Using Cisco ISE as Discovery Source

You can set up an IoT discovery engine on the Check Point Security Gateway or Management Server to discover IoT assets in your network. The IoT discovery engine uses the network devices in the network, such as switches, routers, gateways, or Network Access Control (NAC) devices to discover IoT assets.

You can use Cisco Identity Services Engine (ISE) as an IoT discovery engine. It is a NAC device that:

  • Allows organizations to provide highly secure network access to users and devices.

  • Uses a proprietary WebSocket-based protocol called Platform Exchange Grid (pxGrid) to share vital contextual data with integrated solutions. For pxGrid-related REST and WebSocket communication, pxGrid uses port 8910 over TCP on Cisco ISE.

  • Publishes session events that Quantum IoT Protect subscribes to. With this subscription, Quantum IoT Protect is notified of every event in which a network device is authenticated by Cisco ISE. The notification includes the MAC address and IP address of the device.

This network diagram shows the setup to use Cisco ISE as the IoT discovery engine.

Note - Quantum IoT Protect integration with Cisco ISE is based on pxGrid - Platform Exchange Grid 2.0, which is officially supported starting from ISE 2.4. The procedures described in this document are tested on Cisco ISE versions 2.6 and 2.7.0.356, on a virtual machine.

Prerequisites

  1. Set the relevant rules in the Access Control policy to allow pxGrid traffic between the Check Point Management Server and the Cisco ISE server.
  2. Configure pxGrid services on Cisco ISE:

    1. Log in to Cisco ISE Web Management portal.

    2. Go to Administration > pxGrid Services > Settings.

    3. Select these checkboxes:

      • Automatically approve new certificate-based accounts

      • Allow password based account creation

    4. Click Save.

Setting Up Cisco ISE as the IoT Discovery Engine

To set up Cisco ISE as the IoT Discovery Engine:

Testing the Cisco ISE IoT Discovery Engine

  1. Access the Check Point Security Gateway / Management Server through SSH and run:

    cpnano -s

    Sample output:

  2. Make sure these nano services are running:

    1. Check Point Orchestration

    2. Check Point IoT Cisco ISE

Troubleshooting the Cisco ISE IoT Discovery Engine

  1. Access the Check Point Security Gateway / Management Server through SSH.

  2. To make sure that the network and access rules allow pxGrid traffic between the Security Gateway / Management Server (pxGrid client) and Cisco ISE (pxGrid server), run:

    • ping <Cisco ISE's IP Address>

    • ping <Cisco ISE's FQDN>

    • telnet <Cisco ISE's FQDN> 8910

  3. Make sure that the certificate files are copied and named correctly:

    File Type                                      File Name
    pxGrid server certificate (Cisco ISE)          server-cer.pem
    pxGrid client certificate (Management Server)  client-cer.pem
    pxGrid client key (Management Server)          client-key.pem

  4. If the certificate files are not copied, repeat these procedures:

    1. Create pxGrid certificate files in Cisco ISE. See Step 1 - Obtain pxGrid certificates.

    2. Copy pxGrid certificate files to the Management Server. See Step 3 - Copy the pxGrid certificates to your Check Point Security Gateway / Management Server.

  5. Verify that the log file exists:

    Product                               File
    Security Gateway / Management Server  /etc/cp/scripts/iot/ciscoIse/cisco_ise.log
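The troubleshooting steps above, scripted as one added example that is not Check Point's own tooling: it resolves the Cisco ISE FQDN, tests a TCP connection to the pxGrid port 8910 without an interactive telnet session, checks that the three certificate files exist under exactly the documented names and carry a PEM header, and checks for the log file. The page does not state where the certificate files are stored, so the directory and the ISE FQDN are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: scripted version of the
# troubleshooting checks, run on the Security Gateway / Management Server
# (the pxGrid client). Assumptions not stated on the page: the Cisco ISE
# FQDN and the directory holding the pem files are given as arguments.

PXGRID_PORT=8910                                   # pxGrid REST/WebSocket port on Cisco ISE
CISCO_ISE_LOG=/etc/cp/scripts/iot/ciscoIse/cisco_ise.log
CERT_FILES="server-cer.pem client-cer.pem client-key.pem"

# Succeeds when the name resolves. The FQDN is what the pxGrid server
# certificate is issued for, so a working ping to the IP address alone is not enough.
resolve_fqdn() {
    getent hosts "$1" >/dev/null 2>&1
}

# Non-interactive replacement for "telnet <fqdn> 8910": succeeds only when a
# TCP connection to the pxGrid port is accepted within 5 seconds.
check_pxgrid_port() {
    host=$1
    port=${2:-$PXGRID_PORT}
    if command -v timeout >/dev/null 2>&1; then
        timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Succeeds only when all three pxGrid files exist under $1 with exactly the
# documented names and each starts with a PEM header. A misnamed file
# (for example server-cert.pem) or a DER-encoded file is reported as a failure.
check_cert_files() {
    dir=$1
    rc=0
    for f in $CERT_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        elif ! head -n 1 "$dir/$f" | grep -q '^-----BEGIN '; then
            echo "not a PEM file: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Succeeds when the integration's log file exists and prints its last lines,
# so the most recent error from the pxGrid client is visible.
check_log_file() {
    log=${1:-$CISCO_ISE_LOG}
    [ -f "$log" ] || return 1
    tail -n 20 "$log"
}

# Usage: sh pxgrid_check.sh <Cisco ISE FQDN> <directory holding the pem files>
main() {
    fqdn=$1
    cert_dir=$2
    status=0
    resolve_fqdn "$fqdn" && echo "OK   resolve $fqdn" \
        || { echo "FAIL resolve $fqdn"; status=1; }
    check_pxgrid_port "$fqdn" && echo "OK   tcp/$PXGRID_PORT on $fqdn reachable" \
        || { echo "FAIL tcp/$PXGRID_PORT on $fqdn unreachable (check the Access Control policy)"; status=1; }
    check_cert_files "$cert_dir" && echo "OK   certificate files in $cert_dir" \
        || { echo "FAIL certificate files in $cert_dir (repeat Step 1 and Step 3)"; status=1; }
    check_log_file >/dev/null && echo "OK   log file $CISCO_ISE_LOG" \
        || { echo "FAIL log file $CISCO_ISE_LOG missing"; status=1; }
    return $status
}

# Run the checks only when invoked directly with both arguments.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Each check is a separate function so a single failing step can be re-run on its own; a FAIL on the port check with a passing resolve points at the Access Control policy from the prerequisites, while a FAIL on the certificate files points back at the copy step.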