
Group-Based Policy Enforcement with Firepower 6.5


What’s New

Release 6.5 enhances TrustSec support with the following capabilities:

  • The ability to use Security Group Tags (SGTs) as destination matching criteria in access control rules (this is in addition to the existing support for source matching criteria)

  • The ability to subscribe to the Security Group Tag eXchange Protocol (SXP) topic in Cisco ISE

  • SGTs shown in event messages

 

Benefits

Prior to 6.5, SGTs were learned either inline or via the ISE pxGrid session directory, which only has information about active endpoints that are authenticated via ISE. By expanding to include SXP mappings from ISE, FTD gains end-to-end visibility drawn from a wealth of user identity, endpoint device, and network context information. By supporting SGTs as both source and destination matching criteria, Firepower can now enforce stateful access control policies based on context rather than on IP addresses or network objects.

 

How It Works

Connecting FMC to ISE

Figure 1: 6.5 ISE Configuration

 

Firepower registers with ISE and subscribes to the selected pxGrid topics.

 

Note: For configuration details on establishing a pxGrid connection, please refer to: Configure ISE and FMC pxGrid Integration

Verifying pxGrid Connectivity

Figure 2: FMC to ISE Test Button Success

Figure 3: FMC pxGrid connection success on ISE

 

Viewing Retrieved pxGrid Information

To view the information pulled from the pxGrid session directory on the FMC:

  1. Log into expert mode
  2. Type “sudo -i”
  3. Type “cd /var/sf/user_enforcement/”
  4. Type “uip_reader -f uip_log_entries.1 -l -p”

To view the information pulled from the SXP topic on the FMC:

  1. Log into expert mode
  2. Type “sudo -i”
  3. Type “cd /var/sf/user_enforcement/”
  4. Type “uip_reader -f sxp_log_entries.1 -l -p -t”

 

Create Access Control Rules with SGT Criteria

[Screenshot: Rule.png]

View Connection Events with SGTs

[Screenshot: event.png]