>
    Strata Copilot
    Set up Cisco ISE to Identify and Quarantine IoT Devices
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Integration Guide
    4. Network Access Control
    5. Integrate Device Security with Cisco ISE
    6. Set up Cisco ISE to Identify and Quarantine IoT Devices
    Download PDF
    Device Security

    Set up Cisco ISE to Identify and Quarantine IoT Devices

    Table of Contents

    Set up Cisco ISE to Identify and Quarantine IoT Devices

    Integrate Device Security through Cortex XSOAR with Cisco ISE to identify and quarantine IoT devices.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    • Device Security X subscription
    One of the following Cortex XSOAR setups:
    • A free, cohosted, limited-featured Cortex XSOAR instance
      AND
      A free Cortex XSOAR Engine (on-premises integration)
    • A full-featured Cortex XSOAR server
    As a Device Security administrator, you can selectively quarantine devices through Cisco ISE using PanwIoTAlertSeverity and PanwIoTAlertType attributes. When you send ISE the quarantine command, ISE quarantines impacted devices by applying policy rules based on the alert severity, alert type, or both.
    In addition to configuring ISE to identify IoT devices, configure the following on your Cisco ISE system to quarantine IoT devices when there are security alerts:
    • Add these custom endpoint attributes for Device Security alerts: PanwIoTAlertSeverity and PanwIoTAlertType
    • Create authorization profiles
    • Create exception rules
    1. Add Device Security endpoint attributes for alert severity and type.
      1. Click AdministrationIdentity ManagementSettingsEndpoint Custom Attributes.
      2. Click the Add icon ( + ), enter PanwIoTAlertSeverity in the Attribute name field, and then choose String from the Type drop-down.
      3. Click the Add icon ( + ), enter PanwIoTAlertType in the Attribute name field, choose String from the Type drop-down, and then Save the configuration.
        This is a possible set of attributes:
        PanwIoTProfile, PanwIoTIP, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET, PanwIoTAlertSeverity, PanwIoTAlertType
    2. Create an authorization profile that allows IoT devices to access the network and associates them with the quarantine VLAN.
      1. Click PolicyPolicy ElementsResultsAuthorizationAuthorization Profiles and then click Add.
      2. Enter settings like those described below, leave the other settings at their default values:
        Name: Enter a name for the profile; for example: IoT-device-protection
        Access Type: ACCESS_ACCEPT
        VLAN: (select); Tag ID: 1; ID/Name: 999, where 999 is the ID number of the quarantine VLAN.
      3. Submit the settings.
    3. Create a condition for applying an exception rule, such as applying it when the severity is critical.
      1. Click PolicyPolicy ElementsConditionsLibrary Conditions and then enter the following in Editor:
        Click to add an attribute: EndpointsPanwIoTAlertSeverity
        Operator: Equals
        Attribute value: Critical
      2. Save the configuration.
      3. In the Save condition dialog box, select Save as a new Library Condition, enter a name such as Critical Alert Severity in the Condition Name field, and then click Save.
    4. Create authorization policy exception rule that assigns devices with critical alerts to the quarantine VLAN.
      1. Click PolicyPolicy Sets and then click the Arrow icon ( > ) to modify your existing policy set.
      2. Expand Authorization Policy - Local Exceptions, click the Plus icon ( + ) to add an exception rule, and then click the Plus icon ( + ) to add a condition.
      3. Click-drag Critical Alert Severity from the Library into the Editor and then click Use.
      4. In Results-Profiles, choose IoT-device-protection, which is the authorization profile you created for this condition.
      5. Save the configuration.
        When you quarantine a device in the Device Security portal, it sends the two alert attributes (PanwIoTAlertType and PanwIoTAlertSeverity) for that device (identified by its MAC address) through XSOAR to ISE. The next time that device connects to the network and requests access from Cisco ISE, the two alert attributes will match this exception rule and assign it to the quarantine VLAN.
        The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you then release it from quarantine, which clears the alert attributes. When the device connects to the network and again requests access from Cisco ISE, ISE reassigns it to its usual VLAN.

    © 2026 Palo Alto Networks, Inc. All rights reserved.