Release a Device from Quarantine Using Forescout
Table of Contents
Release a Device from Quarantine Using Forescout
Remove devices from quarantine through IoT Security integration
with Forescout.
Releasing a device from quarantine is the same procedure
as putting it in quarantine except
that you click on
the page.
This option is also available in the Action menu in the Alerts section
on a Device Details page.
Releasing a device from quarantine requires IoT Security
owner or administrator privileges.
The XSOAR engine sends Forescout the PanwIoTQuarantine host property
with the value set to off (PanwIoTQuarantine=off)
using the Forescout API:
https://<Forescout_IP_address>/fsapi/niCore/Hosts
The instance or instances that have an endpoint with a matching
MAC address take action based on how Forescout administrators choose
to use the host property. For example, if the Forescout administrators
use this host property to disconnect an impacted device and reassign
its VLAN, then Forescout would send another Disconnect-Request message
to the switch through which the device connects to the network.
This time when the device reconnects and requests network access,
Forescout accepts the device back onto the network and puts it in
its normally assigned VLAN.