
Showing posts from May, 2023

Firepower, SGT, SXP

Terminology:
- SGT: Security Group Tag
- SXP: SGT Exchange Protocol (runs over TCP)
- EPS: Endpoint Protection Service
- ANC: Adaptive Network Control
- TrustSec = Group-Based Policy = Adaptive Policy
- Security Group = Scalable Group
- Security Group ACL = Contracts

Lab: ISE 3.0, FMC/FTD 7.0.5

Pre-requisite: FMC pxGrid to ISE is already configured. Note that the Session Directory topic has three ISE services subscribed before the SXP topic is enabled on FMC.

Steps:
1. FMC: enable the SXP topic.
2. ISE: enable the SXP service.
3. ISE: enable SXP binding publishing on pxGrid.
4. ISE: add SXP devices. It seems that as long as something is listed here it is fine; it does not have to be a device configured for FMC.
5. ISE: create a Security Group.
6. ISE: create an Authorization rule that applies the Security Group.
7. FMC: create an ACP rule that matches the source SGT.

Verification:

ISE: the binding is shown in the SXP bindings view.

FMC: the binding learned from ISE can be read from the SXP log entries:

    root@fmc67:/var/sf/user_enforcement# uip_reader -f sxp_log_entries.1 -b
    current set of sxp bindings
    ipPrefix 172.16.1.203/32, tag 16
    *************************************

The FMC connection event shows the connection hitting Test-SG.
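The ACP rule in step 7 can only match a flow once FMC has mapped the flow's source IP to an SGT through the bindings shown by uip_reader. The script below is an added example (not part of the post and not Cisco code): it parses uip_reader-style binding lines and resolves a source address with longest-prefix match, which is what makes a /32 host binding win over an overlapping /24 subnet binding. The 172.16.1.203/32 -> tag 16 binding is the one from the post; the other bindings, the group names in SG_TAGS, and the tag numbers other than 16 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the uip_reader output in the post. Only the
# 172.16.1.203/32 -> tag 16 line comes from the post; the /24 and the IPv6
# binding are invented here to show overlapping prefixes.
SXP_LOG_SAMPLE = """\
current set of sxp bindings
ipPrefix 172.16.1.203/32, tag 16
ipPrefix 172.16.1.0/24, tag 4
ipPrefix 2001:db8:10::7/128, tag 16
*************************************
"""

# Hypothetical security-group-to-tag mapping for this example; the post only
# shows tag 16 hitting the group called Test-SG.
SG_TAGS = {"Test-SG": 16, "Employees": 4}

BINDING_RE = re.compile(r"^ipPrefix\s+([^,\s]+),\s*tag\s+(\d+)\s*$")


def parse_bindings(text):
    """Parse 'ipPrefix <prefix>, tag <sgt>' lines into (network, sgt) tuples.
    Header and separator lines are ignored."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            bindings.append((net, int(m.group(2))))
    return bindings


def lookup_sgt(bindings, ip):
    """Longest-prefix match of a flow's source address against the binding
    table: the most specific prefix wins, so a /32 host binding overrides a
    /24 subnet binding that also contains the address. None if no match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in bindings:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, sgt)
    return None if best is None else best[1]


def acp_rule_matches(bindings, src_ip, rule_groups):
    """Emulate an ACP rule whose source condition lists security groups:
    the flow matches when the SGT resolved for src_ip is one of them."""
    wanted = {SG_TAGS[g] for g in rule_groups}
    sgt = lookup_sgt(bindings, src_ip)
    return sgt is not None and sgt in wanted


if __name__ == "__main__":
    table = parse_bindings(SXP_LOG_SAMPLE)
    for ip in ("172.16.1.203", "172.16.1.50", "10.0.0.1"):
        print(ip, "-> SGT", lookup_sgt(table, ip),
              "| Test-SG rule:", acp_rule_matches(table, ip, ["Test-SG"]))
```

A host with no binding at all (10.0.0.1 above) resolves to no SGT and never matches an SGT-based rule, which is the usual cause of an ACP rule that "does not hit": check the binding table first, then the rule.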

ISE certificate

1. Default certificates of a new ISE 3.1 installation.

Certificate Services chain:

    Root CA - ISE31A >>>> Node CA - ISE31A >>>> Endpoint Sub CA >>>> ISE Messaging Service
                                                                >>>> pxGrid

ISE31B has similar system certificates and trusted certificates. Once the cluster is created, the root CA on ISE31B disappears. If this happens, we need to re-generate the Messaging Service certificate; otherwise we get "queue link error". Viewing the Messaging Service certificate on ISE31B shows that the chain is broken. To fix it:

1. Go to the ISE31A admin GUI.
2. Navigate to Administration > System > Certificate.
3. Click "Certificate Signing Requests", then click the "Generate Certificate Signing Requests (CSR)" button.
4. In Usage: Certificate(s) will be us