Insight Agent requirements - InsightIDR asset quarantine

The Insight Agent lets you quarantine an asset from InsightIDR until the investigation is resolved. Quarantine blocks all of the asset's network connections except those to the Insight Platform and to trusted services such as DHCP. Because the Agent enforces the quarantine with the host's own firewall, the operating system must be configured so that the Agent can drive that firewall:

Linux/Unix Operating Systems

For Linux/Unix systems, iptables must be installed and enabled, because the Agent applies the quarantine rules through it.

Windows Operating Systems

The Insight Agent implements quarantine with the operating system's local firewall service. On Windows assets the Agent must therefore be able to use the Windows Firewall service (Windows Defender Firewall on current Windows versions). Review your organization's Firewall Group Policy settings to confirm that the service is not disabled by policy. If it is disabled, set the policy to either Not Configured or On before you attempt to quarantine an asset with the Insight Agent.

Required Windows Firewall Settings for Insight Agent Quarantine Actions

These Firewall Group Policy settings are required for every profile (Domain, Private, Public, and Standard):

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

You do not need to change the firewall settings for Inbound Connections or Outbound Connections.

Group Policy Management of Windows Firewall

The Windows Firewall service must be enabled and correctly configured for Insight Agent quarantine actions to succeed. If you have never configured Windows Firewall Group Policy for your domain, the default settings allow the quarantine to succeed. If your domain Windows Firewall policy turns the service off, the Agent quarantine fails. To verify your Group Policy settings for Windows Firewall with Advanced Security and for the Windows Defender Firewall Administrative Template, follow the instructions below.

Group Policy Management of Windows Firewall with Advanced Security

Verify that your Group Policy settings for Windows Firewall with Advanced Security meet the requirements above, using whichever tool you normally use to manage your domain group policies.

  1. Open the Group Policy Management console, locate the policy that applies Windows Firewall settings in your organization, and open it for editing.
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, and select the Windows Firewall with Advanced Security node beneath it.
  3. Click Windows Firewall Properties.
  4. On each profile tab (Domain Profile, Private Profile, Public Profile), verify that Firewall state is set to Not Configured or On.
  5. Under Settings, click Customize.
  6. Under Rule merging, verify that "Apply local firewall rules" is set to Not Configured or Yes, then click OK.
  7. Click Apply.

Group Policy Management of Windows Defender Firewall

Verify that your Group Policy settings for the Windows Defender Firewall Administrative Template meet the requirements above: the "Protect all network connections" setting must be either Not Configured or Enabled for every profile.

  1. Open the Group Policy Management console and edit the policy that applies Windows Firewall settings in your organization.
  2. Navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender Firewall (named Windows Firewall in older templates), then open the Domain Profile and Standard Profile folders in turn. The legacy template has only these two profile folders; Standard Profile applies whenever the computer is not connected to its domain network.
  3. In each folder, open Windows Firewall: Protect all network connections (Windows Defender Firewall: Protect all network connections in newer templates).
  4. Ensure that either Not Configured or Enabled is selected.
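The script below is an added example, not part of Rapid7's documentation or of the Insight Agent, that checks the requirements from both procedures above on the endpoint itself rather than in the GPO editor: the state of the firewall service, the resultant Group Policy view and the effective state of each firewall profile, and the registry values that firewall GPOs write. The function name, the Check/Pass/Detail output shape, and the decision to treat any value other than an explicit Off/No as passing are this example's own assumptions.

```powershell
# Added verification script (not part of Rapid7's documentation or the Insight Agent).
# Run it in an elevated PowerShell session on a domain-joined Windows asset after
# "gpupdate /force". The function name, the output shape and the pass/fail rules are
# this example's own choices, taken from the requirements above: firewall state must
# not be Off and local rule merge must not be No.

function Test-QuarantineFirewallPrereq {
    [CmdletBinding()]
    param()

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The Windows Defender Firewall service (mpssvc) must be running and not disabled.
    $svc = Get-Service -Name mpssvc -ErrorAction Stop
    Add-Finding 'Service mpssvc running'    ($svc.Status -eq 'Running')     "Status=$($svc.Status)"
    Add-Finding 'Service mpssvc start type' ($svc.StartType -ne 'Disabled') "StartType=$($svc.StartType)"

    # 2. Resultant Set of Policy view: values no GPO sets show as NotConfigured (no result
    #    or NotConfigured both pass). Enabled=False or AllowLocalFirewallRules=False here
    #    means a GPO is forcing a value that will make the Agent's quarantine fail.
    foreach ($p in Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction SilentlyContinue) {
        Add-Finding "GPO firewall state ($($p.Name))"   ("$($p.Enabled)" -ne 'False')                 "Enabled=$($p.Enabled)"
        Add-Finding "GPO local rule merge ($($p.Name))" ("$($p.AllowLocalFirewallRules)" -ne 'False') "AllowLocalFirewallRules=$($p.AllowLocalFirewallRules)"
    }

    # 3. Effective state (ActiveStore): what the host enforces after GPO and local settings
    #    are merged. The requirement is the same: neither value may be False.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        Add-Finding "Effective firewall state ($($p.Name))"   ("$($p.Enabled)" -ne 'False')                 "Enabled=$($p.Enabled)"
        Add-Finding "Effective local rule merge ($($p.Name))" ("$($p.AllowLocalFirewallRules)" -ne 'False') "AllowLocalFirewallRules=$($p.AllowLocalFirewallRules)"
    }

    # 4. The registry values the firewall GPOs write. The WFAS node writes DomainProfile,
    #    PrivateProfile and PublicProfile; the legacy Administrative Template writes
    #    DomainProfile and StandardProfile. EnableFirewall=0 is "Off", AllowLocalPolicyMerge=0 is "No".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($prof in 'DomainProfile', 'PrivateProfile', 'PublicProfile', 'StandardProfile') {
        $key = Join-Path $base $prof
        if (-not (Test-Path $key)) { continue }   # absent key means Not Configured, which passes
        $v = Get-ItemProperty -Path $key
        if ($null -ne $v.EnableFirewall) {
            Add-Finding "Registry EnableFirewall ($prof)" ($v.EnableFirewall -ne 0) "EnableFirewall=$($v.EnableFirewall)"
        }
        if ($null -ne $v.AllowLocalPolicyMerge) {
            Add-Finding "Registry AllowLocalPolicyMerge ($prof)" ($v.AllowLocalPolicyMerge -ne 0) "AllowLocalPolicyMerge=$($v.AllowLocalPolicyMerge)"
        }
    }

    return $findings
}

# Usage: list every check, then show only the failures that would block quarantine.
$results = Test-QuarantineFirewallPrereq
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    $failed | Format-Table -AutoSize
    Write-Warning "$($failed.Count) check(s) failed; set the GPO to Not Configured or On / Yes, run gpupdate /force, and re-check."
    exit 1
}
```

The RSOP view (step 2) is the one that answers the question the procedures above ask, because it shows only what Group Policy imposes; the ActiveStore and registry checks (steps 3 and 4) catch a firewall that is off for a reason other than the domain policy, such as a local override or a stale policy key left behind by an earlier GPO.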