Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3016
Views
10
Helpful
3
Replies

pxGrid Integration between ISE and Firepower

Go to solution
Scott_22
Level 1
Level 1

‎06-04-2020 07:39 AM

We are working to implement the pxGrid integration between ISE and Firepower. If SGTs and user groups are imported from ISE and used in an ACP, what happens to that policy on the firepower device if the FMC goes down? Please provide documentation describing the result if possible. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP

‎06-04-2020 12:55 PM - edited ‎06-04-2020 12:57 PM

I could not find a document to prove this what you requested. however, I have tested this in my lab. PxGrid is configured between ISE and FMC. Once FMC learn the SXP information from the ISE PxGrid. I push my policy to FTD. Than later i power off my FMC. therefore as excepted the FTD learn its policy from the FMC therefore the policy remain intact in FTD local database. prior to power off my FMC i took a sniping tool of my result. I set a rule Employees ping to Google must be denied. and the employee SGT number is 4. 900.PNG

 

now FMC is power off if you jump/login to FTD and give command show access-control-config

901.PNG

please do not forget to rate.

View solution in original post

3 Replies 3

Go to solution
Sheraz.Salim
VIP
VIP

‎06-04-2020 12:55 PM - edited ‎06-04-2020 12:57 PM

I could not find a document to prove this what you requested. however, I have tested this in my lab. PxGrid is configured between ISE and FMC. Once FMC learn the SXP information from the ISE PxGrid. I push my policy to FTD. Than later i power off my FMC. therefore as excepted the FTD learn its policy from the FMC therefore the policy remain intact in FTD local database. prior to power off my FMC i took a sniping tool of my result. I set a rule Employees ping to Google must be denied. and the employee SGT number is 4. 900.PNG

 

now FMC is power off if you jump/login to FTD and give command show access-control-config

901.PNG

please do not forget to rate.

Go to solution
Scott_22
Level 1
Level 1
In response to Sheraz.Salim

‎06-04-2020 01:44 PM

Ah! Great. I don't think there is documentation so hopefully this will help others with the same question. The FTD does maintain policy with ISE attributes once it has been pushed, even if the FMC fails. 

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to Scott_22

‎06-04-2020 03:33 PM

Yes that correct. this is what i tested and posted my results. hope it will help you.

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card