About the Remediation Module
With the Cisco Firepower Management Center Remediation Module for ACI, when an attack on your network is detected by the FMC, the offending endpoint can be completely quarantined in the Application Policy Infrastructure Controller (APIC) so that no further traffic is allowed to go in or out of that endpoint. The following figure shows the relationship between the FMC and the APIC when the remediation module is installed.
Compatibility
The following table shows the compatibility between the Cisco Firepower Management Center Remediation Module for ACI, FMC, and APIC.
| Remediation module version | Compatible FMC version | Compatible APIC version |
|---|---|---|
| 2.0.1 | 6.7 and later | 5.1(1h) |
Infected endpoint
The following figure shows how the Cisco Firepower Management Center Remediation Module for ACI reacts when an infected endpoint is detected.
The process is as follows:
1. An endpoint with an infected application in an endpoint group (the endpoint group on the left) launches an attack on another endpoint in the Database EPG. The attack is blocked inline by a managed device (such as a physical or virtual device running Firepower Threat Defense).
2. An attack event is generated and sent to the FMC. The attack event includes information about the infected endpoint.
3. The attack event triggers the remediation module for APIC, which uses the APIC northbound (NB) API to contain the infected endpoint in the ACI fabric.
4. The APIC quickly contains or quarantines the infected application workload in an isolated microsegment (uSeg) EPG.
Because App2 is not infected, it can still communicate on the network.
You can quarantine a source endpoint, a destination endpoint, or both, as the next section shows.
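The following is an added illustration of steps 3 and 4, not the remediation module's own code: it takes the endpoint addresses from a constructed attack event, selects the source, the destination, or both, and builds the APIC object tree for an isolated uSeg EPG whose IP attribute matches those endpoints. The ACI class and attribute names (fvTenant, fvAp, fvAEPg, fvCrtrn, fvIpAttr) follow the APIC object model; the tenant, application profile, event field names and addresses are assumed.

```python
"""Build the APIC payload that quarantines the endpoint(s) named in an FMC attack
event by placing them in an attribute-based (uSeg) EPG with no contracts, so the
fabric forwards no traffic in or out of them. Illustration only; not the module's
code. ACI class names follow the APIC object model; other values are assumed."""
import ipaddress

# Constructed sample of the fields an attack event would carry (names assumed).
SAMPLE_EVENT = {
    "src_ip": "10.1.1.23",   # infected endpoint (App1)
    "dst_ip": "10.1.2.50",   # target in the Database EPG
    "tenant": "Prod",        # assumed tenant owning the endpoints
    "app_profile": "App1",   # assumed application profile
}


def pick_endpoints(event, quarantine="source"):
    """Return the validated IPs to quarantine: source, destination, or both."""
    choice = {"source": ["src_ip"], "destination": ["dst_ip"],
              "both": ["src_ip", "dst_ip"]}
    if quarantine not in choice:
        raise ValueError(f"unknown quarantine target {quarantine!r}")
    return [str(ipaddress.ip_address(event[k])) for k in choice[quarantine]]


def quarantine_epg(tenant, app_profile, ips):
    """uSeg EPG keyed on endpoint IP; the fvCrtrn block lists one fvIpAttr per
    address and 'match: any' pulls in an endpoint that matches any of them.
    No contract is attached, so the matched endpoint can reach nothing."""
    name = "quarantine-" + "-".join(ip.replace(".", "_") for ip in ips)
    attrs = [{"fvIpAttr": {"attributes": {"name": f"ip-{i}", "ip": ip}}}
             for i, ip in enumerate(ips)]
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvAp": {"attributes": {"name": app_profile}, "children": [
            {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes",
                                       "pcEnfPref": "enforced"},
                        "children": [{"fvCrtrn": {
                            "attributes": {"name": "default", "match": "any"},
                            "children": attrs}}]}}]}}]}}


def remediate(event, quarantine="source"):
    """Return the NB API path and JSON-ready body the module would POST."""
    ips = pick_endpoints(event, quarantine)
    payload = quarantine_epg(event["tenant"], event["app_profile"], ips)
    return "/api/mo/uni.json", payload
```

The endpoint leaves the quarantine EPG again when the uSeg EPG is deleted, which is the reverse of the same call.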