API call for the EPS unquarantine function?

Chess Norris
Level 4

Hi,

We are using the EPS unquarantine function in ISE 2.4, but it's a manual process where we have to copy/paste the MAC address of the client we want to unquarantine. Is it possible to do unquarantine through an API call instead? If so, is there any documentation that describes this?

Thanks

/Jorgen


8 Replies

Surendra
Cisco Employee
You can use the following APIs:

https://[ISE IP]/admin/API/eps/UnQuarantineByMAC/<endpoint MAC>
https://[ISE IP]/admin/API/eps/UnQuarantineByIP/<endpoint IP>

If you would like to quarantine, you can use the below:

https://[ISE IP]/admin/API/eps/QuarantineByIP/<endpoint IP>
https://[ISE IP]/admin/API/eps/QuarantineByMAC/<endpoint MAC>

They are not documented anywhere because EPS is legacy and I think is used by very few customers.
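Surendra's reply gives only the URL pattern. The script below is an added example, not Cisco's or ISE's own tooling: it wraps the four EPS paths from the reply in a bulk unquarantine loop of the kind Jorgen's customer asks for later in the thread (an emergency "release everything we quarantined by mistake" path). Everything beyond the paths themselves is an assumption: that the EPS API accepts ISE admin credentials over HTTP basic auth (the thread does not say how it authenticates), that an HTTP 200 means the action was accepted, and the hostname ise.example.test, the function names and the MAC list are all constructed for the example.

```python
"""Bulk EPS unquarantine against Cisco ISE (added example, not Cisco code).

Endpoint paths come from the reply above; the auth scheme (HTTP basic auth
with ISE admin credentials) and the 200-means-accepted rule are assumptions.
"""
import argparse
import base64
import getpass
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

# The four EPS actions named in the thread; anything else is refused.
EPS_ACTIONS = {"QuarantineByMAC", "UnQuarantineByMAC", "QuarantineByIP", "UnQuarantineByIP"}


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF, accepting colon, dash, dotted or bare input.

    Anything that is not exactly 12 hex digits raises ValueError, so a typo in the
    input list is reported instead of becoming an API call for the wrong endpoint.
    """
    s = mac.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", s):
        raise ValueError(f"bad MAC {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def eps_url(ise_host: str, action: str, key: str) -> str:
    """Build https://<ISE>/admin/API/eps/<action>/<MAC or IP> exactly as given in the thread."""
    if action not in EPS_ACTIONS:
        raise ValueError(f"unknown EPS action {action!r}")
    return f"https://{ise_host}/admin/API/eps/{action}/{key}"


def http_get(url: str, username: str, password: str, verify_tls: bool = True) -> int:
    """Issue one GET with basic auth (assumed scheme) and return the HTTP status code."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab nodes with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


def bulk_unquarantine(ise_host: str, macs: Iterable[str],
                      send: Callable[[str], int]) -> Dict[str, object]:
    """Unquarantine every MAC in `macs`, one EPS call per endpoint, and report per MAC.

    `send` is injected (a closure around http_get in production) so the loop can be
    exercised without an ISE node. Duplicates are collapsed, and a failure on one
    MAC never stops the rest: this is the emergency path, so partial progress counts.
    """
    done: List[str] = []
    failed: Dict[str, str] = {}
    seen = set()
    for raw in macs:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            failed[raw] = str(exc)
            continue
        if mac in seen:
            continue
        seen.add(mac)
        try:
            status = send(eps_url(ise_host, "UnQuarantineByMAC", mac))
        except urllib.error.HTTPError as exc:
            failed[mac] = f"HTTP {exc.code}"
            continue
        except OSError as exc:  # DNS, TLS, connection refused, timeout
            failed[mac] = f"transport error: {exc}"
            continue
        if status == 200:
            done.append(mac)
        else:
            failed[mac] = f"HTTP {status}"
    return {"unquarantined": done, "failed": failed}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Bulk EPS unquarantine (added example)")
    ap.add_argument("--ise", required=True, help="ISE admin node hostname or IP")
    ap.add_argument("--user", required=True, help="ISE admin user (assumed basic auth)")
    ap.add_argument("--mac-file", required=True, help="one MAC per line, '#' for comments")
    ap.add_argument("--insecure", action="store_true", help="skip TLS verification (lab only)")
    args = ap.parse_args()
    pw = getpass.getpass("ISE password: ")
    with open(args.mac_file) as fh:
        macs = [line for line in fh if line.strip() and not line.startswith("#")]
    report = bulk_unquarantine(args.ise, macs,
                               lambda u: http_get(u, args.user, pw, not args.insecure))
    print(f"unquarantined {len(report['unquarantined'])}, failed {len(report['failed'])}")
    for mac, why in report["failed"].items():
        print(f"  {mac}: {why}")
```

The per-MAC report is the part worth keeping: after a mass false positive you want to know exactly which endpoints are still quarantined rather than a single success/failure flag, and the validation step means a malformed line in the list is flagged instead of silently producing an API call for a MAC that does not exist.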

Thank you for the quick reply,

My understanding is that Firepower - in its current version - is not able to use the newer ANC method to do quarantine/unquarantine and we are stuck with using legacy EPS for that. Do you have any insight when or if Firepower will ever support ANC?

Thanks

/Jorgen

Please request through the Firepower team.

I will check internally.

Hi Jorgen,

Firepower 6.1 and above uses pxGrid for ANC 1.0 mitigation actions subscribing to the EndpointProtection Topic, and uses the Session:ESTATUS:Quarantine ISE authz.policy. (legacy EPS)

For ANC 2.0 mitigation actions, Firepower would need to subscribe to the AdaptiveNetworkControl Topic, and use the true ANC policies: port_bounce, quarantine, shut_down and associated actions.

Do you have customers asking for this? If so, can you unicast me their names. We would have to route them over the Firepower PM. As Jason indicates, we will check and get back with you if it's something that we can share.

Thanks,

John

jeppich@cisco.com

Hi John,

I sent you an email earlier today with information about the customer. (Let me know if you didn't receive it.)

The customer has about 30 000 endpoints and before they go live with Rapid Threat Containment, the customer requires a function to unquarantine multiple endpoints. The customer is worried about false positives from Firepower that could potentially put thousands of endpoints in quarantine.

That's why they feel it's very important to have a fail safe/emergency function that could achieve this. I imagine it would be a lot easier to accomplish this with ANC 2.0 where we would actually see a list of MAC addresses being quarantined and have an option to select all and unquarantine them.

Best regards

/Jorgen

jofr@conscia.com


Jorgen Frejso

Senior Network Engineer

Conscia Netsafe

Phone: +46-8-765 53 00

Mobile: +46-72-532 05 29

Email: jofr@conscia.com

Just for closure on this thread, I am corresponding with Jorgen directly.

Thanks,

John
