Group-Based Policy Enforcement with Firepower 6.5


What’s New

Release 6.5 enhances TrustSec support with the following capabilities:

  • The ability to use Security Group Tags (SGTs) as destination matching criteria in access control rules (this is in addition to the existing support for source matching criteria)

  • The ability to subscribe to the Security Group Tag eXchange Protocol (SXP) topic in Cisco ISE

  • SGTs shown in event messages



Prior to 6.5, SGTs were learned either inline or via the ISE pxGrid session directory, which only holds information about active endpoints that have authenticated through ISE. By expanding to include SXP mappings from ISE, FTD gains end-to-end visibility drawn from a wealth of user identity, endpoint device, and network context information. With SGT supported as both source and destination matching criteria, you can now use Firepower to enforce stateful access control policies based on context rather than on IP addresses or network objects.
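As an added illustration (not Cisco's code, and not how FTD implements it internally), the following Python model shows how a rule with source and destination SGT criteria is evaluated once IP-to-SGT mappings from the two sources above, session-directory host bindings and SXP bindings, are available. The mapping data, SGT and rule names, and the lookup order (host entry before longest-prefix SXP match) are assumptions made for the example.

```python
# Added illustration (not Cisco code): a minimal model of how an access control
# rule that matches on source and destination Security Group Tags (SGTs) is
# evaluated against IP-to-SGT mappings from the pxGrid session directory and
# from the SXP topic. All data below is constructed for the example.
import ipaddress

# Constructed sample data: session-directory entries are host IPs with an SGT
# learned from active ISE-authenticated endpoints; SXP entries are IP/subnet
# bindings as published to the ISE SXP topic.
SESSION_DIRECTORY = {
    "10.1.1.25": "Employees",
    "10.1.1.26": "Contractors",
}
SXP_MAPPINGS = {
    "10.20.0.0/16": "Production_Servers",
    "10.30.5.0/24": "Dev_Servers",
}

# Constructed rules: (name, source SGT or None, destination SGT or None, action).
# None means "any" for that criterion; rules are evaluated top to bottom.
RULES = [
    ("Allow-Employees-To-Prod", "Employees", "Production_Servers", "ALLOW"),
    ("Block-Contractors-To-Prod", "Contractors", "Production_Servers", "BLOCK"),
    ("Allow-Any-To-Dev", None, "Dev_Servers", "ALLOW"),
]

def resolve_sgt(ip):
    """Resolve an IP to an SGT: exact session-directory hit first, otherwise the
    longest-prefix SXP binding (an assumed ordering for this model). Returns
    None when the address is unknown to both sources."""
    if ip in SESSION_DIRECTORY:
        return SESSION_DIRECTORY[ip]
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in SXP_MAPPINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else None

def evaluate(src_ip, dst_ip, default="BLOCK"):
    """Return (rule name, action) for the first rule whose SGT criteria match,
    or the default action when no rule matches (e.g. an unmapped address)."""
    src_sgt, dst_sgt = resolve_sgt(src_ip), resolve_sgt(dst_ip)
    for name, rule_src, rule_dst, action in RULES:
        if rule_src not in (None, src_sgt):
            continue
        if rule_dst not in (None, dst_sgt):
            continue
        return name, action
    return "default", default
```

Note that an address absent from both mapping sources resolves to no SGT and falls through to the default action, which is why mapping coverage (session directory plus SXP) matters for SGT-based enforcement.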


How It Works

Connecting FMC to ISE

Figure 1: 6.5 ISE Configuration on FMC


Firepower registers with ISE and subscribes to the selected pxGrid topics.


Note: For configuration details on establishing a pxGrid connection, refer to: Configure ISE and FMC pxGrid Integration

Verifying pxGrid Connectivity

Figure 2: FMC to ISE Test Button Success
Figure 3: FMC pxGrid connection success on ISE


Viewing Retrieved pxGrid Information

To view the information pulled from the session directory on FMC:

  1. Log into expert mode
  2. Type “sudo -i”
  3. Type “cd /var/sf/user_enforcement/”
  4. Type “uip_reader -f uip_log_entries.1 -l -p”

To view the information pulled from the SXP topic on FMC:

  1. Log into expert mode
  2. Type “sudo -i”
  3. Type “cd /var/sf/user_enforcement/”
  4. Type “uip_reader -f sxp_log_entries.1 -l -p -t”


Create Access Control Rules with SGT Criteria


View Connection Events with SGTs