* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Secure the Enterprise](https://www2.paloaltonetworks.com/blog/category/secure-the-enterprise/)
* Better Security Policy En...

# Better Security Policy Enforcement with Panorama Plugin for Cisco TrustSec

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F01%2Fnetwork-panorama-plugin%2F)  
[](https://twitter.com/share?text=Better+Security+Policy+Enforcement+with+Panorama+Plugin+for+Cisco+TrustSec&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F01%2Fnetwork-panorama-plugin%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2020%2F01%2Fnetwork-panorama-plugin%2F&title=Better+Security+Policy+Enforcement+with+Panorama+Plugin+for+Cisco+TrustSec&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2020/01/network-panorama-plugin/&ts=markdown)  
\[\](mailto:?subject=Better Security Policy Enforcement with Panorama Plugin for Cisco TrustSec)  
Link copied  
By [Jesse Ralston](https://www.paloaltonetworks.com/blog/author/jesse-ralston/?ts=markdown "Posts by Jesse Ralston")  
Jan 03, 2020  
4 minutes  
[Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)  
[Cisco TrustSec](https://www.paloaltonetworks.com/blog/tag/cisco-trustsec/?ts=markdown)  
[Dynamic Address Groups](https://www.paloaltonetworks.com/blog/tag/dynamic-address-groups/?ts=markdown)  
[network segmentation](https://www.paloaltonetworks.com/blog/tag/network-segmentation/?ts=markdown)  
[network visibility](https://www.paloaltonetworks.com/blog/tag/network-visibility/?ts=markdown)  
[Panorama](https://www.paloaltonetworks.com/blog/tag/panorama/?ts=markdown)  
[security group tags](https://www.paloaltonetworks.com/blog/tag/security-group-tags/?ts=markdown)

Palo Alto Networks customers can now use Panorama, our network security management tool, for even greater network visibility, with a new plugin for Cisco TrustSec.

Enterprise networks have become increasingly vulnerable to advanced threats because of fundamental shifts in the way diverse groups of users access the network from multiple endpoints. Once an adversary breaches their way into the network through any of these endpoints, they move laterally to gain access to sensitive data. [Segmenting the network](https://www.paloaltonetworks.com/resources/videos/importance-of-segmentation) is an effective security strategy in reducing the risks and impacts of these breaches. With [segmentation](https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation), it's easier to confine an adversary breaking into your network. However, network segmentation modeled on IP addresses alone is inefficient and complex to maintain, and can be exploited by adversaries.

Since our commitment is to provide the best security possible, we integrate with third parties so our customers can have security in heterogeneous environments. One example is our Panorama plugin integration. The Cisco Identity Services Engine (ISE) is designed to provide rich user device details when a user connects to the network. After the device is classified, Cisco TrustSec, which is configured on top of ISE, associates security group tags (SGTs) to the user's endpoints. Other network components such as switches, routers, WLAN controllers and firewalls also utilize SGTs to enforce access control security policies. As a Palo Alto Networks customer, you can now leverage [Panorama](https://www.paloaltonetworks.com/network-security/panorama)TM to get visibility into this data to further enforce security across your network.

With the new [Panorama plugin for Cisco TrustSec](https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/endpoint-monitoring-for-cisco-trustsec.html), your enterprise IT teams can create a security policy for your TrustSec environment using [dynamic address groups](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy) (DAGs). The Panorama plugin is designed to monitor changes in IP addresses and tags in the [Cisco ISE/Platform Exchange Grid (pxGrid) service](https://www.cisco.com/c/en/us/products/security/pxgrid.html#~stickynav=1) and register that data into Panorama. It processes the endpoint information and converts it to a set of tags that you can use as match criteria for placing IP addresses in dynamic address groups. Allowing you to create policies that automatically adapt to change.

**Use Case: Leverage Security Tags in Your Healthcare Environment**

I talked with a customer recently who has a few hundred biomedical devices deployed on a network. An important part of the customer's security policy is to segment these devices from the internal network for compliance, ensuring the availability of patient care and data security. Because the customer has a lot of external vendors, these devices also need to support remote VPN.

This customer plans to adopt the Security Group Tag framework to classify and segment these biomedical devices. This will help prevent any lateral movement from the biomedical devices to the internal network that contains sensitive data.

**How it Works**

The new Panorama plugin consumes session objects from the ISE pxGrid service. Each session object contains a TrustSec SGT and the IP address of the device. The plugin then pushes the IP and SGT mapping to the firewalls. This improves on previous approaches because customers can use the tags to configure DAGs for security policy enforcement. With the new Panorama plugin, you can now use these tags in the Palo Alto Networks Next-Generation Firewall security policy and enforce segmentation and access.

**Ready to Install Now?**  
The plugin requires Panorama with version 9.0 or later and is capable of supporting both PA-Series physical appliances and the VM-Series virtualized firewalls. Since the plugin is optional and not built-in, you must install or upgrade it on Panorama to enable functionality.

If you do not have a Panorama, we have an alternative open source solution [gridMeld](https://github.com/PaloAltoNetworks/gridmeld/blob/master/doc/admin-guide.rst). Feel free to check out the above link to get integration with Cisco TrustSec.

Read more in our TechDocs article: [Endpoint Monitoring for Cisco TrustSec.](https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/endpoint-monitoring-for-cisco-trustsec.html)

*** ** * ** ***

## Related Blogs

### [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### Perimeter Is Where Your Workload Is: Policy Abstracted from IP Addressing](https://www2.paloaltonetworks.com/blog/2019/12/network-data-center-security/)

### [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### SEGA Europe: You Cannot Protect What You Cannot See](https://www2.paloaltonetworks.com/blog/2019/07/sega-europe/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### All Layers Are Not Created Equal](https://www2.paloaltonetworks.com/blog/2019/05/network-layers-not-created-equal/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### Introducing PAN-OS 9.0: Stop Threats Hiding in DNS, Close Security Gaps](https://www2.paloaltonetworks.com/blog/2019/02/introducing-pan-os-9-0-stop-threats-hiding-dns-close-security-gaps/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### You Want Network Segmentation, But You Need Zero Trust](https://www2.paloaltonetworks.com/blog/2019/01/you-want-network-segmentation-but-you-need-zero-trust/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### Scaling Panorama to New Heights](https://www2.paloaltonetworks.com/blog/2018/09/scaling-panorama-new-heights/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language