CloudGuard Controller for Cisco Identity Services Engine (ISE)

The CloudGuard Controller integrates Cisco ISE with Check Point security. It allows the use of TrustSec Security Groups in the Security Policy according to the static IP-to-SGT mappings in ISE. The ISE server is represented as the Data Center server in Check Point. It connects to the ISE administration nodes and automatically retrieves object data. For redundancy, it is possible to provide both primary and secondary ISE administration nodes.

The ISE External RESTful Services (ERS) API enables communication with ISE.

Prerequisites

  • Cisco ISE version 3.2

  • An ISE administrator with the ERS-Operator or ERS-Admin group assignment

  • ERS enabled on the ISE administration nodes

Connecting to a Cisco ISE Data Center with SmartConsole

  1. In SmartConsole, create a new Data Center object in one of these ways:

       • In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco ISE.

       • In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco ISE.

  2. In the Enter Object Name field, enter a name.

  3. In the Hostname(s) field, enter the IP address or hostname of the ISE administration node(s).

  4. In the Username field, enter the ISE administrator username.

  5. In the Password field, enter the ISE administrator password.

  6. Click Test Connection.

  7. Click OK.

  8. Publish the SmartConsole session.

  9. Install the Access Control Policy on the Security Gateway object.

Connecting to a Cisco ISE Data Center Server with Management API

In the Management API Reference, click "see arguments per Data Center Server type" and select Cisco ISE.

Connecting to a Cisco ISE Data Center Server with Terraform

See checkpoint_management_ise_data_center_server.

Cisco ISE Objects and Properties

Cisco ISE Imported Objects

Object: Security Groups

Description: Groups of users, endpoints, and resources that share Access Control policies. You define the Security Groups in Cisco ISE.

Automatic Failover

If communication with the provided ISE administration nodes fails, CloudGuard Controller enters a recovery mode. In recovery mode, it automatically attempts to re-establish the connection with the administration nodes. Connection attempts follow the order in which the nodes were entered.

Important - Make sure that the secondary node is correctly synchronized with the primary node. If not, the IP-to-SGT data may not be up to date.

Limitations

  • Filtering IP-to-SGT mappings by Security Gateway name uses a wildcard ('SG_NAME') search, so incorrect IPs may be returned if two Security Gateways have overlapping names (one name is contained in the other).
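The following added example (not Check Point or Cisco code) illustrates the limitation above: a substring match on the gateway name also picks up mappings deployed to a gateway whose name contains the searched name, and a simple check finds such overlapping names before they cause wrong IPs. The mapping records and their key names (hostIp, sgt, deployTo) are constructed sample data in a simplified shape, not the ISE ERS schema.

```python
"""Added example, not Check Point or Cisco code. It shows why a wildcard
(substring) search on the Security Gateway name can return IP-to-SGT
mappings that belong to a different gateway, and checks a set of gateway
names for the overlap the Limitations section warns about."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample data in a simplified shape. The key names (hostIp, sgt,
# deployTo) are assumptions for this example, not the ISE ERS schema.
SAMPLE_MAPPINGS: List[Dict[str, str]] = [
    {"hostIp": "10.1.1.10", "sgt": "Employees", "deployTo": "CP-GW-1"},
    {"hostIp": "10.1.1.11", "sgt": "Contractors", "deployTo": "CP-GW-1"},
    {"hostIp": "10.2.2.20", "sgt": "Servers", "deployTo": "CP-GW-10"},
    {"hostIp": "10.3.3.30", "sgt": "Guests", "deployTo": "CP-GW-2"},
]


def mappings_for_gateway(mappings: List[Dict[str, str]], gateway_name: str,
                         exact: bool = False) -> List[Dict[str, str]]:
    """Return the mappings deployed to gateway_name.

    exact=False mimics the wildcard search ('*CP-GW-1*' also matches
    CP-GW-10); exact=True keeps only records whose deployTo equals the name.
    """
    if exact:
        return [m for m in mappings if m["deployTo"] == gateway_name]
    return [m for m in mappings if gateway_name in m["deployTo"]]


def overlapping_gateway_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (shorter, longer) pairs where one gateway name is contained in
    another. Every pair reported here can return wrong IPs under a wildcard
    search, so rename one gateway or filter with an exact match."""
    unique = sorted(set(names), key=len)
    pairs = []
    for i, shorter in enumerate(unique):
        for longer in unique[i + 1:]:
            if shorter in longer:
                pairs.append((shorter, longer))
    return pairs


if __name__ == "__main__":
    wild = mappings_for_gateway(SAMPLE_MAPPINGS, "CP-GW-1")
    strict = mappings_for_gateway(SAMPLE_MAPPINGS, "CP-GW-1", exact=True)
    print("wildcard:", sorted(m["hostIp"] for m in wild))    # includes 10.2.2.20 (CP-GW-10)
    print("exact:   ", sorted(m["hostIp"] for m in strict))  # only the CP-GW-1 hosts
    print("overlaps:", overlapping_gateway_names(m["deployTo"] for m in SAMPLE_MAPPINGS))
```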