Beginner

Cisco ISE AMP for endpoints Integration

Hi,

The Cisco ISE 2.7 is integrated with AMP for Endpoints. I would like to block endpoints that are compromised. I can see compromised endpoints in ISE with severity level as painful. Is there any way to block these endpoints in ISE?

Thanks,

Beginner

Is there any way to do automatic quarantine rather than manual in Cisco ISE?

Thanks,

Hall of Fame Guru

Yes. The feature is known as Threat-Centric NAC or TC-NAC. It requires Apex licensing but is otherwise relatively easy to set up. Please see the following section of the admin guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_threat_containment.html

There are some other resources in the following as well:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200550-Configure-ISE-2-1-Threat-Centric-NAC-TC.html

https://www.youtube.com/watch?v=VhfAM7KXOl0

 


Thanks for your resources. It does not quarantine any compromised endpoint automatically. It needs to be done manually. Is there any way to do automatic quarantine with ISE policy?


If you combine Rapid Threat Containment (RTC) with Adaptive Network Control (ANC) it can automatically quarantine the endpoint in ISE upon receipt of an AMP event.

Here's an example:

https://github.com/chrivand/cisco_rapid_threat_containment
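
A sketch of the RTC + ANC flow described in the reply above, as an added example that is not code from this thread or from the linked repository: it filters AMP events by severity and builds the ISE ERS request that assigns an ANC policy to each affected MAC address. The event field names, the policy name `ANC_Quarantine`, the severity threshold and the allowlist are assumptions, and the sample events are constructed.

```python
import re

ANC_POLICY = "ANC_Quarantine"              # hypothetical ANC policy name defined in ISE
TRIGGER_SEVERITIES = {"High", "Critical"}  # assumption: local containment threshold
NEVER_QUARANTINE = {"00:50:56:AA:BB:01"}   # constructed allowlist (e.g. critical servers)

# Constructed events, shaped like AMP for Endpoints event records (assumed fields).
SAMPLE_EVENTS = [
    {"event_type": "Threat Detected", "severity": "High",
     "computer": {"hostname": "pc-17", "network_addresses": [{"mac": "00-1b-44-11-3a-b7"}]}},
    {"event_type": "Threat Detected", "severity": "Low",
     "computer": {"hostname": "pc-22", "network_addresses": [{"mac": "00:1b:44:11:3a:c9"}]}},
    {"event_type": "Threat Detected", "severity": "Critical",
     "computer": {"hostname": "srv-01", "network_addresses": [{"mac": "0050.56aa.bb01"}]}},
    {"event_type": "Threat Detected", "severity": "Critical",
     "computer": {"hostname": "pc-30", "network_addresses": []}},
    {"event_type": "Threat Detected", "severity": "High",
     "computer": {"hostname": "pc-17", "network_addresses": [{"mac": "001B44113AB7"}]}},
]

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or None if the value is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def macs_to_quarantine(events):
    """Unique MACs from events at a trigger severity, minus the allowlist."""
    found = set()
    for ev in events:
        if ev.get("severity") not in TRIGGER_SEVERITIES:
            continue
        for addr in ev.get("computer", {}).get("network_addresses", []):
            mac = normalize_mac(addr.get("mac"))
            if mac and mac not in NEVER_QUARANTINE:
                found.add(mac)
    return sorted(found)

def anc_apply_request(mac, policy=ANC_POLICY):
    """Build the ISE ERS call that assigns an ANC policy to one endpoint."""
    return {"method": "PUT", "path": "/ers/config/ancendpoint/apply",
            "json": {"OperationAdditionalData": {"additionalData": [
                {"name": "macAddress", "value": mac},
                {"name": "policyName", "value": policy}]}}}

if __name__ == "__main__":
    for mac in macs_to_quarantine(SAMPLE_EVENTS):
        print(anc_apply_request(mac))
```

The allowlist and the deduplication are there so that one noisy detection cannot repeatedly re-quarantine a host or cut off infrastructure that must stay reachable during response.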
