08-25-2017 02:10 AM - edited 02-21-2020 06:14 AM
Hi,
I've created a policy on ASA (release 9.3) with SGT as source and destination, but in FTD (Firepower Threat Defense) I only find SGT as a source.
In FTD, is it possible to make a policy with both source and destination SGT?
Thanks
06-28-2018 03:34 PM
That is not how it works. You create the rule with SRC/DST and bind the SGT to the rule.
So the SGT "source" just means it is mapped to the defined rule. The destination, in this sense, is controlled in the rule you define, rather than the SGT itself being a destination.
10-24-2018 06:57 AM - edited 10-24-2018 06:58 AM
I may be a day late and a dollar short on this, but I do not believe that is accurate.
On Cisco ASA, the source/destination SGT are criteria to match the rule. The SGT selected for the destination is not assigned to the traffic after matching based on the rest of the criteria as you seem to be implying. You select them the same as you would a source/destination network object.
The FTD simply doesn't have the capability to match on Destination SGT yet. The SGT selected is only applied to the source of the packet. From what I've heard, it is planned to get both source and destination in the platform at some point.
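For reference, this is what the ASA side of the comparison looks like on the CLI: an extended ACL that matches on both a source and a destination security group tag, exactly as the post above describes (the tags are criteria, not something assigned to the traffic). This is an added example, not config from any poster; interface names, the tag values 10 and 20 and the SXP peer are assumptions for illustration, and the SXP/CTS lines only show where the IP-to-SGT mappings would come from (your environment may instead learn them from inline tagging or ISE).

```text
! Assumed: IP-to-SGT mappings learned over SXP from a switch at 10.0.0.2
cts sxp enable
cts sxp connection peer 10.0.0.2 password default mode local listener

! Source SGT 10 (e.g. "Employees") to destination SGT 20 (e.g. "Servers"), HTTPS only.
! Both "security-group tag" clauses are match criteria; the ACL assigns nothing.
access-list INSIDE_IN extended permit tcp security-group tag 10 any security-group tag 20 any eq 443
access-list INSIDE_IN extended deny ip any any log

access-group INSIDE_IN in interface inside

! Verify the mappings the ACL will match against before trusting the rule:
show cts sxp sgt-map
show cts environment-data
```

The equivalent FTD access control rule, as the thread notes, can only take the first of those two tag clauses (the source side), so a rule that needs to constrain the destination by SGT on FTD has to fall back to a destination network object or zone for that half of the match.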
10-24-2018 08:09 PM
I think you're saying exactly the same thing. I said it's not the destination and is separately applied in the rule. You can also confirm this with the trace function on the FTD App. At least that's what the FTD cluster I implemented is telling me. I look forward to the added functionality you're referring to though. It would make things clearer.