Staff

Technical Tip: Isolating Hosts that no longer have a communicating Persistent Agent

Description

This article describes how to isolate hosts with the Persistent Agent that have lost contact with the appliance.

Scope

Version: 8.x.

Solution

Option 1: Isolate host with option to reinstall the agent.

This option will…

Isolate the violating hosts to the VLAN for Quarantine (Remediation).
Allow for the re-installation of the persistent agent. Once the agent is installed and communication is restored, the host will be allowed back onto the network.

Option 2: Isolate host (no option for reinstalling the agent).

This option will isolate the violating hosts by assigning a the 'Dead End' VLAN. The users are not offered a method for self-remediation.

Navigate to Logs -> Event to Alarm Mappings.
Add or double-click to modify.
Select the enabled checkbox.
Select a severity from the drop-down box (Critical).
Select Clear on Event and select (Regained Contact with Persistent Agent).
Select Trigger Rule and set to Event Frequency (4 events occurring within 1 hours).
Check the checkbox for Action.
Select Host Role Action in the drop-down box.
Select the Dead End role in the Primary Task drop down.

Navigate to Policy -> Policy Configuration -> Network Access Policy -> Add.
Give the Network Access Policy a name (Lost Contact with Persistent Agent).
Select the Add icon under User Host Profile.
Give the User Host Profile a name (Lost Contact with Persistent Agent).
Select Add in Who/What by Attribute.
Select the host tab.
Select the checkbox for the role under Policy -> Access.
Type in Dead End.
Select OK.
Select the add icon under Network Access Configuration.
Give the Network Access Configuration a name (Lost Contact with Persistent Agent).
Type in the Dead End VLAN number.
Select OK.
Set the rank of the Network Access Policy as needed.

Related articles:

Technical Tip: Troubleshooting the Persistent Agent

Sign up