10-10-2022 03:12 AM
Hi, so I've integrated my Firepower with ISE, and I have a rule that will quarantine users that try to access something dangerous. The quarantine option comes from ISE, but Firepower is the one that triggers the action.
I want to ask: if a user gets blocked into quarantine, which technology is responsible for it? Firepower or ISE?
10-10-2022 03:26 AM - edited 10-10-2022 03:28 AM
@raymondluis13 ISE is the brains; when you quarantine, it sends a CoA to reauthorise the session and can assign a different TrustSec SGT. The Firepower device, or switches, routers, WSA etc., can all block traffic based on the SGT.
10-10-2022 03:35 AM
If the identity source is ISE, then ISE will have blocked the user in this case, I guess.
10-10-2022 05:42 AM
As @Rob Ingram mentioned, ISE is the brain. It is essentially going to instruct the network device(s) with what action should be applied to the endpoint session that triggered the violation; the network device itself won't be able to do that, which is why we need the integration with ISE. For example, with Secure Network Analytics (Stealthwatch) you can configure the violation rules, then when an endpoint triggers a rule, Secure Network Analytics will share that with ISE, ISE will then trigger the reauthentication of that session and will instruct the switch (where the endpoint is connected) to reject the traffic from that endpoint.
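The division of labour the two replies describe (Firepower or Secure Network Analytics reports the violation, ISE decides and pushes a CoA with a new SGT, and every enforcement point then permits or denies purely from the SGT matrix) is easy to get wrong when troubleshooting, so here is a small Python model of that control flow. This is an added illustration, not code from the thread's authors or from Cisco; the session table, the CoA message shape, the SGT numbers and the permit matrix are all constructed assumptions, and no real pxGrid, ERS or RADIUS call is made.

```python
"""Model of an ISE-driven quarantine.

Roles (constructed model, not Cisco's implementation):
  * ISE            - policy decision point; owns the session table and
                     issues the CoA that reassigns the session's SGT.
  * EnforcementPoint - a switch or Firepower; it never decides to
                     quarantine, it only enforces an SGT-to-SGT matrix.
  * report_violation - what Firepower / Secure Network Analytics does:
                     it tells ISE, nothing more.
"""
from dataclasses import dataclass

# Constructed SGT values for the example (any real deployment defines its own).
EMPLOYEE_SGT = 10
SERVER_SGT = 20
QUARANTINE_SGT = 255


@dataclass
class Session:
    mac: str
    nas_ip: str          # the switch/WLC the endpoint authenticated through
    sgt: int
    quarantined: bool = False


@dataclass
class CoA:
    """Change-of-Authorization as seen by the network device (model only)."""
    nas_ip: str
    mac: str
    action: str          # e.g. "reauthenticate"
    new_sgt: int


class ISE:
    """Policy decision point: the only component that changes a session's SGT."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}
        self.coa_log: list[CoA] = []

    def add_session(self, mac: str, nas_ip: str, sgt: int) -> None:
        self.sessions[mac] = Session(mac=mac, nas_ip=nas_ip, sgt=sgt)

    def anc_quarantine(self, mac: str) -> CoA:
        """Apply a quarantine (ANC-style) policy and emit the CoA for the NAS."""
        s = self.sessions[mac]
        s.sgt = QUARANTINE_SGT
        s.quarantined = True
        coa = CoA(nas_ip=s.nas_ip, mac=mac, action="reauthenticate",
                  new_sgt=QUARANTINE_SGT)
        self.coa_log.append(coa)
        return coa


class EnforcementPoint:
    """Switch or Firepower: permits/denies only from (src_sgt, dst_sgt)."""

    def __init__(self, name: str, matrix: dict[tuple[int, int], bool]):
        self.name = name
        self.matrix = matrix          # missing entry == deny (default deny)
        self.sgt_by_mac: dict[str, int] = {}

    def learn(self, mac: str, sgt: int) -> None:
        self.sgt_by_mac[mac] = sgt

    def apply_coa(self, coa: CoA) -> None:
        """Re-auth result: the session now carries the SGT ISE assigned."""
        self.sgt_by_mac[coa.mac] = coa.new_sgt

    def permit(self, src_mac: str, dst_sgt: int) -> bool:
        src_sgt = self.sgt_by_mac.get(src_mac)
        return self.matrix.get((src_sgt, dst_sgt), False)


def report_violation(ise: ISE, mac: str) -> CoA:
    """What Firepower/SNA does: report to ISE and let ISE act."""
    return ise.anc_quarantine(mac)


def run_scenario() -> dict:
    """Constructed walk-through: employee reaches a server, then is quarantined."""
    matrix = {(EMPLOYEE_SGT, SERVER_SGT): True}   # quarantine SGT has no permits
    ise = ISE()
    switch = EnforcementPoint("access-switch", matrix)
    fw = EnforcementPoint("firepower", matrix)

    mac = "00:11:22:33:44:55"                      # constructed endpoint
    ise.add_session(mac, nas_ip="10.0.0.2", sgt=EMPLOYEE_SGT)
    switch.learn(mac, EMPLOYEE_SGT)
    fw.learn(mac, EMPLOYEE_SGT)
    before = (switch.permit(mac, SERVER_SGT), fw.permit(mac, SERVER_SGT))

    coa = report_violation(ise, mac)              # Firepower only reports
    switch.apply_coa(coa)                         # NAS re-auths the session
    fw.learn(mac, ise.sessions[mac].sgt)          # FW learns the new SGT from ISE
    after = (switch.permit(mac, SERVER_SGT), fw.permit(mac, SERVER_SGT))

    return {"before": before, "after": after, "coa_target": coa.nas_ip,
            "quarantined": ise.sessions[mac].quarantined}


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes explicit: neither enforcement point ever holds a "quarantine this user" rule of its own. Firepower's role ends at `report_violation`; the blocking observed afterwards is the ordinary SGT matrix applied to the new SGT that ISE assigned through the CoA, which is why the same endpoint is denied on the switch and on Firepower alike once ISE has acted.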