cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1786
Views
5
Helpful
9
Replies

Rapid threat containment with FMC

lambay2000
Level 2
Level 2

Dears,

i have a FMC  and ISE in my network and i m planning to configure the threat containment , i don't have any internal CA , and planning to do with self signed CA of each others (FMC and ISE standalone) will it work ???

 

OR

 

CA server  is must for integration.

 

Thanks

1 Accepted Solution

Accepted Solutions

Hi, The server/client EKU basically indicate what the purposes the certificate can be used for.

 

If you have ISE 2.2 then this will be fine.

 

This document describes the steps, it's based on ISE 2.2

 

HTH

 

View solution in original post

9 Replies 9

Hi,

It's important that the certificate used for pxgrid integration has server and client authentication EKU. If you use ISE 2.2+, you can use it's internal CA to sign the certificate used for the FMC.

 

HTH

Dear

i would like thank u for reply.

 

can u elaborate more for client server authentication eku means ????

 

i m using 2.2 patch 7 i dont have any internal ca. If I build ise 2.2 patch 7 as a ca server will it work ???? or compulsory to have above 2.2 to build ise as a ca server.

 

so u r confirming that default signed certificates will not work.

 

thanks

 

 

 

 

Hi, The server/client EKU basically indicate what the purposes the certificate can be used for.

 

If you have ISE 2.2 then this will be fine.

 

This document describes the steps, it's based on ISE 2.2

 

HTH

 

Dear RJI,
My FMC is configured with user agent which is installed in AD which provides user to ip mapping , to use rapid threat containment is it necessary to go with ISE as type of user agent to GET user to IP mapping information.

Becz my FMC/FP is running live providing the user to ip information, i have to configure it in a proper maintenance window ???

Please confirm

Hi,

Yes, you need the ISE pxgrid integration with FMC in order to quarantine the users. Configuring the pxgrid with ISE and FMC shouldn't cause any downtime, it's up to you if you implement in a change window. Implementing this is only on the FMC not the FP sensor.

 

HTH

Please find the attached snapshot, as per the docs provided by u on pg 22

 

it is showing to use a Identity service engine instead of user agent, so if i move to ISE them all user to ip mapping will be provided by ISE, becz FMC will stop communicating with user agent and will start with ISE,

 

I have four cisco documents which are making me confuse to setup the pxgrid. i don't know which to follow:

  1. Deploying pxGrid in ISE Productional Environments
  2. Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxGrid) Clients ( this the one which you provided)
  3. Cisco FireSIGHT and ISE Rapid Threat Containment Solution
  4. How to Integrate Cisco Firepower Management Center 6.0 With ISE and TrustSec Through pxGrid

Thanks

Dears,
Awaiting your reply.
thanks

You will need to use pxgrid integration with ISE in order to quarantine (Threat Containment), the FMC User Agent won't allow you to do that.

 

This video might help in setting up integration

Dears

pxgrid services will benefit anything for fortigate firewalls ???
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: