cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
290
Views
1
Helpful
6
Replies

Machine is still able to access IPs after being placed in a policy

hank hale
Level 1
Level 1

We put a machine in a custom policy, that uses a blacklist to blocks all internal IPs. We are using VPN 5.1.4.74 and endpoint 8.4.2.30317 on a windows 10 machine. The IP blacklist includes our FTDs, and ISE servers. We are still able to access the IPs on the blacklist even though it is applied to that policy. 

Do you all have any ideas?

 

1 Accepted Solution

Accepted Solutions

What's the whole scenario???
Is this a case of IR, where you think the box might be infected and you want to keep it from connecting to your network?

Host firewall policy or isolation with whatever allow list you need would be your best bet.

View solution in original post

6 Replies 6

Take a look at this:
https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217750-configure-ip-allow-and-block-list-in-the.pdf

Make sure you have the correct action defined in the network section of the policy. Note that is is based on DFC, and is inteneded to be an malware block/alerting mechanism, DFC only reacts to the first 100 hits. Its not intended as a firewall

There is a firewall feature available now.

hank hale
Level 1
Level 1

Thanks Ken, 

That was exactly what I did. I am basically trying to make a policy for traveling users, to keep them out of our internal networks, and off our VPN until our desktop support guys can work on it. Do you think I am going about this the wrong way? 

thanks, 

Eh.... yeah...

(assuming Cisco tech stack)

To keep them from VPNing in, I'd put an DAP policy based on an LDAP group on that blocks their connection with a message.

For internal network access are you trying to stop them connecting when the come in an office and plug in?

hank hale
Level 1
Level 1

Hi Ken,

Yep we are working with a full Cisco stack. We were trying to keep it inside of Secure Endpoint, but the DAP policy has come up in our talks. Our leadership is wanting to see if it can be done in Secure Endpoint, but if not we can scratch that off the list. Once an alert comes in that requires hands on it, and cannot be accomplished by our remote support tools, we will take the machine once an employee comes on prem. 

Thanks for the guidance!

What's the whole scenario???
Is this a case of IR, where you think the box might be infected and you want to keep it from connecting to your network?

Host firewall policy or isolation with whatever allow list you need would be your best bet.

Matthew Franks
Cisco Employee
Cisco Employee

Ken is correct as usual regarding DFC and the new Host Firewall feature. I second his recommendation to use the Host Firewall feature or Endpoint Isolation, depending on the situation.

Thanks,

-Matt