ISE purging rules

Is there a way to set a purge rule based on when an object is added to an identity group?  Basically purge x days after added to group y?

What I am running into is I can create a rule that says in group x purge when elapsed days greater than X. Problem is some devices were already in ISE prior through profiling before added to that group so it sees that initial profile date as the date it uses to purge.

ajc
Level 7

The answer is NO. I have been working with TAC trying to remove the significant amount of useless data in the Context Visibility and Oracle DB of ISE (both are not the same but they sync) and the only thing we can do is remove the entries x endpoint group based on the elapsed days.

There is also a 10,000 endpoint purge limit which is coded into ISE platform properties. This process runs continuously until the whole data matching the purge policy is deleted so it can take more than an hour.

 

grep 'Purge' platform.properties
profiler.endPointsPurgeIntervalSec=300
<ucsSmall>.profiler.maxEndPointsPerPurge=10000
<ucsLarge>.profiler.maxEndPointsPerPurge=10000
<sns3515>.profiler.maxEndPointsPerPurge=10000
<sns3595>.profiler.maxEndPointsPerPurge=10000
<ibmSmallMedium>.profiler.maxEndPointsPerPurge=10000
<ibmLarge>.profiler.maxEndPointsPerPurge=10000