01-12-2018 01:57 AM - edited 02-21-2020 07:07 AM
Hi,
Can Firepower / FireSIGHT auto-block an IP address if the IP generates an event or an alert? So rather than constantly blocking the attack, I would like FP to actually block the offending IP for a set period.
01-17-2018 07:16 AM
Not by itself it cannot.
If the offending host is internal and you have something like ISE, you can create a correlation policy to have ISE quarantine the host, shut down the switchport, or kick it off the WLAN.
01-23-2018 01:58 AM
Hi,
Thank you, I don't suppose you have any links to any sources at all?
Kind regards
Chris.
01-23-2018 05:21 AM
You're welcome.
The Cisco solution is known as Rapid Threat Containment. More information can be found here:
https://www.cisco.com/c/en/us/solutions/enterprise-networks/rapid-threat-containment/index.html
01-30-2018 05:32 AM
While Rapid Threat Containment is working fine for quarantining endpoints in ISE, I am struggling to find a good solution for un-quarantine. Do you know if it is possible to use the FMC REST API to un-quarantine an endpoint based on MAC or IP address?
Thanks
/Jorgen
01-30-2018 06:46 AM
Assuming ISE quarantined the endpoint, it can also unquarantine it and send a message via pxGrid for Firepower to do the same.
I'm not sure about using the API directly. Even if the documentation told me I could use the API, I would lab that up first.