01-31-2016 04:32 PM
I was wondering if anyone knows if the pxGrid Remediation Module v1.0 is compatible with Firepower Management Center 6.0 and ISE 2.0.
Sourcefire Support Site: "Threat Containment" section
https://support.sourcefire.com/sections/4/sub_sections/67
FireSIGHT pxGrid Remediation Module 1.0
pxGrid_Mitigation_Remediation_v1.0.tgz
Cisco FireSIGHT and ISE Rapid Threat Containment Solution Secure Access How-To Guide PDF
how-to-pxgrid_sourcefire_draft_1013_je.pdf
What I have working:
1. FMC 6.0 / ISE 2.0 Identity Source Integration - Native pxGrid Support, with ISE and FMC using trusted CA Signed Certs.
2. Correlation Rules that match on various events, such as IPS Signatures or Malware events.
3. Connection, IPS, Malware, and Correlation events all show user identity from ISE.
What is not working:
- Remediation actions.
I’ve installed the mitigation / remediation module package (v1.0), and created corresponding remediation actions for correlated events (e.g. Quarantine, Port Bounce, etc.). They seem to install okay, but no actions are sent to ISE.
Syslog on FMC shows a possible problem, but I don’t know if it’s verbose enough to troubleshoot:
Jan 31 2016 14:56:30 fmc01 SF-IMS[8756]: pxgrid_mitigation.pl:fatal [WARN] Unable to open Unix socket
I am going to attempt to try the same setup with FMC 5.4, but I was hoping to know if anyone else has this working with 6.0. Any takers?
Many thanks!
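The only evidence of the failure in the post above is a single FMC syslog line, and a remediation module that fails silently is easy to miss. As an added example (not from the thread, not Cisco code), here is a small parser for the SF-IMS syslog format shown in that line that flags WARN/ERROR events coming from the pxGrid mitigation script. Only the first sample line is from the post; the other two lines are constructed for illustration and are assumptions about the format, not real FMC output.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input. The first line is the one quoted in the post;
# the other two are made-up lines in the same shape (assumed format).
SAMPLE_SYSLOG = """\
Jan 31 2016 14:56:30 fmc01 SF-IMS[8756]: pxgrid_mitigation.pl:fatal [WARN] Unable to open Unix socket
Jan 31 2016 14:56:31 fmc01 SF-IMS[8756]: pxgrid_mitigation.pl:main [INFO] remediation request received
Jan 31 2016 14:57:02 fmc01 SF-IMS[8801]: SFDataCorrelator:init [INFO] correlator started
"""

# Pattern for the "<ts> <host> SF-IMS[<pid>]: <script>:<func> [<LEVEL>] <msg>" shape
# seen in the post. Anything that does not match is skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"SF-IMS\[(?P<pid>\d+)\]: "
    r"(?P<script>[^:\s]+):(?P<func>\S+) "
    r"\[(?P<level>[A-Z]+)\] "
    r"(?P<msg>.*)$"
)

# Levels that indicate the remediation path is not healthy (assumed set).
FAILURE_LEVELS = {"WARN", "ERROR", "FATAL"}


@dataclass
class SfImsEvent:
    timestamp: datetime
    host: str
    pid: int
    script: str
    func: str
    level: str
    message: str


def parse_line(line: str) -> Optional[SfImsEvent]:
    """Parse one SF-IMS syslog line; return None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SfImsEvent(
        timestamp=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        host=m["host"],
        pid=int(m["pid"]),
        script=m["script"],
        func=m["func"],
        level=m["level"],
        message=m["msg"],
    )


def parse_syslog(text: str) -> List[SfImsEvent]:
    """Parse every line of a syslog excerpt, dropping lines that do not match."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in events if e is not None]


def remediation_failures(events: List[SfImsEvent]) -> List[SfImsEvent]:
    """Return events from the pxGrid mitigation script at a failure level.

    A defender would alert on these: they mean correlation rules fired but the
    quarantine / port-bounce action most likely never reached ISE.
    """
    return [
        e for e in events
        if e.script.startswith("pxgrid_mitigation") and e.level in FAILURE_LEVELS
    ]


if __name__ == "__main__":
    for ev in remediation_failures(parse_syslog(SAMPLE_SYSLOG)):
        print(f"{ev.timestamp} {ev.host} pid={ev.pid} {ev.script}:{ev.func} "
              f"[{ev.level}] {ev.message}")
```

Feeding the real FMC syslog (or a forwarded copy from a SIEM) through `parse_syslog` and alerting on a non-empty `remediation_failures` result turns a silently broken integration into a visible event, which is the check the original poster was missing when actions "seemed to install okay" but never reached ISE.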
02-01-2016 05:17 AM
Gilbert, remediation is not supported on 6.0. From the release note:
Firepower System Release Notes, Version 6.0 - Cisco
"The integration with Cisco ISE enhances the user identity data available to the system to use in analysis and policy control. By subscribing to Cisco’s Platform Exchange Grid (PxGrid), the Firepower Management Center is able to download additional user data, device type data, device location data, and Security Group Tags (SGTs —a method used by ISE to provide network access control). Beyond the added visibility into the users on your network, this data is also actionable intelligence because it extends the control you can provide by creating policies based on SGTs, or on device type, or any of the other information provided by ISE.
Note: In Version 6.0, you cannot use ISE to automatically quarantine an infected endpoint. This functionality will be added in a later release."
Hosuk
02-01-2016 12:33 AM
You could try with a new remediation module. I have not tested this.
02-01-2016 08:22 AM
Thank you, Hosuk.
I did actually read that, but was hoping that it would be the same as it was with 5.4, which also didn't have the remediation actions available until installing the mitigation module and pxGrid scripts.
In any case, bummer!! Hehe.
Thanks again.
Gilbert
01-01-2017 09:52 PM
Hi Gilbert,
FMC 6.1 is now released. Is remediation action supported in version 6.1? I couldn't find it online.
Thanks
01-27-2017 08:35 PM
Remediation is not only supported in 6.1, but the modules are built in now. I have this successfully working to automatically remediate wireless users (using Cisco WLC). Next steps are to get this working for AnyConnect and wired users.