About Security Group Tags in ASA Policies

If you onboard an ASA that uses security group tags (SGT) in its access control rules, Cisco Defense Orchestrator (CDO) lets you edit the rules that reference SGT groups and manage the policies that contain those rules. However, you cannot create or edit the SGT groups themselves in the CDO GUI. To create or edit SGT groups, use the ASA's Adaptive Security Device Manager (ASDM) or the CLI interface available in CDO.

On CDO's Objects page, the details of an SGT group identify it as a non-editable, system-provided object.

CDO administrators can perform these tasks on ACLs and ASA policies that contain SGT groups:

  • Edit all aspects of ACLs except the source and destination security groups.

  • Copy a policy containing SGT groups from one ASA to another.
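The following ASA CLI fragment is an added example, not taken from this page or from Cisco's documentation, showing what the objects CDO treats as read-only look like on the device. The group names (Contractors-SGT, Quarantine-SGT), the SGT name Employees, the tag value 255 and the ACL name INSIDE_IN are hypothetical. It assumes the ASA is already integrated with Cisco ISE (AAA server group, `cts server-group`, PAC import), because the ASA can only resolve SGT names after it downloads environment data from ISE.

```text
! Added example: SGT objects and an SGT-aware ACL on the ASA CLI.
! Names and tag numbers below are hypothetical.

! Security object groups hold SGTs, either by ISE name or by numeric tag.
! CDO shows these as system-provided, non-editable objects.
object-group security Contractors-SGT
 security-group name Contractors
object-group security Quarantine-SGT
 security-group tag 255

! Extended ACL matching on source security group. The security-group and
! object-group-security clauses are what CDO will not let you change; the
! action, protocol, addresses and ports are editable in CDO.
access-list INSIDE_IN extended deny ip object-group-security Quarantine-SGT any any
access-list INSIDE_IN extended permit tcp object-group-security Contractors-SGT any any eq 443
access-list INSIDE_IN extended permit tcp security-group name Employees any any eq 22
access-list INSIDE_IN extended deny ip any any

access-group INSIDE_IN in interface inside

! Checks: confirm the SGT table was downloaded from ISE and review the groups
show cts environment-data
show running-config object-group security
show access-list INSIDE_IN
```

If `show cts environment-data` reports no environment data, rules that reference SGTs by name cannot match traffic, so verify the ISE integration before relying on these rules.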

For detailed instructions on configuring Cisco TrustSec from the command line, see the "ASA and Cisco TrustSec" chapter of CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide for your ASA release.