Hello @Royi_Priov ,

thank you for the information. That is really useful. We are currently trying to setup a connection to the ISE 2.6. I think we will see the results within the next week. I will report here.

Yours, Martin

Update: Connection to the ISE 2.6 seems to be working. We get Login/Logout events and the group names are matching known SGTs. Now we will build some rules.

Yours, Martin

Hello all,

I tried to integrate R80.10 with ISE 2.6 and i wanted to know if you have already done it and what was the result, if it works for you or NOT?

i know it's not recommended by Check Point.

thanks in advance 

Hi,

we are doing it with R80.30 and Cisco ISE 2.6. It looks good (we see the IA events in the log), but we have not completed the tests. I will update this post when we are finished.

Yours, Martin

Hi @Martin_Seeger 

Any new information on r80.30 and Cisco ISE 2.6?

BR,

David

Short answer: Yes & No

Long answer:

• It generally works: we see session information appearing and can implement filter on Check Point based on SGT information.
• We still have problems as we do not get session information about all clients. We debugged long and hard because we thought the problem to be on the Identity Collector side.
• With the help of people at Check Point we found a tool from Cisco with which you can dump all session information into a file. As it turns out, the dump misses the same sessions as does the Check Point identity collector. That put the ball right into the field of Cisco.
• The support case with Cisco is now open for four weeks. It took quite a while to explain what the problem is.
• We just found out the our problem correlates with the lack of accounting information. Those session have in the Cisco debugs no IP address and are therefor not "publish-worthy on pxGrid".
• Our best guess is that we have problems with the Radius Accounting. This is used to transmit the IP address information between the switch and the Cisco ISE.

It is quite an adventure so far. We are probably the first to implement Check Point SGT based firewalling in conjunction with Cisco DNA.

Yours, Martin

I just read your message properly.
We experience a bit of the same, some clients do not show up as a session. This I've figured out is probably 99% our wireless clients, but only a very few of them, and these clients have for some reason not triggered an accounting update from the WLC. I haven't looked into this but have thought that the authentication went wrong or something. We are using Cisco WLC 5508 and 5520, tunneled (flexconnect) from inside Cisco SDA/DNA, so no vxlan to the AP.
Our SDA-switches are by default configured to send accounting via the switches default update interval, some 2days (172000s) on cat9300. We haven't concluded on any different interval to use yet.

Sure is an adventure and will be amazing when it works! Rest assured that you are not alone! We are also trying to use SGT in our rules! 🙂
I've sent you a message directly.