Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

How To: Rapid Threat Containment (RTC) with Cisco FireSIGHT and ISE

9192
Views
5
Helpful
6
Comments
thomas
Cisco Employee
‎06-27-2016 10:26 PM
edited on: ‎06-27-2016 ‎10:26 PM

May 2016

This document is for intended for Cisco engineers and customers who are interested in deploying FireSIGHT Management Center (5.4) with Cisco Identity Service Engine (ISE 1.3 or higher) using (platform exchange Grid) pxGrid’s Adaptive Network Control (ANC) mitigation actions to take action on the endpoint. Please note that this is for FireSIGHT Management Center 5.4 only and not for FireSIGHT Management Center 6.0.

This document provides details on the configuration of FireSIGHT Management Center using ISE in a stand-alone environment using self-signed certificates and also using Certificate Authority (CA)-signed certificates with pxGrid enabled. The pxGrid remediation module, pxGrid agent installation and configuration details are covered. The pxGrid remediation module provides the pxGrid ANC mitigation features: quarantine, portbounce, portshut, reauthenticate, terminate and unquarantine. The pxGrid agent provides the certificate information and ISE pxGrid node connection information between the FireSIGHT Management Center and the ISE pxGrid node. Correlation policies, rules, remediation types are defined for each ANC mitigation action type.

The reader should have some familiarity with the FireSIGHT Management Center and the Identity Service Engine (ISE) access control system. It is assumed that FireSIGHT Management Center 5.4 and a standalone ISE 1.3 or ISE 1.4 environment is installed. FireSIGHT Management Center 5.4 was also tested on ISE 2.0.

The following software versions were used for the testing of this document:

  • FireSIGHT Management Center 5.4
  • FireSIGHT Appliance Virtual Sensor 5.4
  • Cisco Identity Services Engine ISE 1.3 and ISE 1.4
  • FireSIGHT pxGrid remediation module 1.0
  • FireSIGHT pxGrid Agent 1.0
  • Microsoft CA 2008 R2 Enterprise

For configuring ISE pxGrid in a Distributed ISE environment, please see the link in the References section. Also included are links to How-To Deployment guides using CA-signed certificates and self-signed certificates using a MAC as a pxGrid client as reference.

Comments
jeffrbul
Cisco Employee
Cisco Employee
‎10-20-2016 08:35 AM
‎10-20-2016 08:35 AM

Thanks for the reference! Huge help... but I could use a current version of the guide covering FMC 6.x and ISE 2.x. Do we have one available?

jeppich
Cisco Employee
Cisco Employee
‎10-20-2016 11:55 AM
‎10-20-2016 11:55 AM

Hey Jeffrey,

I'm currently working on updating for FMC 6.1 and ISE 2.1. The biggest change is that everything is integrated there is no more pxGrid connection agent and remediation module to upload.  For now, you can use the How-to for FMC 6.0How To: Integrate Firepower Management Center (FMC) 6.0 with ISE and TrustSec through pxGrid for the initial setup (pxGrid remediation IS NOT supported in FMC 6.0, IS supported in FMC 6.1), you can use the FireSIGHT RTC guide to setup your correlation policies and assign remediation types.

Thanks,

John

jeppich@cisco.com

jeffrbul
Cisco Employee
Cisco Employee
‎10-20-2016 02:27 PM
‎10-20-2016 02:27 PM

Thanks again John! Really a big help.

matteodapozzo
Contributor
Contributor
‎03-20-2017 03:44 PM
‎03-20-2017 03:44 PM

Hi,

Thanks for the detailed How-To.

Is the integration also supported in version 6.2 ?

Thanks!

Matteo

jeppich
Cisco Employee
Cisco Employee
‎03-20-2017 07:04 PM
‎03-20-2017 07:04 PM

Hey Matteo,

Yup, this integration is supported in FMC 6.2,

In the process of writing a more in-depth how-to

In the meanwhile, here's a how-to to integrate FMC 6.2 with ISE 2.2 Internal CA

https://communities.cisco.com/docs/DOC-71928- Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxGrid) Clients


Thanks,

John

jeppich@cisco.com

matteodapozzo
Contributor
Contributor
‎03-27-2017 01:10 AM
‎03-27-2017 01:10 AM

Thank you John!

Latest Contents
Run fx-os commands while in expert mode, Firepower 4100?
Created by junktoka28817 on 01-15-2021 10:43 AM
0
0
0
0
Hello to anyone who stumbles across this post, and thanks for any insight in advance. I was wondering if there was anyway to run default fx-os commands (like show version, show blocks, show cpu, show memory, show snort statistics) while in expert mod... view more
Where do I block domains or email senders.
Created by NinoRenzi66429 on 01-15-2021 09:55 AM
0
5
0
5
where is the simple place to block email addresses/domains.  Used to be really easy in Barracuda where you have a tab that said block/accept and then just add the address or domain.
MAB not working
Created by Stefan E. on 01-15-2021 08:58 AM
1
5
1
5
Hello,we are using 802.1x to authenticate our Clients.As a fallback and for foreign devices we are using MAB.Now we often met the issue, that also MAB is not working.The authentication session does not start at all and there is no MAC Address visible.As s... view more
Classic License in FMC
Created by hurricane05 on 01-15-2021 08:27 AM
0
0
0
0
I haven't applied a classic license in the Cisco FMC before but I'll need to install a new one as we have one of our license that will be expiring in 3 months. When I install the new Classic license which is for url, does it update the existing license or... view more
'URL_filtering' Quarantine issue
Created by kostasthedelegate on 01-15-2021 07:54 AM
1
5
1
5
Hello  Is there a way to know a mail that goes to quarantine for which URL it goes for? Are there any logs indicating the exact reason for a quarantined email? Regards, Konstantinos
Content for Community-Ad