What’s New
Release 6.5 enhances TrustSec support with the following capabilities:
- The ability to use Security Group Tags (SGTs) as destination matching criteria in access control rules (this is in addition to the existing support for source matching criteria)
- The ability to subscribe to the Security Group Tag eXchange Protocol (SXP) topic in Cisco ISE
- SGTs shown in event messages
Benefits
Prior to 6.5, SGTs were learned inline or via the ISE pxGrid session directory, which only has information from active endpoints that are authenticated via ISE. By expanding to include SXP mappings from ISE, FTD gains end-to-end visibility from a wealth of user identity, endpoint device, and network context information. Supporting SGT as both source and destination matching criteria enables you to leverage Firepower to enforce stateful access control policies that are based on context rather than on IP addresses or network objects.
How It Works
Connecting FMC to ISE
Figure 1: 6.5 ISE Configuration
Firepower registers with ISE and subscribes to the selected pxGrid topics.
Note: For configuration details for establishing a pxGrid connection, please refer to: Configure ISE and FMC pxGrid Integration
Verifying pxGrid Connectivity
Figure 2: FMC to ISE Test Button Success
Figure 3: FMC pxgrid connection success on ISE
Viewing Retrieved pxGrid Information
To view the information pulled from the session directory on FMC…
- Log into expert mode
- Type “sudo -i”
- Type “cd /var/sf/user_enforcement/”
- Type “uip_reader -f uip_log_entries.1 -l -p”
To view the information pulled from the SXP topic on FMC…
- Log into expert mode
- Type “sudo -i”
- Type “cd /var/sf/user_enforcement/”
- Type “uip_reader -f sxp_log_entries.1 -l -p -t”
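The two procedures above can be wrapped in a small script that adds the checks you want when verifying that both pxGrid topics are populated: that you are root (the log files are not readable otherwise), that each log file actually exists (an absent sxp_log_entries.1 is the first sign that the SXP subscription is not delivering mappings), and how many entries each one holds. This is an added example, not a Cisco tool or script; it assumes the directory, file names and uip_reader flags exactly as given in the steps above, and because the reader's output format is not documented here it only counts output lines rather than parsing them. UIP_DIR and UIP_READER are hypothetical overrides so the functions can be exercised outside an FMC.

```shell
#!/bin/sh
# Added example (not Cisco's own tooling): dump the pxGrid session-directory
# and SXP mapping entries stored on FMC, with basic sanity checks.
# Assumptions: paths, file names and uip_reader flags as in the procedure;
# UIP_DIR / UIP_READER are hypothetical overrides for testing off-box.
UIP_DIR="${UIP_DIR:-/var/sf/user_enforcement}"
UIP_READER="${UIP_READER:-uip_reader}"

# Print the entries of one log file via uip_reader (extra flags such as -t
# are passed through). Returns 1 if the file is missing; for
# sxp_log_entries.1 that usually means the SXP topic is not subscribed or
# ISE has not published any mappings yet.
dump_uip_log() {
    file="$1"; shift
    if [ ! -f "$UIP_DIR/$file" ]; then
        echo "missing: $UIP_DIR/$file" >&2
        return 1
    fi
    # Run from the directory, exactly as the manual procedure does.
    ( cd "$UIP_DIR" && "$UIP_READER" -f "$file" -l -p "$@" )
}

# Number of non-empty output lines for a log file; 0 when the file is absent.
count_uip_entries() {
    dump_uip_log "$@" 2>/dev/null | grep -c . || true
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (sudo -i): the log files are not world-readable" >&2
        return 1
    fi
    echo "session directory entries: $(count_uip_entries uip_log_entries.1)"
    echo "SXP mapping entries:       $(count_uip_entries sxp_log_entries.1 -t)"
}

main
```

Run it from expert mode after sudo -i; a zero count for the SXP file together with a non-zero session-directory count points at the SXP topic subscription in the ISE configuration rather than at the pxGrid connection itself.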
Create Access Control Rules with SGT Criteria
View Connection Events with SGTs