Cisco Firepower Management Center 2000 Troubleshooting Guide

through pxGrid, providing the knowledge that user X from realm Y has logged in with SGT Z. FMC
takes this information and inserts it into the User-IP mapping file. FMC uses an algorithm to
decide when to push the acquired mapping to the sensors, depending on how much network
load is present.
Note: FMC does not push all User-IP mapping entries to sensors. For FMC to push a
mapping, it must first know the user through the Realm. If the user in the session is not
part of the Realm, sensors will not learn that user's mapping information. Support for
non-Realm users is being considered for future releases.
Firepower System Version 6.0 only supports IP-User-SGT mapping. Tags actually carried in the
traffic, or the SGT-IP mapping learned from SXP on an ASA, are not used. When the sensor picks up
incoming traffic, the Snort process takes the source IP, looks it up in the User-IP mapping (which
the Firepower module pushes to the Snort process), and finds the Security Group Tag ID. If it
matches the SGT ID (not the SGT number) configured in the access control policy, that policy rule
is applied to the traffic.
The Inline Tagging Method
Starting from ASA version 9.6.2 and ASA Firepower module 6.1, inline SGT tagging is supported.
This means the Firepower module can extract the SGT number directly from the packets without
relying on the User-IP mapping provided by FMC. This provides an alternative solution for
TrustSec-based access control when the user is not part of the Realm (for example, devices that
are not capable of 802.1X authentication).
With the inline tagging method, the sensors still rely on FMC to retrieve the SGT groups from ISE
and push the SGT database down. When traffic tagged with a Security Group number reaches the
ASA, and the ASA interface is configured to trust the incoming SGT, the tag is passed to the
Firepower module through the dataplane. The Firepower module takes the tag from the packets
and uses it directly to evaluate access control policies.
The ASA must have a proper TrustSec configuration on the interface in order to receive tagged
traffic. The interface below is configured in CTS manual mode and trusts incoming tags (the
"sgt 6" is the static tag applied to untagged ingress traffic on that interface):

interface GigabitEthernet1/1
 nameif inside
 cts manual
  policy static sgt 6 trusted
 security-level 100
 ip address 10.201.229.81 255.255.255.224
Note: Only ASA version 9.6.2 and later supports inline tagging. Earlier ASA versions do not
pass the Security Group Tag through the dataplane to the Firepower module. If a sensor
supports inline tagging, it first tries to extract the tag from the traffic. If the traffic is not
tagged, the sensor falls back to the User-IP mapping method.
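The tag-selection logic described in the two sections above (inline tag first, then the FMC-pushed User-IP mapping, with rules matching on the SGT ID rather than the SGT number) can be modelled in a few lines. The following is an added example written for this page, not Cisco code; the SGT database, the User-IP mapping, the hosts and the rules are all constructed for illustration, and the behaviour when an inline tag number is absent from the SGT database (fall back to the mapping) is an assumption the guide does not state.

```python
"""Added example, not Cisco's code: models how a Firepower sensor resolves
a Security Group Tag for a flow and matches it against an access control
policy. All data below is constructed for illustration."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed SGT database as FMC pushes it from ISE: name -> {id, number}.
# Rules reference the "id"; frames on the wire carry the "number".
SGT_DB = {
    "Employees":   {"id": 3, "number": 6},
    "Contractors": {"id": 7, "number": 5},
    "Guests":      {"id": 9, "number": 10},
}

# Constructed User-IP mapping. Only Realm users are pushed to the sensor,
# so an 802.1X-incapable device will simply not appear here.
USER_IP_MAP = {
    "10.201.229.50": {"user": "alice", "realm": "CORP", "sgt_name": "Employees"},
    "10.201.229.51": {"user": "bob",   "realm": "CORP", "sgt_name": "Contractors"},
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    inline_sgt_number: Optional[int] = None  # None: frame carried no SGT


@dataclass(frozen=True)
class Rule:
    name: str
    sgt_ids: frozenset  # matched on SGT ID, never on SGT number
    action: str


POLICY = [
    Rule("allow-employees", frozenset({SGT_DB["Employees"]["id"]}), "allow"),
    Rule("block-guests",    frozenset({SGT_DB["Guests"]["id"]}),    "block"),
]
DEFAULT_ACTION = "block"


def sgt_number_to_id(number: int) -> Optional[int]:
    """Translate the wire-level SGT number into the ID used by policy."""
    for entry in SGT_DB.values():
        if entry["number"] == number:
            return entry["id"]
    return None


def resolve_sgt_id(pkt: Packet, inline_supported: bool) -> Tuple[Optional[int], str]:
    """Return (sgt_id, method). method is 'inline', 'user-ip-mapping' or 'unknown'.

    inline_supported=False models an ASA older than 9.6.2 (or a module older
    than 6.1), which never hands the tag to the Firepower module."""
    if inline_supported and pkt.inline_sgt_number is not None:
        sgt_id = sgt_number_to_id(pkt.inline_sgt_number)
        if sgt_id is not None:
            return sgt_id, "inline"
        # Assumption: a tag number unknown to the SGT database is treated
        # like an untagged frame and we fall through to the mapping.
    mapping = USER_IP_MAP.get(pkt.src_ip)
    if mapping is not None:
        return SGT_DB[mapping["sgt_name"]]["id"], "user-ip-mapping"
    return None, "unknown"


def evaluate(pkt: Packet, inline_supported: bool = True) -> Tuple[str, str, str]:
    """Return (action, rule_name, resolution_method) for a packet."""
    sgt_id, method = resolve_sgt_id(pkt, inline_supported)
    for rule in POLICY:
        if sgt_id in rule.sgt_ids:
            return rule.action, rule.name, method
    return DEFAULT_ACTION, "default", method


if __name__ == "__main__":
    cases = [
        ("realm user, untagged",            Packet("10.201.229.50"),          True),
        ("non-realm device, inline tag 10", Packet("10.201.229.99", 10),      True),
        ("same device, pre-9.6.2 ASA",      Packet("10.201.229.99", 10),      False),
        ("non-realm device, untagged",      Packet("10.201.229.99"),          True),
        ("inline tag beats stale mapping",  Packet("10.201.229.51", 6),       True),
    ]
    for label, pkt, inline in cases:
        print(f"{label:34s} -> {evaluate(pkt, inline)}")
```

The fourth case is the one the guide warns about: a non-Realm device on a pre-inline-tagging ASA, or one whose traffic arrives untagged, resolves to no SGT at all and hits the default action, so a rule that relies on SGT membership silently does not match.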
Troubleshooting
From the Restricted Shell of a Firepower Device
To display access control policy pushed from FMC:
show access-control-config .