04-13-2019 04:19 AM
Hi
I'm currently trying to set up RTC between FMC & ISE, which looks like it is failing on the ISE side.
To simplify things I'm trying to manually implement device quarantine using 'Session:EPSStatus equals Quarantine' as a condition under global exceptions which is linked to an authorization profile that will place the device into a VLAN - this doesn't work. However, if I use 'Session:ANC equals QUARANTINE' (QUARANTINE being a policy with an ANC action of QUARANTINE) it works as expected.
When I then test the RTC setup with either the EPS or ANC options (or even both with an OR statement) it doesn't work. On the FMC I can see the triggered event listed under 'Analysis > Correlation Events' and I can see the pxgrid connection under 'System > Syslog'.
On ISE under 'Administration > pxGrid Services > All Clients' I can see the 'iseagent' client online with 'ANC,EPS' listed under 'Client Group(s)'.
A few questions:
- I'm running ISE version 2.3 - is the 'EPSStatus' condition supported with 2.3?
- My understanding is that FMC - ISE RTC only supports EPS and not ANC - is this correct?
- If both the answers to the above are yes - does anyone have an idea why the manual quarantine option using 'EPSStatus' may not be working?
Kind Regards
T
04-14-2019 06:06 PM
Hey Terry,
What version of Cisco Firepower are you using?
Do you have your pxGrid remediation instance configured on Firepower, have you set up your quarantine by source IP address remediation policies and assigned them to your Firepower quarantine policies, and have you configured your Firepower quarantine rules?
Firepower will trigger an automated mitigation action via pxGrid, you will want to have your Session:EPSStatus:Quarantine ISE authorization policy configured.
Both ISE authz Session:EPSStatus:Quarantine rules and ISE ANC policies (port-shut, port-bounce, quarantine) are Adaptive Network Control (ANC) mitigation actions. Session:EPSStatus:Quarantine is considered ANC 1.0; Firepower subscribes to the pxGrid EndpointProtection Service topic to perform this mitigation action. ISE ANC policies are considered ANC 2.0; pxGrid clients like Stealthwatch 7.0 subscribe to the pxGrid AdaptiveNetworkControl topic to perform these mitigation actions. Firepower, even though it also subscribes to the pxGrid AdaptiveNetworkControl topic, DOES NOT use ISE ANC policies; it still uses Session:EPSStatus:Quarantine policies.
Firepower 6.0 does not support ANC mitigations via pxGrid.
If you have additional questions, please email me directly.
Thanks,
John
jeppich@cisco.com