Cisco Defense Orchestrator

Create or Edit an FTD SGT Group

Prerequisites

The following must be in place before you create a security group tag (SGT) group:

  • The FTD device must be running at least Version 6.5.
  • You must configure the ISE identity source to subscribe to SXP mappings and enable deploy changes. To manage SXP mappings, see Configure Security Groups and SXP Publishing in ISE in the Firepower Device Manager Configuration Guide for the version you're using (Version 6.7 and later).
  • All SGTs must be created in ISE. To create an SGT, see the Cisco Identity Services Engine Configuration Guide for the version you are currently running.

Create an FTD SGT Group

To create an SGT group that can be used for an access control rule, use the following procedure:

  1. In the CDO navigation bar on the left, click Objects.
  2. Click the blue plus button to create an object.
  3. Click FTD > Network.
  4. Enter an Object Name.
  5. (Optional) Add a description.
  6. Click SGT and use the drop-down menu to check all the applicable SGTs you want included in the group. You can sort the list by SGT name.
  7. Click Save.

Note: You cannot create or edit SGTs in CDO; you can only add them to or remove them from an SGT group. To create or edit an SGT, see the Cisco Identity Services Engine Configuration Guide for the version you are currently running.

Edit an FTD SGT Group

To edit an SGT group, use the following procedure:

  1. In the CDO navigation bar on the left, click Objects.
  2. Click the blue plus button to create an object.
  3. Locate the SGT group you want to edit by using the object filters and search field.
  4. Select the SGT group and click the edit icon in the Actions pane.
  5. Modify the SGT group. Edit the name, description, or the SGTs associated with the group.
  6. Click Save.

Note: You cannot create or edit SGTs in CDO; you can only add them to or remove them from an SGT group. To create or edit an SGT, see the Cisco Identity Services Engine Configuration Guide for the version you are currently running.

Add an FTD SGT Group to an Access Control Rule

To add an SGT group to an access control rule, use the following procedure:

  1. In the CDO navigation bar on the left, click Devices & Services.
  2. Click the device you want to add the SGT group to. In the Management pane, select Policy.
  3. Click the blue plus button for either the Source or Destination objects and select SGT Groups.
  4. Locate the SGT group(s) you want to edit by using the object filters and search field.
  5. Click Save.
  6. Preview and Deploy Configuration Changes for All Devices.

Note: If you need to create an additional SGT group, click Create New Object. Fill in the required information described in Create an FTD SGT Group, and then add the SGT group to the rule.

 
