08-11-2016 09:49 AM
In the "Splunk & pxGrid Adaptive Network Control (ANC) Mitigation Workflow Actions" document, there is only an unquarantine workflow action for an IP address. In my testing, I am using 802.1x (Machine Auth) and was able to Quarantine by FramedIP. But I am not able to unquarantine because the "unQuarantine by IP address" event action does not recognize the Framed IP. Is there a method to unQuarantine based upon Framed IP? Or do I need to write a transform on Splunk to create a new data field called IP Address to match the included unQuarantine by IP address method?
Endpoint known as Framed-IP-Address=1.2.3.100
XML Parsing Error: no element found
Location: https://10.100.100.100/admin/API/eps/unQuarantineByIP/1.2.3.100
Line Number 1, Column 1:
08-11-2016 10:02 AM
https://(ISE MnT ipaddress)/admin/API/eps/UnQuarantineByIP/{endpoint IP}
Try Capitalizing UnQuarantineByIP or reach out to John.
08-11-2016 10:40 AM
Hi,
You will need to duplicate the Unquarantine by IP Address workflow action. Then select the duplicated workflow action and replace the $IPAddress$ variable under "label" with $Framed_IP_Address$. Also, you will want to replace $IPAddress$ with $Framed_IP_Address$ under "Apply only to the following fields". Replace $IPAddress$ with $Framed_IP_Address$ under "URI". Also, as Hsing-Tsu suggested, "UnQuarantineByIP" is case-sensitive under "URI".
If you still have issues, please email me.
Thanks,
John
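Added example, not part of the thread or of the Cisco document: what the duplicated workflow action described above could look like as a `workflow_actions.conf` stanza beside the original. The stanza names, label text and the `<ISE-MnT-address>` placeholder are assumptions; the field names and the URI path come from the posts above.

```ini
# workflow_actions.conf (constructed example)

# Original action as described in the thread: it is keyed on the IPAddress
# field, so it is never offered on events that only carry Framed_IP_Address.
[pxgrid_unquarantine_by_ip]
type = link
display_location = both
label = unQuarantine by IP address $IPAddress$
fields = IPAddress
link.method = get
link.target = blank
link.uri = https://<ISE-MnT-address>/admin/API/eps/UnQuarantineByIP/$IPAddress$

# Duplicate for 802.1X events. Three places change, matching the reply:
#   label    -> $Framed_IP_Address$
#   fields   -> Framed_IP_Address ("Apply only to the following fields")
#   link.uri -> $Framed_IP_Address$
# The path segment is case-sensitive: UnQuarantineByIP, not unQuarantineByIP.
[pxgrid_unquarantine_by_framed_ip]
type = link
display_location = both
label = unQuarantine by Framed IP $Framed_IP_Address$
fields = Framed_IP_Address
link.method = get
link.target = blank
link.uri = https://<ISE-MnT-address>/admin/API/eps/UnQuarantineByIP/$Framed_IP_Address$
```

Keeping both stanzas lets events with either field name expose an unquarantine action, so no Splunk field transform is needed.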