Security Group Tags in ASA Policies

If you onboard an ASA whose access control rules use security group tags inside security group object groups (hereafter "SGT groups"), Cisco Defense Orchestrator allows you to edit the rules that use those SGT groups and manage the policies that contain those rules. However, you cannot create or edit SGT groups using the CDO GUI. To create or edit SGT groups, use ASA's Adaptive Security Device Manager (ASDM) or the command line interface available in CDO.

On the CDO Objects page, the details of an SGT group identify it as a non-editable, system-provided object.

CDO administrators can perform these tasks on ACLs and ASA policies that contain SGT groups:

  • Edit all aspects of an ACL except its source and destination security groups.

  • Copy a policy containing SGT groups from one ASA to another.

For detailed instructions on configuring Cisco TrustSec using the command line interface, see the "ASA and Cisco TrustSec" chapter of the ASA CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide for your ASA release.
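As an added illustration (not from this guide or Cisco's documentation), the following ASA CLI fragment shows the constructs described above: two SGT groups and an access control rule that uses them as source and destination security groups. CDO can edit the protocol, addresses and ports of such a rule but not the security-group portions, which must be changed through ASDM or the CLI. The group names, tag values, ACL name and interface name are constructed for the example.

```text
! Security group object groups ("SGT groups"), referenced by tag number
! or by the security group name learned from ISE. Constructed names/tags.
object-group security SG_CONTRACTORS
 security-group tag 30
 security-group name Contractors
object-group security SG_FINANCE_SERVERS
 security-group tag 20

! Access control rule: object-group-security appears before the source
! and destination address arguments. In CDO, only the parts outside
! the two object-group-security references are editable.
access-list INSIDE_IN extended permit tcp object-group-security SG_CONTRACTORS any object-group-security SG_FINANCE_SERVERS any eq 443
access-list INSIDE_IN extended deny ip object-group-security SG_CONTRACTORS any object-group-security SG_FINANCE_SERVERS any log

! Apply the ACL to the constructed interface name "inside".
access-group INSIDE_IN in interface inside

! Verify the groups and the rules that reference them.
show running-config object-group security
show access-list INSIDE_IN
```

Because `security-group name` entries resolve against the security group table downloaded from ISE, a name that is not present in that environment data will not match traffic; check `show cts environment-data` when a rule using a named group does not behave as expected.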