Put a Device in Quarantine Using Cisco ISE pxGrid

Use the IoT Security integration with Cisco ISE pxGrid to quarantine IoT devices of concern.
As an IoT Security user, you can selectively quarantine devices through Cisco ISE pxGrid. In short, ISE quarantines impacted devices by applying a policy that IoT Security generates in one of its exception rules.
Let’s say you want to quarantine a device because you saw an alert that concerns you. In the IoT Security portal, use the
Quarantine via Cisco pxGrid
option. IoT Security sends a quarantine command through Cortex XSOAR, the XSOAR engine, and pxGrid to ISE.
In response, ISE sends a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, ISE checks the quarantine policy it received from IoT Security, finds that it applies to the device requesting access, and assigns it to a quarantine VLAN. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Cisco pxGrid option to return the device to its regularly assigned VLAN.
For information about creating an authorization profile and exception authorization policy that assigns a quarantined device to a specific VLAN, see the “Setup Adaptive Network Control” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.2.
  1. (
    IoT Security
    ) Click
    Alerts
    Security Alerts
    and select one of the alerts.
    This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.
  2. Click
    More
    Send to
    Quarantine via Cisco pxGrid
    .
  3. Add a comment and then click
    Send
    .
    IoT Security automatically creates a policy called panw_iot_quarantine_anc_policy, assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE UI at
    Operations
    Adaptive Network Control
    Endpoint Assignment
    .

Recommended For You