IoT Security
Quarantine a Device Using Cisco ISE pxGrid
Table of Contents
Quarantine a Device Using Cisco ISE pxGrid
Use the IoT Security integration with Cisco ISE pxGrid to quarantine IoT devices of
concern.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following Cortex XSOAR setups:
|
As an IoT Security user, you can selectively quarantine devices through Cisco
ISE pxGrid. Cisco ISE quarantines impacted devices by applying a policy that
IoT Security generates in one of its exception rules.
Put a Device in Quarantine Using Cisco ISE pxGrid
Let’s say you want to quarantine a device because you saw an alert that concerns
you. In the IoT Security portal, use the
Quarantine via Cisco pxGrid option.
IoT Security sends a quarantine command through Cortex XSOAR, the
XSOAR engine, and pxGrid to ISE.
In response, ISE sends a
Disconnect-Request message to the switch through which the impacted
device accesses the network and disconnects it. When the device
reconnects, ISE checks the quarantine policy it received from IoT
Security, finds that it applies to the device requesting access,
and assigns it to a quarantine VLAN. The device remains in quarantine
while you investigate the cause of the alert. Once it’s resolved,
you can then use the Release via Cisco pxGrid option to return the device
to its regularly assigned VLAN.
For information about
creating an authorization profile and exception authorization policy
that assigns a quarantined device to a specific VLAN, see the
“Setup Adaptive Network Control”
chapter in the Cisco Identity Services Engine Administration Guide,
Release 2.2.
- (IoT Security) Click and select one of the alerts.This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.Click .
![]()
Add a comment.After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.![]()
Click Send.IoT Security automatically creates a policy called panw_iot_quarantine_anc_policy, assigns it to the device, and sends it through Cisco pxGrid to ISE. The policy appears in the ISE UI at .![]()
After you click Send, a link appears in the IoT Security portal. When you click it, a new browser window opens to the XSOAR playbook for this action.![]()
To confirm that the task was completed, click the link to the XSOAR playbook for this action.For the link in IoT Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.Release a Device from Quarantine Using Cisco ISE pxGrid
Remove devices from quarantine through the IoT Security integration with Cisco ISE pxGrid.Removing a device from quarantine is the same procedure as putting it in quarantine except that you select the alert on the page and then click . This option is also available in the Action menu in the Risks and Alerts sections on the Device Details page.![]()
IoT Security removes the device from the quarantine policy and sends ISE a command through Cortex XSOAR, the XSOAR engine, and pxGrid to reset authorization for the device. Cisco ISE sends another Disconnect-Request message to the switch, causing it to disconnect the device. This time when the device reconnects and requests network access, ISE does not find a policy match and accepts the device back onto the network, assigning it to its usual, unquarantined VLAN.
