Create or Edit an FTD SGT Group
Prerequisites
The following must be in place before you create a security group tag (SGT) group:
- The FTD device must be running at least Version 6.5.
- You must configure the ISE identity source to subscribe to SXP mappings and enable deploy changes. To manage SXP mappings, see Configure Security Groups and SXP Publishing in ISE in the Firepower Device Manager Configuration Guide for the version you are using (Version 6.7 and later).
- All SGTs must be created in ISE. To create an SGT, see the Cisco Identity Services Engine Configuration Guide of the version you are currently running.
Create an FTD SGT Group
To create an SGT group that can be used for an access control rule, use the following procedure:
- In the CDO navigation bar on the left, click Objects.
- Click the blue plus button to create an object.
- Click FTD > Network.
- Enter an Object Name.
- (Optional) Add a description.
- Click SGT and use the drop-down menu to check all the applicable SGTs you want included in the group. You can sort the list by SGT name.
- Click Save.
Note: You cannot create or edit SGTs in CDO; you can only add or remove them from an SGT group. To create or edit an SGT, see the Cisco Identity Services Engine Configuration Guide of the version you are currently running.
Edit an FTD SGT Group
To edit an SGT group, use the following procedure:
- In the CDO navigation bar on the left, click Objects.
- Locate the SGT group you want to edit by using the object filters and search field.
- Select the SGT group and click the edit icon in the Actions pane.
- Modify the SGT group. Edit the name, description, or the SGTs associated with the group.
- Click Save.
Note: You cannot create or edit SGTs in CDO; you can only add or remove them from an SGT group. To create or edit an SGT, see the Cisco Identity Services Engine Configuration Guide of the version you are currently running.
Add an FTD SGT Group to an Access Control Rule
To add an SGT group to an access control rule, use the following procedure:
- In the CDO navigation bar on the left, click Devices & Services.
- Click the device you want to add the SGT group to. In the Management pane, select Policy.
- Click the blue plus button for either the Source or Destination objects and select SGT Groups.
- Locate the SGT group(s) you want to edit by using the object filters and search field.
- Click Save.
- Preview and Deploy Configuration Changes for All Devices.
Note: If you need to create an additional SGT group, click Create New Object. Fill in the required information mentioned in Create an FTD SGT Group and add the SGT group to the rule.
Related Articles:
- FTD Security Group Tags
- FTD Policy Configuration
- Deploy Configuration Changes from CDO to FTD
- Source and Destination Criteria in an FTD Access Control Rule