Clients
permit tcp dst eq 22 log
deny ip log
SGACL: ACL_Clients_to_Monitoring_Servers
permit tcp src eq 22 log
deny ip log
Policy
1 - Monitoring_Servers to Clients -> ACL_Monitoring_Servers_to_Clients
2 - Clients to Monitoring_Servers -> ACL_Clients_to_Monitoring_Servers
Is this the correct approach to achieve what I need?
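As an added illustration (not part of the original post or of any Cisco tool), the following Python model evaluates packets the way a stateless SGACL does: each packet is matched on its own against the SGACL selected by the (source SGT, destination SGT) cell, first matching entry wins, and no connection state is kept. It encodes the two SGACLs and two policy cells from the post, shows that the SSH SYN and its SYN-ACK are both permitted, shows that the return traffic is dropped if the Clients-to-Monitoring_Servers cell is given a plain deny-all instead of the mirrored rule, and shows the caveat a stateless mirror rule carries: any packet from Clients whose source port is 22 matches it, because port numbers are all the rule can see. The default action for a cell with no SGACL, the ephemeral port numbers and the ACL names other than the post's own are assumptions made for the example.

```python
# Added example: minimal stateless SGACL evaluator (not Cisco code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_sgt: str
    dst_sgt: str
    proto: str      # "tcp", "udp", ...
    src_port: int
    dst_port: int


def ace(action, proto="ip", src=None, dst=None):
    """One SGACL entry, mirroring 'permit tcp dst eq 22' / 'deny ip'.
    src/dst of None means 'any port'; proto 'ip' means any protocol."""
    return (action, proto, src, dst)


# The two SGACLs from the post (the 'log' keyword has no effect on matching).
SGACLS = {
    "ACL_Monitoring_Servers_to_Clients": [ace("permit", "tcp", dst=22), ace("deny")],
    "ACL_Clients_to_Monitoring_Servers": [ace("permit", "tcp", src=22), ace("deny")],
    "Deny_All": [ace("deny")],   # assumed name, used only for the comparison below
}

# Policy matrix from the post, keyed by (source SGT, destination SGT).
POLICY = {
    ("Monitoring_Servers", "Clients"): "ACL_Monitoring_Servers_to_Clients",
    ("Clients", "Monitoring_Servers"): "ACL_Clients_to_Monitoring_Servers",
}

# Alternative matrix: the reverse cell is a plain deny-all with no mirrored rule.
POLICY_DENY_RETURN = {
    ("Monitoring_Servers", "Clients"): "ACL_Monitoring_Servers_to_Clients",
    ("Clients", "Monitoring_Servers"): "Deny_All",
}


def ace_matches(entry, pkt):
    """True when a single ACE applies to this packet (stateless port/proto match)."""
    _, proto, src, dst = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if src is not None and src != pkt.src_port:
        return False
    if dst is not None and dst != pkt.dst_port:
        return False
    return True


def evaluate(pkt, policy=POLICY, sgacls=SGACLS, default="permit"):
    """Judge one packet on its own: pick the cell's SGACL, first matching ACE wins.
    'default' is an assumption for cells with no SGACL assigned."""
    name = policy.get((pkt.src_sgt, pkt.dst_sgt))
    if name is None:
        return default
    for entry in sgacls[name]:
        if ace_matches(entry, pkt):
            return entry[0]
    return default


def ssh_session_outcome(policy=POLICY, sgacls=SGACLS):
    """Forward SYN and return SYN-ACK of an SSH session from Monitoring_Servers to Clients.
    Ephemeral port 51000 is a constructed value."""
    syn = Packet("Monitoring_Servers", "Clients", "tcp", 51000, 22)
    syn_ack = Packet("Clients", "Monitoring_Servers", "tcp", 22, 51000)
    return evaluate(syn, policy, sgacls), evaluate(syn_ack, policy, sgacls)


def client_initiated_outcome(src_port=40000):
    """A connection started by a Client towards a Monitoring_Server's SSH port.
    With a normal ephemeral source port it is denied; with source port 22 the
    stateless mirror rule permits it, because the rule only sees port numbers."""
    pkt = Packet("Clients", "Monitoring_Servers", "tcp", src_port, 22)
    return evaluate(pkt)


if __name__ == "__main__":
    print("two mirrored SGACLs  :", ssh_session_outcome())
    print("deny-all return cell :", ssh_session_outcome(POLICY_DENY_RETURN))
    print("client-initiated     :", client_initiated_outcome())
    print("client src port 22   :", client_initiated_outcome(22))
```

The second run is the point of the post: with SGACLs evaluated statelessly, a deny-all in the reverse cell drops the SYN-ACK and the SSH session never completes, so the mirrored `permit tcp src eq 22` rule is what carries the return traffic. The last run is the trade-off that comes with it, and is why logging both cells (as the post's `log` keywords do) is useful for spotting unexpected flows that match the mirror rule.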
05-30-2022 07:56 AM
Yes, sounds correct.
Also see https://cs.co/ise-resources#Segmentation > Group Based Policy Fundamentals for background on TrustSec that should help.