Put a Device in Quarantine Using Cisco ISE pxGrid

Use the IoT Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern.
As an IoT Security user, you can selectively quarantine devices through Cisco ISE pxGrid. In short, ISE quarantines impacted devices by applying a policy that IoT Security generates in one of its exception rules.
Let’s say you want to quarantine a device because you saw an alert that concerns you. In the IoT Security portal, use the Quarantine via Cisco pxGrid option. IoT Security sends a quarantine command through Cortex XSOAR, the XSOAR engine, and pxGrid to ISE.
In response, ISE sends a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, ISE checks the quarantine policy it received from IoT Security, finds that it applies to the device requesting access, and assigns it to a quarantine VLAN. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Cisco pxGrid option to return the device to its regularly assigned VLAN.
For information about creating an authorization profile and exception authorization policy that assigns a quarantined device to a specific VLAN, see the “Setup Adaptive Network Control” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2.
  1. (IoT Security) Click Alerts > Security Alerts and select one of the alerts.
    This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.
  2. Click More > Send to > Quarantine via Cisco pxGrid.
  3. Add a comment.
    After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
  4. Click Send.
    IoT Security automatically creates a policy called panw_iot_quarantine_anc_policy, assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE UI at Operations > Adaptive Network Control > Endpoint Assignment.
    After you click Send, a link appears in the IoT Security portal. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the task was completed, click the link to the XSOAR playbook for this action.
    For the link in IoT Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.
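A check you can run after step 4, added here as an example and not taken from Palo Alto Networks or Cisco material: it reconciles the devices you sent to quarantine against the endpoint assignments listed in ISE, normalizing the MAC address formats the different tools use. The record fields macAddress and policyName, the sample MAC addresses, the second policy name, and the function names are assumptions; adapt them to however you export the Endpoint Assignment list.

```python
import re

# Policy name that IoT Security creates, as stated on this page.
QUARANTINE_POLICY = "panw_iot_quarantine_anc_policy"


def normalize_mac(mac):
    """Return a MAC as uppercase colon-separated octets, whatever the input style."""
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(assignments, expected_quarantined):
    """Compare ANC endpoint assignments with the devices you sent to quarantine.

    assignments: dicts with 'macAddress' and 'policyName' keys (assumed shape).
    expected_quarantined: MACs you quarantined from the IoT Security portal.
    """
    assigned = {normalize_mac(r["macAddress"]): r["policyName"] for r in assignments}
    expected = {normalize_mac(m) for m in expected_quarantined}
    in_policy = {m for m, policy in assigned.items() if policy == QUARANTINE_POLICY}
    return {
        # Sent to quarantine and assigned the quarantine policy in ISE.
        "confirmed": sorted(expected & in_policy),
        # Sent to quarantine but not assigned the policy: follow the playbook link.
        "missing": sorted(expected - in_policy),
        # Assigned the policy but not on your list, e.g. a device never released.
        "unexpected": sorted(in_policy - expected),
    }


# Constructed sample data, not real devices.
SAMPLE_ASSIGNMENTS = [
    {"macAddress": "00:1B:44:11:3A:B7", "policyName": QUARANTINE_POLICY},
    {"macAddress": "00-1b-44-11-3a-c9", "policyName": "other_anc_policy"},
    {"macAddress": "001b.4411.3ad2", "policyName": QUARANTINE_POLICY},
]
SAMPLE_EXPECTED = ["001B.4411.3AB7", "00:1b:44:11:3a:c9"]

if __name__ == "__main__":
    for state, macs in reconcile(SAMPLE_ASSIGNMENTS, SAMPLE_EXPECTED).items():
        print(f"{state}: {', '.join(macs) or '-'}")
```

A device listed under "missing" is one whose quarantine did not reach ISE, which is the case the XSOAR playbook view helps you trace.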