https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277311#M105530 <P>Hi All,<BR /><BR />Customer has a R82 environment with a internal cluster and would like to use Security Group Tags from Cisco ISE to create access rules.<BR /><BR />We have configured an Identity Collector and configured Cisco ISE as the identity source. All statuses are OK.<BR />The Identity Collector is showing log-on and log-off events from this identity source.&nbsp;<BR /><BR />Following the documentation, we have configured an Identity Tag with the identifier field as an exact match with the SGT's name and used this Identity Tag in an Access Role. We have found an article mentioning a SGT_ prefix is needed when naming the Access Role where the part after the prefix must match the SGT's name. Created an access rule with this role and pushed policy.<BR /><BR />When running the 'pdp monitor ip x.x.x.x' command, we can see the security gateway has learned the object and the SGT is shown in the output. But the Access Role remains empty so the access rule is not hit.<BR /><BR />Disconnecting the device from the network shows a log-off event in SmartLog and connecting the device to the network shows a log-on event in SmartLog with the correct SGT name, but without a Access Role assigned.<BR /><BR />The configuration we have created is done by putting information from different documents and SK articles together.&nbsp;<BR /><BR />What am I missing here?<BR /><BR />Has anyone has configured this before?<BR /><BR />Tips and tricks would be appreciated.<BR /><BR />Regards,<BR />Martijn<BR /><BR />&nbsp;</P> Fri, 22 May 2026 09:19:58 GMT Martijn 2026-05-22T09:19:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277311#M105530 <P>Hi All,<BR /><BR />Customer has a R82 environment with a internal cluster and would like to use Security Group Tags from Cisco ISE to create access rules.<BR /><BR />We have configured an Identity Collector and configured Cisco ISE as the identity source. All statuses are OK.<BR />The Identity Collector is showing log-on and log-off events from this identity source.&nbsp;<BR /><BR />Following the documentation, we have configured an Identity Tag with the identifier field as an exact match with the SGT's name and used this Identity Tag in an Access Role. We have found an article mentioning a SGT_ prefix is needed when naming the Access Role where the part after the prefix must match the SGT's name. Created an access rule with this role and pushed policy.<BR /><BR />When running the 'pdp monitor ip x.x.x.x' command, we can see the security gateway has learned the object and the SGT is shown in the output. But the Access Role remains empty so the access rule is not hit.<BR /><BR />Disconnecting the device from the network shows a log-off event in SmartLog and connecting the device to the network shows a log-on event in SmartLog with the correct SGT name, but without a Access Role assigned.<BR /><BR />The configuration we have created is done by putting information from different documents and SK articles together.&nbsp;<BR /><BR />What am I missing here?<BR /><BR />Has anyone has configured this before?<BR /><BR />Tips and tricks would be appreciated.<BR /><BR />Regards,<BR />Martijn<BR /><BR />&nbsp;</P> Fri, 22 May 2026 09:19:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277311#M105530 Martijn 2026-05-22T09:19:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277315#M105531 <P>Apply some caution here but it's worth reviewing the following as relevant to this environment:</P> <P>pdp idc groups_consolidation status | enable | disabled</P> Fri, 22 May 2026 11:31:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277315#M105531 Chris_Atkinson 2026-05-22T11:31:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277316#M105532 <P>Chris,<BR /><BR />We also checked this one and the setting was enabled.<BR /><BR />Martijn</P> Fri, 22 May 2026 11:35:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277316#M105532 Martijn 2026-05-22T11:35:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277317#M105533 <P>Don't know the specifics of this environment but I've disabled it in the past for other SGT based deployments.</P> Fri, 22 May 2026 11:43:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Group-Tag-from-Cisco-ISE-not-assigned-to-Access-Role/m-p/277317#M105533 Chris_Atkinson 2026-05-22T11:43:25Z