Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
238
Views
2
Helpful
3
Replies

SGT as destination in firewall rule

Go to solution
Antonio Macia
Level 3
Level 3

‎07-09-2024 07:48 AM

Hi,

We are in the process of implementing SGT based rules in our FTDs. Our FMC is integrated with ISE successfully and we retrieve SGT information normally.

Packets coming from our users network are tagged so the firewall can inspect the SGT and match the corresponding fw rules using SGTs as sources and Data Center IP addresses as destination.

What about packets originated in the Data Center towards the users network that come without SGTs? Does the FTD have an SGT-to-IP mapping so we can create rules with SGTs as destination or we need to have IP based rules for this traffic?

Thanks.

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Antonio Macia

‎07-09-2024 08:03 AM - edited ‎07-09-2024 08:05 AM

@Antonio Macia static bindings would be for devices that are not authenticated by ISE, such as servers in the DC etc.

If users are authenticated by ISE (wired, wireless or VPN), then assign an SGT during authorisation and those bindings would be sent to the FMC via pxGrid.

Or create a static binding for a subnet (i.e., RAVPN network) and send that to the FMC etc.

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎07-09-2024 07:53 AM

Hi @Antonio Macia you can define static IP to SGT bindings in ISE, these are deployed to the FMC via pxGrid which sends them to the FTDs. Example: https://integratingit.wordpress.com/2020/04/24/ftd-static-ip-sgt-mapping/

 

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Rob Ingram

‎07-09-2024 08:00 AM

Hi Rob,

Thanks for your quick reply. Since our users can login from different sources (wired, WIFI and VPN) we cannot rely on any static mappings. I was thinking that FMC would act as SXP listener so everytime a device authenticates into SDA and gets the SGT, the IP-to-SGT info is sent to ISE and from here relay to FMC.

It is not like that?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Antonio Macia

‎07-09-2024 08:03 AM - edited ‎07-09-2024 08:05 AM

@Antonio Macia static bindings would be for devices that are not authenticated by ISE, such as servers in the DC etc.

If users are authenticated by ISE (wired, wireless or VPN), then assign an SGT during authorisation and those bindings would be sent to the FMC via pxGrid.

Or create a static binding for a subnet (i.e., RAVPN network) and send that to the FMC etc.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card