Martijn
MVP Silver

Security Group Tag from Cisco ISE not assigned to Access Role

Hi All,

Customer has an R82 environment with an internal cluster and would like to use Security Group Tags from Cisco ISE to create access rules.

We have configured an Identity Collector and configured Cisco ISE as the identity source. All statuses are OK.
The Identity Collector is showing log-on and log-off events from this identity source. 

Following the documentation, we have configured an Identity Tag with the identifier field as an exact match with the SGT's name and used this Identity Tag in an Access Role. We have found an article mentioning a SGT_ prefix is needed when naming the Access Role where the part after the prefix must match the SGT's name. Created an access rule with this role and pushed policy.

When running the 'pdp monitor ip x.x.x.x' command, we can see the security gateway has learned the object and the SGT is shown in the output. But the Access Role remains empty so the access rule is not hit.

Disconnecting the device from the network shows a log-off event in SmartLog and connecting the device to the network shows a log-on event in SmartLog with the correct SGT name, but without an Access Role assigned.

The configuration we have created is done by putting information from different documents and SK articles together. 

What am I missing here?

Has anyone configured this before?

Tips and tricks would be appreciated.

Regards,
Martijn

3 Replies
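The post describes two naming requirements that both have to hold before a learned SGT can populate an Access Role: the Identity Tag identifier must exactly match the SGT name, and the Access Role must be named SGT_ followed by that same name. The script below is an added, constructed checker (not Check Point or Cisco tooling) that takes the SGT names a gateway reports as learned, the Identity Tag identifiers and the Access Role names from policy, and reports for each SGT which of the two requirements fails and whether the failure is a case or whitespace near-miss rather than a missing object. The sample names, the SGT_ prefix convention (taken as the post states it) and the finding codes are all assumptions of this example.

```python
"""Constructed diagnostic for the SGT -> Identity Tag -> Access Role naming chain.

Not Check Point or Cisco code: it only compares name lists that an admin would
copy out of 'pdp monitor' output and SmartConsole, and explains mismatches.
"""
import re

# Naming convention as described in the post (assumed here): Access Role name
# must be SGT_ followed by the exact SGT name.
SGT_PREFIX = "SGT_"


def _loose(name: str) -> str:
    """Case- and whitespace-insensitive form, used only to spot near-misses."""
    return re.sub(r"\s+", "", name).lower()


def check_sgt_mapping(learned_sgts, identity_tag_identifiers, access_roles):
    """Return {sgt: [(code, detail), ...]}; an empty list means the names line up.

    Codes: TAG_MISSING, TAG_CASE, ROLE_MISSING, ROLE_CASE, ROLE_NO_PREFIX.
    """
    findings = {}
    for sgt in learned_sgts:
        issues = []

        # Requirement 1: an Identity Tag identifier exactly equal to the SGT name.
        if sgt not in identity_tag_identifiers:
            near = [i for i in identity_tag_identifiers if _loose(i) == _loose(sgt)]
            if near:
                issues.append(("TAG_CASE",
                               f"identifier {near[0]!r} differs from SGT name only by "
                               f"case/whitespace; exact match is required"))
            else:
                issues.append(("TAG_MISSING", "no Identity Tag identifier for this SGT"))

        # Requirement 2: an Access Role named SGT_<name>.
        expected_role = SGT_PREFIX + sgt
        if expected_role not in access_roles:
            near_prefixed = [r for r in access_roles if _loose(r) == _loose(expected_role)]
            near_bare = [r for r in access_roles if _loose(r) == _loose(sgt)]
            if near_prefixed:
                issues.append(("ROLE_CASE",
                               f"role {near_prefixed[0]!r} matches {expected_role!r} "
                               f"only loosely; rename to the exact form"))
            elif near_bare:
                issues.append(("ROLE_NO_PREFIX",
                               f"role {near_bare[0]!r} lacks the {SGT_PREFIX} prefix; "
                               f"expected {expected_role!r}"))
            else:
                issues.append(("ROLE_MISSING", f"no Access Role named {expected_role!r}"))

        findings[sgt] = issues
    return findings


def report(findings) -> str:
    """Render findings as a plain-text table for pasting into a ticket."""
    lines = []
    for sgt, issues in findings.items():
        if not issues:
            lines.append(f"{sgt}: OK")
        for code, detail in issues:
            lines.append(f"{sgt}: {code}: {detail}")
    return "\n".join(lines)


# Constructed sample input (not from the poster's environment).
SAMPLE_SGTS = ["Employees", "Contractors", "Guests", "Printers"]
SAMPLE_TAG_IDENTIFIERS = ["Employees", "contractors", "Guests"]
SAMPLE_ROLES = ["SGT_Employees", "sgt_contractors", "Guests", "Finance_Role"]

if __name__ == "__main__":
    print(report(check_sgt_mapping(SAMPLE_SGTS, SAMPLE_TAG_IDENTIFIERS, SAMPLE_ROLES)))
```

Run it with the names from your own environment; an SGT that shows up in 'pdp monitor ip' output but carries a ROLE_ or TAG_ finding here is one the gateway has learned but can never place into the Access Role, which matches the symptom in the post.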
Chris_Atkinson
MVP Platinum CHKP

Apply some caution here but it's worth reviewing the following as relevant to this environment:

pdp idc groups_consolidation status | enable | disabled

CCSM R77/R80/ELITE
Martijn
MVP Silver

Chris,

We also checked this one and the setting was enabled.

Martijn

Chris_Atkinson
MVP Platinum CHKP

Don't know the specifics of this environment but I've disabled it in the past for other SGT based deployments.

CCSM R77/R80/ELITE