quarantine
This command instructs the agent of the product identified by "ProductID" to quarantine the endpoint by restricting its network access.
Quarantine is enabled with the -bigfix action and disabled with the -off action.
When enabled, the quarantine command closes existing network connections and blocks the creation of new ones, DNS lookups included, with the exception of BigFix Parent Relay traffic and BigFix Detect traffic. BigFix runs the following steps to enforce quarantine:
- Resolves the hostnames of the active relays specified in the _BESClient_RelaySelect_FailoverRelay and _BESClient_RelaySelect_FailoverRelayList client settings into static IP addresses.
- Closes the existing network connections.
- Blocks new network connections, including DNS lookups.
- Activates the list of resolved relay IP addresses for future relay selection, so that selecting a relay no longer requires a DNS lookup.
When disabled, the quarantine command reverts relay selection to the DNS-based lists and restores normal network communication.
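The order of the enforcement steps is what keeps the client manageable: relay names must be resolved while DNS still works, because step 3 removes DNS. The following is an added illustration in Python, not BigFix agent code; it simulates the four steps with an in-memory endpoint state and an injectable resolver so it runs offline. Assumptions, also marked in the code: the two relay settings hold relay URLs or hostnames separated by ";", relays listen on port 52311 unless the URL says otherwise, and the BigFix Detect traffic exemption is represented by an extra_allowed list rather than real addresses.

```python
"""Model of the quarantine enforcement sequence (added example, not BigFix code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

DEFAULT_RELAY_PORT = 52311  # assumption: default BigFix relay port
Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None if unknown


def parse_relay_settings(failover_relay: str, failover_relay_list: str) -> List[Tuple[str, int]]:
    """Return (hostname, port) pairs from both relay settings, in order, without duplicates.

    Assumption: values are relay URLs such as
    'http://relay1.example.com:52311/bfmirror/downloads/' or bare hostnames, ';'-separated.
    """
    targets: List[Tuple[str, int]] = []
    for raw in f"{failover_relay};{failover_relay_list}".split(";"):
        raw = raw.strip()
        if not raw:
            continue
        url = urlsplit(raw if "://" in raw else f"http://{raw}")
        if url.hostname is None:
            continue
        target = (url.hostname.lower(), url.port or DEFAULT_RELAY_PORT)
        if target not in targets:
            targets.append(target)
    return targets


@dataclass
class EndpointState:
    """Constructed view of the network state the agent manipulates on the endpoint."""
    open_connections: Set[str] = field(default_factory=set)      # "ip:port"
    allowed_destinations: Set[str] = field(default_factory=set)  # "ip:port" exempt from the block
    static_relay_ips: List[str] = field(default_factory=list)    # relay list used while quarantined
    dns_blocked: bool = False
    quarantined: bool = False


def lookup(state: EndpointState, resolver: Resolver, host: str) -> Optional[str]:
    """DNS lookup that fails once step 3 has blocked DNS."""
    return None if state.dns_blocked else resolver(host)


def enable_quarantine(state: EndpointState, failover_relay: str, failover_relay_list: str,
                      resolver: Resolver, extra_allowed: Iterable[str] = (),
                      resolve_before_block: bool = True) -> List[str]:
    """Apply the four enforcement steps; returns the relay endpoints kept reachable.

    resolve_before_block=False swaps steps 1 and 3 to show why the documented order
    matters: with DNS already blocked no relay resolves and the client strands itself.
    """
    static_ips: List[str] = []
    targets = parse_relay_settings(failover_relay, failover_relay_list)
    if not resolve_before_block:
        state.dns_blocked = True  # deliberately wrong order, for contrast
    # Step 1: resolve relay hostnames to static IPs while DNS is still available.
    for host, port in targets:
        ip = lookup(state, resolver, host)
        if ip is not None:
            static_ips.append(f"{ip}:{port}")
    # Step 2: close existing connections.
    state.open_connections.clear()
    # Step 3: block new connections, including DNS, except the allowed set
    # (extra_allowed stands in for the Detect traffic exemption; assumption).
    state.dns_blocked = True
    state.quarantined = True
    state.allowed_destinations = set(static_ips) | set(extra_allowed)
    # Step 4: relay selection uses the static IP list from now on.
    state.static_relay_ips = static_ips
    return static_ips


def disable_quarantine(state: EndpointState) -> None:
    """Revert to DNS-based relay selection and restore normal communication."""
    state.quarantined = False
    state.dns_blocked = False
    state.allowed_destinations = set()
    state.static_relay_ips = []


def connect(state: EndpointState, resolver: Resolver, destination: str, port: int) -> bool:
    """Attempt an outbound connection; True if the quarantine policy permits it."""
    try:
        ip = str(ipaddress.ip_address(destination))  # literal IP needs no DNS
    except ValueError:
        ip = lookup(state, resolver, destination)  # hostname: needs DNS
        if ip is None:
            return False
    endpoint = f"{ip}:{port}"
    if state.quarantined and endpoint not in state.allowed_destinations:
        return False
    state.open_connections.add(endpoint)
    return True
```

With a constructed resolver such as `{"relay1.example.com": "192.0.2.10"}.get`, enabling quarantine closes every open connection, leaves only `192.0.2.10:52311` connectable by literal IP, refuses the same relay by name (DNS is blocked), and disabling it restores name-based connections; running the steps with `resolve_before_block=False` yields an empty relay list and an endpoint that can no longer reach its relay at all.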
The error codes that the quarantine command might return are listed in the command error codes reference.
The command is available on Windows systems starting from BigFix version 9.5.5.
| Version | Platforms |
|---|---|
| 9.5.5.0 | All |
Syntax
To enable quarantine:
quarantine "ProductID" -bigfix
To disable quarantine:
quarantine "ProductID" -off
Examples
This command quarantines the endpoint on which the BigFix Detect agent is installed:
quarantine "EDR" -bigfix