Release a Device from Quarantine Using Forescout

Remove devices from quarantine through IoT Security integration with Forescout.
Releasing a device from quarantine is the same procedure as putting it in quarantine except that you click
More
Send to
Release via Forescout
on the
Alerts
Security Alerts
page. This option is also available in the Action menu in the Alerts section on a Device Details page.
Releasing a device from quarantine requires IoT Security owner or administrator privileges.
The XSOAR engine sends Forescout the PanwIoTQuarantine host property with the value set to
off
(
PanwIoTQuarantine=off
) using the Forescout API:
https://<Forescout_IP_address>/fsapi/niCore/Hosts
The instance or instances that have an endpoint with a matching MAC address take action based on how Forescout administrators choose to use the host property. For example, if the Forescout administrators use this host property to disconnect an impacted device and reassign its VLAN, then Forescout would send another
Disconnect-Request
message to the switch through which the device connects to the network. This time when the device reconnects and requests network access, Forescout accepts the device back onto the network and puts it in its normally assigned VLAN.

Recommended For You