Create Dynamic Attributes Filters Using the Cisco Identity Controller

Dynamic attributes filters determine which dynamic objects are sent to the cloud-delivered Firewall Management Center for use in access control policies. We recommend setting up dynamic attributes filters for the pxGrid Cloud identity source: one that specifies clients that are in compliance with posture and one that specifies clients that are not in compliance with posture. You can create other dynamic attributes filters as needed.

Procedure


Step 1

Log in to Cisco Security Cloud Control as a user with the Super Admin role.

Step 2

Click Policies > Threat Defense > Integration > Other Integrations > Identity Sources.

Step 3

Click Identity Services Engine (pxGrid Cloud).

Step 4

Click Configure Filters as the following figure shows.

[Figure: In the firewall manager, click Configure Filters]

Step 5

On the page, click the Dynamic Attributes Filter tab.

Step 6

Do any of the following:

  • Add a new filter: click Add (add icon).

  • Edit or delete a filter: click More (more icon), then click Edit or Delete at the end of the row.

Step 7

Enter the following information.

| Item | Description |
|---|---|
| Name | Unique name to identify the dynamic filter (as a dynamic object) in access control policy and in Manage > Policies > Threat Defense > Objects > Object Manager > External Attributes > Dynamic Object. |
| Connector | From the list, click pxGrid Cloud. |
| Query | Click Add (add icon). |

Step 8

To add or edit a query, enter the following information.

| Item | Description |
|---|---|
| Key | Click a key from the list. Keys are fetched from the connector. A typical key for the pxGrid Cloud Identity Source is PostureStatus. |
| Operation | Click one of the following: Equals, to exactly match the key to the value; or Contains, to match the key to the value if any part of the value matches. |
| Values | Click either Any or All and click one or more values from the list. Click Add another value to add values to your query. |

Step 9

Click Show Preview to display a list of networks or IP addresses returned by your query.

Step 10

When you're finished, click Save.

The following figure shows two sample dynamic attributes filters: one for clients whose posture is compliant and the other for clients whose posture is non-compliant.

[Figure: Sample dynamic attributes filters: one for compliant clients and one for non-compliant clients]

Step 11

(Optional.) Verify the dynamic object.

  1. Log in to Cisco Security Cloud Control as a user with the Super Admin role.

  2. Click Manage > Policies > Threat Defense > Objects > Object Manager > External Attributes > Dynamic Object.
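The following added example (not Cisco code and not part of the original procedure) models the Step 8 query fields locally to show why the choice between Equals and Contains matters for posture filters: a Contains match on one posture value can also select clients that belong in the other filter, and clients whose status matches neither filter land in no dynamic object. The session records, the posture strings, case-sensitive substring matching, and the Any/All semantics are assumptions; compare against Show Preview (Step 9) for the real result.

```python
# Local model of a dynamic attributes filter query (Key, Operation, Values, Any/All).
# Assumptions: posture strings, case-sensitive matching, Any = at least one value
# matches, All = every value matches. Sample sessions below are constructed.
SESSIONS = [
    {"ip": "192.0.2.10", "PostureStatus": "Compliant"},
    {"ip": "192.0.2.11", "PostureStatus": "NonCompliant"},
    {"ip": "192.0.2.12", "PostureStatus": "Unknown"},
    {"ip": "192.0.2.13"},  # client that reports no posture attribute
]

def matches(attr, operation, value):
    """Apply one Operation to one attribute value; a missing attribute never matches."""
    if attr is None:
        return False
    if operation == "Equals":
        return attr == value
    if operation == "Contains":
        return value in attr
    raise ValueError(f"unknown operation: {operation}")

def preview(sessions, key, operation, values, mode="Any"):
    """Return the sorted IPs a query would select, like a local Show Preview."""
    if mode not in ("Any", "All") or not values:
        raise ValueError("mode must be Any or All, with at least one value")
    combine = any if mode == "Any" else all
    return sorted(s["ip"] for s in sessions
                  if combine(matches(s.get(key), operation, v) for v in values))

def audit(sessions, filters):
    """Return (overlap, uncovered): IPs in more than one filter, IPs in none."""
    seen, overlap = set(), set()
    for query in filters.values():
        ips = set(preview(sessions, **query))
        overlap |= seen & ips
        seen |= ips
    return sorted(overlap), sorted({s["ip"] for s in sessions} - seen)

def posture_filters(operation):
    """Build the compliant / non-compliant filter pair with the given Operation."""
    return {
        "compliant": dict(key="PostureStatus", operation=operation, values=["Compliant"]),
        "noncompliant": dict(key="PostureStatus", operation=operation, values=["NonCompliant"]),
    }

if __name__ == "__main__":
    for op in ("Equals", "Contains"):
        overlap, uncovered = audit(SESSIONS, posture_filters(op))
        print(f"{op}: overlap={overlap} uncovered={uncovered}")
```

Under these assumptions, the Contains pair places 192.0.2.11 in both filters, while both pairs leave the Unknown and attribute-less clients outside every dynamic object, so access control rules need a deliberate default for them.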


What to do next

Create Access Control Rules Using Dynamic Attributes Filters