Martin_Seeger
Collaborator

Short answer: Yes & No

Long answer:

  • It generally works: we see session information appearing and can implement filters on Check Point based on SGT information.
  • We still have problems as we do not get session information about all clients. We debugged long and hard because we thought the problem to be on the Identity Collector side.
  • With the help of people at Check Point we found a tool from Cisco with which you can dump all session information into a file. As it turns out, the dump misses the same sessions as does the Check Point identity collector. That put the ball right into the field of Cisco.
  • The support case with Cisco is now open for four weeks. It took quite a while to explain what the problem is.
  • We just found out that our problem correlates with the lack of accounting information. Those sessions have no IP address in the Cisco debugs and are therefore not "publish-worthy on pxGrid".
  • Our best guess is that we have problems with the RADIUS Accounting. This is used to transmit the IP address information between the switch and the Cisco ISE.

It is quite an adventure so far. We are probably the first to implement Check Point SGT based firewalling in conjunction with Cisco DNA.

Yours, Martin
