Network Quarantine requirements

Review the requirements before you install and use Network Quarantine.

Tanium dependencies

Component	Requirement
Tanium™ Core Platform	Version 7.2 or later
License	Network Quarantine is included with Tanium Connect. For information about licensing, contact your Technical Account Manager (TAM).
Tanium™ Connect	(Optional) Version 4.7.4 or later
Tanium™ Discover	(Optional) Version 2.7.0 or later

Tanium Module Server

Network Quarantine is installed and runs as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.

Endpoints

Supported operating systems

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

Third-party software

Cisco Identity Services Engine (ISE) 2.2 or later with pxGrid installed
Palo Alto Networks OS 7.1 or later
Palo Alto Networks Panorama is not supported

Host and network security requirements

Specific ports and processes are needed to run Network Quarantine.

Ports

The following ports are required for Network Quarantine communication.

Component	Port	Direction	Purpose
Module Server	17467	Loopback	Internal purposes; not externally accessible.
	5222	Outbound	Access to Cisco ISE, unless specified otherwise.
	443	Outbound	Access to Palo Alto Networks firewall, unless specified otherwise.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

User role requirements

Table 1: Network Quarantine user role permissions
Permission	Network Quarantine Administrator	Network Quarantine Approver	Network Quarantine Rule Author	Network Quarantine User	Network Quarantine Read Only User	Network Quarantine Service Account
Show Networkquarantine View Network Quarantine shared service
Network Quarantine Certificates Read View configured certificates
Network Quarantine Certificates Write Add or update configured certificates
Network Quarantine Nacs Read View configured NACs
Network Quarantine Nacs Write Add or update configured NACs
Network Quarantine Quarantines Read View quarantined endpoints
Network Quarantine Quarantines Write Quarantine or unquarantine endpoints
Network Quarantine Rules Evaluate Use service account to evaluate rules
Network Quarantine Settings Read View service settings
Network Quarantine Settings Write Configure service settings
Network Quarantine Nacauditlog Read View audit log
Network Quarantine Rules Run Start rule evaluation process
Network Quarantine Rules Read View rules and targets
Network Quarantine Rules Write Edit rules and targets
Network Quarantine Requests Read View quarantine requests
Network Quarantine Requests Approve Approve quarantine requests
Network Quarantine Requests Deny Deny quarantine requests
Network Quarantine Runs Read View rule evaluation runs

Table 2: Provided Network Quarantine micro admin and advanced user role permissions
Permission	Role type	Content set for permission
Read User	Micro Admin
Read Computer Group	Micro Admin
Execute Plugin	Advanced	Network Quarantine Content Set
Read Plugin	Advanced	Network Quarantine Content Set
Read Saved Question	Advanced	Network Quarantine Content Set
Read Sensor	Advanced	Reserved, Default, Base, Network Quarantine Content Set
Write saved question	Advanced	Network Quarantine Content Set

Table 3: Optional roles for Network Quarantine
Role	Enables
Connect User	For signed in user: Configure connections for Network Quarantine event notifications For service account: Send Network Quarantine event notifications

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.