- Introduction to the Cisco ASA FirePOWER Module
- Managing Reusable Objects
- Managing Device Configuration
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Access Control Rules: Realms and Users
- Access Control Rules: Custom Security Group Tags
- Controlling Traffic Using Intrusion and File Policies
- Intelligent Application Bypass
- Access Control Using Content Restriction
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Network Analysis and Intrusion Policies
- Using Layers in a Network Analysis or Intrusion Policy
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- AC Adaptive Profiles
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Detecting Specific Threats
- Globally Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Introduction to Identity Data
- Realms and Identity Policies
- User Identity Sources
- DNS Policies
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Viewing Events
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Using the ASA FirePOWER Dashboard
- Using ASA FirePOWER Reporting
- Scheduling Tasks
- Managing System Policies
- Configuring ASA FirePOWER Module Settings
- Licensing the ASA FirePOWER Module
- Updating ASA FirePOWER Module Software
- Monitoring the System
- Using Backup and Restore
- Generating Troubleshooting Files
- Importing and Exporting Configurations
- Viewing the Status of Long-Running Tasks
- Security, Internet Access, and Communication Ports
Access Control Rules: Custom Security Group Tags
The Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) automatically generates the SGT when a user adds a security group in TrustSec or ISE. SGA then applies the SGT attribute as packets enter the network. You can use SGTs for access control by configuring ISE as an identity source or creating custom SGT objects.
Custom SGT conditions allow you to configure access control rules based on custom SGT objects. You manually add custom SGT objects to the Firepower System, rather than obtaining SGTs via ISE.
You can only use custom SGT conditions if you disable ISE/ISE-PIC as an identity source.
The following topics describe how to use SGT conditions in access control rules:
ISE SGT v. Custom SGT Rule Conditions
You can use SGTs for access control by either configuring ISE as an identity source (ISE SGT) or creating custom SGT objects (custom SGT). The system handles ISE SGT and custom SGT rule conditions differently:
ISE SGT: ISE connection configured
You can use ISE SGTs as ISE attribute conditions in access control rules. When you choose Security Group Tag from the Available Attributes list in the SGT/ISE Attributes tab, the system populates the Available Metadata list by querying ISE for available tags. The presence or absence of an SGT attribute in a packet determines the system's response:
- If an SGT attribute is present in the packet, the system extracts that value and compares it to ISE SGT conditions in access control rules.
- If the SGT attribute is absent from the packet, the system determines whether the SGT associated with the packet’s source IP address is known in ISE and compares the SGT to the ISE SGT conditions in access control rules.
Custom SGT: No ISE connection configured
You can create custom SGT objects and use them as conditions in access control rules. When you choose Security Group Tag from the Available Attributes list in the SGT/ISE Attributes tab, the system populates the Available Metadata list with any SGT objects you have added. The presence or absence of an SGT attribute in a packet determines the system's response:
Automatic Transition from Custom SGT to ISE SGT Rule Conditions
If you create access control rules using custom SGT objects as conditions, then later configure ISE/ISE-PIC as an identity source, the system:
- Disables the Security Group Tag object option in the Object Manager. You cannot add new SGT objects, edit existing SGT objects, or add SGT objects as new conditions unless you disable the ISE/ISE-PIC connection.
- Retains existing SGT objects. You cannot modify these existing objects. You can view them only in the context of the existing access control rules that use them as conditions.
- Retains existing access control rules with custom SGT conditions. Because custom SGT objects can only be updated via manual editing, Cisco recommends that you delete or disable these rules. Instead, create rules using SGTs as ISE attribute conditions. The system automatically queries ISE to update SGT metadata for ISE attribute conditions, but you can only update custom SGT objects via manual editing.
Configuring Custom SGT Conditions
To configure a custom Security Group Tag (SGT) condition:
Step 1 In the access control rule editor, click the SGT/ISE Attributes tab.
Step 2 Choose Security Group Tag from the Available Attributes list.
Step 3 In the Available Metadata list, find and choose a custom SGT object.
If you choose , the rule matches all traffic with an SGT attribute. For example, you might choose this value if you want the rule to block traffic from hosts that are not configured for TrustSec.
Step 4 Click Add to Rule , or drag and drop.
Step 5 Save or continue editing the rule.
- Deploy configuration changes; see Deploying Configuration Changes.
Troubleshooting Custom SGT Conditions
If you notice unexpected rule behavior, consider tuning your custom SGT object configuration.
Security Group Tag objects unavailable
Custom SGT objects are only available if you do not configure ISE/ISE-PIC as an identity source. For more information, see Automatic Transition from Custom SGT to ISE SGT Rule Conditions.