TrustSec configuration
This provides the configuration for TrustSec.
Name | Description | Example | ISE version |
---|---|---|---|
restBaseUrl | | https://ise-host1:8910/pxgrid/ise/config/trustsec | 2.4 |
wsPubsubService | | com.cisco.ise.pubsub | 2.4 |
securityGroupTopic | | /topic/com.cisco.ise.config.trustsec.security.group | 2.4 |
securityGroupAclTopic | | /topic/com.cisco.ise.config.trustsec.security.group.acl | 2.4p13 2.6p9 2.7 |
securityGroupVnVlanTopic | | /topic/com.cisco.ise.config.trustsec.security.group.vnvlan | 3.0 |
virtualnetworkTopic | | /topic/com.cisco.ise.config.trustsec.virtualnetwork | 3.1 |
egressPolicyTopic | | /topic/com.cisco.ise.config.trustsec.egress.policy | 3.2 |
This is used to get security groups. The security group `id` can be specified to return a particular security group. If not specified, all existing security groups are returned; these can be filtered by the remaining optional parameters. If no request parameter is used, an empty JSON structure must be sent.

If no security group is found, `securityGroups` will be an empty array. `totalCount` returns the total number of existing security groups. `deletedSecurityGroups` will be an empty array unless `startTimestamp` is provided. If provided, `deletedSecurityGroups` returns an array of security groups that have been deleted since the `startTimestamp` (inclusive) up to either the current time or `endTimestamp` (inclusive). Deleted security group records only contain basic information (id, name, and timestamp) with a tag value of -1, and are retained for 24 hours.
```json
{
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional)
}
```

- `id` -- id of the desired record
- `startIndex` -- first index to begin returning records
- `recordCount` -- number of records to return
- `startTimestamp` (inclusive) -- filters existing and deleted records starting from the given time
- `endTimestamp` (inclusive) -- filters existing records up to the given time. Also filters deleted records if `startTimestamp` is provided

Response:

```json
{
  "totalCount": string int,
  "securityGroups": [
    array of securityGroup object
  ],
  "deletedSecurityGroups": [
    array of deleted securityGroup object
  ]
}
```
This is used to get security group ACLs. The `id` of a security group ACL can be specified to return a particular ACL. If not specified, all security group ACLs are returned. If no request parameter is used, an empty JSON structure must be sent.

If no security group ACL is found, `securityGroupAcls` will be an empty array. `totalCount` returns the total number of existing security group ACLs. `deletedSecurityGroupAcls` will be an empty array unless `startTimestamp` is provided. If provided, `deletedSecurityGroupAcls` returns an array of security group ACLs that have been deleted since the `startTimestamp` (inclusive) up to either the current time or `endTimestamp` (inclusive). Deleted security group ACL records only contain basic information (id, name, and timestamp) and are retained for 24 hours.
```json
{
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional)
}
```

- `id` -- id of the desired record
- `startIndex` -- first index to begin returning records
- `recordCount` -- number of records to return
- `startTimestamp` (inclusive) -- filters existing and deleted records starting from the given time
- `endTimestamp` (inclusive) -- filters existing records up to the given time. Also filters deleted records if `startTimestamp` is provided

Response:

```json
{
  "totalCount": string int,
  "securityGroupAcls": [
    array of securityGroupAcl object
  ],
  "deletedSecurityGroupAcls": [
    array of deleted securityGroupAcl object
  ]
}
```
This is used to get virtual networks. The virtual network `id` can be specified to return a particular virtual network. If not specified, all existing virtual networks are returned; these can be filtered by the remaining optional parameters. If no request parameter is used, an empty JSON structure must be sent.

If no virtual network is found, `virtualNetworks` will be an empty array. `totalCount` returns the total number of existing virtual networks. `deletedVirtualNetworks` will be an empty array unless `startTimestamp` is provided. If provided, `deletedVirtualNetworks` returns an array of virtual networks that have been deleted since the `startTimestamp` (inclusive) up to either the current time or `endTimestamp` (inclusive). Deleted virtual network records only contain basic information (id, name, and timestamp) and are retained for 24 hours.
```json
{
  // Request to filter results
  "id": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional)
}
```

- `id` -- id of the desired record
- `startIndex` -- first index to begin returning records
- `recordCount` -- number of records to return
- `startTimestamp` (inclusive) -- filters existing and deleted records starting from the given time
- `endTimestamp` (inclusive) -- filters existing records up to the given time. Also filters deleted records if `startTimestamp` is provided

Response:

```json
{
  "totalCount": string int,
  "virtualNetworks": [
    array of virtualNetwork object
  ],
  "deletedVirtualNetworks": [
    array of deleted virtualNetwork object
  ]
}
```
This is used to get egress policies. The egress policy `id` can be specified to return a particular egress policy. If not specified, all existing egress policies are returned; these can be filtered by the remaining optional parameters. If no request parameter is used, an empty JSON structure must be sent.

If no egress policy is found, `egressPolicies` will be an empty array. `totalCount` returns the total number of existing egress policies. `deletedEgressPolicies` will be an empty array unless `startTimestamp` is provided. If provided, `deletedEgressPolicies` returns an array of egress policies that have been deleted since the `startTimestamp` (inclusive) up to either the current time or `endTimestamp` (inclusive). Deleted egress policy records only contain basic information (id, matrixId, name, and timestamp) and are retained for 24 hours.
```json
{
  // Request to filter results
  "id": string (optional),
  "matrixId": string (optional),
  "startIndex": int (optional),
  "recordCount": int (optional),
  "startTimestamp": ISO8601 Datetime (optional),
  "endTimestamp": ISO8601 Datetime (optional)
}
```

- `id` -- id of the desired record
- `matrixId` -- id of the matrix that contains the desired records
- `startIndex` -- first index to begin returning records
- `recordCount` -- number of records to return
- `startTimestamp` (inclusive) -- filters existing and deleted records starting from the given time
- `endTimestamp` (inclusive) -- filters existing records up to the given time. Also filters deleted records if `startTimestamp` is provided

Response:

```json
{
  "totalCount": string int,
  "egressPolicies": [
    array of egressPolicy object
  ],
  "deletedEgressPolicies": [
    array of deleted egressPolicy object
  ]
}
```
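The four queries above (security groups, security group ACLs, virtual networks and egress policies) share one delta pattern: `startTimestamp` selects both changed and deleted records, and deleted records are only reported for 24 hours. The following Python is an added example, not code from the pxGrid project, showing how a consumer keeps a local copy in sync with that pattern. It assumes a requests-style `session` whose authentication is already configured, and takes the full query URL as a parameter because the page gives only `restBaseUrl`; the offline `demo()` uses a constructed response modelled on the sample data further down the page.

```python
"""Incremental sync of a TrustSec collection from the pxGrid REST queries.
Added example (not pxGrid project code). Assumes a requests-style session
with authentication configured; the offline demo uses a constructed response
modelled on the page's sample security group output."""
from datetime import datetime, timedelta, timezone

DELETED_RETENTION = timedelta(hours=24)   # deleted records are reported for 24 hours


def build_request(**filters):
    """Request body for a query: filters set to None are dropped, so calling
    with no filters yields the empty JSON object the API requires."""
    return {k: v for k, v in filters.items() if v is not None}


def parse_ts(value):
    """ISE timestamps are ISO 8601 ending in 'Z'; Python < 3.11 rejects 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def needs_full_resync(last_sync, now):
    """A delta query whose startTimestamp is older than the 24-hour retention
    window can silently miss deletions, so fall back to a full reload."""
    return last_sync is None or now - last_sync >= DELETED_RETENTION


def apply_delta(cache, response, key, deleted_key):
    """Merge one query response into `cache` (dict keyed by record id).
    `key`/`deleted_key` are e.g. 'securityGroups'/'deletedSecurityGroups'.
    Returns (changed_ids, removed_ids, newest_timestamp_seen)."""
    changed, removed, newest = [], [], None
    for rec in response.get(key, []):
        cache[rec["id"]] = rec
        changed.append(rec["id"])
        ts = parse_ts(rec["timestamp"])
        newest = ts if newest is None or ts > newest else newest
    for rec in response.get(deleted_key, []):
        # Deleted records carry only id, name and (usually) timestamp.
        if cache.pop(rec["id"], None) is not None:
            removed.append(rec["id"])
        if rec.get("timestamp"):
            ts = parse_ts(rec["timestamp"])
            newest = ts if newest is None or ts > newest else newest
    return changed, removed, newest


def sync(session, url, cache, key, deleted_key, last_sync, now=None):
    """One sync cycle. `url` is restBaseUrl plus the query path (assumed
    parameter). Uses a delta query when the last sync is recent enough,
    otherwise reloads the whole collection and drops the stale local copy."""
    now = now or datetime.now(timezone.utc)
    if needs_full_resync(last_sync, now):
        cache.clear()
        body = build_request()
    else:
        start = last_sync.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        body = build_request(startTimestamp=start)
    resp = session.post(url, json=body).json()
    return apply_delta(cache, resp, key, deleted_key)


# Constructed response modelled on the page's sample security group output.
SAMPLE = {
    "totalCount": "2",
    "securityGroups": [
        {"id": "sg-any", "name": "ANY", "tag": 65535,
         "timestamp": "2021-09-30T00:18:46.664Z"},
        {"id": "sg-auditors", "name": "Auditors", "tag": 9,
         "timestamp": "2021-09-30T00:18:46.664Z"},
    ],
    "deletedSecurityGroups": [
        {"id": "sg-1", "name": "sg1", "tag": -1,
         "timestamp": "2021-10-04T14:35:46.303Z"},
    ],
}


def demo():
    """Apply SAMPLE to a cache that still holds the since-deleted sg1."""
    cache = {"sg-1": {"id": "sg-1", "name": "sg1", "tag": 7}}
    changed, removed, newest = apply_delta(
        cache, SAMPLE, "securityGroups", "deletedSecurityGroups")
    return sorted(cache), removed, newest.isoformat()


if __name__ == "__main__":
    print(demo())
```

Because both timestamps are inclusive, the record at the boundary is returned twice across consecutive delta queries; merging by id makes that harmless. The same `apply_delta` serves the ACL, virtual network and egress policy queries by passing their collection names.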
This is used to get egress matrices. An empty JSON structure must be sent as the request. If no egress matrix is found, `egressMatrices` will be an empty array.

```json
{
}
```

Response:

```json
{
  "egressMatrices": [
    array of egressMatrix object
  ]
}
```
This topic (`securityGroupTopic`) provides events of security group configuration changes.

```json
{
  "sequence": integer sequence number for loss detection (since ISE 3.0),
  "operation": operation type,
  "securityGroup": securityGroup object
}
```

This topic (`securityGroupAclTopic`) provides events of security group ACL configuration changes.

```json
{
  "id": string,
  "name": string,
  "description": string,
  "ipVersion": string,
  "acl": string,
  "modelledContent": modelledContent object,
  "generationId": string,
  "isReadOnly": boolean,
  "sequence": long,
  "deleted": boolean,
  "timestamp": ISO8601 Datetime
}
```

This topic (`virtualnetworkTopic`) provides events of virtual network configuration changes.

```json
{
  "id": string,
  "name": string,
  "additionalAttributes": string,
  "sequence": long,
  "deleted": boolean,
  "timestamp": ISO8601 Datetime
}
```

This topic (`egressPolicyTopic`) provides events of egress policy configuration changes.

```json
{
  "id": string,
  "name": string,
  "description": string,
  "sourceSgtId": string,
  "sourceSgtName": string,
  "destinationSgtId": string,
  "destinationSgtName": string,
  "matrixCellStatus": string,
  "sgaclIds": array of strings,
  "defaultRule": string,
  "sequence": long,
  "deleted": boolean,
  "timestamp": ISO8601 Datetime
}
```
The `operation` type of a security group event is one of the following strings:
- CREATE
- UPDATE
- DELETE
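The topics above deliver two event shapes: the security group topic wraps the object with an `operation`, while the ACL, virtual network and egress policy topics send the record itself with a `deleted` flag. Every event carries a `sequence` number for loss detection. The Python below is an added example, not pxGrid project code, of a subscriber that applies both shapes to a local copy and uses the sequence number to notice lost or replayed messages; it assumes the sequence is contiguous per topic, and the events in `demo()` are constructed.

```python
"""Subscriber-side handling of TrustSec configuration change events.
Added example (not pxGrid project code). Assumes events arrive as decoded
JSON dicts and that each topic's sequence numbers are contiguous."""


class TopicState:
    """Per-topic tracker: detects sequence gaps and keeps records by id."""

    def __init__(self):
        self.last_seq = None
        self.records = {}
        self.gaps = []     # (first_missing, last_missing) ranges seen so far

    def _observe(self, seq):
        """Classify a sequence number: 'applied' when in order, 'stale' for
        a duplicate or replayed event (must not be applied), 'gap' when
        earlier events were lost and a REST resync is warranted."""
        if self.last_seq is None or seq == self.last_seq + 1:
            self.last_seq = seq
            return "applied"
        if seq <= self.last_seq:
            return "stale"
        self.gaps.append((self.last_seq + 1, seq - 1))
        self.last_seq = seq
        return "gap"

    def handle_security_group_event(self, event):
        """securityGroupTopic event: {'sequence', 'operation', 'securityGroup'}."""
        status = self._observe(event["sequence"])
        if status == "stale":
            return status
        sg = event["securityGroup"]
        op = event["operation"]
        if op in ("CREATE", "UPDATE"):
            self.records[sg["id"]] = sg
        elif op == "DELETE":
            self.records.pop(sg["id"], None)
        else:
            raise ValueError(f"unknown operation {op!r}")
        return status

    def handle_record_event(self, event):
        """ACL / virtual network / egress policy event: the record itself,
        with 'deleted' set when it was removed."""
        status = self._observe(event["sequence"])
        if status == "stale":
            return status
        if event.get("deleted"):
            self.records.pop(event["id"], None)
        else:
            self.records[event["id"]] = event
        return status


def demo():
    """Constructed event streams: a duplicate (sequence 2 twice) and a loss
    (3 and 4 never arrive) on the security group topic, and one SGACL
    create/delete pair on the ACL topic."""
    sgs = TopicState()
    sg_events = [
        {"sequence": 1, "operation": "CREATE",
         "securityGroup": {"id": "sg-a", "name": "A", "tag": 10}},
        {"sequence": 2, "operation": "UPDATE",
         "securityGroup": {"id": "sg-a", "name": "A", "tag": 11}},
        {"sequence": 2, "operation": "UPDATE",          # replayed duplicate
         "securityGroup": {"id": "sg-a", "name": "A", "tag": 99}},
        {"sequence": 5, "operation": "DELETE",          # 3 and 4 were lost
         "securityGroup": {"id": "sg-a", "name": "A", "tag": -1}},
    ]
    sg_status = [sgs.handle_security_group_event(e) for e in sg_events]

    acls = TopicState()
    acl_events = [
        {"sequence": 1, "id": "acl-1", "name": "Deny IP", "acl": "deny ip",
         "deleted": False, "timestamp": "2021-10-11T09:00:00.000Z"},
        {"sequence": 2, "id": "acl-1", "name": "Deny IP",
         "deleted": True, "timestamp": "2021-10-11T09:05:00.000Z"},
    ]
    acl_status = [acls.handle_record_event(e) for e in acl_events]
    return sg_status, sgs.gaps, dict(sgs.records), acl_status, dict(acls.records)


if __name__ == "__main__":
    print(demo())
```

A `"gap"` result means the local copy may have missed a create, update or delete; the practical response is to run the corresponding REST query (with `startTimestamp` set to the last good sync) rather than trust the cache.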
securityGroup object:

Name | Type | Description | ISE version |
---|---|---|---|
id | string | | |
name | string | | |
description | string | | |
tag | integer | | |
timestamp | ISO8601 Datetime | | 3.2 |

securityGroupAcl object:

Name | Type | Description | ISE version |
---|---|---|---|
id | String | SGACL ID | 2.4 |
isDeleted | Boolean | Signifies entry has been deleted | 2.4p13 2.6p9 2.7 |
name | String | | 2.4 |
description | String | | 2.4 |
ipVersion | String | IPV4 or IPV6 | 2.4 |
acl | String | | 2.4 |
modelledContent | Object | | 3.1 |
generationId | String | | 2.4 |
timestamp | ISO8601 Datetime | | 3.2 |

virtualNetwork object:

Name | Type | Description | ISE version |
---|---|---|---|
id | string | | 3.1 |
name | string | | 3.1 |
additionalAttributes | string | json string | 3.1 |
timestamp | ISO8601 Datetime | | 3.1 3.2 |

egressPolicy object:

Name | Type | Description | ISE version |
---|---|---|---|
id | string | | |
name | string | | |
matrixId | string | Matrix this policy belongs to | |
status | string | ENABLE,MONITOR | |
description | string | | |
sourceSecurityGroupId | string | | |
destinationSecurityGroupId | string | | |
sgaclIds | array of strings | IDs of the SGACLs being used | |
timestamp | ISO8601 Datetime | | 3.2 |

egressMatrix object:

Name | Type | Description |
---|---|---|
id | string | |
name | string | |
description | string | |
monitorAll | boolean | |
Sample security groups response:

```json
{
  "totalCount": "3",
  "securityGroups": [
    {
      "description": "Any Security Group",
      "tag": 65535,
      "timestamp": "2021-09-30T00:18:46.664Z",
      "id": "92bb1950-8c01-11e6-996c-525400b48521",
      "name": "ANY"
    }, {
      "id": "92adf9f0-8c01-11e6-996c-525400b48521",
      "name": "Unknown",
      "description": "Unknown Security Group",
      "tag": 0,
      "timestamp": "2021-09-30T00:18:46.664Z"
    }, {
      "id": "934557f0-8c01-11e6-996c-525400b48521",
      "name": "Auditors",
      "description": "Auditor Security Group",
      "tag": 9,
      "timestamp": "2021-09-30T00:18:46.664Z"
    }
  ],
  "deletedSecurityGroups": [
    {
      "id": "53776386-04e3-4726-ab28-5a0c9f468590",
      "name": "sg1",
      "tag": -1,
      "timestamp": "2021-10-04T14:35:46.303Z"
    }
  ]
}
```

Sample security group ACLs response:

```json
{
  "totalCount": "2",
  "securityGroupAcls": [
    {
      "description": "Deny IP SGACL",
      "ipVersion": "IP_AGNOSTIC",
      "acl": "deny ip",
      "modelledContent": {
        "contractClassifier": []
      },
      "generationId": "0",
      "id": "92919850-8c01-11e6-996c-525400b48521",
      "name": "Deny IP"
    }, {
      "description": "Permit IP SGACL",
      "ipVersion": "IP_AGNOSTIC",
      "acl": "permit ip",
      "modelledContent": {
        "contractClassifier": []
      },
      "generationId": "0",
      "id": "92951ac0-8c01-11e6-996c-525400b48521",
      "name": "Permit IP"
    }
  ],
  "deletedSecurityGroupAcls": [
    {
      "id": "ffa51b40-2a55-11ec-bfcd-969230058ed3",
      "name": "sgacl1"
    }
  ]
}
```

Sample egress policies response:

```json
{
  "totalCount": "2",
  "egressPolicies": [
    {
      "description": "Default egress rule",
      "status": "ENABLED",
      "sourceSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
      "destinationSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
      "sgaclIds": [
        "92951ac0-8c01-11e6-996c-525400b48521"
      ],
      "matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
      "timestamp": "2016-10-06T20:15:06.714861Z",
      "id": "92c1a900-8c01-11e6-996c-525400b48521",
      "name": "ANY-ANY"
    }, {
      "status": "MONITOR",
      "sourceSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
      "destinationSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
      "sgaclIds": [
        "92951ac0-8c01-11e6-996c-525400b48521"
      ],
      "matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
      "timestamp": "2021-10-08T10:43:17.359248Z",
      "id": "8bf20331-2824-11ec-bfcd-969230058ed3",
      "name": "sg2-sg3"
    }
  ],
  "deletedEgressPolicies": [
    {
      "id": "8c41d0e0-2824-11ec-bfcd-969230058ed3",
      "matrixId": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
      "timestamp": "2021-10-08T10:43:17.879974Z",
      "name": "sg1-sg2"
    }
  ]
}
```

Sample egress matrices response:

```json
{
  "egressMatrices": [{
    "id": "9fa3a33a-329e-43cb-a4cf-7bd38df16e7b",
    "name": "Production",
    "monitorAll": false
  }, {
    "id": "f58b05eb-04ab-4283-8b13-998eda207147",
    "name": "TestMatrix",
    "description": "Test Matrix only",
    "monitorAll": false
  }]
}
```
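Joining the three responses above gives a reviewable view of the egress matrix: each policy cell names its source and destination security groups by id and its SGACLs by id, so a consumer has to resolve both. The Python below is an added example, not pxGrid project code, that performs that join and flags cells worth a second look: cells in MONITOR status (logged rather than enforced), cells whose SGACLs amount to "permit ip", and cells that reference an SGACL id not present in the ACL response. The input dicts are constructed from the sample responses above (trimmed to the fields used); the finding labels are this example's own.

```python
"""Audit of TrustSec egress policies assembled from the query responses.
Added example (not pxGrid project code). The sample data is constructed from
the page's sample responses, trimmed to the fields used here."""


def is_permit_all(sgacl):
    """True when the SGACL text is a single 'permit ip' line, i.e. the cell
    allows all traffic between the two groups."""
    lines = [ln.strip().lower() for ln in sgacl["acl"].splitlines() if ln.strip()]
    return lines == ["permit ip"]


def audit_egress_policies(security_groups, sgacls, policies):
    """Return (policy name, source, destination, finding) tuples.
    Findings: 'monitor' for MONITOR cells, 'permit-all' when every SGACL on
    the cell permits everything, 'unknown-sgacl' for a dangling SGACL id.
    Group ids that are not in the security group list are shown as-is."""
    names = {sg["id"]: sg["name"] for sg in security_groups}
    acl_by_id = {a["id"]: a for a in sgacls}
    findings = []
    for p in policies:
        src = names.get(p["sourceSecurityGroupId"], p["sourceSecurityGroupId"])
        dst = names.get(p["destinationSecurityGroupId"], p["destinationSecurityGroupId"])
        if p.get("status") == "MONITOR":
            findings.append((p["name"], src, dst, "monitor"))
        refs = [acl_by_id.get(i) for i in p.get("sgaclIds", [])]
        if any(a is None for a in refs):
            findings.append((p["name"], src, dst, "unknown-sgacl"))
        elif refs and all(is_permit_all(a) for a in refs):
            findings.append((p["name"], src, dst, "permit-all"))
    return findings


# Constructed from the page's sample responses (trimmed).
SECURITY_GROUPS = [
    {"id": "92bb1950-8c01-11e6-996c-525400b48521", "name": "ANY", "tag": 65535},
    {"id": "92adf9f0-8c01-11e6-996c-525400b48521", "name": "Unknown", "tag": 0},
    {"id": "934557f0-8c01-11e6-996c-525400b48521", "name": "Auditors", "tag": 9},
]
SGACLS = [
    {"id": "92919850-8c01-11e6-996c-525400b48521", "name": "Deny IP", "acl": "deny ip"},
    {"id": "92951ac0-8c01-11e6-996c-525400b48521", "name": "Permit IP", "acl": "permit ip"},
]
POLICIES = [
    {"id": "92c1a900-8c01-11e6-996c-525400b48521", "name": "ANY-ANY",
     "status": "ENABLED",
     "sourceSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
     "destinationSecurityGroupId": "92bb1950-8c01-11e6-996c-525400b48521",
     "sgaclIds": ["92951ac0-8c01-11e6-996c-525400b48521"]},
    {"id": "8bf20331-2824-11ec-bfcd-969230058ed3", "name": "sg2-sg3",
     "status": "MONITOR",
     "sourceSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
     "destinationSecurityGroupId": "935d4cc0-8c01-11e6-996c-525400b48521",
     "sgaclIds": ["92951ac0-8c01-11e6-996c-525400b48521"]},
]


def run_audit():
    return audit_egress_policies(SECURITY_GROUPS, SGACLS, POLICIES)


if __name__ == "__main__":
    for name, src, dst, finding in run_audit():
        print(f"{name}: {src} -> {dst}: {finding}")
```

On the sample data the default ANY-ANY cell is reported as permit-all, and the sg2-sg3 cell is reported twice, once for MONITOR status and once for its permit-all SGACL; its group id is printed raw because that group is not in the sample security group list, which is itself a useful signal that the cached group list is incomplete.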