1712 Views | 0 Helpful | 3 Replies

FTD Policy with SGT

o.vidoni
Level 1

Hi,

I've created a policy in ASA (release 9.3) with SGT as source and destination, but in FTD (Firepower Threat Defense) I only find SGT as a source.
In FTD, is it possible to make a policy with both source and destination SGT?

Thanks

3 Replies

dperowne
Level 1

That is not how it works. You create the rule with SRC/DST and bind the SGT to the rule.

So the SGT "source" just means it is mapped to the defined rule. The destination, in this sense, is controlled in the rule you define, rather than the SGT itself being a destination.

I may be a day late and a dollar short on this, but I do not believe that is accurate.

On Cisco ASA, the source/destination SGT are criteria to match the rule. The SGT selected for the destination is not assigned to the traffic after matching based on the rest of the criteria as you seem to be implying. You select them the same as you would a source/destination network object.

The FTD simply doesn't have the capability to match on Destination SGT yet. The SGT selected is only applied to the source of the packet. From what I've heard, it is planned to get both source and destination in the platform at some point.
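As an added illustration (not part of any reply above, and not taken from Cisco documentation for this thread), the following ASA extended ACL shows SGTs used as ordinary match criteria in both the source and destination positions, exactly as a network object would be. The ACL name, group names and tag number are constructed for the example; the `security-group name` / `security-group tag` keywords are the ASA 9.x TrustSec ACL syntax.

```text
! ASA 9.x: SGT as a match criterion on both sides of the rule.
! Syntax: security-group {name <sg-name> | tag <sg-tag>} precedes the
! source and/or destination address argument.
!
! Constructed names: SGT-ACL, Employees, Finance-Servers, tag 20.

! Permit Employees (source SGT) to reach Finance-Servers (destination SGT) on HTTPS.
access-list SGT-ACL extended permit tcp security-group name Employees any security-group name Finance-Servers any eq 443

! Deny everything carrying source tag 20 to the finance servers, regardless of IP.
access-list SGT-ACL extended deny ip security-group tag 20 any security-group name Finance-Servers any

! Source-only match (the only form FTD currently offers): destination is an address, not a tag.
access-list SGT-ACL extended permit ip security-group name Employees any 10.10.0.0 255.255.0.0

! Catch-all so that unmatched traffic is logged and dropped.
access-list SGT-ACL extended deny ip any any log

access-group SGT-ACL in interface inside
```

The second rule is the part FTD cannot currently express: the destination SGT is evaluated against the packet's destination, not applied to it. When migrating such a policy to FTD, the destination side has to be rewritten as a network or zone condition (third rule) until destination SGT matching is available, and the resulting rule should be checked with the FTD packet trace to confirm that the source tag is the only SGT condition actually being evaluated.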

I think you're saying exactly the same thing. I said it's not the destination and is separately applied in the rule. You can also confirm this with the trace function on the FTD App. At least that's what the FTD cluster I implemented is telling me. I look forward to the added functionality you're referring to though. It would make things clearer.
