Skip to content

TrustSec configuration

Jump to bottom
alei121 edited this page Aug 14, 2020 · 12 revisions

Service: com.cisco.ise.config.trustsec

This provides the configuration for TrustSec.

Service properties

Name Description Example ISE version
restBaseUrl https://ise-host1:8910/pxgrid/ise/config/trustsec 2.4
wsPubsubService com.cisco.ise.pubsub 2.4
securityGroupTopic /topic/com.cisco.ise.config.trustsec.security.group 2.4
securityGroupAclTopic /topic/com.cisco.ise.config.trustsec.security.group.acl 2.4p13 2.6p9 2.7

HTTP APIs

POST [restBaseUrl]/getSecurityGroups

The is used to get security groups. The security group id can be specified. If not specified, all security groups are returned.

If no request parameter is used, an empty json structure must be sent. If no security group is found, securityGroups will have an empty array.

Request
{      
  // Returns all if ID not specified
  "id": string (optional)
}
Reponse
{
  "securityGroups": [
    array of securityGroup object      
  ]
}

POST [restBaseUrl]/getSecurityGroupAcls

The is used to get security group ACLs. The id for security group ACLs can be specified. If not specified, all security group ACLs are returned.

If no request parameter is used, an empty json structure must be sent. If no security group ACL is found, securityGroupAcls will have an empty array.

Request
{
  // Returns all if ID not specified
  "id": string (optional)
}
Reponse
{
  "securityGroupAcls": [
    array of securityGroupAcl object      
  ]
}

POST [restBaseUrl]/getEgressPolicies

This is used to get egress policies.

An empty json structure must be sent as the request. If no egress policy is found, egressPolicies will have an empty array.

Request
{
}
Reponse
{
  "egressPolicies": [
    array of egressPolicy object      
  ]
}

POST [restBaseUrl]/getEgressMatrices

This is used to get egress policies.

An empty json structure must be sent as the request. If no egress matrix is found, egressMatrices will have an empty array.

Request
{
}
Reponse
{
  "egressMatrices": [
    array of egressMatrix object      
  ]
}

WS STOMP

securityGroupTopic

This topic provides events of security group configuration changes.

{
  "operation": operation type,
  "securityGroup": securityGroup object      
}

securityGroupAclTopic

This topic provides events of security group configuration changes.

{
  "operation": operation type,
  "securityGroupAcl": securityGroupAcl object      
}

Objects

"operation" type

"operation" type one of the following strings:

  • CREATE
  • UPDATE
  • DELETE

"securityGroup" object

Name Type Description
id string
name string
description string
tag integer

"securityGroupAcl" object

Name Type Description ISE version
id String SGACL ID 2.4
isDeleted Boolean Signifies entry has been deleted 2.4p13 2.6p9 2.7
name String 2.4
description String 2.4
ipVersion String IPV4 or IPV6 2.4
acl String 2.4
generationId String 2.4

"egressPolicy" object

Name Type Description
id string
name string
matrixId string Matrix this policy belongs to
status string ENABLE,MONITOR
description string
sourceSecurityGroupId string
destinationSecurityGroupId string
sgaclIds array of strings IDs of the SGACLs being used

"egressMatrix" object

Name Type Description
id string
name string
description string
monitorAll boolean
Samples
{
	"securityGroups": [{
		"id": "92adf9f0-8c01-11e6-996c-525400b48521",
		"name": "Unknown",
		"description": "Unknown Security Group",
		"tag": 0
	}, {
		"id": "92bb1950-8c01-11e6-996c-525400b48521",
		"name": "ANY",
		"description": "Any Security Group",
		"tag": 65535
	}, {
		"id": "934557f0-8c01-11e6-996c-525400b48521",
		"name": "Auditors",
		"description": "Auditor Security Group",
		"tag": 9
	}]
}


{
	"securityGroupAcls": [{
		"id": "92919850-8c01-11e6-996c-525400b48521",
		"name": "Deny IP",
		"description": "Deny IP SGACL",
		"ipVersion": "IPV4",
		"acl": "deny ip",
		"generationId": "0"
	}, {
		"id": "92951ac0-8c01-11e6-996c-525400b48521",
		"name": "Permit IP",
		"description": "Permit IP SGACL",
		"ipVersion": "IPV4",
		"acl": "permit ip",
		"generationId": "0"
	}]
}


{
	"egressPolicies": [{
		"id": "92c1a900-8c01-11e6-996c-525400b48521",
		"name": "ANY-ANY",
		"description": "Default egress rule",
		"status": "ENABLED",
		"sourceSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["92951ac0-8c01-11e6-996c-525400b48521"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}, {
		"id": "8edb3f11-373f-11e7-bc34-0242ae4776c4",
		"name": "BYOD-Auditors",
		"status": "ENABLED",
		"sourceSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "934557f0-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["130b3d00-36df-11e7-bc34-0242ae4776c4"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}, {
		"id": "640add50-36df-11e7-bc34-0242ae4776c4",
		"name": "Auditors-BYOD",
		"description": "test1",
		"status": "ENABLED",
		"sourceSecurityGroupId": "934557f0-8c01-11e6-996c-525400b48521",
		"destinationSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
		"sgaclIds": ["92919850-8c01-11e6-996c-525400b48521"],
		"matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b"
	}]
}


{
   "egressMatrices": [{
      "id": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
      "name": "Production",
      "monitorAll": false
    }, {
      "id": "f58b05eb-04ab-4283-8b13-998eda207147",
      "name": "TestMatrix",
      "description": "Test Matrix only",
      "monitorAll": false
   }]
}
Clone this wiki locally