Day 85 – Cisco ISE Mastery Training: Threat Response Automation with pxGrid


Introduction

“Today we wire real-time threat response: when FMC/FTD, Secure Endpoint (AMP), or Stealthwatch flags a compromised host, ISE auto-quarantines it over the network. We’ll use pxGrid for secure event and identity exchange, and ANC for enforcement (dACL / SGT / VLAN). You’ll leave with a repeatable runbook: detect → decide → quarantine → verify → rollback.”

You will implement three automation paths:

  1. FMC → ISE via pxGrid (RTC): IPS/malware events trigger ANC Quarantine.
  2. SecureX Orchestration → ISE ERS/ANC: vendor-neutral playbook (REST) using pxGrid context.
  3. Stealthwatch (SNA) → ISE via pxGrid: high Host Threat Score triggers ANC.

Outcomes we verify (live):

  • pxGrid client trust, topic subscriptions (Sessions / TrustSec / ANC)
  • Automatic ANC application to the endpoint
  • Enforcement on switch/WLC/FTD
  • Auditable logs across ISE/FMC/Stealthwatch/SecureX
  • One-click rollback (Unquarantine)

Problem Statement (what breaks in real networks)

Manual containment is slow and inconsistent. Firewall teams see an IP, NAC teams see a MAC/user; signals are siloed. Threats move faster than tickets. You need cryptographically trusted, bidirectional, near-real-time automation to quarantine the right device, at the right time, with proof.


Solution Overview (pxGrid + ANC pipeline you’ll deploy)

Event source (FMC / AMP / Stealthwatch) → publishes or signals a compromise
pxGrid shares context (user, IP, MAC, SGT)
ISE evaluates Automation Rules (or receives ANC request)
→ ISE applies ANC policy (dACL / VLAN / SGT Quarantine)
Network (Catalyst/WLC/FTD) enforces
Logs confirm detection → action → effect
Operator unquarantines after remediation.


Sample Lab Topology (VMware/EVE-NG)

Platform: VMware ESXi/Workstation or EVE-NG

Nodes

  • ISE 3.2/3.3 (PAN+MnT+PSN; pxGrid persona on PSN)
  • FMC 7.x managing FTD 7.x (intrusion/malware events)
  • Secure Endpoint (AMP) Cloud (policy & event source)
  • Stealthwatch/Secure Network Analytics (optional)
  • Catalyst 9300 (17.x) as access switch (802.1X/MAB/CoA/CTS)
  • WLC 9800-CL (wireless validation)
  • AD DS
  • Endpoints: Win10/11, Linux

Topology Layout:

Pre-req checklist (must be green before automation):

  • DNS A/PTR for ISE/FMC/FTD; NTP aligned everywhere
  • ISE policy set authc/authz working (wired; wireless optional)
  • pxGrid persona enabled + cert with pxGrid usage bound
  • TCP 8910 open between FMC/Stealthwatch ↔ ISE
  • FTD traffic path for enforcement validated
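A pre-flight script for the checklist above, added here as an example; it is not part of the original runbook and not Cisco tooling. It checks that the ISE FQDN's A and PTR records agree, that TCP 8910 is reachable, that the pxGrid server certificate chains to the CA you trust, and that the certificate's SAN actually carries the FQDN the clients will use. Keeping the CA check and the SAN check separate is deliberate: the unknown_ca and handshake symptoms in the troubleshooting phase are two different fixes. The hostname, IP and CA bundle path are constructed lab values.

```python
"""Pre-flight for pxGrid prerequisites: DNS A/PTR, TCP 8910, CA trust, SAN.
Added example, not from the original guide; lab names below are constructed."""
import socket
import ssl

PXGRID_PORT = 8910  # pxGrid port from the pre-req checklist


def san_matches(fqdn: str, san_names: list[str]) -> bool:
    """True if fqdn is covered by one of the DNS SAN entries.

    Wildcard handling follows the usual TLS-library rule: '*' may only stand
    for the whole leftmost label and never matches across a dot.
    """
    host = fqdn.rstrip(".").lower()
    for name in san_names:
        pattern = name.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            left, sep, rest = host.partition(".")
            if sep and left and rest == pattern[2:]:
                return True
    return False


def dns_consistent(fqdn: str, expected_ip: str) -> tuple[bool, str]:
    """A record must resolve to expected_ip and the PTR of that IP must name fqdn."""
    try:
        a_records = {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror as exc:
        return False, f"A lookup failed: {exc}"
    if expected_ip not in a_records:
        return False, f"A record {sorted(a_records)} != {expected_ip}"
    try:
        ptr_name = socket.gethostbyaddr(expected_ip)[0]
    except socket.herror as exc:
        return False, f"PTR lookup failed: {exc}"
    if ptr_name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, f"PTR {ptr_name} != {fqdn}"
    return True, "A/PTR consistent"


def pxgrid_cert_check(fqdn: str, ca_bundle: str, port: int = PXGRID_PORT,
                      timeout: float = 5.0) -> tuple[bool, str]:
    """Open TCP 8910, complete a TLS handshake against ca_bundle, then check SAN.

    Hostname verification is done by san_matches() after the handshake so the
    report distinguishes 'chain not trusted' from 'SAN missing the FQDN'.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False  # SAN mismatch is reported explicitly below
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ConnectionRefusedError:
        return False, f"TCP {port} refused (firewall, or pxGrid persona not enabled)"
    except socket.timeout:
        return False, f"TCP {port} timed out (ACL/firewall between client and ISE)"
    except ssl.SSLCertVerificationError as exc:
        return False, f"unknown_ca: chain not trusted ({exc.verify_message})"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"connect failed: {exc}"
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not san_matches(fqdn, sans):
        return False, f"handshake OK but SAN {sans} does not contain {fqdn}"
    return True, f"cert OK, SAN={sans}"


if __name__ == "__main__":
    # constructed lab values; replace with your PSN's FQDN/IP and ISE root CA bundle
    ISE_FQDN, ISE_IP, CA_BUNDLE = "ise-psn1.lab.local", "10.10.10.21", "ise-root-ca.pem"
    for ok, msg in (dns_consistent(ISE_FQDN, ISE_IP),
                    pxgrid_cert_check(ISE_FQDN, CA_BUNDLE)):
        print("PASS" if ok else "FAIL", msg)
```

Run it from the FMC or Stealthwatch subnet, not from the ISE node itself, so the TCP test exercises the same firewall path the pxGrid client will use.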

Step-by-Step GUI Configuration Guide (with CLI + screenshots)

Target versions used in examples: ISE 3.2/3.3, FMC/FTD 7.x
Replace FQDNs/IPs to match your lab.

Phase 0 — Quick health checks

ISE CLI

show ntp
show application status ise | include pxGrid
tail -n 50 /var/log/ise/pxgrid/pxgrid.log

FMC UI: System > Health > Monitor (FMC, FTD healthy)
Ping/TCP: FMC ↔ ISE: TCP 8910 open


Phase 1 — ISE: pxGrid & ANC foundation

  1. Enable pxGrid persona
    GUI: Administration > System > Deployment > Node > Edit → check pxGrid (and Controller if applicable) → Save
  2. Bind pxGrid certificate
    GUI: Administration > System > Certificates > System Certificates → Import/Bind cert with pxGrid Usage
  3. Enable pxGrid topics
    GUI: Administration > pxGrid Services > Settings → enable Session Directory, TrustSec, ANC
  4. Create ANC policies
    GUI: Work Centers > Policy > Policy Elements > Results > ANC Policies
    • ANC-QUAR-VLAN (moves to VLAN 999)
    • ANC-QUAR-dACL (downloadable ACL “deny-all-except-IT”)
    • ANC-QUAR-SGT (assign SGT = Quarantine)
  5. Map ANC to Authorization (for CoA enforcement)
    GUI: Policy > Policy Sets > (Your set) > Authorization
    • Top rule: UseCase == ANC-Quarantine → Result = QUAR-(your method)

ISE CLI (validate)

tail -f /var/log/ise/pxgrid/pxgrid.log | egrep -i "anc|publish|session"

Phase 2 — FMC: integrate with ISE (pxGrid + RTC)

  1. Trust ISE CA chain
    FMC GUI: Objects > Object Management > PKI > Trusted CAs → Add (paste Base64 ISE CA chain)
  2. Add ISE as Identity Source via pxGrid
    FMC GUI: System > Integration > Identity Sources > Identity Services Engine → Add
  3. Enable Rapid Threat Containment workflow (FMC)
    FMC GUI: Policies > Correlation > Rule Management → Create
    • Condition: Intrusion Event High/Critical OR Malware Detected

FMC validation (event-to-action)

  • Trigger a test intrusion or malware event (EICAR file or a test IPS rule).
  • FMC Analysis > Correlation > Events → action shows Quarantine Host in ISE
  • ISE Operations > RADIUS > Live Logs → CoA and AuthZ = QUAR-xxx

Phase 3 — SecureX Orchestration (vendor-neutral playbook using ISE ERS/ANC)

Use this when a 3rd-party SIEM/XDR must trigger ISE. SecureX pulls pxGrid context (or ISE ERS lookup), then calls ISE ERS ANC.

  1. SecureX Orchestration: build flow
    • Trigger: HTTPS webhook or email/SIEM event
    • Step 1: Get session (ISE ERS: /ers/config/endpoint?... or pxGrid query)
    • Step 2: Parse MAC/IP, choose ANC policy
    • Step 3: POST to ISE ERS: /ers/config/ancendpoint/apply with MAC + ANC policy
    • Step 4: Post back ticket/comment with result
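The ERS ANC call from Step 3, written as a stand-alone script rather than a SecureX Orchestration flow; this is an added example, not code from the original post or from Cisco. It normalises the MAC the event source hands over (FMC, SNA and SIEMs use different notations), builds the apply body, and also builds the clear body used for rollback in Phase 6 and FAQ 10. Assumptions, labelled in the code: ISE ERS is reached on TCP 9060 with an ERS-admin account; the body shape (OperationAdditionalData with macAddress and policyName) is the ERS "ANC Endpoint" resource as I know it; and the HTTP verb used is PUT, which is what the ERS SDK page shows, whereas the flow above lists POST, so confirm against the ERS SDK page of your ISE version.

```python
"""ISE ERS ANC apply/clear from a MAC in an event. Added example, not from the
original post. Assumptions: ERS on 9060, ERS-admin account, PUT verb, body shape
per the ERS ANC Endpoint resource; confirm on your ISE's ERS SDK page."""
import base64
import json
import re
import ssl
import urllib.error
import urllib.request

ERS_PORT = 9060  # assumption: ISE ERS default port
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return MAC as AA:BB:CC:DD:EE:FF.

    Accepts 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff', 'aabbccddeeff' and the colon
    form; anything else raises so malformed event data never reaches ANC.
    """
    hexs = re.sub(r"[:\-.\s]", "", mac)          # strip separators only
    if not MAC_RE.match(hexs):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexs = hexs.upper()
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2))


def build_anc_request(mac: str, policy_name: str, action: str) -> tuple[str, dict]:
    """Build (ERS path, JSON body) for 'apply' (quarantine) or 'clear' (rollback).

    'apply' needs the ANC policy name (e.g. ANC-QUAR-SGT from Phase 1);
    'clear' takes only the MAC.
    """
    if action not in ("apply", "clear"):
        raise ValueError("action must be 'apply' or 'clear'")
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    if action == "apply":
        if not policy_name:
            raise ValueError("policyName is required for apply")
        data.append({"name": "policyName", "value": policy_name})
    body = {"OperationAdditionalData": {"additionalData": data}}
    return f"/ers/config/ancendpoint/{action}", body


def send_anc(ise_host: str, user: str, password: str, mac: str, policy_name: str,
             action: str, ca_bundle: str = "") -> tuple[int, str]:
    """Send the request over HTTPS; returns (HTTP status, response text).

    A 2xx means ISE accepted the ANC change (check Operations > Adaptive
    Network Control). A 401 is the 'token not valid for ANC requests' class of
    failure: wrong credentials or an account without the ERS Admin role.
    """
    path, body = build_anc_request(mac, policy_name, action)
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ise_host}:{ERS_PORT}{path}",
        data=json.dumps(body).encode(),
        method="PUT",  # assumption: PUT per ERS SDK page; the flow above lists POST
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + auth},
    )
    # verify ISE's cert against your CA bundle; never disable verification in prod
    ctx = ssl.create_default_context(cafile=ca_bundle or None)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


if __name__ == "__main__":
    # constructed values; an orchestration step would take these from the event
    mac_from_event = "0011.2233.4455"
    path, body = build_anc_request(mac_from_event, "ANC-QUAR-SGT", "apply")
    print(path)
    print(json.dumps(body, indent=2))
    # status, text = send_anc("ise-pan.lab.local", "ers-admin", "<pwd>",
    #                         mac_from_event, "ANC-QUAR-SGT", "apply", "ise-root-ca.pem")
```

Keep the ERS account scoped to the ERS Admin role and nothing else; the same credentials with action "clear" are the one-click rollback, so log every call with the triggering event ID.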

Validation

  • ISE Operations > Adaptive Network Control shows new ANC entry

Phase 4 — Stealthwatch (SNA) → ISE Quarantine via pxGrid

  1. Register Stealthwatch as pxGrid client (similar to FMC)
    • Trust ISE CA, client cert on SNA appliance/Flow Collector
  2. SNA Policy: If Host Threat Score ≥ 90 or C2 communication

Validation:

  • SNA event → ISE ANC entry → CoA → switch/WLC/FTD blockade.

Phase 5 — Enforcement & Telemetry Validation (end-to-end)

A) ISE confirms session & ANC

  • GUI: Operations > Sessions → find endpoint (User, IP, MAC, SGT)

B) Switch (Catalyst 9300)

show authentication sessions interface Gi1/0/10 details
show cts role-based sessions interface Gi1/0/10
show ip access-lists | include QUAR

Expect re-auth/CoA, SGT=Quarantine or dACL applied or VLAN change.

C) WLC 9800 (if wireless)

show wireless client mac <MAC> detail
show wireless client summary | i <MAC>

Expect Quarantine policy/VLAN/ACL.

D) FTD (optional enforcement path)

> show users
> show access-control-config
> show conn address <endpoint_ip>

Expect identity/SGT recognized; connections blocked by Quarantine rule.

E) FMC Analytics

  • Analysis > Connections → Rule Hit = Block_Quarantine
  • Analysis > Correlation > Events → show Quarantine Host in ISE action

Phase 6 — Rollback & Graceful Unquarantine

ISE GUI: Operations > Adaptive Network Control → select endpoint → Remove ANC
ISE Live Logs: observe CoA → normal AuthZ
Switch/WLC CLI: dACL/SGT/VLAN reverted
FMC/FTD: traffic allowed; rule no longer hits.


Phase 7 — Troubleshooting quick hits (when automation doesn’t fire)

  • No pxGrid connection:
    • ISE: show application status ise | include pxGrid
    • pxgrid.log: unknown_ca, handshake → fix CA trust / FQDN SAN
  • FMC correlation fired but no ANC:
    • ISE pxGrid Clients → FMC must be Approved & Connected; ANC topic enabled
    • FMC Action set to Quarantine in ISE (not Notify)
  • ANC applied but no enforcement:
    • Check ISE AuthZ rule for UseCase == ANC-Quarantine at top
    • Confirm CoA success in Live Logs
    • Switch: show auth sess … confirms dACL/SGT/VLAN update
  • Slow or missed updates: fix NTP, reduce log noise, ensure multiple pxGrid nodes for scale.


Add-On 1: Troubleshooting Workbook Section

1. pxGrid Connection Failure (FMC not registering with ISE)

  • Symptom: FMC GUI shows Connection Failed, ISE pxGrid logs show: pxGrid: Node <FMC> not authorized, invalid certificate.
  • Root Cause: FMC certificate not signed by trusted CA on ISE.
  • Fix:
    1. Export FMC pxGrid certificate.
    2. Import into ISE (Administration → Certificates → Trusted Certificates → Import).
    3. Ensure “Trust for pxGrid” is enabled.

2. Threat Context Not Updating in FMC

  • Symptom: FMC shows old or no ISE session information.
  • Check logs on ISE:
    ise-admin-1/admin# show logging application pxgrid
    Error: Unable to publish context updates to subscriber
  • Fix:
    • Verify FMC is subscribed to correct ISE session directory topics.
    • On ISE GUI: Administration → pxGrid Services → Client → FMC → Subscribe Topics → ise:session:updates.

3. Automation Playbook Not Triggering

  • Symptom: No quarantine action triggered in ISE after FMC detects malware.
  • Check in ISE Policy Logs: Enforcement policy not matched for endpoint <MAC>.
  • Fix:
    • Verify FMC is sending Adaptive Network Control (ANC) requests to ISE.
    • Confirm ISE has ANC policies configured under Policy → Policy Sets → ANC Rules.

4. pxGrid Node Shows “Pending” Forever

  • Symptom: On ISE GUI → pxGrid Clients → FMC shows Pending.
  • Fix:
    • Approve manually: Administration → pxGrid Services → Clients → FMC → Approve.
    • Ensure auto-approval is enabled if desired.

5. CLI Verification Checklist

  • Check pxGrid services are running:
    ise-admin-1/admin# show application status ise | include pxGrid
    pxGrid Infrastructure Server    running
    pxGrid Publisher Subscriber     running
  • Check ANC policy hits in ISE:
    ise-admin-1/admin# show logging application ise-psc.log | include ANC
  • Check FMC API connectivity:
    curl -k -u admin:<pwd> https://<FMC-IP>/api/fmc_platform/v1/info/serverversion

Add-On 2: Lab Validation Checklist

Before leaving lab, confirm these 10 validation points:

  1. pxGrid Services Running on all ISE nodes (show application status ise).
  2. FMC Registered as pxGrid Client (ISE GUI → pxGrid Clients shows FMC → Approved).
  3. ISE Sessions Visible in FMC (Devices → ISE pxGrid tab).
  4. Malware Event on Endpoint Detected in FMC (Security → Events).
  5. FMC Sends ANC Quarantine Request (Monitor ISE live logs).
  6. ISE Enforcement Policy Matches (Policy → Live Logs → ANC applied).
  7. Endpoint Quarantined VLAN/SGT Applied (check switch CLI: show authentication sessions interface X).
  8. Endpoint Connectivity Dropped/Restricted as per policy.
  9. ISE pxGrid Logs Show Success Publish/Subscribe.
  10. FMC → ISE Threat Automation Works in Both Directions (test unquarantine flow too).

Add-On 3: Instructor Talking Points

When teaching this Day 85 lecture, here’s how you can present live:

  1. Kickoff:
    • “Team, today we are stepping into the SOC side of ISE — where NAC meets Threat Hunting. Imagine your firewall, AMP, and ISE talking in real-time. That’s what pxGrid gives you.”
  2. Engagement Question:
    • “What happens when AMP detects malware on an endpoint? Without pxGrid, how do you isolate it? … Correct, manual work. With pxGrid, automation kicks in.”
  3. Demo Narration:
    • “Watch this — I’ll simulate a malware detection in FMC. Notice how within seconds, ISE automatically applies ANC quarantine. No human touched the keyboard.”
  4. Knowledge Drop:
    • “Remember: pxGrid is publish/subscribe. FMC subscribes to ISE’s live session data. ISE subscribes to FMC’s threat intel. That’s the beauty — both sides feed each other.”
  5. Wrap Up Message:
    • “In the SOC, speed = security. Threat Response Automation with pxGrid reduces incident response time from hours to seconds. That’s the power of ISE in enterprise security.”

Troubleshooting:

Section 1 – Common Errors & Fixes by Integration

ISE ↔ FMC

  1. FMC not registering with ISE
    • Error: “Invalid certificate” in ISE pxGrid logs.
    • Fix: Import FMC cert into ISE (Trusted → tick pxGrid).
  2. ISE context not showing in FMC
    • Error: No ISE sessions in FMC GUI.
    • Fix: FMC must subscribe to ise:session:updates.
  3. Quarantine request not applied
    • Error: ANC rule not triggered.
    • Fix: Verify ANC policy in ISE + check FMC automation playbook.

ISE ↔ pxGrid

  1. pxGrid node stuck in PENDING
    • Fix: Approve client manually (Admin → pxGrid Services).
  2. pxGrid Subscriber fails
    • Error: Error: Unable to publish context updates
    • Fix: Verify topic subscription + restart pxGrid service.
  3. pxGrid service down
    • CLI: show application status ise | include pxGrid
    • Fix: Restart pxGrid Infrastructure.

ISE ↔ AMP/Threat Response Automation

  1. Threat not quarantining endpoint
    • Fix: Confirm FMC → ISE ANC API call allowed.
    • CLI: show logging application ise-psc.log | include ANC
  2. Unquarantine not working
    • Fix: Ensure “Revert Policy” exists in ISE.

Section 2 – CLI Verification Commands

On ISE

show application status ise | include pxGrid
show logging application pxgrid
show logging application ise-psc.log
show authentication sessions interface Gi1/0/10

On Switch/WLC

show authentication sessions
show access-session mac <endpoint-mac>

On FMC

curl -k -u admin:<pwd> https://<FMC-IP>/api/fmc_platform/v1/info/serverversion

Section 3 – Log Sample Library

Include real-world log snippets so students recognize them instantly:

  • pxGrid Cert Error (ISE): pxGrid: Node <FMC> not authorized, invalid certificate.
  • ANC Success (ISE): ANC applied on endpoint 00:11:22:33:44:55 → Policy: Quarantine
  • FMC API Error: 401 Unauthorized – Token not valid for ANC requests
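A small triage helper over this log library, added as an example (not from the original post): it runs the snippets above, plus the unknown_ca / handshake and "Enforcement policy not matched" strings from the earlier troubleshooting sections, through a rule table and prints the fix each section of this guide prescribes. The sample log lines are constructed to match the snippets shown; real ISE and FMC lines carry timestamps and extra fields, which the regexes tolerate. Students can paste their own pxgrid.log or ise-psc.log extract into SAMPLE_LOG.

```python
"""Map pxGrid/ANC log lines to the fix each troubleshooting section prescribes.
Added example, not from the original guide; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    source: str     # which log the line normally comes from
    category: str   # cert-trust / subscription / anc-policy / anc-success / api-auth
    detail: str     # captured fields (node, mac, policy) or the raw line
    fix: str        # remedy quoted from the sections above


# First matching rule wins, so the most specific patterns come first.
RULES = [
    (re.compile(r"Node\s+(?P<node>\S+)\s+not authorized,\s*invalid certificate", re.I),
     "ISE pxgrid.log", "cert-trust",
     "Import the client cert into ISE Trusted Certificates and tick 'Trust for pxGrid'"),
    (re.compile(r"unknown_ca|handshake", re.I),
     "ISE pxgrid.log", "cert-trust",
     "Fix CA trust / FQDN SAN on the pxGrid certificate"),
    (re.compile(r"Unable to publish context updates to subscriber", re.I),
     "ISE pxgrid.log", "subscription",
     "Verify the client is subscribed to ise:session:updates; restart pxGrid if needed"),
    (re.compile(r"Enforcement policy not matched for endpoint\s+(?P<mac>[0-9A-Fa-f:.\-]{12,17})", re.I),
     "ISE policy log", "anc-policy",
     "Confirm ANC policies exist and UseCase == ANC-Quarantine is the top AuthZ rule"),
    (re.compile(r"ANC applied on endpoint\s+(?P<mac>[0-9A-Fa-f:.\-]{12,17}).*Policy:\s*(?P<policy>\S+)", re.I),
     "ISE ise-psc.log", "anc-success",
     "Nothing to fix: confirm CoA in Live Logs and dACL/SGT/VLAN on the switch"),
    (re.compile(r"401 Unauthorized.*ANC", re.I),
     "FMC", "api-auth",
     "FMC's ISE credentials rejected for ANC: re-check the account and its ERS/pxGrid rights"),
]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line, or return None when no rule applies."""
    for rx, source, category, fix in RULES:
        m = rx.search(line)
        if m:
            detail = ", ".join(f"{k}={v}" for k, v in m.groupdict().items() if v)
            return Finding(source, category, detail or line.strip(), fix)
    return None


def triage(lines) -> list[Finding]:
    """Classify every line; lines that match no rule are dropped."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Constructed lines modelled on the snippets in this section and Phase 7.
SAMPLE_LOG = """\
2024-05-01 10:01:02 pxGrid: Node fmc.lab.local not authorized, invalid certificate.
2024-05-01 10:01:05 pxgrid-server TLS alert unknown_ca during handshake from 10.10.10.50
2024-05-01 10:02:10 Error: Unable to publish context updates to subscriber fmc.lab.local
2024-05-01 10:03:00 Enforcement policy not matched for endpoint 00:11:22:33:44:55
2024-05-01 10:04:00 ANC applied on endpoint 00:11:22:33:44:55 -> Policy: Quarantine
2024-05-01 10:04:30 session for 00:11:22:33:44:55 authorized (no anomaly)
401 Unauthorized - Token not valid for ANC requests
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.category:12}] {f.source:16} {f.detail}")
        print(f"    fix: {f.fix}")
```

The order of RULES matters: the "not authorized, invalid certificate" pattern sits above the generic unknown_ca/handshake pattern so the report names the client node when the log provides it.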

Section 4 – Validation Checklist

  • ISE pxGrid services are running.
  • All integration clients (FMC, AMP, Threat Response) show Approved in ISE GUI.
  • ISE sessions appear in FMC dashboard.
  • Threat events trigger ANC quarantine in ISE.
  • Switch CLI shows endpoint quarantined VLAN/SGT.
  • Unquarantine flow restores access.

Section 5 – Instructor Pro Tips

  • Always start by checking cert trust → 80% of issues come from missing trust.
  • Use show logging application pxgrid as your first stop when integration fails.
  • In labs, simulate malware by forcing ANC from FMC to validate automation flow.
  • Teach students “ISE ≠ NAC only” → with pxGrid it’s a SOC automation engine.

FAQs – Threat Response Automation with pxGrid

1. What exactly is pxGrid Threat Response Automation, and why do we need it in a SOC environment?

  • pxGrid allows ISE to share real-time session/context data with security platforms (like FMC, AMP, Threat Response, SIEMs).
  • Threat Response Automation goes further — it lets security platforms trigger policy actions (e.g., ANC quarantine) back into ISE.
  • Why important? Instead of waiting for a human to manually block/quarantine, pxGrid automation lets SOC tools cut down Mean Time To Respond (MTTR) from hours to seconds.

2. Which ISE licenses are required for Threat Response Automation with pxGrid?

  • At minimum:
    • Base license → For authentication.
    • Plus license → For ANC (Adaptive Network Control).
    • Apex license → Required for pxGrid services & integrations.
  • Without Apex, pxGrid automation (ANC API calls from FMC/AMP) will not work.

3. How do I validate if pxGrid services are running properly in ISE?

  • GUI → Administration → pxGrid Services → Deployment → Ensure node shows Online.
  • CLI check:
    show application status ise | include pxGrid
    Expected output:
    pxGrid Infrastructure    running
    pxGrid Publisher Subscriber    running

4. How do I confirm that FMC or Threat Response is successfully integrated with ISE over pxGrid?

  • GUI on ISE:
    • Administration → pxGrid Services → Clients.
    • Status should show Approved and Online for FMC.
  • CLI check on FMC:
    tail -f /var/log/messages | grep pxgrid
    You should see pxGrid connection established logs.

5. How can I test ANC policy automation (quarantine) end-to-end?

  1. Ensure ANC policies exist in ISE (Work Centers → Policy → Policy Elements → Results → ANC Policies).
  2. Trigger test: From FMC, select endpoint → quarantine via ISE ANC API.
  3. Validate in ISE logs: ANC applied on endpoint <MAC> → Policy: Quarantine
  4. Validate on switch CLI: show authentication sessions interface Gi1/0/10 → Should display Quarantine VLAN/SGT.

6. What are the most common certificate issues with pxGrid automation?

  • FMC/Threat Response does not trust ISE pxGrid cert → must be imported into FMC.
  • ISE does not trust FMC cert → must be imported into ISE (Trusted for pxGrid).
  • pxGrid clients stuck in PENDING → approve them manually in ISE GUI.

7. What happens if pxGrid services crash or are down — will automation still work?

  • No. If pxGrid is down, FMC/AMP cannot push ANC actions.
  • CLI fix:
    application stop ise
    application start ise
  • Always check disk/CPU memory, since pxGrid infra can crash on overloaded lab nodes.

8. Can I simulate malware detection to test automation without a real virus sample?

Yes, you don’t need a live virus:

  • Use FMC → Create custom correlation policy (trigger when endpoint IP = X).
  • Action → Push ANC “Quarantine” to ISE.
  • Validate that the endpoint is quarantined.

This is safe, and SOC teams often do it for tabletop exercises.

9. How do I troubleshoot if FMC sends the quarantine request but endpoint isn’t blocked?

  • Check if ANC API call was successful:
    • ISE CLI: show logging application ise-psc.log | include ANC → Look for “ANC Request Received”.
  • Verify switch supports CoA (Change of Authorization). Without CoA, quarantine will not apply dynamically.

10. Can pxGrid automation also unquarantine endpoints automatically once threat is cleared?

  • Yes.
  • FMC/AMP/Threat Response can send an “Unquarantine” ANC request via pxGrid.
  • Requirement:
    • A Revert Policy must be preconfigured in ISE.
  • Validation: Switch CLI should again show Authorized, normal VLAN.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience


Closing Notes

  • Automation = trust + telemetry + enforcement. Keep certificates/NTP/DNS immaculate.
  • Always prove automation with a quarantine drill and rollback in your change window.
  • Standardize your playbooks (FMC correlation, SecureX flow, SNA threshold) and add exclusions to prevent collateral damage.
  • Log everything. Your audit trail is your confidence.

Upgrade Your Skills – Start Today

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.

Fast-Track to Cisco ISE Mastery Pro — (4-month live cohort).

  • Full labs: Threat-Centric NAC, pxGrid 2.0, TrustSec/SGT, Wired/Wireless, Posture, FMC/SIEM/Stealthwatch/SecureX integrations
  • Automation playbooks + troubleshooting
    Course outline & enrollment: https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088