Configuring NACs

Configure a Palo Alto Networks Layer 3 Firewall DAG NAC or a Cisco Identity Services Engine (ISE) pxGrid NAC. After a NAC is configured, you can begin to quarantine endpoints.

To create or edit NAC configurations, you must have the Network Quarantine Administrator role. See User role requirements.

Palo Alto Networks Layer 3 Firewall DAG NAC

If you use Palo Alto Networks Dynamic Address Groups (DAGs), Network Quarantine can send a request to the Palo Alto firewall to block network access for an IP address.

Palo Alto Networks Panorama is not supported.

Before you begin

Before you configure the Palo Alto DAG NAC in Network Quarantine, you must have:

  • The host name, user name, and password for the firewall.
  • The tags that you want to apply to quarantined endpoints, configured on the firewall.
  • The necessary certificates configured. You must have the server certificate for the firewall to add to the Network Quarantine configuration. See PAN documentation: Certificate Management.

Configure Palo Alto Networks Firewall API access

Create an Administrator user in the PAN Firewall that has API access. Specify this user when you configure the NAC settings in Network Quarantine.

  1. Log in to the PAN Firewall as an Administrator.
  2. Create an Admin role with no WebUI permissions. For XML API permissions, select only Operational Requests and UserID-Agent.
  3. Add a new Administrator user and password. Set the Profile of the new user to the Admin role that you created.
  4. Click Commit to save the changes.
  5. Get an API key for the user. See PAN documentation: Get Your API Key.

Configure certificates in Network Quarantine

  1. Download the firewall certificate.
  2. From the Network Quarantine menu, go to Configuration > Certificates > Create Certificate.
  3. Specify a name for the certificate.
  4. For Certificate Type, select Server Certificate / Certificate Chain.
  5. Upload the certificate. Click Save.

Configure Palo Alto DAG tagger

  1. From the Network Quarantine menu, go to Configuration > NACs > Create NAC.
  2. Specify a display name.
  3. For the NAC Type, select Palo Alto DAG Tagger.
  4. In the Options section, select Start on Service Startup to restart the NAC when the Network Quarantine service restarts. Select Enabled to enable and start the NAC.
  5. Specify the Palo Alto DAG NAC connection details.
    1. Enter the PAN API user name and password that you configured.
    2. Specify the host name for the firewall.
    3. Specify the list of tags that you want to send to the NAC.
    4. If you are using a self-signed certificate, clear Check Server Identity.
    5. (Optional) Select the certificate that you uploaded to Network Quarantine.
    6. (Optional) Update the HTTP Timeout and Refresh Interval settings.
    7. Click Save.
  6. Start the NAC. Select the NAC from the list and click Start.

To edit NAC settings, you must stop the NAC first.

Cisco Identity Services Engine (ISE) pxGrid NAC

To configure a Cisco ISE pxGrid NAC, you can use either self-signed or server-signed certificates. After you configure the NAC, you can quarantine specific MAC addresses with the Adaptive Network Control (ANC) policies that are configured in ISE.

You can log in to ISE with the user interface or with SSH.

Create server and client self-signed certificates

ISE can work with self-signed certificates for both server authentication and client authentication.

  1. Get the self-signed certificate from the ISE server. In the ISE UI, go to Administration > Certificates > System Certificates. If you need the certificate, export the public certificate from the UI.
  2. Generate a self-signed certificate for the client.
    1. See Cisco Communities: Deploying Certificates with pxGrid.
    2. In the ISE UI, go to Administration > Certificates > System Certificates and upload the certificate into the Trusted Certificates section.
  3. If you changed pxGrid certificates, restart the ISE server. See Cisco ISE Client Commands: Start/stop commands.
  4. Make sure that you have the server certificate, client certificate, and client key to create the certificate configuration in Network Quarantine.

Generate a signed certificate

Generate a pxGrid certificate to provide as the certificate authority (CA) when you configure the NAC in Network Quarantine.

  1. In the pxGrid UI, go to Administration > pxGrid Services > Certificates. Generate a single certificate (without a certificate signing request). For the Common Name (CN), use any identifying value, such as an IP address. Choose the PEM download format. Enter a password for the certificate.
  2. Click Create to download a ZIP file that contains the server certificate. Extract this ZIP file to get the server certificate that you need to configure in Network Quarantine.

Configure certificates in Network Quarantine

Create the client and server certificates in Network Quarantine.

  1. From the Network Quarantine menu, go to Configuration > Certificates.
  2. Create the client certificate.
    1. Click Create Certificate.
    2. Specify a name for the certificate.
    3. For Certificate Type, select Client Certificate.
    4. Upload the client certificate and key files.
    5. If required, provide the passphrase for the private key file.
    6. Click Save.
  3. Create the server certificate.
    1. Click Create Certificate.
    2. Specify a name for the certificate.
    3. For Certificate Type, select Server Certificate / Certificate Chain.
    4. Upload the pxGrid certificate that you created in the pxGrid web admin UI. Click Save.

Configure pxGrid NAC

  1. From the Network Quarantine menu, go to Configuration > NACs > Create NAC.
  2. Specify a display name.
  3. For the NAC Type, select Cisco ISE pxGrid NAC.
  4. In the Options section, select Start on Service Startup to restart the NAC when the Network Quarantine service restarts. Select Enabled to enable and start the NAC.
  5. Specify the Cisco ISE pxGrid NAC connection details.
    1. Specify the pxGrid User Name and pxGrid URI.

      Do not modify the default pxGrid Bind Resource, pxGrid Domain, or pxGrid Capabilities values without guidance from Tanium or Cisco Support.

    2. If you are using a self-signed certificate, clear Check Server Identity.
    3. For the Client Certificate, select the client certificate that you configured.
    4. For the Server Certificate Chain, select the server certificate that you configured.
  6. (Optional) Update the IQ Timeout and Refresh Interval settings.
  7. Start the NAC. Select the NAC from the list and click Start.

To edit NAC settings, you must stop the NAC first.
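As an added example that is not part of this documentation or of the Network Quarantine product, the following POSIX shell script (assumes the openssl CLI is installed) covers two checks a practitioner wants before uploading certificates: that a self-signed pxGrid client certificate, its key and the key passphrase belong together (the Client Certificate steps above), and whether a server certificate's name matches the host name you enter in the NAC settings, which decides whether Check Server Identity can stay enabled for either NAC type.

```sh
#!/bin/sh
# Added example: certificate preflight checks for the Network Quarantine
# certificate steps. Not part of the Tanium, Palo Alto or Cisco documentation.
# Assumes the openssl CLI is installed; all names and paths are illustrative.
set -e

# Create a self-signed client certificate with a passphrase-protected key, as
# the pxGrid self-signed flow requires. $1 = output directory, $2 = Common Name,
# $3 = key passphrase. Writes client.key and client.crt, prints the cert path.
make_client_cert() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.crt" \
        -passout "pass:$pass" >/dev/null 2>&1
    echo "$dir/client.crt"
}

# Confirm that the certificate, key and passphrase you are about to upload as a
# Client Certificate belong together: the public key embedded in the certificate
# must equal the public key derived from the private key. Prints match or
# mismatch; a wrong passphrase also yields mismatch because the key will not
# decrypt, so the derived public key hash is the hash of empty input.
check_pair() {
    crt=$1; key=$2; pass=$3
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null \
        | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Decide whether Check Server Identity can stay enabled: it only passes when the
# server certificate's SAN or subject CN matches the host name entered in the
# NAC settings. Self-signed certificates often fail this, which is why the
# procedure says to clear the setting for them.
check_identity() {
    crt=$1; host=$2
    if openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match"; then
        echo ok
    else
        echo clear-check-server-identity
    fi
}
```

Run the checks on the actual files exported from ISE or downloaded from the firewall; the names printed by check_identity tell you whether the host name you configured will validate against the uploaded chain.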

What to do next

After you configure a NAC in Network Quarantine, you can begin to quarantine endpoints. See Quarantining endpoints.