ISE/ISE-PIC configuration fields
The fields in this reference are used to configure a connection to ISE/ISE-PIC.
Connection and certificate configuration fields for ISE/ISE-PIC integration:
- Primary and Secondary Host Name/IP Address: The hostname or IP address for the primary and, optionally, the secondary pxGrid ISE servers. The ports used by the host names you specify must be reachable by both ISE and the Cloud-Delivered Firewall Management Center.
- pxGrid Server CA: The trusted certificate authority for the pxGrid framework. If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.
- MNT Server CA: The trusted certificate authority for the ISE certificate when performing bulk downloads. If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.
- pxGrid Client Certificate: The internal certificate and key that the Cloud-Delivered Firewall Management Center must provide to ISE/ISE-PIC to connect to ISE/ISE-PIC or to perform bulk downloads.
  Note: The pxGrid Client Certificate must include the clientAuth extended key usage value, or it must not include any extended key usage values.
Data filtering, subscription, and proxy configuration fields:
- ISE Network Filter: An optional filter you can set to restrict the data that ISE reports to the Cloud-Delivered Firewall Management Center. If you provide a network filter, ISE reports data from the networks within that filter. You can specify a filter in these ways:
  - Leave the field blank to specify any.
  - Enter a single IPv4 address block using CIDR notation.
  - Enter a list of IPv4 address blocks using CIDR notation, separated by commas.
- Subscribe to:
  - Session Directory Topic: Check this box to subscribe to user session information from the ISE server. Includes SGT and endpoint metadata.
  - SXP Topic: Check this box to subscribe to SXP mappings from the ISE server.
- Proxy: You can optionally choose either a managed device or a proxy sequence to communicate with ISE/ISE-PIC if Security Cloud Control is unable to do so. For example, your Security Cloud Control might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.
Note: This version of the system does not support filtering using IPv6 addresses, regardless of your ISE version.
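A pre-check for the ISE Network Filter value, added here as an example and not Cisco code: it accepts the three forms listed above (blank, one IPv4 CIDR block, a comma-separated list) and rejects IPv6 blocks. The function names are hypothetical, and rejecting entries with host bits set or a dotted netmask is an assumption of this example, not documented product behavior.

```python
import ipaddress

def parse_ise_network_filter(text):
    """Parse an ISE Network Filter value; an empty list means "any"."""
    if not text.strip():
        return []  # blank field: no restriction
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        _, _, prefix = entry.partition("/")
        if not prefix.isdigit():
            raise ValueError(f"{entry!r}: expected CIDR notation such as 10.0.0.0/8")
        try:
            # strict=True rejects host bits (10.1.2.3/16); assumption of this example
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"{entry!r}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"{entry!r}: IPv6 blocks are not supported in the filter")
        networks.append(net)
    return networks

def in_filter(address, networks):
    """True if a session address falls inside the parsed filter."""
    if not networks:
        return True
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in networks)

if __name__ == "__main__":
    # Constructed sample values, not taken from any deployment.
    nets = parse_ise_network_filter("10.0.0.0/8, 192.168.10.0/24")
    for addr in ("10.20.30.40", "192.168.11.5", "172.16.0.9"):
        print(addr, "reported" if in_filter(addr, nets) else "filtered out")
    for bad in ("2001:db8::/32", "10.1.2.3/16", "192.168.10.0"):
        try:
            parse_ise_network_filter(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running a candidate filter against a few known endpoint addresses before saving it shows which sessions would fall outside the filter and therefore not be reported.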