Solved: Re: Applying an ANC Policy via RESP API to unquarantine clients

Chess Norris · ‎06-18-2019

Hi,

I am working on a project where a customer use Firepower and ISE to quarantine endpoints. Firepower and ISE communicate via pxGrid and based on IPS signatures, Firepower will send a qurantine request to ISE. This part of the solution works, but the challenge comes when we want to unquarantine clients. I have created an authorization policy and an ANC Policy for quarantine/quarantine and I can use this to unquarantine clients by select a client matching this authorization policy and then assign the ANC unquarantine policy. The ´customer now wants to build a web portal for the network security team so that will use this portal to unquarantine clients after they been investigated for malware, etc. They also need a "panic button" in case of false positives where they can select all clients in quarantine and do a bulk unquarantine. Would this be possible to achieve via REST API commands? What we basically need is one command that will list all clients that match the quarantine authorization policy and then bulk unqurantine them. If someone have some example code that can achieve this, it would be greatly appreciated.

Thanks

/Jörgen

jeppich · ‎06-18-2019

Hey Jorgen,

Email me directly to discuss. Firepower uses pxGrid 1.0 and uses: Sesion:EPSstatus:Quarantine for the ANC policy.

Thanks,

John

jeppich@cisco.com

View solution in original post

Jason Kunst · ‎06-18-2019

I will forward to our SME. Any sample code would likely live in the devnet zone at http://cs.co/ise-api

jeppich · ‎06-18-2019

Hey Jorgen,

Email me directly to discuss. Firepower uses pxGrid 1.0 and uses: Sesion:EPSstatus:Quarantine for the ANC policy.

Thanks,

John

jeppich@cisco.com

Chess Norris · ‎06-19-2019

@jeppich wrote:
Hey Jorgen,

Email me directly to discuss. Firepower uses pxGrid 1.0 and uses: Sesion:EPSstatus:Quarantine for the ANC policy.

Thanks,
John
jeppich@cisco.com

Email sent :)