Autotransition from custom Security Group Tags to ISE Security Group Tags

An autotransition from custom Security Group Tags (SGTs) to ISE Security Group Tags is a system process that automatically adjusts rule configuration when you configure ISE/ISE-PIC as an identity source after creating rules with custom Security Group Tags.

System behavior during autotransition

If you create rules that match custom SGTs, then configure ISE or ISE-PIC as an identity source, the system will:

Disable Security Group Tag options: The system retains existing SGT objects, but you cannot modify them or add new ones.
Retain existing rules: Existing rules with custom SGT conditions remain, but they do not match traffic, and you cannot add more custom SGT conditions.

If you configure ISE, it is recommended to delete or disable existing rules with custom Security Group Tag conditions and use ISE attribute conditions to match traffic with Security Group Tag attributes.