
TrustSec configuration

jeanpark-cisco edited this page Oct 4, 2021 · 12 revisions

Service: com.cisco.ise.config.trustsec

This provides the configuration for TrustSec.

Service properties

| Name | Description | Example | ISE version |
| --- | --- | --- | --- |
| restBaseUrl | | https://ise-host1:8910/pxgrid/ise/config/trustsec | 2.4 |
| wsPubsubService | | com.cisco.ise.pubsub | 2.4 |
| securityGroupTopic | | /topic/com.cisco.ise.config.trustsec.security.group | 2.4 |
| securityGroupAclTopic | | /topic/com.cisco.ise.config.trustsec.security.group.acl | 2.4p13 2.6p9 2.7 |
| securityGroupVnVlanTopic | | /topic/com.cisco.ise.config.trustsec.security.group.vnvlan | 3.0 |
| virtualnetworkTopic | | /topic/com.cisco.ise.config.trustsec.virtualnetwork | 3.1 |
| egressPolicyTopic | | /topic/com.cisco.ise.config.trustsec.egress.policy | 3.2 |

HTTP APIs

POST [restBaseUrl]/getSecurityGroups

This is used to get security groups. The security group id can be specified to return a particular security group. If not specified, all existing security groups are returned. These can be filtered by the remaining optional parameters.

If no request parameter is used, an empty json structure must be sent. If no security group is found, securityGroups will have an empty array.

totalCount returns the total number of existing security groups. deletedSecurityGroups will have an empty array unless startTimestamp is provided. If provided, deletedSecurityGroups returns an array of security groups that have been deleted since the startTimestamp (inclusive) up to either current time or endTimestamp (inclusive).

Request
{      
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional),
}
  • id -- id of desired record
  • startIndex -- first index to begin returning records
  • recordCount -- number of records to return
  • startTimestamp (inclusive) -- filters existing and deleted records starting from given time
  • endTimestamp (inclusive) -- filters existing records up to given time. Also filters deleted records if startTimestamp is also provided
Response
{
  "totalCount": string int,
  "securityGroups": [
    array of securityGroup object      
  ],
  "deletedSecurityGroups": [
    array of deleted securityGroup object    
  ],
}
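The request and response shapes above imply a sync loop: a full pull with an empty body, then periodic pulls with startTimestamp so that deletedSecurityGroups can be applied to a local mirror. The following is an added example, not code from the pxGrid project; the responses are constructed in the documented shape and the id values are invented.

```python
import json

# Constructed responses in the documented shape of
# POST [restBaseUrl]/getSecurityGroups; not captured from a real ISE node.
FULL_SYNC = {
    "totalCount": 2,
    "securityGroups": [
        {"id": "sg-aud", "name": "Auditors", "description": "", "tag": 9},
        {"id": "sg-byod", "name": "BYOD", "description": "", "tag": 15},
    ],
    "deletedSecurityGroups": [],
}
# A later call with startTimestamp set: one update, one new group, one deletion.
DELTA_SYNC = {
    "totalCount": 2,
    "securityGroups": [
        {"id": "sg-byod", "name": "BYOD", "description": "renamed", "tag": 15},
        {"id": "sg-guest", "name": "Guests", "description": "", "tag": 20},
    ],
    "deletedSecurityGroups": [
        {"id": "sg-aud", "name": "Auditors", "description": "", "tag": 9},
    ],
}


def build_request(start_timestamp=None, end_timestamp=None,
                  start_index=None, record_count=None):
    """Serialise the request body; with no filters it must be '{}'."""
    fields = {"startTimestamp": start_timestamp, "endTimestamp": end_timestamp,
              "startIndex": start_index, "recordCount": record_count}
    return json.dumps({k: v for k, v in fields.items() if v is not None})


def apply_response(cache, response):
    """Merge one response into a cache keyed by security group id.

    Deletions are applied before upserts so that a group deleted and recreated
    under the same id inside the window ends up present (assumption).
    """
    for group in response.get("deletedSecurityGroups", []):
        cache.pop(group["id"], None)
    for group in response["securityGroups"]:
        cache[group["id"]] = group
    return cache


def duplicate_tags(cache):
    """Return SGT values mapped to more than one group: ambiguous for enforcement."""
    seen = {}
    for group in cache.values():
        seen.setdefault(group["tag"], []).append(group["name"])
    return {tag: names for tag, names in seen.items() if len(names) > 1}
```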

POST [restBaseUrl]/getSecurityGroupAcls

This is used to get security group ACLs. The id for a security group ACL can be specified. If not specified, all security group ACLs are returned.

If no request parameter is used, an empty json structure must be sent. If no security group ACL is found, securityGroupAcls will have an empty array.

Request
{      
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional)
}
  • id -- id of desired record
  • startIndex -- first index to begin returning records
  • recordCount -- number of records to return
Response
{
  "totalCount": string int,
  "securityGroupAcls": [
    array of securityGroupAcl object      
  ],
  "deletedSecurityGroupAcls": [
    array of deleted securityGroupAcl object    
  ],
}

POST [restBaseUrl]/getVirtualNetwork

This is used to get virtual networks. The virtual network id can be specified to return a particular virtual network. If not specified, all existing virtual networks are returned. These can be filtered by the remaining optional parameters.

If no request parameter is used, an empty json structure must be sent. If no virtual network is found, virtualNetworks will have an empty array.

totalCount returns the total number of existing virtual networks. deletedVirtualNetworks will have an empty array unless startTimestamp is provided. If provided, deletedVirtualNetworks returns an array of virtual networks that have been deleted since the startTimestamp (inclusive) up to either current time or endTimestamp (inclusive).

Request
{      
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional),
}
  • id -- id of desired record
  • startIndex -- first index to begin returning records
  • recordCount -- number of records to return
  • startTimestamp (inclusive) -- filters existing and deleted records starting from given time
  • endTimestamp (inclusive) -- filters existing records up to given time. Also filters deleted records if startTimestamp is also provided
Response
{
  "totalCount": string int,
  "virtualNetworks": [
    array of virtualNetwork object      
  ],
  "deletedVirtualNetworks": [
    array of deleted virtualNetwork object    
  ],
}

POST [restBaseUrl]/getEgressPolicies

This is used to get egress policies.

If no request parameter is used, an empty json structure must be sent. If no egress policy is found, egressPolicies will have an empty array.

Request
{      
  // Request to filter results
  "id": string (optional),
  "matrixId": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional),
}
  • id -- id of desired record
  • matrixId -- id of the desired matrix that contains the records
  • startIndex -- first index to begin returning records
  • recordCount -- number of records to return
  • startTimestamp (inclusive) -- filters existing and deleted records starting from given time
  • endTimestamp (inclusive) -- filters existing records up to given time. Also filters deleted records if startTimestamp is also provided
Response
{
  "totalCount": string int,
  "egressPolicies": [
    array of egressPolicy object      
  ],
  "deletedEgressPolicies": [
    array of deleted egressPolicy object    
  ],
}

POST [restBaseUrl]/getEgressMatrices

This is used to get egress matrices.

An empty json structure must be sent as the request. If no egress matrix is found, egressMatrices will have an empty array.

Request
{
}
Response
{
  "egressMatrices": [
    array of egressMatrix object      
  ]
}

WS STOMP

securityGroupTopic

This topic provides events of security group configuration changes.

{
  "sequence": integer sequence number for loss detection (since ISE 3.0)
  "operation": operation type,
  "securityGroup": securityGroup object      
}

securityGroupAclTopic

This topic provides events of security group ACL configuration changes.

{
  "operation": operation type,
  "securityGroupAcl": securityGroupAcl object      
}
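A subscriber to securityGroupTopic keeps a local mirror current by applying CREATE/UPDATE/DELETE events; the sequence field (ISE 3.0 and later) is what lets it notice that an event never arrived and that a full getSecurityGroups pull is needed before the mirror can be trusted again. The following is an added example, not pxGrid project code; the events are constructed and the ids are invented.

```python
# Constructed securityGroupTopic events in the ISE 3.0+ shape; not a captured stream.
EVENTS = [
    {"sequence": 1, "operation": "CREATE",
     "securityGroup": {"id": "sg-aud", "name": "Auditors", "description": "", "tag": 9}},
    {"sequence": 2, "operation": "UPDATE",
     "securityGroup": {"id": "sg-aud", "name": "Auditors", "description": "audit team", "tag": 9}},
    # sequence 3 never arrives: the subscriber missed an event.
    {"sequence": 4, "operation": "DELETE",
     "securityGroup": {"id": "sg-aud", "name": "Auditors", "description": "audit team", "tag": 9}},
]


class SecurityGroupCache:
    """Local mirror of security groups fed by securityGroupTopic events."""

    def __init__(self):
        self.groups = {}
        self.last_sequence = None
        self.resync_needed = False

    def handle(self, event):
        """Apply one event; return 'applied', 'gap' (applied, but loss detected) or 'ignored'."""
        status = "applied"
        seq = event.get("sequence")
        if seq is not None:
            if self.last_sequence is not None:
                if seq <= self.last_sequence:
                    return "ignored"  # duplicate or replayed event
                if seq != self.last_sequence + 1:
                    # Something between last_sequence and seq was lost; the mirror
                    # may be stale until a full REST sync replaces it.
                    self.resync_needed = True
                    status = "gap"
            self.last_sequence = seq
        group = event["securityGroup"]
        operation = event["operation"]
        if operation in ("CREATE", "UPDATE"):
            self.groups[group["id"]] = group
        elif operation == "DELETE":
            self.groups.pop(group["id"], None)
        else:
            raise ValueError(f"unknown operation {operation!r}")
        return status


def replay(events):
    """Feed events into a fresh cache; return (statuses, cache)."""
    cache = SecurityGroupCache()
    return [cache.handle(e) for e in events], cache
```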

Objects

"operation" type

"operation" type is one of the following strings:

  • CREATE
  • UPDATE
  • DELETE

"securityGroup" object

| Name | Type | Description |
| --- | --- | --- |
| id | string | |
| name | string | |
| description | string | |
| tag | integer | |

"securityGroupAcl" object

| Name | Type | Description | ISE version |
| --- | --- | --- | --- |
| id | String | SGACL ID | 2.4 |
| isDeleted | Boolean | Signifies entry has been deleted | 2.4p13 2.6p9 2.7 |
| name | String | | 2.4 |
| description | String | | 2.4 |
| ipVersion | String | IPV4 or IPV6 | 2.4 |
| acl | String | | 2.4 |
| generationId | String | | 2.4 |

"egressPolicy" object

| Name | Type | Description |
| --- | --- | --- |
| id | string | |
| name | string | |
| matrixId | string | Matrix this policy belongs to |
| status | string | ENABLE,MONITOR |
| description | string | |
| sourceSecurityGroupId | string | |
| destinationSecurityGroupId | string | |
| sgaclIds | array of strings | IDs of the SGACLs being used |

"egressMatrix" object

| Name | Type | Description |
| --- | --- | --- |
| id | string | |
| name | string | |
| description | string | |
| monitorAll | boolean | |

Samples
{
	"securityGroups": [{
		"id": "92adf9f0-8c01-11e6-996c-525400b48521",
		"name": "Unknown",
		"description": "Unknown Security Group",
		"tag": 0
	}, {
		"id": "92bb1950-8c01-11e6-996c-525400b48521",
		"name": "ANY",
		"description": "Any Security Group",
		"tag": 65535
	}, {
		"id": "934557f0-8c01-11e6-996c-525400b48521",
		"name": "Auditors",
		"description": "Auditor Security Group",
		"tag": 9
	}]
}


{
	"securityGroupAcls": [{
		"id": "92919850-8c01-11e6-996c-525400b48521",
		"name": "Deny IP",
		"description": "Deny IP SGACL",
		"ipVersion": "IPV4",
		"acl": "deny ip",
		"generationId": "0"
	}, {
		"id": "92951ac0-8c01-11e6-996c-525400b48521",
		"name": "Permit IP",
		"description": "Permit IP SGACL",
		"ipVersion": "IPV4",
		"acl": "permit ip",
		"generationId": "0"
	}]
}


{
	"egressPolicies": [{
		"id": "92c1a900-8c01-11e6-996c-525400b48521",
		"name": "ANY-ANY",
		"description": "Default egress rule",
		"status": "ENABLED",
		"sourceSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["92951ac0-8c01-11e6-996c-525400b48521"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}, {
		"id": "8edb3f11-373f-11e7-bc34-0242ae4776c4",
		"name": "BYOD-Auditors",
		"status": "ENABLED",
		"sourceSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "934557f0-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["130b3d00-36df-11e7-bc34-0242ae4776c4"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}, {
		"id": "640add50-36df-11e7-bc34-0242ae4776c4",
		"name": "Auditors-BYOD",
		"description": "test1",
		"status": "ENABLED",
		"sourceSecurityGroupId": "934557f0-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["92919850-8c01-11e6-996c-525400b48521"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}]
}


{
   "egressMatrices": [{
      "id": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
      "name": "Production",
      "monitorAll": false
    }, {
      "id": "f58b05eb-04ab-4283-8b13-998eda207147",
      "name": "TestMatrix",
      "description": "Test Matrix only",
      "monitorAll": false
   }]
}
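An egress policy is only meaningful once its source and destination security group ids, its sgaclIds and its matrixId are resolved against the other objects, and a reviewer also wants to know whether the rule is enforced or in monitor mode. This added example (not pxGrid project code) resolves a subset of the samples above, using the ids printed on this page; note that the samples reference a BYOD security group and one SGACL that the sample lists do not contain, and the check reports exactly those dangling references.

```python
# Subset of this page's sample objects, keyed by id (ids as printed on the page).
ANY = "92bb1950-8c01-11e6-996c-525400b48521"
AUDITORS = "934557f0-8c01-11e6-996c-525400b48521"
BYOD = "935d4cc0-8c01-11e6-996c-525400b48521"  # referenced by policies, absent from sample
PROD = "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
SECURITY_GROUPS = {ANY: "ANY", AUDITORS: "Auditors"}
SGACLS = {"92919850-8c01-11e6-996c-525400b48521": "deny ip",
          "92951ac0-8c01-11e6-996c-525400b48521": "permit ip"}
EGRESS_MATRICES = {PROD: {"name": "Production", "monitorAll": False}}
EGRESS_POLICIES = [
    {"name": "ANY-ANY", "status": "ENABLED", "matrixId": PROD, "sourceSecurityGroupId": ANY,
     "destinationSecurityGroupId": ANY, "sgaclIds": ["92951ac0-8c01-11e6-996c-525400b48521"]},
    {"name": "Auditors-BYOD", "status": "ENABLED", "matrixId": PROD, "sourceSecurityGroupId": AUDITORS,
     "destinationSecurityGroupId": BYOD, "sgaclIds": ["92919850-8c01-11e6-996c-525400b48521"]},
    {"name": "BYOD-Auditors", "status": "ENABLED", "matrixId": PROD, "sourceSecurityGroupId": BYOD,
     "destinationSecurityGroupId": AUDITORS, "sgaclIds": ["130b3d00-36df-11e7-bc34-0242ae4776c4"]},
]


def resolve_policy(policy, groups=SECURITY_GROUPS, sgacls=SGACLS, matrices=EGRESS_MATRICES):
    """Return (readable rule, problems): names instead of ids, plus any dangling references."""
    problems = []

    def group_name(sg_id):
        if sg_id in groups:
            return groups[sg_id]
        problems.append(f"unknown security group {sg_id}")
        return "?"

    src = group_name(policy["sourceSecurityGroupId"])
    dst = group_name(policy["destinationSecurityGroupId"])
    acls = [sgacls[a] for a in policy["sgaclIds"] if a in sgacls]
    problems += [f"unknown SGACL {a}" for a in policy["sgaclIds"] if a not in sgacls]
    matrix = matrices.get(policy["matrixId"])
    if matrix is None:
        problems.append(f"unknown matrix {policy['matrixId']}")
    # A MONITOR policy, or a matrix with monitorAll set, logs instead of enforcing.
    enforced = policy["status"] != "MONITOR" and not (matrix or {}).get("monitorAll", False)
    mode = "enforced" if enforced else "monitor only"
    rule = f"{policy['name']}: {src} -> {dst} [{'; '.join(acls) or 'no SGACL'}] ({mode})"
    return rule, problems


def audit(policies=EGRESS_POLICIES):
    """Resolve every policy; return (readable rules, all dangling references found)."""
    results = [resolve_policy(p) for p in policies]
    return [r for r, _ in results], [p for _, ps in results for p in ps]
```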