Quarantine a Device Using Cisco ISE pxGrid
Focus
Focus
Device Security

Quarantine a Device Using Cisco ISE pxGrid

Table of Contents

Quarantine a Device Using Cisco ISE pxGrid

Use the Device Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern.
Where Can I Use This?What Do I Need?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
    AND
    A Cortex XSOAR Engine (on-premises integration)
  • A full-featured Cortex XSOAR server
After integrating Device Security with Cisco ISE pxGrid, you can selectively quarantine devices through Cisco ISE pxGrid. Cisco ISE quarantines impacted devices by applying a policy that Device Security generates in one of its exception rules.

Strata Cloud Manager

Use the Device Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern in Device Security in Strata Cloud Manager.

Put a Device in Quarantine Using Cisco ISE pxGrid

Put a Device in Quarantine Using Cisco ISE pxGrid
Let’s say you want to quarantine a device because you saw an alert that concerns you. In Device Security in Strata Cloud Manager, use the Quarantine via Cisco pxGrid option. Device Security sends a quarantine command through Cortex XSOAR, the XSOAR engine, and pxGrid to ISE.
In response, ISE sends a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, ISE checks the quarantine policy it received from Device Security, finds that it applies to the device requesting access, and assigns it to a quarantine VLAN. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Cisco pxGrid option to return the device to its regularly assigned VLAN.
For information about creating an authorization profile and exception authorization policy that assigns a quarantined device to a specific VLAN, see the “Setup Adaptive Network Control” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2.
  1. In Device Security in Strata Cloud Manager, click AlertsSecurity Alerts and select one of the alerts.
    This option is also available in the Action menu in the Alerts section on the Device Details page.
  2. Click MoreSend toQuarantine via Cisco pxGrid.
  3. Add a comment.
    After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
  4. Click Send.
    Device Security automatically creates a policy called panw_iot_quarantine_anc_policy, assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE web interface at OperationsAdaptive Network ControlEndpoint Assignment.
    After you click Send, a link appears in Device Security. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the task completed, click the link to the XSOAR playbook for this action.
    For the link in Device Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

Release a Device from Quarantine Using Cisco ISE pxGrid

Release a Device from Quarantine Using Cisco ISE pxGrid
Removing a device from quarantine is the same procedure as putting it in quarantine except that you select the alert on the AlertsSecurity Alerts page and then click MoreSend toRelease via Cisco pxGrid. This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.
Device Security removes the device from the quarantine policy and sends ISE a command through Cortex XSOAR, the XSOAR engine, and pxGrid to reset authorization for the device. Cisco ISE sends another Disconnect-Request message to the switch, causing it to disconnect the device. This time when the device reconnects and requests network access, ISE does not find a policy match and accepts the device back onto the network, assigning it to its usual, unquarantined VLAN.

Legacy IoT Security

Use the Device Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern in the Device Security portal.

Put a Device in Quarantine Using Cisco ISE pxGrid

Put a Device in Quarantine Using Cisco ISE pxGrid
Let’s say you want to quarantine a device because you saw an alert that concerns you. In the Device Security portal, use the Quarantine via Cisco pxGrid option. Device Security sends a quarantine command through Cortex XSOAR, the XSOAR engine, and pxGrid to ISE.
In response, ISE sends a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, ISE checks the quarantine policy it received from Device Security, finds that it applies to the device requesting access, and assigns it to a quarantine VLAN. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Cisco pxGrid option to return the device to its regularly assigned VLAN.
For information about creating an authorization profile and exception authorization policy that assigns a quarantined device to a specific VLAN, see the “Setup Adaptive Network Control” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2.
  1. In Device Security in Strata Cloud Manager, click AlertsSecurity AlertsAll Alerts and select one of the alerts.
    This option is also available in the Action menu in the Alerts section on the Device Details page.
  2. Click MoreSend toQuarantine via Cisco pxGrid.
  3. Add a comment.
    After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
  4. Click Send.
    Device Security automatically creates a policy called panw_iot_quarantine_anc_policy, assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE web interface at OperationsAdaptive Network ControlEndpoint Assignment.
    After you click Send, a link appears in Device Security. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the task completed, click the link to the XSOAR playbook for this action.
    For the link in Device Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

Release a Device from Quarantine Using Cisco ISE pxGrid

Release a Device from Quarantine Using Cisco ISE pxGrid
Removing a device from quarantine is the same procedure as putting it in quarantine except that you select the alert on the AlertsSecurity Alerts page and then click MoreSend toRelease via Cisco pxGrid. This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.
Device Security removes the device from the quarantine policy and sends ISE a command through Cortex XSOAR, the XSOAR engine, and pxGrid to reset authorization for the device. Cisco ISE sends another Disconnect-Request message to the switch, causing it to disconnect the device. This time when the device reconnects and requests network access, ISE does not find a policy match and accepts the device back onto the network, assigning it to its usual, unquarantined VLAN.