Put a Device in Quarantine Using Cisco ISE

Use the IoT Security integration with Cisco ISE to quarantine IoT devices of concern.
If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the
Security Alerts
page. You can also do this in the Action menu in the Risks and Alerts sections on the Device Details page.
  1. Select an alert on
    Security Alerts
    in the IoT Security portal.
  2. Click
    Send to
    Quarantine via Cisco ISE
    IoT Security sends PanwIoTAlertSeverity and PanwIoTAlertType attributes, together with the MAC address of the impacted device, through Cortex XSOAR to all configured Cisco ISE instances. The instance or instances that have an endpoint with a matching MAC address apply the quarantine. The next time the device disconnects from the network and then reconnects, it requests access permission from Cisco ISE. If you configured an exception rule to put devices with a security alert into the quarantine VLAN, Cisco ISE will assign the device to that VLAN instead of its usual VLAN. While it’s in the quarantine VLAN, which has no connection to the rest of the network, you can investigate the alert. When it’s resolved, you can then release a device from quarantine.

Recommended For You