Hey Terry,

What version of Cisco Firepower are you using?

Do you have your pxGrid remediaton instance configured on Firepower, have you setup your quarantine by source ip address  remediation policies and assigned them to your Firepower quarantine policies and configured your Firepower quarantine rules?

Firepower will trigger an automated mitigation action via pxGrid, you will want to have your Session:EPSStatus:Quarantine ISE authorization policy configured.

Both ISE authz Session:EPSStatus:Quarantine rules and ISE ANC policies (port-shut, port-bounce, quarantine) are Adaptive Network Control (ANC) mitigation actions.    Session:EPSStatus:Quarantine is considered ANC 1.0, Firepower subscribes the pxGrid EndpointProtection Service Topic to perform this mitigation action.  ISE ANC policies are considered ANC 2.0, pxGrid clients like Stealthwatch 7.0 subscribe to  the pxGrid AdaptiveNetworkControl topic to perform these mitigation actions..  Firepower, even though, they also subscribe to the pxGrid AdaptiveNetworkControl, DO NOT use ISE ANC policies, they still use Session:EPSSTATUS:Quarantine policies.

Firepower 6.0 does not support ANC mitigations via pxGrid.

If you have additional questions, please email me directly.

Thanks,

John

jeppich@cisco.com