topic Re: Firepower or ISE that block access? in Network Security

Firepower or ISE that block access?

raymondluis13 — Mon, 10 Oct 2022 10:12:39 GMT

hi, so i'm integrated my firepower with ISE, and i have a rule that will quarantine user that try to access something dangerous. The quarantine option come from ISE, but Firepower is the one that trigger the action.

I want to ask, if user get block into quarantine. Which technology responsible for it? Firepower or ISE?

Re: Firepower or ISE that block access?

Rob Ingram — Mon, 10 Oct 2022 10:28:53 GMT

@raymondluis13 ISE is the brains, when you quarantine it sends a CoA to reauthorise the session and can assign a different TrustSec SGT. The firepower device or switches, routers, WSA etc can all block traffic based on the SGT.

Re: Firepower or ISE that block access?

balaji.bandi — Mon, 10 Oct 2022 10:35:59 GMT

Is the identity source ISE, then ISE will have blocked user for this case i guess.

Re: Firepower or ISE that block access?

Aref Alsouqi — Mon, 10 Oct 2022 12:42:28 GMT

As @Rob Ingram mentioned, ISE is the brain. It is essentially going to instruct the network device(s) with what action should be applied to the endpoint session that triggered the violation, the network device itself won't be able to do that, this is why we need the integration with ISE. For example, with Secure Network Analytics (Stealthwatch) you can configure the violation rules, then when and endpoint triggers a rule, Secure Network Analytics will share that with ISE, ISE will then trigger the reauthentication of that session and will instruct the switch (where the endpoint is connected) to reject the traffic from that endpoint.