Appendix G - Using Cisco ISE as the IoT Discovery Engine

You can set up an IoT discovery engine on the Check Point Security Gateway or Management Server to discover IoT assets in your network. The IoT discovery engine uses the network devices in the network, such as switches, routers, gateways, or Network Access Control (NAC) devices to discover IoT assets.

You can use Cisco Identity Services Engine (ISE) as an IoT discovery engine. It is a NAC device that:

  • Allows organizations to provide highly secure network access to users and devices.

  • Uses a proprietary WebSocket-based protocol called Platform Exchange Grid (pxGrid) to share vital contextual data with integrated solutions. For pxGrid- related REST and WebSocket communication, pxGrid uses port 8910 over TCP on Cisco ISE.

  • Subscribes to Cisco ISE's session events. With this subscription, Quantum IoT Protect is notified of any event in which a network device is authenticated by Cisco ISE. The notification includes the MAC address and IP address of the device.

This network diagram shows the setup to use Cisco ISE as the IoT discovery engine.

Note - Our integration with Cisco ISE is based on pxGrid - Platform Exchange Grid 2.0, which is officially supported starting from ISE 2.4. The procedures described in this appendix are tested on Cisco ISE versions 2.6 and 2.7.0.356, on a virtual machine.

Prerequisites

  1. Set the relevant rules in the Access Control policy to allow pxGrid traffic between the Check Point Management Server and the Cisco ISE server.

  2. Configure pxGrid services on Cisco ISE:

    1. Log in to Cisco ISE Web Management portal.

    2. Go to Administration > pxGrid Services > Settings.

    3. Select these checkboxes:

      • Automatically approve new certificate-based accounts

      • Allow password based account creation

    4. Click Save.

Setting Up Cisco ISE as the IoT Discovery Engine

To set up Cisco ISE as the IoT Discovery Engine:

  1. Issue pxGrid certificates:

    1. Log in to Cisco ISE Web Management portal.

    2. Go to Administration > pxGrid Services > Certificates.

    3. Enter these:

      1. I want to - Select Generate a single certificate (without a certificate signing request).

      2. Common name (CN) - FQDN [Host.Domain] of the pxGrid client, the subscriber of Cisco ISE server's sessions (the Management Server on which the integration is installed).

      3. Subject Alternative Name (SAN) - Select IP Address and enter the IP Address of the pxGrid client, the subscriber of the Cisco ISE server's sessions (the Management Server on which the integration is installed).

      4. Certificate Download Format - Select Certificate in Privacy Enhanced Electronic Mail (PEM) format, key in PKCS8 PEM format (including certificate chain).

      5. Certificate Password - Enter the certificate password of the pxGrid client.

      6. Click Create.

        The system creates a zip file of the certificates and downloads it to the path selected in the Windows Explorer dialog box.

    4. Extract the zip file and download the three certificate files.

      • [1] - pxGrid Server certificate - Root CA (Cisco ISE server)

      • [2] - pxGrid Client certificate (Management Server)

      • [3] - pxGrid Client Key (Management Server)

    5. To view the certificates issued by the Cisco ISE server, go to Administration > System > Certificates > Certificate Authority > Issued Certificates.

  2. Set Cisco ISE as the discovery engine in Quantum IoT Protect:

    1. Log in to Check Point Infinity Portal.

    2. In the Quantum section, go to IoT Protect > IoT > Profiles.

    3. Click and select IoT Discovery Source Profile.

    4. In the Discovery Source section, from the Discovery source type list, select Cisco ISE.

    5. In the Discovery Source Settings section:

      1. In the IP address field, enter the IP address of the Cisco ISE Server.

      2. In the FQDN field, enter the Full Qualified Domain (FQDN) of the Cisco ISE Server.

      3. In the Client FQDN field, enter the FQDN of the client connected to the Cisco ISE Server.

    6. Click Generate Installation Command.

      The Generate Installation Command window appears.

    7. In the Properties section, enter the pxGrid client certificate password.

      Note - Cisco ISE discovery engine uses pxGrid certificates issued by the Cisco ISE server. See Issue pxGrid certificates in Prerequisites.

    8. In the Command section, click Generate.

      The system generates the command to configure the Cisco ISE discovery engine on the Check Point Security Gateway / Management Server.

    9. Copy the generated command.

    10. Access your Check Point Security Gateway / Management Server through SSH, for example using PuTTY.

    11. Log in to Expert mode.

    12. Paste the generated command.

    13. If the integration is installed on a cluster gateway or Management Server with High Availability (HA) or Multi-Domain Server (MDS) with HA:

      1. Access each member through SSH and log in to Expert mode.

      2. Paste the generated command.

    14. In the Run Discovery On section, select the Management Server on which the integration should be installed.

    15. In the Gateways That Use This Service section, select the gateways relevant to your discovered assets, or select the policy-package for all gateways.

    16. Click Enforce.

  3. Copy the pxGrid certificates to your Check Point Security Gateway / Management Server:

    1. Before you copy, rename the pxGrid certificate file names as per the table below.

      File Type

      File Name

      pxGrid server certificate ( Cisco ISE)

      server-cer.pem

      pxGrid client certificate ( Management Server)

      client-cer.pem

      pxGrid client key ( Management Server)

      client-key.pem

    2. Use a file transfer application, such as WinSCP to copy the pxGrid certificate files to your Check Point Security Gateway / Management Server:

      Copy the pxGrid certificates to the following path:

      /etc/cp/conf/iot-discovery/ciscoIse/cert/${cisco_ise_integration_id}

Testing the Cisco ISE IoT Discovery Engine

  1. Access the Check Point Security Gateway / Management Server through SSH and run:

    cpnano -s

    Sample output:

  2. Make sure these nano services are running:

    1. Check Point Orchestration

    2. Check Point IoT Cisco ISE

Troubleshooting the Cisco ISEIoT Discovery Engine

  1. Access the Check Point Security Gateway / Management Server through SSH.

  2. To ensure that the network and access rules have enabled pxGrid traffic between the Security Gateway / Management Server(pxGrid client) and Cisco ISE (pxGrid) server, run:

    • ping <Cisco ISE's IP Address>

    • ping <Cisco ISE's FQDN>

    • telnet <Cisco ISE's FQDN> 8910

  3. Make sure that the certificate files are copied and named correctly:

    File Type

    File Name

    pxGrid server certificate ( Cisco ISE)

    server-cer.pem

    pxGrid client certificate ( Management Server)

    client-cer.pem

    pxGrid client key ( Management Server)

    client-key.pem

  4. If the certificate files are not copied, repeat these procedures:

    1. Create pxGrid certificate files in Cisco ISE. See Issue pxGrid certificates:.

    2. Copy pxGrid certificate files to the Management server. See Copy the pxGrid certificates to your Check Point Security Gateway / Management Server:.

  5. Check whether the log file exists:

    /etc/cp/scripts/iot/ciscoIse/cisco_ise.log