Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6467
Views
5
Helpful
10
Replies

Cisco ISE - purge inactive endpoints

Go to solution
milos_p
Level 1
Level 1

‎05-23-2022 03:29 AM

Hi guys,

 

Do you have any recommendation/best practice how to purge inactive endpoints from the database, in order to keep it clean and tidy, let's say, anything inactive for more then 100 days?

 

 I am running Cisco ISE 3.1 with Essential licensing.

 

Thanks a lot!

Milos

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP

‎05-23-2022 07:19 PM

Hi @milos_p ,

 I prefer to use a combination of Conditions in a Purge rule, for examples:

NotRegistered-Inactivity:

(EndpointPurge.DeviceRegistrationStatus Equals NotRegistered) AND (EndpointPurge.InactiveDays GreaterThan 30)

 I also use the ElapsedDays in some cases, for example:

Portal-Test

(Portal-Test) AND (EndpointPurge.ElapsedDays GreaterThan 1)

Note:

1. at Context Visibility > Endpoints > Authentications you are able to check the Dashboard - Inactive Endpoints.

2. at Operations > Report > Reports > Audit > Endpoints Purge Activities, you are able to check your Purge rules.

 

Hope this helps !!!

View solution in original post

10 Replies 10

Go to solution
marce1000
VIP
VIP

‎05-23-2022 03:38 AM

 

 - FYI : https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_maintain_monitor.html#concept_0776B37A2C3542189950F5DFB1961FA2

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
milos_p
Level 1
Level 1

‎05-23-2022 03:55 AM

Hi marc1000,

 

Thanks for reply, just referring to the manual is not very helpful in this case.

 

I would like to see some real world examples for this, if someone is using any purge policy effectively in their deployment for purging inactive endpoints.

Go to solution
Jonatan Jonasson
Level 4
Level 4
In response to milos_p

‎05-23-2022 07:19 AM

It may be somewhat different between environments and how the groups are effectively used, how they are initially populated (dynamic vs static), and how quickly they grow.

For example I've frequently seen deployments where the purge policy for guest endpoints is set to purge after 30 days (sometimes less).

I know of an environment where group that's primarily used to identify devices being staged, and the purge policy on that group is only a few days. (Since effectively the endpoint should have been moved into another group post staging anyway.)

60/90/120 inactive-days is what I frequently run into for different groups/use cases, but I also see an even longer time and/or combination with "never purge" for certain groups.

It really is an "it depends". 

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP

‎05-23-2022 07:19 PM

Hi @milos_p ,

 I prefer to use a combination of Conditions in a Purge rule, for examples:

NotRegistered-Inactivity:

(EndpointPurge.DeviceRegistrationStatus Equals NotRegistered) AND (EndpointPurge.InactiveDays GreaterThan 30)

 I also use the ElapsedDays in some cases, for example:

Portal-Test

(Portal-Test) AND (EndpointPurge.ElapsedDays GreaterThan 1)

Note:

1. at Context Visibility > Endpoints > Authentications you are able to check the Dashboard - Inactive Endpoints.

2. at Operations > Report > Reports > Audit > Endpoints Purge Activities, you are able to check your Purge rules.

 

Hope this helps !!!

Go to solution
milos_p
Level 1
Level 1
In response to Marcelo Morais

‎05-24-2022 12:27 AM

Hi Marcelo,

 

This is super useful, especially report for Endpoint Purge Activities, thanks a lot!

 

Do you know some easy way to display all endpoints with Inactive days larger then X (let's say, I want to see all endpoints with inactive days more than 30 etc.).

 

I found a way to export all endpoints to CSV and find it from there, but a view/report from ISE GUI would be more useful.

 

Regards,

Milos

Go to solution
Marcelo Morais
VIP
VIP
In response to milos_p

‎05-24-2022 06:12 AM

Hi @milos_p ,

 at Context Visibility > Endpoints > Authentication > Inactive Endpoints dashboard, you are able to see and select (like a filter) the Inactive Endpoints:

InactiveEndpoints.png

 After selecting, the list of Inactive Endpoints (23723 in the example above) will be listed bellow (this is a way "to see all endpoints with inactive days more than").

 

Hope this helps !!!

0 Helpful

Go to solution
milos_p
Level 1
Level 1
In response to Marcelo Morais

‎05-24-2022 06:30 AM

Hi Marcelo,

 

I am still not sure if that "INACTIVE ENDPOINTS" chart will present all inactive endpoints, or just for certain amount of time, as it looks like chart is divided in 30 columns, so I guess it will show for last 30 days.

 

Now, clicking on the chart on certain date will put in the filter "Inactive since X days" and show endpoints only for that date, not also before or after, I tested it.

You can try to click on your chart on a bar before or after the one with 23723 endpoints, and see if it will bring you 23723+X or just endpoints from that day.

 

For me, it shows only for the day that I clicked on the chart.

 

Thanks a lot!

Milos

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to milos_p

‎05-24-2022 02:51 PM

Hi @milos_p ,

 yes, your understanding is correct.

 When you click on the column the filter is applied to all Endpoint that are inactive for exactly X days:

InactiveEndpoints - 01.png

 

Regards

0 Helpful

Go to solution
milos_p
Level 1
Level 1
In response to Marcelo Morais

‎05-24-2022 03:06 PM

Hi Marcelo,

 

Great, so I understood it good, it's exactly for X days.

 

Is there a trick so I can see endpoints inactive for more than X days?

 

Regards,

Milos

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to milos_p

‎05-24-2022 07:33 PM

Hi @milos_p ,

 sorry, not that I know.

 

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents