Bulk Unquarantine function

Chess Norris
Level 4

Hello,

We have a Rapid Threat Containment solution with Firepower Threat Defense and ISE using pxGrid.

From Firepower we can send quarantine request to ISE, which will send a CoA to the switch and place the endpoint in a restricted VLAN.

This is working great, but we are looking for a function in ISE to un-quarantine those endpoints after they have been quarantined.

I am aware of the manual un-quarantine function in ISE, but removing each single endpoint from quarantine is not very convenient in an environment with 100 000+ endpoints.

Due to false positive detection, there is a possibility that a large number of endpoints get quarantined, and we are therefore looking for a function where we could select some or every endpoint that is currently in quarantine and do a bulk un-quarantine on the selected endpoints.

Is there some API calls available that could achieve this?


Best regards

/Jorgen


6 Replies

hslai
Cisco Employee

Yes, there are. I will ask our SME to see whether he has a doc on this.

paul
Level 10 (Accepted Solution)

Jorgen,

If you enable the ERS interface on your ISE deployment you can browse the REST APIs. There is an API called ANC Endpoint that has a Clear call that can be made. It looks like that is used to clear the ANC policy from an endpoint. The API also has a Bulk Request. With Bulk requests you can submit up to 500 commands of the same type at once. So in theory you could Bulk Request 500 clears. The Bulk Request will give you a Bulk Request ID back. You can use that ID to issue a Monitor Bulk Status query.

I haven't tested this particular API, but that is how I read the API documentation.

Chess Norris
Level 4

Thank you for the answer. The customer I work with is running ISE version 2.0.1.330 and I cannot find the ANC Endpoint API there. However, on my LAB ISE 2.3, the documentation for ANC Endpoint is available. Do you know which version of ISE the ANC Endpoint API is available on?

The customer has a quite large ISE setup with 12 nodes and 100 000+ endpoints running 802.1X in closed mode and is reluctant to upgrade the ISE servers - at least not in the near future.

Hey Jorgen,

Using the ERS APIs, you would have to unquarantine by IP. You can possibly create an unquarantine policy and an associated unquarantine rule via Firepower 6.1+. If you are looking for a bulk unquarantine button in ISE, this would need to be a future request.

Thanks,

John

jeppich@cisco.com

Chess Norris
Level 4

I have now been testing the ANC Endpoint apply and the ANC Endpoint clear REST API calls.

I can execute the ANC Endpoint apply API call from the Postman client and it will match the ANC Policy and the correct Authorization Profile. As expected, the ANC Endpoint clear API call will then un-quarantine the client.

My issue is when I am using Firepower Management Center to trigger the quarantine event, the ANC Endpoint clear API call will not work and I receive the following error in Postman:

<message type="ERROR" code="CRUD operation exception">
<title>mac address is not associated with a policy</title>

Is this because FMC use EPS rather than ANC to do the quarantine through pxGrid?

I am aware that I can use an un-quarantine correlation rule in FMC, but I struggle to find a reasonable use-case for this.

The customer is asking for a solution that would allow them to do the following:

  1. Automatically quarantine clients based on certain IPS signatures from Firepower
  2. Perform an antimalware/antivirus scan of the client
  3. When the quarantined client has been determined as clean, un-quarantine the client either manually from ISE or via a custom-built portal, using REST API calls.
  4. Also have the possibility to bulk un-quarantine all clients in case of a false positive event that accidentally put a lot of clients in quarantine.

While we have got automatic quarantine to work, do you have any suggestions on how we could achieve the un-quarantine part?

Hey Jorgen,

Yes, FMC is using EPS (ANC 1.0) with pxGrid and not using the enhanced EPS (ANC 2.0).  FMC does not use the ANC policies rather it uses Session:EPSStatus:Quarantine.  This is an FMC BU issue. 

Can you send me an email with the customer name.  I am at Cisco Live this week and will be back in the office Feb 5th.

Thanks,

John

jeppich@cisco.com
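An added worked example (not code from any post in this thread, and not Cisco's) that puts paul's description into a script: take the endpoints currently carrying an ANC policy, batch them in groups of at most 500, submit a bulk clear per batch and keep the bulk IDs for the status query. It also recognises the "mac address is not associated with a policy" error Jorgen hit, which John explains is what you get when the quarantine came from FMC through EPS rather than an ANC policy, so the script reports those rather than retrying them. The ERS paths (/ers/config/ancendpoint, .../bulk/submit, .../bulk/<id>), the JSON list shape, the bulk XML schema and the 202-with-Location response are my assumptions from the ERS SDK, not facts stated in the thread; the sample responses are constructed. Confirm the paths and schema on your own PAN's SDK page before pointing this at production, and run it with dry_run=True first.

```python
"""Clear ISE ANC assignments in bulk over the ERS API.

Added example, not code from the original thread. URL paths, JSON/XML payload
shapes and the 202/Location behaviour are assumptions from the ERS SDK as I
remember it; the 500-operation limit and the "not associated with a policy"
error come from the thread. Verify against https://<ise-pan>:9060/ers/sdk."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from xml.etree import ElementTree as ET

BULK_LIMIT = 500  # ERS bulk requests carry at most 500 operations of one type

# Constructed sample data, not captured from a real deployment.
SAMPLE_ANC_LIST = ('{"SearchResult": {"total": 2, "resources": ['
                   '{"id": "00:11:22:33:44:55", "name": "00:11:22:33:44:55"}, '
                   '{"id": "aa:bb:cc:dd:ee:01", "name": "aa:bb:cc:dd:ee:01"}]}}')
SAMPLE_ERS_ERROR = ('<ns3:ersResponse xmlns:ns3="ers.ise.cisco.com"><messages>'
                    '<message type="ERROR" code="CRUD operation exception">'
                    '<title>mac address is not associated with a policy</title>'
                    '</message></messages></ns3:ersResponse>')

def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form; anything that is not 12 hex digits is rejected."""
    hexs = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexs) != 12 or set(hexs) - set("0123456789ABCDEF"):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2))

def macs_from_anc_list(body):
    """MACs from GET /ers/config/ancendpoint (assumed SearchResult/resources[].name)."""
    return [normalize_mac(r["name"]) for r in json.loads(body)["SearchResult"]["resources"]]

def chunks(items, size=BULK_LIMIT):
    """Split a list into batches no larger than the bulk limit."""
    return [items[i:i + size] for i in range(0, len(items), size)]

def bulk_clear_xml(macs):
    """XML body for PUT /ers/config/ancendpoint/bulk/submit (assumed schema)."""
    if len(macs) > BULK_LIMIT:
        raise ValueError(f"at most {BULK_LIMIT} operations per bulk request")
    ns = "anc.ers.ise.cisco.com"
    root = ET.Element(f"{{{ns}}}ancEndpointBulkRequest", {
        "operationType": "clear",
        "resourceMediaType": "vnd.com.cisco.ise.anc.ancendpoint.1.0+xml"})
    res = ET.SubElement(root, f"{{{ns}}}resourcesList")
    for mac in macs:
        ep = ET.SubElement(res, f"{{{ns}}}ancEndpoint")
        ET.SubElement(ep, "macAddress").text = normalize_mac(mac)
    return ET.tostring(root, encoding="unicode")

def classify_ers_error(body):
    """Map an ERS error response to an action. 'not_anc' is the thread's case: the
    endpoint was quarantined by FMC through EPS, so there is no ANC policy to clear."""
    titles = [el.text or "" for el in ET.fromstring(body).iter()
              if el.tag.rsplit("}", 1)[-1] == "title"]
    if any("not associated with a policy" in t for t in titles):
        return "not_anc"
    return "error: " + "; ".join(titles)

def ers_request(base, user, pwd, method, path, body, ctype, verify=True):
    """One ERS call on port 9060 with basic auth -> (status, location, text).
    Leave verify=True outside a lab; the self-signed ISE cert is the usual temptation."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    req = urllib.request.Request(f"{base}:9060{path}", method=method, data=body.encode(),
                                 headers={"Authorization": f"Basic {token}",
                                          "Accept": ctype, "Content-Type": ctype})
    ctx = None if verify else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, "", err.read().decode()

def bulk_unquarantine(base, user, pwd, macs, dry_run=True):
    """Submit clears in batches of 500. Returns one entry per batch: the bulk ID to
    poll with GET /ers/config/ancendpoint/bulk/<id>, or the classified error."""
    results = []
    for batch in chunks([normalize_mac(m) for m in macs]):
        payload = bulk_clear_xml(batch)
        if dry_run:  # build and count only; nothing leaves the host
            results.append(f"dry-run:{len(batch)}")
            continue
        status, location, text = ers_request(base, user, pwd, "PUT",
            "/ers/config/ancendpoint/bulk/submit", payload, "application/xml")
        # Assumed: 202 Accepted with Location: .../ancendpoint/bulk/<bulkId>
        results.append(location.rsplit("/", 1)[-1] if status == 202
                       else classify_ers_error(text))
    return results

if __name__ == "__main__":
    quarantined = macs_from_anc_list(SAMPLE_ANC_LIST)
    print(bulk_unquarantine("https://ise-pan.example.net", "ersadmin", "secret",
                            quarantined * 300))  # ['dry-run:500', 'dry-run:100']
    print(classify_ers_error(SAMPLE_ERS_ERROR))  # not_anc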