https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3316722#M926149 <P>You're welcome.</P> <P>&nbsp;</P> <P>The Cisco solution is known as Rapid Threat Containment. More information can be found here:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html" target="_blank">https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html</A></P> Tue, 23 Jan 2018 13:21:35 GMT Marvin Rhoads 2018-01-23T13:21:35Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3310283#M926146 <P>Hi,</P> <P>&nbsp;</P> <P>Can firepower / firesight, auto block an IP address if the IP generates an event or an alert. So rather than constantly blocking the attack, i would like FP to actually block the a fending IP for a set period.</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:07:24 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3310283#M926146 paul-d 2020-02-21T15:07:24Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3312952#M926147 <P>Not by itself it cannot.</P> <P>&nbsp;</P> <P>If the offending host is internal and you have something like ISE you can create a correlation policy to have ISE quarantine the host or shutdown the switchport or kick it off the WLAN.</P> Wed, 17 Jan 2018 15:16:06 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3312952#M926147 Marvin Rhoads 2018-01-17T15:16:06Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3316574#M926148 <P>Hi,</P> <P>&nbsp;</P> <P>Thank you, i dont suppose you have any links to any sources? at all&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>kind regards</P> <P>Chris.</P> Tue, 23 Jan 2018 09:58:57 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3316574#M926148 paul-d 2018-01-23T09:58:57Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3316722#M926149 <P>You're welcome.</P> <P>&nbsp;</P> <P>The Cisco solution is known as Rapid Threat Containment. More information can be found here:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html" target="_blank">https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html</A></P> Tue, 23 Jan 2018 13:21:35 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3316722#M926149 Marvin Rhoads 2018-01-23T13:21:35Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3321620#M926150 <P>While the&nbsp;<SPAN>Rapid Threat Containment working fine for quarantine endpoints in ISE , I am struggling&nbsp;to find a good solution for un-</SPAN>quarantine. Do you know if is is possible to use the FMC REST API to un-quarantine an endpoint based on MAC or IP address?</P> <P>&nbsp;</P> <P>Thanks</P> <P>/Jorgen</P> Tue, 30 Jan 2018 13:32:58 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3321620#M926150 Chess Norris 2018-01-30T13:32:58Z https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3321678#M926151 <P>Assuming ISE quarantined the endpoint, it can also unquarantine it and send a message via pxGrid for Firepower to do the same.</P> <P>&nbsp;</P> <P>I'm not sure about using the API directly. Even if the documentation told me I could use the API, I would lab that up first.</P> Tue, 30 Jan 2018 14:46:35 GMT https://community.cisco.com/t5/network-security/auto-blocking-ip-after-alert-event/m-p/3321678#M926151 Marvin Rhoads 2018-01-30T14:46:35Z