14-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Configuring TrustSec Firewall Policies
Creating Security Group Objects
You can create security group object groups for use in features that support Cisco TrustSec by including
the group in an extended ACL, which in turn can be used in an access rule, for example.
When integrated with Cisco TrustSec, the ASA downloads security group information from the Cisco
Identity Services Engine (ISE). The ISE acts as an identity repository by providing the Cisco TrustSec
tag-to-user-identity mapping and the Cisco TrustSec tag-to-server-resource mapping. You provision and
manage security group access lists centrally on the ISE.
However, the ASA might have localized network resources that are not defined globally and that require
local security groups with localized security policies. Local security groups can contain nested security
groups that are downloaded from the ISE. The ASA consolidates local and central security groups.
To create local security groups on the ASA, you create a local security object group. A local security
object group can contain one or more nested security object groups, security IDs (tags), or security
group names. You can also create a new security ID or security group name that does not yet exist on
the ASA.
You can use the security object groups you create to control access to network resources. You can use
the security object group as part of an access group or service policy.
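As an added illustration that is not part of this guide, the following shows the kind of ASA 9.0(1)+ running configuration that results when a local security group object containing a nested group, a security ID (tag), and a security group name is deployed and then referenced from an extended ACL bound to an access group. The object names (ISE-App-Servers, Local-App-Servers), the group name App-Servers, the tag value 100, the ACL name Inside-In and the interface name inside are assumed for the illustration and do not come from the guide.

```cisco
! Security group object built from a group learned from the ISE (name assumed)
object-group security ISE-App-Servers
 security-group name Web-Servers
!
! Local security group object that nests the object above and adds a tag and a
! name; the tag does not have to exist on the ASA yet (values assumed)
object-group security Local-App-Servers
 group-object ISE-App-Servers
 security-group tag 100
 security-group name App-Servers
!
! Extended ACL that matches the local security group as the destination;
! the address argument (any) still follows the security group argument
access-list Inside-In extended permit tcp any object-group-security Local-App-Servers any eq 443
access-list Inside-In extended deny ip any any log
!
! Apply the ACL to an interface as an access group
access-group Inside-In in interface inside
```

The security group match only takes effect once the TrustSec policy is configured on the ASA, as noted in the tips for this object type; until then the ASA has no tag information to compare against, and a rule that relies solely on the security group will not match the traffic it is meant to control.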
Tips
Use of these objects is supported on ASA 9.0(1)+ only.
You must configure the TrustSec policy on the ASA to enable the use of these objects.
You can create security group objects when defining policies or objects that use this object type. For
more information, see Selecting Security Groups in Policies, page 14-13.
Related Topics
Selecting Security Groups in Policies, page 14-13
Creating Policy Objects, page 6-9
Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager,
page 6-4).
Step 2 Select Security Group from the Object Type selector.
Step 3 Right-click in the work area, then select New Object to open the Add Security Group dialog box.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Add and remove items in the Members in Group list to identify the users and user groups defined in the
object.
To populate the list, do any combination of the following:
In Available Security Group, select an existing object and click the Add >> button between the
lists.
In Search name/tag, select a security group from the ISE server configured in the ISE Settings
administrative options. You must configure the settings before you can select a name or tag.
To find a security group, enter a search string. Then, click Search to find matches. A name is
considered a match if the string appears anywhere within the security group name.
To add the security group, select it in the list and click the Add >> button between the lists.