Implementing Cisco Security Group Tag as Policy Matching Criteria on Fortigate
Introduction
The ability to read Cisco Security Group Tags (SGT) in Ethernet frames and utilize them as policy matching criteria offers enhanced flexibility and security management on FortiGate devices. This article will guide you through configuring FortiGate to recognize Cisco SGTs, allowing more refined control over network traffic.
Why Use Cisco Security Group Tags?
Cisco Security Group Tags provide a way to classify users and devices within a network using identifiers. When used as firewall policy matching criteria, SGTs enhance the granularity of traffic filtering, allowing for fine-tuned, identity-based security controls.
Configuring FortiGate to Use Cisco Security Group Tags
This section provides detailed instructions on how to configure FortiGate to utilize SGTs:
- Read SGTs in Ethernet Frames: FortiGate can detect and use Cisco SGTs as matching criteria within firewall policies.
- Applicable Scenarios: This functionality is available for policies in flow mode, virtual wire pair policies, or policies in transparent mode VDOMs.
Steps to Configure Firewall Policies for SGT
Follow these commands to configure firewall policies to recognize and match SGTs:
config firewall policy
    edit 1
        set sgt-check {enable | disable}
        set sgt <ID numbers>
    next
end
Examples
Let's explore different configurations using examples:
- Example 1: Match an SGT with a specific ID. Match frames carrying an SGT with ID 20:
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
        set sgt 20
    next
end
- Example 2: Match an SGT with any ID. Pass frames containing any SGT (sgt-check is enabled, but no sgt IDs are set):
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
    next
end
- Example 3: Match an SGT with multiple specific IDs. Allow frames with SGT ID 20 or 21:
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set sgt-check enable
        set sgt 20 21
    next
end
Verification of Configuration
After configuring the policies, verify the sessions:
Run diagnose sys session list to list active sessions and confirm that the matching session entry shows ext_header_type=0xc5:0xc5; that flag indicates FortiGate recognized the SGT in the frame.
Handling Ethernet and VLAN Tags
FortiGate can handle Ethernet frames tagged with both a Cisco SGT and a VLAN ID, so the two tags can be combined in policy handling. An example scenario involves a frame from PC02, tagged with SGT ID 20 and VLAN ID 2, passing through the firewall.
Use Wireshark or a similar tool on the destination machine (PC05 in this scenario) to capture the frame and verify that both the VLAN and SGT fields are present.
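To make the three policy examples above and the combined SGT/VLAN scenario concrete, here is an added Python example (not Fortinet code, and not taken from the page) that decodes the SGT and 802.1Q VLAN ID from a raw Ethernet frame and then applies the same matching rules the sgt-check / sgt settings express: check disabled means the tag is ignored, check enabled with no IDs means any SGT, check enabled with IDs means one of those IDs. The on-wire layout it assumes is the Cisco MetaData (CMD) header as Wireshark dissects it: EtherType 0x8909, a one-byte version, a one-byte length, a two-byte option type (0x0001 for SGT), the 16-bit SGT value, and then the encapsulated EtherType; the VLAN ID is the low 12 bits of the 802.1Q TCI. The frames, MAC addresses and helper names (build_frame, parse_frame, policy_matches) are constructed for this example.

```python
"""Decode Cisco SGT (CMD) and 802.1Q tags from a frame and evaluate them
the way FortiGate's sgt-check / sgt policy settings would.

Added example. CMD layout is assumed from Wireshark's dissector, not from
the page: EtherType 0x8909, version(1), length(1), option(2), SGT(2), then
the inner EtherType(2).
"""
import struct

ETHERTYPE_8021Q = 0x8100   # IEEE 802.1Q VLAN tag
ETHERTYPE_CMD = 0x8909     # Cisco MetaData header carrying the SGT
CMD_OPTION_SGT = 0x0001    # CMD option type for a Security Group Tag


def parse_frame(frame: bytes) -> dict:
    """Walk the EtherType chain after the MAC addresses.

    802.1Q and CMD headers may appear in either order, so keep consuming
    tag headers until a payload EtherType (e.g. 0x0800 for IPv4) is reached.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "sgt": None, "ethertype": None}
    off = 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype == ETHERTYPE_8021Q:
            (tci,) = struct.unpack_from("!H", frame, off)
            info["vlan"] = tci & 0x0FFF        # low 12 bits of TCI = VLAN ID
            off += 2
        elif etype == ETHERTYPE_CMD:
            version, length, opt, sgt = struct.unpack_from("!BBHH", frame, off)
            if opt != CMD_OPTION_SGT:
                raise ValueError(f"unsupported CMD option 0x{opt:04x}")
            info["sgt"] = sgt
            off += 6
        else:
            info["ethertype"] = etype
            info["payload_offset"] = off
            return info


def policy_matches(info: dict, sgt_check: bool, sgt_ids=()) -> bool:
    """Mirror the page's three cases.

    sgt-check disabled   -> the SGT is not part of the match (always True here)
    enabled, no IDs      -> any frame that carries an SGT (Example 2)
    enabled, with IDs    -> the SGT must be one of the listed IDs (Examples 1, 3)
    """
    if not sgt_check:
        return True
    if info["sgt"] is None:
        return False
    return not sgt_ids or info["sgt"] in sgt_ids


def build_frame(sgt=None, vlan=None, ethertype=0x0800, payload=b"") -> bytes:
    """Construct a test frame (constructed MACs, not from any real capture)."""
    hdr = bytes.fromhex("0011223344550066778899aa")   # dst MAC, src MAC
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        # version 1, length 1, SGT option, SGT value
        hdr += struct.pack("!HBBHH", ETHERTYPE_CMD, 1, 1, CMD_OPTION_SGT, sgt)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # The PC02 scenario from the page: SGT 20 and VLAN 2 on the same frame.
    frame = build_frame(sgt=20, vlan=2)
    info = parse_frame(frame)
    print(info)
    for ids in [(20,), (), (20, 21), (21,)]:
        print("sgt", ids or "any", "->", policy_matches(info, True, ids))
```

Running the block prints the decoded VLAN ID 2 and SGT 20, then shows that the frame matches the policies of Examples 1, 2 and 3 but not a policy that lists only SGT 21; an untagged frame fails any policy with sgt-check enabled, which is the behaviour to expect when a frame reaches FortiGate without its CMD header intact.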
Conclusion
Understanding how to use Cisco Security Group Tags for firewall policy matching on FortiGate offers a strategic advantage in traffic management. Follow this guide to optimally configure your FortiGate devices and ensure robust network security.
For more detailed documentation, refer to the official Fortinet guide.