Put a Device in Quarantine Using Cisco ISE pxGrid

Use the IoT Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern.
As an IoT Security user, you can selectively quarantine devices through Cisco ISE pxGrid. In short, ISE quarantines impacted devices by applying a policy that IoT Security generates in one of its exception rules.
Let’s say you want to quarantine a device because you saw an alert that concerns you. In the IoT Security portal, use the
Quarantine via Cisco pxGrid
option. IoT Security sends a quarantine command through Cortex XSOAR, the XSOAR engine, and pxGrid to ISE.
In response, ISE sends a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, ISE checks the quarantine policy it received from IoT Security, finds that it applies to the device requesting access, and assigns it to a quarantine VLAN. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Cisco pxGrid option to return the device to its regularly assigned VLAN.
For information about creating an authorization profile and exception authorization policy that assigns a quarantined device to a specific VLAN, see the “Setup Adaptive Network Control” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2.
  1. (
    IoT Security
    ) Click
    Alerts
    Security Alerts
    and select one of the alerts.
    This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.
  2. Click
    More
    Send to
    Quarantine via Cisco pxGrid
    .
  3. Add a comment.
    After you enter a comment, the
    Send
    button changes from gray to blue, indicating that you can proceed.
  4. Click
    Send
    .
    IoT Security automatically creates a policy called
    panw_iot_quarantine_anc_policy
    , assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE UI at
    Operations
    Adaptive Network Control
    Endpoint Assignment
    .
    After you click
    Send
    , a link appears in the IoT Security portal. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the task was completed, click the link to the XSOAR playbook for this action.
    For the link in IoT Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

Recommended For You