TrustSec Pre-Requisite / Checklist

Hi, with the new version of ISE 2.4, I would like to ask the community if you have any docs for TrustSec Pre-Requisite / Checklist. I would like to know how TrustSec would fit in a network with no ASA; I have only Palo as my FW. Would I still be able to implement Cisco TrustSec even without ASA? I currently have ISE in my network doing the guest and BYOD wireless auth. Just thought somebody might be in my same situation.

Thanks!

Accepted Solutions

Marvin Rhoads
Hall of Fame

Without a TrustSec-capable device (such as an ASA firewall) at the boundary of your network (or TrustSec domain), you won't be able to fully segment your network as easily using TrustSec SGTs.

You can use them internally and then apply some less capable (but possibly adequate) policies at your Palo Alto Networks edge firewall. It's easiest to do that if your SGT-protected resources correspond to well-defined subnets. That way you can protect them with L3 ACLs on the edge and SGTs internally.

2 Replies

That's very helpful to know and thanks heaps! I am gazing through our network landscape and it's good to know those unknown areas. I'm looking at other options such as ACI for network segmentation.