1571 Views | 12 Helpful | 2 Replies

ISE 3.1 - Purge Rule for multiple endpoint groups

raymng
Level 1

Hi there,

I read the Admin guide about the endpoint purge policy but can't find an answer.

There are several endpoint groups in which I want to purge endpoints older than 15 days.

I know about using the "ElapsedDays GREATHAN" conditions.  

The "ask" is whether I can put those groups in a single purge rule, or whether I have to build five individual rules.

When I try playing with the condition, I get something like "Group-A and Group-B and ElapsedDays GREATHAN 15".

I am not sure if this condition would give me the expected result (i.e., (Group-A or Group-B) and ElapsedDays > 15).

And the second question is if I can use wildcard for the group matching (i.e., Group*)?

Thanks.

1 Accepted Solution

Accepted Solutions

MaxShantar
Cisco Employee

You can create a single endpoint purge rule that includes multiple endpoint groups and applies the "ElapsedDays GREATHAN 15" condition to all of them. To do this, you can use the "AND" operator to combine the conditions for each endpoint group, as in the following example:

Group-A AND Group-B AND Group-C AND ElapsedDays GREATHAN 15

This condition will apply to all endpoints that belong to any of the specified groups (Group-A, Group-B, or Group-C) and have been inactive for more than 15 days. The "AND" operator ensures that all of the conditions must be met in order for the rule to apply.

You can also use wildcards in the endpoint group names to include multiple groups in a single rule. For example, the following condition would apply to all endpoints that belong to any group with a name starting with "Group-":

Group-* AND ElapsedDays GREATHAN 15

Keep in mind that the endpoint purge rule will apply to all endpoints that meet the specified conditions, regardless of which endpoint group they belong to. If you need to apply different purge rules to different groups of endpoints, you will need to create separate rules for each group.


2 Replies

Damien Miller
VIP Alumni

I like to turn the purge logic upside down, like this.

The main design includes putting MACs/endpoints in statically assigned identity groups whose names start with "Static", like static-group1, static-group2, etc. The word or string you use for this just has to be unique and consistent.

From there, the rules below work like this:

  1. Purge_all_30days = purges any endpoint not in a static identity group after 30 days of inactivity.
  2. Purge_iPSK_180days = purges any endpoint after 180 days of inactivity, regardless of whether it was assigned to a static group or not.

This prevents static endpoints placed in identity groups from being indefinitely stale. If an endpoint hasn't been online in ~6 months, then why do we still have it in a static identity group using up resources in ISE? If you don't have some sort of purging for your static groups, they will grow indefinitely, and the usual reality is that no one cleans these up. This takes care of that.

[Image: purge-rule.png]
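To check what a purge condition actually selects before committing it, the following added example (not from this thread, and not Cisco ISE code) simulates rule conditions as plain boolean logic over a constructed endpoint inventory. It assumes each endpoint belongs to exactly one identity group, treats group patterns such as "Group-*" as shell-style globs, and models both the original question's AND-versus-OR concern and the two-rule "static group" design from the last reply; it does not model ISE's own condition engine, so treat its results as a sanity check of the logic, not of the product.

```python
"""Hypothetical purge-rule simulator (added example, not ISE code).

Constructed inventory and rule names; nothing here talks to ISE.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Endpoint:
    mac: str
    group: str          # the single endpoint identity group the endpoint is in
    elapsed_days: int   # days since the endpoint was last seen


# Constructed sample inventory (MACs and groups are made up).
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Group-A", 20),
    Endpoint("00:11:22:33:44:02", "Group-B", 10),
    Endpoint("00:11:22:33:44:03", "Group-C", 40),
    Endpoint("00:11:22:33:44:04", "static-group1", 45),
    Endpoint("00:11:22:33:44:05", "static-group2", 200),
    Endpoint("00:11:22:33:44:06", "Other", 5),
]

Rule = Callable[[Endpoint], bool]


def in_group(ep: Endpoint, pattern: str) -> bool:
    """Match the group name against a literal name or a glob such as 'Group-*'."""
    return fnmatchcase(ep.group, pattern)


def all_groups_and_days(groups: List[str], days: int) -> Rule:
    """Literal reading of 'Group-A AND Group-B AND ElapsedDays > days'.

    Because an endpoint has one group, requiring membership in two distinct
    groups can never be true, so this selects nothing.
    """
    return lambda ep: all(in_group(ep, g) for g in groups) and ep.elapsed_days > days


def any_group_and_days(groups: List[str], days: int) -> Rule:
    """The intent behind the question: '(Group-A OR Group-B) AND ElapsedDays > days'."""
    return lambda ep: any(in_group(ep, g) for g in groups) and ep.elapsed_days > days


def select(endpoints: Iterable[Endpoint], rule: Rule) -> List[str]:
    """Return the MACs a single rule would purge, in inventory order."""
    return [ep.mac for ep in endpoints if rule(ep)]


def purge_policy(ep: Endpoint) -> Optional[str]:
    """Two-rule design from the last reply; the first matching rule wins.

    Rule 1: anything NOT in a 'static-*' group, inactive > 30 days.
    Rule 2: anything at all, inactive > 180 days (catches stale static entries).
    """
    if not in_group(ep, "static-*") and ep.elapsed_days > 30:
        return "Purge_all_30days"
    if ep.elapsed_days > 180:
        return "Purge_iPSK_180days"
    return None


def apply_policy(endpoints: Iterable[Endpoint]) -> Dict[str, Optional[str]]:
    """Map each MAC to the rule that would purge it, or None if it is kept."""
    return {ep.mac: purge_policy(ep) for ep in endpoints}


if __name__ == "__main__":
    print("AND across groups :", select(ENDPOINTS, all_groups_and_days(["Group-A", "Group-B"], 15)))
    print("OR across groups  :", select(ENDPOINTS, any_group_and_days(["Group-A", "Group-B", "Group-C"], 15)))
    print("Glob Group-*      :", select(ENDPOINTS, any_group_and_days(["Group-*"], 15)))
    for mac, verdict in apply_policy(ENDPOINTS).items():
        print(f"{mac}: {verdict or 'keep'}")
```

The two-rule policy shows why the "upside down" design matters from a hygiene standpoint: an entry left in a static group keeps whatever authorization that group grants, so the 180-day catch-all bounds how long a forgotten device stays authorizable.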