The FMC leverages pxGrid to learn the context of who and what is on the network and the mapping of those devices to IP addresses (User Activity and Host Profiling on FMC). However, the FMC leverages the LDAP-based realms to learn about what users and groups exist in Active Directory for the creation of access policy.
- New connection seen by FTD using IP Address
- FTD performs a context check to find the username mapped to that IP address. This is based on the User Activity information in FMC, which is shared from ISE
- The username is verified against the ACP, which should have usernames/groups imported from the LDAP Realm
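As an added illustration (not code from the original post or from Cisco), the simplified Python model below walks through the three steps above: an IP address is resolved to a user via the ISE-sourced User Activity table, the user's groups come from the LDAP realm, and only then is an identity-based ACP rule matched. All names, IPs and rules are constructed sample data; the third host shows the failure mode where ISE reports a user the realm never imported, so no identity rule can match.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from a real ISE/FMC deployment).

# User Activity as FMC learns it from ISE over pxGrid: source IP -> username
USER_ACTIVITY = {
    "10.1.1.10": "alice",
    "10.1.1.11": "bob",
    "10.1.1.12": "contractor1",  # ISE has a session, but the LDAP realm never imported this user
}

# Users and group memberships downloaded from the LDAP realm (Active Directory)
REALM_USERS = {
    "alice": {"Engineering", "VPN-Users"},
    "bob": {"Finance"},
}


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "block"
    users: set = field(default_factory=set)      # realm usernames the rule matches
    groups: set = field(default_factory=set)     # realm groups the rule matches


# Access control policy whose identity conditions reference realm users/groups
ACP = [
    Rule("eng-to-git", "allow", groups={"Engineering"}),
    Rule("finance-erp", "allow", users={"bob"}),
]
DEFAULT_ACTION = "block"  # what applies when no identity rule matches


def resolve_connection(src_ip):
    """Model the FTD lookup: IP -> user (from ISE) -> realm groups -> first ACP match.
    Returns (user, matched_rule_name, action)."""
    user = USER_ACTIVITY.get(src_ip)
    if user is None:
        return (None, None, DEFAULT_ACTION)       # no ISE session for this IP
    groups = REALM_USERS.get(user)
    if groups is None:
        # Known to ISE but absent from the realm: identity rules cannot be evaluated
        return (user, None, DEFAULT_ACTION)
    for rule in ACP:
        if user in rule.users or groups & rule.groups:
            return (user, rule.name, rule.action)
    return (user, None, DEFAULT_ACTION)
```

When a connection unexpectedly hits the default action, compare the username ISE reports for that IP with the user list downloaded by the realm before suspecting the pxGrid link itself.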
Tip # 1
pxGrid version 2 support was introduced in FMC 6.7. Releases before 6.7 use pxGrid 1.0.
Configuration Steps
Enable pxGrid on one of the nodes in the deployment: Administration > Deployment > select the ISE node to be used for the pxGrid persona.
Verify that the pxGrid services are running:
# show application status ise | in pxGrid
pxGrid Infrastructure Service running 24062
pxGrid Publisher Subscriber Service running 24366
pxGrid Connection Manager running 24323
pxGrid Controller running 24404
From Administration > pxGrid Services, at the bottom of the page, ISE should display "Connected to pxGrid <pxGrid node FQDN>", as shown in the image.
Once the pxGrid services are all up and running, the PAN and MnT will automatically register and publish their respective topics into the grid, as shown.
Notice in the figure the way the topics are listed under the pxGrid participant, as well as the role that node plays for the topic (Pub or Sub).
From Administration > pxGrid Services > Settings > Check the box: "Automatically approve new certificate-based accounts"
Navigate to Administration > pxGrid Services > Certificates to generate the pxGrid certificate to be imported into FMC.
The generated ZIP file contains the signed certificate, the encrypted private key, and all the signing certificates in the PKI hierarchy for the issued certificate. Additionally, the signing certificates in the PKI hierarchy for the admin certificate are also included for good measure. Beginning with ISE 2.2, they should not be required, but are included in the ZIP file anyway.
Install the certs in the FMC as follows and hit Test:
**** Make sure that when you install the FMC server cert, you apply the encryption password. Otherwise the installation will fail.