Verifying Remediation

The following section provides the steps to verify if the remediation process is successful.

Verify Remediation

Because remediations can fail for various reasons, perform the following steps to verify that a remediation is successful.

Procedure

Step 1

After the remediation module is triggered by an associated correlation rule, check the status of the remediation execution. In the FMC web interface, navigate to Analysis > Correlation > Status.

Step 2

In the Remediation Status table, find the row for your policy and view the result message.
Step 3

Once the remediation is complete, perform the following steps:

  1. In the Secure Workload user interface, navigate to Visibility > Inventory Search.

  2. Enter the IP address of the infected hosts, and click Search.

  3. In User Annotations, you should see quarantine = yes annotated to the IP address of the infected hosts.

What to do next

Once you clean the quarantined host and it is no longer infected, you can perform either of the following actions to remove the quarantine annotation:

  • (Recommended) Use Secure Workload to change the quarantine = yes annotation back to quarantine = no.

    1. For example, if the quarantined host that is no longer infected is 172.21.208.11 and within the Default scope, create a CSV file such as: 

      IP,VRF,quarantine
172.21.208.11,Default,no

    2. Navigate to Applications > Inventory Upload, and then upload the CSV file to Secure Workload. For more information on how to upload a CSV file to Secure Workload, see the Related Documentation section.

  • Use FMC Remediation Module to remove the quarantine annotation.


    Important
    This method is not recommended in production networks due to security concerns.

    1. (In the Configure section, see Step 1) Add a new remediation that uses the un-quarantine type of remediation. Edit the same instance, and under Configured Remediations, select and add the un-quarantine type of remediation (in this example, unquarantine-fmc).

    2. (In the Configure section, see Step 2) Add an access control rule (For example, remove-tag) to the same policy (For example, rem-policy) which can be used to trigger the un-quarantine remediation.

    3. (In the Configure section, see Step 3) Add a correlation rule (For example, unquaran-rule1) that uses the access control rule (in this example, remove-tag).

    4. (In the Configure section, see Step 4ß) Assign the un-quarantine response (For example, un-quaran-rem) to the correlation rule (For example, unquaran-rule1).

    5. After the rule is matched, the un-quarantine remediation will be triggered to remove the quarantine annotation.