Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3363
Views
10
Helpful
4
Replies

Cisco ISE AMP for endpoints Integration

Go to solution
dijeshkeloth
Level 1
Level 1

‎01-17-2021 01:35 AM

Hi,

 

The cisco ISE 2.7 is integrated to amp for endpoints. I would like to block endpoints that are compromised. I can see compromised endpoints in ISE with severity level as painful. Is there anyway to block these endpoints in ISE?

 

Thanks,

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2021 05:10 AM

Yes. The feature is known as Threat-Centric NAC or TC-NAC. It requires Apex licensing but is otherwise relatively easy to setup. Please see the following section of the admin guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_threat_containment.html

There are some other resources in the following as well:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200550-Configure-ISE-2-1-Threat-Centric-NAC-TC.html

https://www.youtube.com/watch?v=VhfAM7KXOl0

 

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dijeshkeloth

‎01-18-2021 06:03 AM

If you combine Rapid Threat Containment (RTC) with Adaptive Network Control (ANC) it can automatically quarantine the endpoint in ISE upon receipt of an AMP event.

Here's an example:

https://github.com/chrivand/cisco_rapid_threat_containment

View solution in original post

4 Replies 4

Go to solution
dijeshkeloth
Level 1
Level 1

‎01-18-2021 12:54 AM

Is there anyway to do automatic quarantine rather than manual in cisco ISE?

 

Thanks,

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2021 05:10 AM

Yes. The feature is known as Threat-Centric NAC or TC-NAC. It requires Apex licensing but is otherwise relatively easy to setup. Please see the following section of the admin guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_threat_containment.html

There are some other resources in the following as well:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200550-Configure-ISE-2-1-Threat-Centric-NAC-TC.html

https://www.youtube.com/watch?v=VhfAM7KXOl0

 

0 Helpful

Go to solution
dijeshkeloth
Level 1
Level 1
In response to Marvin Rhoads

‎01-18-2021 05:32 AM

Thanks for your resources. It does not quarantine any compromised endpoint automatically. It needs to be done manually. Is there anyway to do automatic quarantine with ISE policy?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dijeshkeloth

‎01-18-2021 06:03 AM

If you combine Rapid Threat Containment (RTC) with Adaptive Network Control (ANC) it can automatically quarantine the endpoint in ISE upon receipt of an AMP event.

Here's an example:

https://github.com/chrivand/cisco_rapid_threat_containment

Customers Also Viewed These Support Documents