>
    Strata Copilot
    Quarantine a Device Using Cisco ISE
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Integration Guide
    4. Network Access Control
    5. Integrate Device Security with Cisco ISE
    6. Quarantine a Device Using Cisco ISE
    Download PDF
    Device Security

    Quarantine a Device Using Cisco ISE

    Table of Contents

    Quarantine a Device Using Cisco ISE

    Use the Device Security integration with Cisco ISE to quarantine IoT devices of concern.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    • Device Security X subscription
    One of the following Cortex XSOAR setups:
    • A free, cohosted, limited-featured Cortex XSOAR instance
      AND
      A free Cortex XSOAR Engine (on-premises integration)
    • A full-featured Cortex XSOAR server
    Through the Device Security integration with Cisco ISE, you can send a request to Cisco ISE to quarantine devices or to remove devices from quarantine.

    Strata Cloud Manager

    Use the Device Security integration with Cisco ISE to quarantine IoT devices of concern from Device Security in Strata Cloud Manager.

    Put a Device in Quarantine Using Cisco ISE

    Put a Device in Quarantine Using Cisco ISE
    If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the AlertsSecurity Alerts page. You can also do this in the Action menu in the Alerts section on the Device Details page.
    1. Select an alert on AlertsSecurity Alerts in Device Security in Strata Cloud Manager.
    2. Click MoreSend toQuarantine via Cisco ISE.
    3. Add a comment.
      After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
    4. Click Send.
      Device Security sends PanwIoTAlertSeverity and PanwIoTAlertType attributes, together with the MAC address of the impacted device, through Cortex XSOAR to all configured Cisco ISE instances. The instance or instances that have an endpoint with a matching MAC address apply the quarantine. The next time the device disconnects from the network and then reconnects, it requests access permission from Cisco ISE. If you configured an exception rule to put devices with a security alert into the quarantine VLAN, Cisco ISE will assign the device to that VLAN instead of its usual VLAN. While it’s in the quarantine VLAN, which has no connection to the rest of the network, you can investigate the alert. When it’s resolved, you can then release a device from quarantine.
      After you click Send, a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.
      To confirm that the quarantine command was sent, click the link to the XSOAR playbook for this action.
      For the link in Device Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
      The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

    Release a Device from Quarantine Using Cisco ISE

    Release a Device from Quarantine Using Cisco ISE
    Removing a device from quarantine is the same procedure as putting it in quarantine except that you select MoreSend toRelease via Cisco ISE on the AlertsSecurity Alerts page. This option is also available in the Action menu in the Alerts section on the Device Details page.
    Device Security sends ISE the PanwIoTAlertSeverity and PanwIoTAlertType attributes with None as the text string and the MAC address of the impacted device, which means the exception rule assigning it to a quarantine VLAN no longer applies to it. The instance or instances that have an endpoint with a matching MAC address release it from quarantine. The next time the device disconnects from the network and then reconnects, it requests network access from Cisco ISE. When ISE doesn’t find any matching exception rules in its policy and accepts the device back onto the network, it puts the device back in its normally assigned VLAN.

    Legacy IoT Security

    Use the Device Security integration with Cisco ISE to quarantine IoT devices of concern from the Device Security portal.

    Put a Device in Quarantine Using Cisco ISE

    Put a Device in Quarantine Using Cisco ISE
    If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the AlertsSecurity AlertsAll Alerts page. You can also do this in the Action menu in the Alerts section on the Device Details page.
    1. Select an alert on AlertsSecurity AlertsAll Alerts in the Device Security portal.
    2. Click MoreSend toQuarantine via Cisco ISE.
    3. Add a comment.
      After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
    4. Click Send.
      Device Security sends PanwIoTAlertSeverity and PanwIoTAlertType attributes, together with the MAC address of the impacted device, through Cortex XSOAR to all configured Cisco ISE instances. The instance or instances that have an endpoint with a matching MAC address apply the quarantine. The next time the device disconnects from the network and then reconnects, it requests access permission from Cisco ISE. If you configured an exception rule to put devices with a security alert into the quarantine VLAN, Cisco ISE will assign the device to that VLAN instead of its usual VLAN. While it’s in the quarantine VLAN, which has no connection to the rest of the network, you can investigate the alert. When it’s resolved, you can then release a device from quarantine.
      After you click Send, a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.
      To confirm that the quarantine command was sent, click the link to the XSOAR playbook for this action.
      For the link in Device Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
      The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

    Release a Device from Quarantine Using Cisco ISE

    Release a Device from Quarantine Using Cisco ISE
    Removing a device from quarantine is the same procedure as putting it in quarantine except that you select MoreSend toRelease via Cisco ISE on the AlertsSecurity AlertsAll Alerts page. This option is also available in the Action menu in the Alerts section on the Device Details page.
    Device Security sends ISE the PanwIoTAlertSeverity and PanwIoTAlertType attributes with None as the text string and the MAC address of the impacted device, which means the exception rule assigning it to a quarantine VLAN no longer applies to it. The instance or instances that have an endpoint with a matching MAC address release it from quarantine. The next time the device disconnects from the network and then reconnects, it requests network access from Cisco ISE. When ISE doesn’t find any matching exception rules in its policy and accepts the device back onto the network, it puts the device back in its normally assigned VLAN.

    © 2026 Palo Alto Networks, Inc. All rights reserved.