11-07-2018 08:15 PM
Hi,
We are using the EPS unquarantine function in ISE 2.4, but it's a manual process where we have to copy/paste the MAC address of the client we want to unquarantine. Is it possible to do the unquarantine through an API call instead? If so, is there any documentation that describes this?
Thanks
/Jorgen
11-08-2018 06:49 AM
Hi Jorgen,
Firepower 6.1 and above uses pxGrid for ANC 1.0 mitigation actions subscribing to the EndpointProtection Topic, and uses the Session:ESTATUS:Quarantine ISE authz.policy. (legacy EPS)
For ANC 2.0 mitigation actions, Firepower would need to subscribe to the AdaptiveNetworkControl Topic, and use the true ANC policies: port_bounce, quarantine, shut_down and associated actions.
Do you have customers asking for this? If so, can you unicast me their names. We would have to route them over the Firepower PM. As Jason indicates, we will check and get back with you if it's something that we can share.
Thanks,
John
jeppich@cisco.com
11-07-2018 11:48 PM
Thank you for the quick reply,
My understanding is that Firepower - in its current version - is not able to use the newer ANC method to do quarantine/unquarantine, and we are stuck with using legacy EPS for that. Do you have any insight into when, or if, Firepower will ever support ANC?
Thanks
/Jorgen
11-08-2018 10:11 AM - edited 11-08-2018 10:14 AM
Hi John,
I sent you an email earlier today with information about the customer (let me know if you didn't receive it).
The customer has about 30 000 endpoints, and before they go live with Rapid Threat Containment, the customer requires a function to unquarantine multiple endpoints. The customer is worried about false positives from Firepower that could potentially put thousands of endpoints in quarantine.
That's why they feel it's very important to have a fail-safe/emergency function that could achieve this. I imagine it would be a lot easier to accomplish this with ANC 2.0, where we would actually see a list of MAC addresses being quarantined and have an option to select all and unquarantine them.
Best regards
/Jorgen
jofr@conscia.com
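The two posts above describe the ANC 2.0 path (the pxGrid AdaptiveNetworkControl service with quarantine / clear actions) and the customer's need for an emergency bulk unquarantine. The following is an added example written for this thread, not code from Cisco, ISE or Firepower. It assumes the pxGrid 2.0 REST base URL for the ANC configuration service has already been discovered via ServiceLookup, that the pxGrid client is approved on ISE, that the service exposes a /clearEndpointByMacAddress action taking {"macAddress": "..."} as in the pxGrid 2.0 REST documentation, and that authentication (client certificate or password) is configured on the requests.Session the caller passes in. The MAC list and the base URL in the block are constructed sample values.

```python
"""Bulk ANC clear ("unquarantine") helper for ISE pxGrid 2.0.

Assumptions, not taken from the thread: the ANC REST base URL is known,
the client is approved on ISE, and the service accepts
POST <base>/clearEndpointByMacAddress with {"macAddress": "..."}.
"""
from __future__ import annotations

import re
from typing import Iterable

# Colon-separated, upper-case form, e.g. 00:11:22:33:44:55
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalise_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return the colon form; raise on anything else so a
    typo in an operator-supplied list never turns into a silent no-op."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def build_clear_requests(base_url: str, macs: Iterable[str]) -> list[tuple[str, dict]]:
    """Return one (url, json_body) pair per unique valid MAC, in input order.
    Duplicates are dropped so a MAC that appears twice in an export is
    cleared once."""
    # Assumed pxGrid 2.0 ANC action path; verify against your ISE version.
    url = base_url.rstrip("/") + "/clearEndpointByMacAddress"
    seen: set[str] = set()
    requests_out: list[tuple[str, dict]] = []
    for raw in macs:
        mac = normalise_mac(raw)
        if mac in seen:
            continue
        seen.add(mac)
        requests_out.append((url, {"macAddress": mac}))
    return requests_out


def clear_endpoints(session, base_url: str, macs: Iterable[str], dry_run: bool = True) -> dict:
    """Send one clear request per endpoint and return {mac: outcome}.

    dry_run defaults to True so the operator reviews the full list before a
    change that touches thousands of endpoints; nothing is sent in that mode
    and `session` may be None."""
    results: dict[str, str] = {}
    for url, body in build_clear_requests(base_url, macs):
        mac = body["macAddress"]
        if dry_run:
            results[mac] = "dry-run"
            continue
        resp = session.post(url, json=body, timeout=30)
        results[mac] = "cleared" if resp.ok else f"HTTP {resp.status_code}"
    return results


if __name__ == "__main__":
    # Constructed sample: an exported list of quarantined endpoints with
    # mixed MAC notations and one duplicate.
    SAMPLE_BASE = "https://ise.example.com:8910/pxgrid/ise/config/anc"  # assumed
    SAMPLE_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-56", "0011.2233.4455"]
    for mac, outcome in clear_endpoints(None, SAMPLE_BASE, SAMPLE_MACS).items():
        print(mac, outcome)
```

Run it once with the default dry run to see exactly which endpoints would be released, then pass an authenticated requests.Session and dry_run=False. Per-endpoint outcomes are returned rather than aggregated, so a partial failure (one MAC returning a non-2xx status) is visible instead of being hidden behind a single success flag.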
11-12-2018 08:31 AM
Just for closure on this thread, I am corresponding with Jorgen directly.
Thanks,
John