Cisco Employee

FP 6.0 / ISE 2.0 pxGrid Remediation Module

I was wondering if anyone knows if the pxGrid Remediation Module v1.0 is compatible with Firepower Management Center 6.0 and ISE 2.0.

Sourcefire Support Site: "Threat Containment" section

https://support.sourcefire.com/sections/4/sub_sections/67

FireSIGHT pxGrid Remediation Module 1.0

pxGrid_Mitigation_Remediation_v1.0.tgz

Cisco FireSIGHT and ISE Rapid Threat Containment Solution Secure Access How-To Guide PDF

how-to-pxgrid_sourcefire_draft_1013_je.pdf

What I have working:

1. FMC 6.0 / ISE 2.0 Identity Source Integration - Native pxGrid Support, with ISE and FMC using trusted CA Signed Certs.

2. Correlation Rules that match on various events, such as IPS Signatures or Malware events.

3. Connection, IPS, Malware, and Correlation events all show user identity from ISE.

What is not working:

- Remediation actions.

I’ve installed the mitigation / remediation module package (v1.0), and created corresponding remediation actions for correlated events (e.g. Quarantine, Port Bounce, etc.). They seem to install okay, but no actions are sent to ISE.

Syslog on FMC shows a possible problem, but I don’t know if it’s verbose enough to troubleshoot:

Jan 31 2016 14:56:30 fmc01 SF-IMS[8756]: pxgrid_mitigation.pl:fatal [WARN] Unable to open Unix socket

I am going to attempt to try the same setup with FMC 5.4, but I was hoping to know if anyone else has this working with 6.0. Any takers?

Many thanks!

1 ACCEPTED SOLUTION

Cisco Employee

Re: FP 6.0 / ISE 2.0 pxGrid Remediation Module

Gilbert, remediation is not supported on 6.0. From the release note:

Firepower System Release Notes, Version 6.0 - Cisco

"The integration with Cisco ISE enhances the user identity data available to the system to use in analysis and policy control. By subscribing to Cisco’s Platform Exchange Grid (PxGrid), the Firepower Management Center is able to download additional user data, device type data, device location data, and Security Group Tags (SGTs —a method used by ISE to provide network access control). Beyond the added visibility into the users on your network, this data is also actionable intelligence because it extends the control you can provide by creating policies based on SGTs, or on device type, or any of the other information provided by ISE.

Note: In Version 6.0, you cannot use ISE to automatically quarantine an infected endpoint. This functionality will be added in a later release."

Hosuk

Contributor

Re: FP 6.0 / ISE 2.0 pxGrid Remediation Module

Cisco Employee

Re: FP 6.0 / ISE 2.0 pxGrid Remediation Module

Thank you, Hosuk.

I did actually read that, but was hoping that it would be the same as it was with 5.4, which also didn't have the remediation actions available until installing the mitigation module and pxGrid scripts.

In any case, bummer!! Hehe.

Thanks again.

Gilbert

Beginner

Re: FP 6.0 / ISE 2.0 pxGrid Remediation Module

Hi Gilbert,

FMC 6.1 is now released. Is the remediation action supported in version 6.1? I couldn't find it online.

Thanks

Beginner

Re: FP 6.0 / ISE 2.0 pxGrid Remediation Module

Remediation is not only supported in 6.1, but the modules are built in now. I have this successfully working to automatically remediate wireless users (using Cisco WLC). Next steps are to get this working for AnyConnect and wired users.