FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 191973
Description
Isolate hosts with the Persistent Agent that have lost contact with the appliance.  

Scope
Version:  8.x

Solution
Option 1: Isolate host with option to reinstall the agent.

For instructions, download the document Detect Persistent Agents Not Communicating.

This option will…
•  Isolate the violating hosts to the VLAN for Quarantine (Remediation).
•  Allow for the re-installation of the persistent agent.  Once the agent is installed and communication is restored, the host will be allowed back onto the network.


Option 2: Isolate host (no option for reinstalling the agent).

This option will isolate the violating hosts by assigning the "Dead End" VLAN.  The users are not offered a method for self-remediation.

1.  Create a dead end role.
a.  Navigate to Policy > Roles > Add.
b.  Type in Dead End for the name.
c.  Click OK.

2.  Enable the Lost Contact with Persistent Agent Event to Alarm Mapping.
a.  Navigate to Logs > Event to Alarm Mappings.
b.  Add or double click to modify.
c.  Click the enabled checkbox.
d.  Select a severity from the drop-down box (Critical).
e.  Select Clear on Event and select (Regained Contact with Persistent Agent).
f.  Select Trigger Rule and set to Event Frequency (4 events occurring within 1 hour).
g.  Check the checkbox for Action.
h.  Select Host Role Action in the drop-down box.
i.  Select the Dead End role in the Primary Task drop down.

3.  Create a Network Access Policy to restrict hosts with the "Dead End" role.
a.  Navigate to Policy > Policy Configuration > Network Access Policy > Add.
b.  Give the Network Access Policy a name (Lost Contact with Persistent Agent).
c.  Click the Add icon under User Host Profile.
d.  Give the User Host Profile a name (Lost Contact with Persistent Agent).
e.  Click Add in Who/What by Attribute.
f.  Click on the host tab.
g.  Click the checkbox for role under Policy - Access.
h.  Type in Dead End.
i.  Click OK.
j.  Click the add icon under Network Access Configuration.
k.  Give the Network Access Configuration a name (Lost Contact with Persistent Agent).
l.  Type in the Dead End VLAN number.
m.  Click OK.
n.  Set the rank of the Network Access Policy as needed.

Related Articles

Technical Note: Troubleshooting the Persistent Agent
