topic Re: Bulk Unquarantine function in Network Access Control

Bulk Unquarantine function

Chess Norris — Tue, 23 Jan 2018 07:58:39 GMT

Hello,

We have a Rapid Threat Containment solution with Firepower Threat Defense and ISE using pxGrid.

From Firepower we can send quarantine request to ISE, which will send a CoA to the switch and place the endpoint in a restricted VLAN.

This is working great, but we are looking for a function I ISE to un-quarantine those endpoints after they have been quarantined.

I am aware of the manual un-quarantine function in ISE, but removing each single endpoint from quarantine is not very convenient in an environment with 100 000+ endpoints.

Due to false positive detection, there is a possibility that a l large number of endpoints get quarantined and we are therefore looking for a function where we could select some or every endpoint that are currently in quarantine and do a bulk un-quarantine on the selected endpoints.

Is there some API calls available that could achieve this?

Best regards

/Jorgen

Re: Bulk Unquarantine function

hslai — Tue, 23 Jan 2018 16:19:16 GMT

Yes, there are. I will ask our SME to see whether he has a doc on this.

Re: Bulk Unquarantine function

paul — Tue, 23 Jan 2018 16:29:15 GMT

Jorgen,

If you enable the ERS interface on your ISE deployment you can browse the REST APIs. There is an API called ANC Endpoint that has a Clear call that can be made. It looks like that is used to clear the ANC policy from an endpoint. The API also has a Bulk Request. With Bulk requests you can submit up to 500 commands of the same type at once. So in theory you could Bulk Request 500 clears. The Bulk Request will give you Bulk Request ID back. You can use that ID to issue a Monitor Bulk Status query.

I haven't tested this particular API, but that is how I read the API documentation.

Re: Bulk Unquarantine function

Chess Norris — Wed, 24 Jan 2018 08:15:47 GMT

Thank you for the answer. The customer I work with are running ISE version 2.0.1.330 and I cannot

find the ANC Endpoint API there. However, on my LAB ISE 2.3, the documentation for ANC Endpoint is available. Do you know which version of ISE the ANC Endpoint API is available on?

The customer has a quite large ISE setup with 12 nodes and 100 000+ endpoints running 802.1X in closed mode and are reluctant to upgrade the ISE servers - at least not in the near future.

Re: Bulk Unquarantine function

jeppich — Wed, 24 Jan 2018 11:11:03 GMT

Hey Jorgan,

Using the ERS API's, you would have to unquarantine by IP. You can possible create an unquarantine policy and associated unquarantine rule via Firepower 6.1+. If you are looking for a bulk unquarantine button, in ISE, this would need to be a future request.

Thanks,

John

jeppich@cisco.com

Re: Bulk Unquarantine function

Chess Norris — Tue, 30 Jan 2018 13:12:09 GMT

I have now been testing the ANC Endpoint apply and the ANC Endpoint clear REST API calls.

I can execute the ANC Endpoint apply API call from the postman client and it will match the ANC Policy and the correct Authorization Profile. As expected, the ANC Endpoint clear API call will then un-quarantine the client.

My issue is when I am using Firepower Management Center to trigger the quarantine event, the ANC Endpoint clear API call will not work and I receive the following error in Postman:

<title>mac address is not associated with a policy</title>

Is this because FMC use EPS rather than ANC to do the quarantine through pxGrid?

I am aware that I can use an un-quarantine correlation rule in FMC, but I am struggle to find a reasonable use-case for this.

The customer is asking for a solution that would allow them to do the following:

Automatically quarantine clients based on certain IPS signatures from Firepower
Perform a antimalware/antivirus scan of the client
When the quarantined client has been determined as clean, un-qurantine the client either manually from ISE or via a custom built portal, using REST API calls.
Also have the possibility to bulk un-qurantine all clients in case of a false positive event that accidently put a lot of clients in quarantine.

While we have got automatic quarantine to work, do you have any suggestions on how we could achieve the un-quarantine part?

Re: Bulk Unquarantine function

jeppich — Tue, 30 Jan 2018 13:49:44 GMT

Hey Jorgen,

Yes, FMC is using EPS (ANC 1.0) with pxGrid and not using the enhanced EPS (ANC 2.0). FMC does not use the ANC policies rather it uses Session:EPSStatus:Quarantine. This is an FMC BU issue.

Can you send me an email with the customer name. I am at Cisco Live this week and will be back in the office Feb 5th.

Thanks,

John

jeppich@cisco.com