Because remediations can fail for various reasons, perform the following steps to verify that a remediation is successful:
Once the remediation module is triggered by an associated correlation rule, check the status of the remediation execution in the FMC GUI.
In the Remediation Status table, find the row for your policy and view the result message.
Once the remediation is complete, go to the TA GUI:
What to do next
Once the quarantined host has been cleaned and is no longer infected, either use Tetration (recommended) to change its quarantine = yes annotation back to quarantine = no, as follows:
For example, if the cleaned host is 172.21.208.11 and it belongs to the Default scope, create a CSV file such as:
Navigate to. For instructions on how to upload your CSV file to Tetration, see the online help user guide on your Tetration server:
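The following is an added example, not part of the Cisco documentation or the remediation module, showing how to generate and sanity-check the un-quarantine annotation CSV described above for one or more cleaned hosts. It assumes the Tetration user-annotation CSV layout of a header row with an IP column, an optional VRF column naming the root scope, and one column per annotation key, and it assumes the module's annotation key is quarantine with the values yes and no; confirm both against the annotation upload page of your own Tetration server before uploading.

```python
"""Build and validate a Tetration user-annotation CSV that clears quarantine.

Added example; not code from Cisco or the FMC remediation module.
Assumed CSV layout (check it on your Tetration server):
    IP,VRF,quarantine
    172.21.208.11,Default,no
"""
import csv
import io
import ipaddress
import sys

QUARANTINE_KEY = "quarantine"   # assumed annotation key set by the module
CLEARED_VALUE = "no"            # value that lifts the quarantine
SCOPE_COLUMN = "VRF"            # assumed column naming the root scope


def build_unquarantine_csv(hosts, scope="Default"):
    """Return CSV text that sets quarantine=no for every host in `hosts`.

    Each entry must parse as an IPv4/IPv6 address; anything else raises
    ValueError so that a typo cannot silently annotate the wrong workload.
    Duplicate addresses are written once.
    """
    seen = set()
    rows = []
    for raw in hosts:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on junk input
        if addr in seen:
            continue
        seen.add(addr)
        rows.append({"IP": str(addr), SCOPE_COLUMN: scope,
                     QUARANTINE_KEY: CLEARED_VALUE})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["IP", SCOPE_COLUMN, QUARANTINE_KEY],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_annotation_csv(text):
    """Parse annotation CSV text into {ip: {annotation_key: value}}.

    Used as a pre-upload check: it rejects a file with no IP column and
    returns only the annotation columns, so a caller can confirm that no
    row accidentally re-sets quarantine=yes.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or "IP" not in reader.fieldnames:
        raise ValueError("annotation CSV needs an IP header column")
    result = {}
    for row in reader:
        ipaddress.ip_address(row["IP"])  # re-validate on the way back in
        result[row["IP"]] = {k: v for k, v in row.items()
                             if k not in ("IP", SCOPE_COLUMN)}
    return result


def rows_still_quarantined(text):
    """Return the IPs in `text` whose quarantine value is anything but 'no'."""
    return sorted(ip for ip, ann in parse_annotation_csv(text).items()
                  if ann.get(QUARANTINE_KEY) != CLEARED_VALUE)


if __name__ == "__main__":
    # Usage: python unquarantine_csv.py 172.21.208.11 [more IPs...] > unquarantine.csv
    hosts = sys.argv[1:] or ["172.21.208.11"]   # constructed sample host
    body = build_unquarantine_csv(hosts, scope="Default")
    leftovers = rows_still_quarantined(body)
    assert not leftovers, f"refusing to emit file that keeps quarantine on {leftovers}"
    sys.stdout.write(body)
```

Upload the resulting file through the Tetration annotation page referenced above; the generated file only ever contains quarantine = no rows, so it cannot be misused to quarantine a host, and the IP validation stops a mistyped address from being annotated.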
Or, use the FMC remediation module to remove the quarantine, as follows. This is not recommended in production networks: the un-quarantine is triggered by traffic matching an access control rule, so anything able to generate matching traffic can lift the quarantine without anyone first confirming that the host is clean.
(See Configure: Step 1) Add an un-quarantine remediation to the same remediation instance: edit the instance and, under Configured Remediations, select and add the un-quarantine type of remediation (in this example, un-quaran-rem).
(See Configure: Step 2) Add an access control rule (in this example, remove-tag) to the same access control policy (in this example, rem-policy); this rule is what triggers the un-quarantine remediation.
(See Configure: Step 3) Add a correlation rule (in this example, unquaran-rule1) that matches on the access control rule (in this example, remove-tag).
(See Configure: Step 4) Assign the un-quarantine response (in this example, un-quaran-rem) to the correlation rule (in this example, unquaran-rule1).
Once that correlation rule matches, the un-quarantine remediation is triggered and removes the quarantine annotation from the host.