After you configure a NAC, you can configure how endpoints are quarantined. You can set up automated rules to quarantine based on the results of a saved question on a computer group, or you can select individual IP or MAC addresses.
Automated rules use saved questions to query a computer group for a set of conditions. If an endpoint meets the conditions, it is added to the list of violations. From the violations page, you can choose to quarantine the endpoint by MAC address.
With automated rules, you can block by MAC Address using an ISE NAC. You cannot use automated rules with Palo Alto Networks Layer 3 Firewall blocking by IP address.
Add saved questions to Network Quarantine content set
Before you configure automated rules, you must decide on a saved question with which you are going to select the endpoints to quarantine. For example, you might create a saved question that returns endpoints that do not have a certain patch installed.
The saved question you use for a rule must meet the following requirements:
- Be in the Network Quarantine Content Set content set
- Return columns for the Computer Name and MAC Address sensors
- Be accessible by the service account user that you configured for the Network Quarantine service
To add saved question to the Network Quarantine Content Set, you can either choose the content set when you create the saved question, or you can edit a saved question to add it to the content set. For more information, see Tanium Core Platform User Guide: Edit a saved question.
Create an automated rule
- From the Network Quarantine menu, click Automated Rules > Add rule.
- Enter a name for the rule, and choose the saved question on which you want to base the rule.
- Select Enabled to enable the rule to be run on the specified frequency.
- Choose targets for the rule. Configure one or more computer groups on which you want to target. For each computer group, indicate which configured NAC you want to use for the quarantine method.
- Click Save.
- Rules are run on the configured frequency. To run all of the rules now, open the Network Quarantine menu and go to Automated Rules > Run Now.
View and act on violations
After the rules have been run, a list of computers that meet the conditions of the saved questions are returned. To view all violations, go to the Network Quarantine menu and click Violations.
- To approve the quarantine of a device that is violating a defined rule, select the endpoints and click Approve.
- To keep the endpoint connected, select the endpoints and click Deny.
- To generate a CSV list of endpoints, select the endpoints and click Export.
Configure global rule settings
By default, rules are evaluated every 6 hours, and if more than 100 endpoints are returned for a rule, an event is generated. To change these global settings from the Network Quarantine home page, click Settings , then the Automated Rules tab.
- From the Network Quarantine menu, click Quarantined > Create Quarantine.
- Use the available options to quarantine endpoints:
- To quarantine endpoints with a Palo Alto Dynamic Address Group (DAG) NAC, enter a list of IP addresses on which to apply the quarantine and choose the DAG tag that you want to apply.
- To quarantine endpoints with a Cisco Identity Services Engine (ISE) pxGrid NAC, enter a list of MAC addresses on which to apply the quarantine and choose the ANC policy to use. The Adaptive Network Control (ANC) policies are configured in ISE.
- Click Save.
- The IP or MAC addresses that you indicated are listed on the Quarantined page. To disable the quarantine on the endpoint, select the IP or MAC address and click Remove Quarantine.
If you have Tanium Discover installed, you can also quarantine and remove quarantine for an IP or MAC address. Go to an Interfaces page and select the rows that relate to the endpoints that you want to quarantine, then click Quarantine and choose the NAC that you want to use to quarantine the endpoint.
Quarantined MAC or IP addresses are marked as Blocked.
For more information, see Tanium Discover User Guide.
Last updated: 12/18/2018 1:48 PM | Feedback