Quarantine templates
A Quarantine template restricts a quarantined workload's communication to the inbound and outbound rules in the template. Each rule is an allow-list entry: a set of IP subnets, port ranges, protocols, and domains that quarantined workloads may communicate with. Traffic that no rule matches is blocked.
Quarantine workloads when they exhibit suspicious activity that could spread to other assets, or when they carry vulnerabilities that make them likely targets for exploitation. Quarantining workloads early in the threat cycle stops the east-west (lateral) propagation of suspicious activity across your network.
Quarantining in Xshield
- When you quarantine a workload, it is put in Quarantine mode and moved to an isolated, system-level workload group named the quarantine group.
- Traffic to and from workloads in the quarantine group is limited to the rules in the Quarantine templates applied to those workloads. All other Xshield policies, including Corporate policies, are temporarily removed from the workloads.
- When you have fixed the vulnerabilities, or are otherwise confident that the quarantined workloads can rejoin their workload groups, unquarantine them. Xshield moves the workloads back to their original workload groups and re-enforces the policies that applied before they entered Quarantine mode.
Create Quarantine templates
Create Quarantine templates early in your asset-protection life cycle so that they are ready before an incident, when threats can still be contained at an early stage. Because only the template's rules are allowed during quarantine, include rules for any infrastructure services the quarantined workloads must keep reaching (for example, name resolution, or the management path you will use for investigation and patching); otherwise those services are cut off together with the malicious traffic.
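The allow-list semantics described above, together with the group move on quarantine and the policy restore on unquarantine, as an added Python model. This is illustrative code written for this page, not Xshield's product code or API: every class and field name, the sample template (name resolution to an internal resolver, SSH from one jump host, HTTPS to a patch mirror) and the sample flows are assumptions constructed for the example, and domain rules are assumed to match an exact name or any subdomain of it.

```python
"""Illustrative model of quarantine-template semantics (added example, not Xshield code).

Models the behaviour the page describes: an allow-list template applied to a
workload that is moved to the quarantine group, with its normal policies set
aside and restored on unquarantine. All names here are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt, as seen from the workload (constructed input)."""
    direction: str                  # "inbound" or "outbound"
    peer_ip: str                    # remote address
    port: int                       # local port for inbound, remote port for outbound
    protocol: str                   # "tcp" or "udp"
    domain: Optional[str] = None    # remote hostname when known (outbound only)


@dataclass(frozen=True)
class Rule:
    """One allowed entry: subnets, port ranges, protocols and (optionally) domains."""
    direction: str
    subnets: Tuple[str, ...]                 # CIDR strings; may be empty for domain-only rules
    ports: Tuple[Tuple[int, int], ...]       # inclusive (low, high) ranges
    protocols: Tuple[str, ...]
    domains: Tuple[str, ...] = ()            # exact name or subdomain match (assumed semantics)

    def matches(self, flow: Flow) -> bool:
        if flow.direction != self.direction or flow.protocol.lower() not in self.protocols:
            return False
        if not any(lo <= flow.port <= hi for lo, hi in self.ports):
            return False
        addr = ipaddress.ip_address(flow.peer_ip)
        by_subnet = any(addr in ipaddress.ip_network(s, strict=False) for s in self.subnets)
        by_domain = flow.domain is not None and any(
            flow.domain == d or flow.domain.endswith("." + d) for d in self.domains)
        return by_subnet or by_domain


@dataclass(frozen=True)
class QuarantineTemplate:
    name: str
    rules: Tuple[Rule, ...]

    def allows(self, flow: Flow) -> bool:
        """Allow-list: a flow passes only if some rule matches; everything else is dropped."""
        return any(r.matches(flow) for r in self.rules)


@dataclass
class Workload:
    name: str
    group: str
    policies: List[str]
    template: Optional[QuarantineTemplate] = None
    _saved: Optional[Tuple[str, List[str]]] = field(default=None, repr=False)

    @property
    def quarantined(self) -> bool:
        return self.template is not None

    def quarantine(self, template: QuarantineTemplate) -> None:
        if self.quarantined:
            raise ValueError(f"{self.name} is already quarantined")
        self._saved = (self.group, list(self.policies))   # snapshot for restore
        self.group = "quarantine"                          # isolated, system-level group
        self.policies = []                                 # corporate and other policies set aside
        self.template = template

    def unquarantine(self) -> None:
        if not self.quarantined:
            raise ValueError(f"{self.name} is not quarantined")
        self.group, self.policies = self._saved            # original state comes back
        self._saved = None
        self.template = None

    def effective_policies(self) -> List[str]:
        """What governs the workload's traffic right now."""
        return [f"quarantine:{self.template.name}"] if self.quarantined else list(self.policies)


# Constructed sample template: keep name resolution and one management path open
# for investigation and patching, and drop everything else.
INTERNAL_DNS = Rule("outbound", ("10.0.0.0/8",), ((53, 53),), ("udp", "tcp"))
JUMP_HOST_SSH = Rule("inbound", ("10.10.0.5/32",), ((22, 22),), ("tcp",))
PATCH_MIRROR = Rule("outbound", (), ((443, 443),), ("tcp",), domains=("updates.example.com",))
FORENSICS_ONLY = QuarantineTemplate("forensics-only", (INTERNAL_DNS, JUMP_HOST_SSH, PATCH_MIRROR))

if __name__ == "__main__":
    w = Workload("web-01", "web-tier", ["corporate-baseline", "web-tier-ingress"])
    w.quarantine(FORENSICS_ONLY)
    for f in (Flow("outbound", "10.0.0.53", 53, "udp"),
              Flow("outbound", "203.0.113.7", 443, "tcp"),                         # unlisted egress
              Flow("outbound", "203.0.113.7", 443, "tcp", "updates.example.com"),  # patch mirror
              Flow("inbound", "10.10.0.5", 22, "tcp"),                             # jump host
              Flow("inbound", "10.20.0.9", 445, "tcp")):                           # lateral SMB
        print(f, "ALLOW" if w.template.allows(f) else "DROP")
    w.unquarantine()
    print(w.group, w.effective_policies())
```

The point of the sample template is the caveat in the preceding paragraph: without the resolver and jump-host rules, a quarantined workload would also lose DNS and the SSH path an investigator needs, because the template is the only thing allowed while the workload is in the quarantine group.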
Quarantine workloads
Before you quarantine a workload, make sure its workload group has adequate fail-over capacity, because a quarantined workload stops serving its normal traffic.
- Go to Assets.
- Click the suspicious workload.
- Click Quarantine in the fly panel.
- Select a Quarantine template.
- Confirm that you want to quarantine the workload; click Quarantine.
The workload enters Quarantine mode within a few seconds.
Once quarantined, the workload shows a red icon in Assets; hovering over the workload displays 'Quarantined asset'.
Unquarantine workloads
- Go to Assets.
- Click the workload that you want to restore to its original state.
- Click Unquarantine in the fly panel.
- Confirm that you want to unquarantine the workload; click Unquarantine.
The workload is restored to its original workload group and policies within a few seconds.
Next steps
- Investigate the flows to and from the quarantined workloads to identify and analyze the malicious traffic.
- While the workloads are quarantined, review the vulnerabilities listed in the fly panel and remediate them with hotfixes, patches, and updates before you unquarantine.