Firepower or ISE that block access?

raymondluis13
Level 1

Hi, so I've integrated my Firepower with ISE, and I have a rule that will quarantine users who try to access something dangerous. The quarantine option comes from ISE, but Firepower is the one that triggers the action.

I want to ask: if a user gets blocked into quarantine, which technology is responsible for it? Firepower or ISE?

RL
3 Replies

@raymondluis13 ISE is the brains: when you quarantine, it sends a CoA to reauthorise the session and can assign a different TrustSec SGT. The Firepower device, or switches, routers, WSA, etc., can all block traffic based on the SGT.

balaji.bandi
Hall of Fame

If the identity source is ISE, then ISE will have blocked the user in this case, I guess.


BB


As @Rob Ingram mentioned, ISE is the brain. It is essentially going to instruct the network device(s) with what action should be applied to the endpoint session that triggered the violation; the network device itself won't be able to do that, which is why we need the integration with ISE. For example, with Secure Network Analytics (Stealthwatch) you can configure the violation rules; then, when an endpoint triggers a rule, Secure Network Analytics will share that with ISE, ISE will then trigger the reauthentication of that session and will instruct the switch (where the endpoint is connected) to reject the traffic from that endpoint.
