Create Dynamic Attributes Filters for the pxGrid Cloud Identity Source

Dynamic attributes filters determine which dynamic objects are sent to the cloud-delivered Firewall Management Center for use in access control policies. We recommend setting up two dynamic attributes filters for the pxGrid cloud identity source: one for clients that are in compliance with posture and one for clients that are not in compliance with posture. You can create other dynamic attributes filters as needed.

Procedure


Step 1

Log in to Cisco Security Cloud Control.

Step 2

Click Objects.

Step 3

Click Integration > Other Integrations > Identity Sources.

Step 4

Click Identity Services Engine (pxGrid Cloud).

Step 5

Click Configure Filters as the following figure shows.

[Figure: In the cloud-delivered Firewall Management Center, click Configure Filters]

Step 6

On the Dynamic Attributes Connector page, click the Dynamic Attributes Filter tab.

Step 7

Do any of the following:

  • Add a new filter: click the Add icon.

  • Edit or delete a filter: click More, then click Edit or Delete at the end of the row.

Step 8

Enter the following information.

Item

Description

Name

Unique name to identify the dynamic filter (as a dynamic object) in access control policy and in the Object Manager (External Attributes > Dynamic Object).

Connector

From the list, click pxGrid Cloud.

Query

  • Add a new query: click the Add icon.

  • Edit or delete a query: click More, then click Edit or Delete at the end of the row.

Step 9

To add or edit a query, enter the following information.

Item

Description

Key

Click a key from the list. Keys are fetched from the connector. A typical key for the pxGrid Cloud Identity Source is PostureStatus.

Operation

Click one of the following:
  • Equals to exactly match the key to the value.

  • Contains to match the key to the value if any part of the value matches.

Values

Click either Any or All and click one or more values from the list. Click Add another value to add values to your query.

Step 10

Click Show Preview to display a list of networks or IP addresses returned by your query.

Step 11

When you're finished, click Save.

The following figure shows two sample dynamic attributes filters: one for clients whose posture is compliant and the other for clients whose posture is non-compliant.

[Figure: Sample dynamic attributes filters: one for compliant clients and one for non-compliant clients]

Step 12

(Optional) Verify the dynamic object in Cisco Security Cloud Control.

  1. Log in to Cisco Security Cloud Control.

  2. Click Policies > FTD Policies.

  3. Click Objects > Object Management.

  4. In the left pane, click External Attributes > Dynamic Object.

    The dynamic attribute query you created should be displayed as a dynamic object.
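The query options in Step 9 interact in ways worth checking before you rely on Show Preview. The following is an added example, not Cisco code: a local model of Equals/Contains and Any/All over constructed endpoints. It assumes case-sensitive matching, that Contains is a substring test, and that the posture values are the sample strings shown; the function names are hypothetical.

```python
# Added illustration: a local model of dynamic attributes query evaluation.
# Assumptions (not confirmed by the product documentation): matching is
# case-sensitive, "Contains" is a substring test, and each endpoint carries
# a single PostureStatus value.

# Constructed sample endpoints (documentation IP range, sample status strings).
ENDPOINTS = [
    {"ip": "192.0.2.10", "PostureStatus": "Compliant"},
    {"ip": "192.0.2.11", "PostureStatus": "NonCompliant"},
    {"ip": "192.0.2.12", "PostureStatus": "Unknown"},
    {"ip": "192.0.2.13"},  # endpoint that reported no posture at all
]


def matches(attr, operation, value):
    """Compare one endpoint attribute against one query value."""
    if attr is None:
        return False  # a missing key never matches
    if operation == "Equals":
        return attr == value
    if operation == "Contains":
        return value in attr
    raise ValueError(f"unknown operation: {operation}")


def preview(endpoints, key, operation, values, mode="Any"):
    """Return the IP addresses the query would select (like Show Preview)."""
    if mode not in ("Any", "All"):
        raise ValueError(f"unknown mode: {mode}")
    if not values:
        raise ValueError("a query needs at least one value")
    combine = any if mode == "Any" else all
    return [
        e["ip"]
        for e in endpoints
        if combine(matches(e.get(key), operation, v) for v in values)
    ]


if __name__ == "__main__":
    # Equals selects only the compliant client.
    print(preview(ENDPOINTS, "PostureStatus", "Equals", ["Compliant"]))
    # Contains also selects the NonCompliant client (substring overlap).
    print(preview(ENDPOINTS, "PostureStatus", "Contains", ["Compliant"]))
    # All with two different values on a single-valued key selects nothing.
    print(preview(ENDPOINTS, "PostureStatus", "Equals",
                  ["Compliant", "NonCompliant"], mode="All"))
```

Under these assumptions, a compliant-clients filter built with Contains would also admit non-compliant clients, so Equals is the safer operation for posture filters, and the endpoint with no posture value lands in neither filter.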

What to do next

Create Access Control Rules Using Dynamic Attributes Filters