Isolating Hosts from Network

Note: By default, the network isolation option is disabled in the policy, and the options mentioned in this section are not visible. To enable network isolation, in the policy configuration, select Enabled for the Network Isolation option under Response Action Settings. For more information, see the NetWitness Endpoint Configuration Guide.

To isolate a host from the network:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Isolate from Network from the right-click context menu, or from the More drop-down list in the toolbar.


    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Isolate from Network.


  2. In the Isolate from Network dialog, a set of IP addresses is excluded from isolation by default. For more information, see Network Isolation. To add IP addresses to the list, select the Add your IPs to Exclusion List checkbox. You can enter up to 100 IP addresses, separated by commas.


  3. Enter comments.

  4. Click Isolate Host.

Note: When a host is isolated, connections to the following IP addresses are allowed:
- Endpoint Server, Relay Server, DNS, DHCP, Gateways, 0.0.0.0, 255.255.255.255, and any other IP addresses that the agent connects with.
- Other IP addresses that you include in the exclusion list.
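
The following Python example is added here and is not part of the NetWitness documentation or product. It checks a comma-separated exclusion list against the 100-address limit and the always-allowed addresses noted above before the list is entered in the dialog. The function names, the extra hygiene rules (duplicates, loopback, multicast) and the sample addresses are assumptions; whether the dialog accepts IPv6 is not stated on this page.

```python
import ipaddress

MAX_ENTRIES = 100  # limit stated for the Isolate from Network dialog
# Addresses this page lists as always allowed while a host is isolated.
ALWAYS_ALLOWED = {"0.0.0.0", "255.255.255.255"}


def check_exclusion_list(raw):
    """Validate a comma-separated exclusion list before it is entered.

    Returns (accepted, problems): accepted is the de-duplicated list in input
    order; problems is a list of (entry, reason) pairs for analyst review.
    """
    accepted, problems, seen = [], [], set()
    for entry in (part.strip() for part in raw.split(",")):
        if not entry:
            continue  # tolerate trailing commas and doubled separators
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Hostnames, CIDR ranges and typos: the dialog asks for IP addresses.
            problems.append((entry, "not a single IP address"))
            continue
        key = str(addr)  # canonical text form
        if key in seen:
            problems.append((entry, "duplicate"))
        elif key in ALWAYS_ALLOWED:
            problems.append((entry, "already allowed during isolation"))
        elif addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            # Assumed hygiene rule of this example, not a documented product check.
            problems.append((entry, "not a routable peer address"))
        else:
            seen.add(key)
            accepted.append(key)
    if len(accepted) > MAX_ENTRIES:
        problems.append((f"{len(accepted)} entries", f"exceeds limit of {MAX_ENTRIES}"))
    return accepted, problems


def join_for_dialog(accepted):
    """Return the comma-separated string to paste, or raise if over the limit."""
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} addresses; the dialog accepts up to {MAX_ENTRIES}")
    return ",".join(accepted)


# Constructed sample input (documentation-range addresses, not product data).
SAMPLE = "192.0.2.10, 192.0.2.11,192.0.2.10, 198.51.100.0/24, 0.0.0.0, ir-jump.example, 203.0.113.5,"
```

Every entry that survives the check remains reachable from the isolated host, so review the accepted list as well as the reported problems before isolating.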

Edit Exclusion List

To edit the exclusion list:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Edit Exclusion List from the right-click context menu, or from the More drop-down list in the toolbar.


    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Edit Exclusion List.


  2. Add or modify the IP addresses in the list.

  3. Enter comments and click Save.

Release Isolated Hosts

Releasing the isolated host restores the network connection and removes IP addresses added to the Exclusion list. To release the host from isolation:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Release from Isolation from the right-click context menu, or from the More drop-down list in the toolbar.


    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Release from Isolation.


  2. Enter comments and click Release Host.