04-11-2024 04:06 AM
Hi,
Please help me to get some use cases for integrating FMC with ISE to use SGTs?
04-11-2024 04:26 AM
@KayaaKashyap if you are using TrustSec SGTs you can apply Access Control rules on the FTDs using the SGTs instead of IP addresses or AD user/group, which simplifies Access Control rules. You would classify your devices and ISE assigns the SGTs to authenticated endpoints/users. The SGTs are applied dynamically via ISE, so if the user's status changes, they can automatically be assigned a different SGT and different Access Control rules would apply, all without having to change the user's IP address, reducing complexity.
04-15-2024 02:46 AM
As @Rob Ingram mentioned, we use SGTs on the FTD access rules to enforce the traffic based on the SGTs rather than the IP addresses. This comes in handy if you want to simplify the security enforcement and not condition the rules on IP addresses that could easily change if the users hop on different networks. For instance, in ISE you can create an authorization rule that will match the AD group Finance and associate a unique SGT to those sessions. The FTD will then enforce the traffic based on the Finance SGT regardless of what IP has been assigned to the users.
Another use case would be if you want to apply microsegmentation within the same subnet. For instance, say you have some people in the Finance department who can access all the finance resources, but others should be restricted to only some resources. In that case you can create two rules in ISE, each with a different AD group associated, and apply a different SGT to each one. Then in the FMC you configure multiple access rules allowing and denying the traffic based on the source SGT.
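A small model of the flow the two answers describe (ISE maps an AD group to an SGT, the FTD then matches on the SGT rather than the IP), added here as an illustration; it is not code from the thread, from Cisco ISE or from FMC, and the group names, SGT names, destination names and subnet are constructed:

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the ISE -> FTD flow from the thread: ISE classifies the
# session (AD group -> SGT) and the FTD enforces on the SGT. All names are made up.
AUTHZ_POLICY = {           # ISE authorization rules: AD group -> SGT
    "Finance-Admins": "Finance_Full",
    "Finance-Users": "Finance_Restricted",
}
DEFAULT_SGT = "Unknown"    # sessions that match no authorization rule

@dataclass(frozen=True)
class Session:
    user: str
    ad_group: str
    ip: str
    sgt: str = DEFAULT_SGT

def ise_authorize(session: Session) -> Session:
    """ISE assigns the SGT from the matching authorization rule; unmatched stays 'Unknown'."""
    return replace(session, sgt=AUTHZ_POLICY.get(session.ad_group, DEFAULT_SGT))

# FMC access rules evaluated top-down on (source SGT, destination); no IP in the match.
SGT_RULES = [
    ("Finance_Full", "finance_db", "allow"),
    ("Finance_Full", "finance_reports", "allow"),
    ("Finance_Restricted", "finance_reports", "allow"),
    ("Finance_Restricted", "finance_db", "deny"),
]

def ftd_decide(session: Session, dest: str) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for sgt, rule_dest, action in SGT_RULES:
        if sgt == session.sgt and rule_dest == dest:
            return action
    return "deny"

# The same intent expressed the IP way: one subnet rule, which cannot tell two
# users on the same subnet apart (the microsegmentation case in the second answer).
IP_RULES = [(ip_network("10.1.1.0/24"), "finance_db", "allow")]

def ip_decide(session: Session, dest: str) -> str:
    for net, rule_dest, action in IP_RULES:
        if ip_address(session.ip) in net and rule_dest == dest:
            return action
    return "deny"

def evaluate(user: str, ad_group: str, ip: str, dest: str) -> str:
    """End-to-end: ISE tags the session, the FTD decides on the tag."""
    return ftd_decide(ise_authorize(Session(user, ad_group, ip)), dest)
```

Running `evaluate` for two Finance users on the same subnet shows the SGT rules separating them while the IP rule cannot, and moving a user to another subnet leaves the SGT decision unchanged.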