>
    Strata Copilot
    Configure Quarantine List Redistribution in Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Mobile Users—GlobalProtect Advanced Deployments
    6. Redistribute Quarantine List Information
    7. Configure Quarantine List Redistribution in Prisma Access
    Download PDF
    Prisma Access

    Configure Quarantine List Redistribution in Prisma Access

    Table of Contents

    Configure Quarantine List Redistribution in Prisma Access

    Configure the quarantine list feature for Panorama Managed Prisma Access mobile user (GlobalProtect) deployments.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • Prisma Access (Managed by Strata Cloud Manager)
    To redistribute quarantine list information, complete the following steps.
    • For Prisma Access (Managed by Strata Cloud Manager) deployments:
      View the redistribution diagram and, if required, Edit it in Strata Cloud Manager by going to ConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution and setting the Configuration Scope to Prisma Access.
      • To change the mobile user-to-service connection redistribution and the remote networks-to-service connection redistribution, click Edit to edit the default changes.
        The changes you make here apply to both mobile user-to-service connection and remote network-to-service connection redistribution.
        Be sure not to configure any redistribution loops during configuration. For example, the service connection redistributes quarantined device information to the mobile users; if you configure quarantine list information to be sent from mobile users to service connections; you introduce a loop that could cause memory issues and slowness in the Prisma Access infrastructure.
      • To change the service connection-to-mobile user redistribution, click Edit to edit the default changes and then Edit to add or remove the Quarantined Device List information redistribution.
        Note that the Configuration Scope changes to Mobile Users Networks.
      • To change the service connection-to-remote network redistribution; click Edit to edit the default changes and then Edit to add or remove the HIP (Host Information Profile) or IP to Users information redistribution. Quarantine List redistribution is not available to redistribute for mobile users.
        Note that the Configuration Scope changes to Remote Networks.
    • For Prisma Access (Managed by Panorama) deployments:
      1. Make sure that the Panorama management IP address is able to communicate with the User-ID agent address for all service connections to which you want to redistribute quarantine list information.
        Communication between the User-ID Agent address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
        • To find the User-ID Agent Address, select PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address.
        • To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser when you access Panorama.
      2. Allow Prisma Access to redistribute quarantine list information.
        1. In Panorama, select PanoramaCloud ServicesConfigurationService Setup.
        2. Click the gear icon to edit the settings.
        3. In the Advanced tab, select Enable Quarantine List Redistribution.
          Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
      3. Commit and Push your changes.
      4. Configure Panorama to receive quarantine list information from Prisma Access by configuring management interface settings.
        1. In the Panorama that manages Prisma Access, select PanoramaSetupInterfaces.
        2. Select the Management interface.
        3. Select User-ID.
      5. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
        1. From the Panorama that manages Prisma Access, select PanoramaCloud ServicesStatusNetwork DetailsService Connection.
        2. Make a note of the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address) for each service connection.
        3. Select PanoramaData RedistributionAgents.
        4. Add a Data Redistribution agent, give it a Name and select Enabled.
        5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
          Make sure that your network does not block access to this port between Panorama and Prisma Access.
        6. (Optional) If you have configured this service connection as a Collector (DeviceData RedistributionCollector Settings), enter the Collector Name and Collector Pre-Shared Key.
        7. Select Quarantine List; then, click OK.
        8. Repeat the previous step for all the service connections in your Prisma Access deployment.
      6. Select CommitCommit to Panorama to save your changes locally on the Panorama that manages Prisma Access.
      7. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
        1. Find the management IP address of the Panorama that manages Prisma Access.
          This address displays by in the web browser address bar when you access Panorama.
        2. Make sure that you are in the Service_Conn_Template template, then select DeviceData RedistributionAgents.
        3. Add a Data Redistribution agent, give it a Name and select Enabled.
        4. Enter the management IP address of the Panorama appliance as the Host and 5007 as the Port.
        5. Select Quarantine List; then, click OK.
      8. Configure a data redistribution agent that redistributes quarantine list information from the service connections to mobile user gateways.
        1. From the Panorama that manages Prisma Access, select PanoramaCloud ServicesStatusNetwork DetailsService Connection.
        2. Make a note of the User-ID Agent Address of the service connection from which you want to redistribute quarantine list information.
          Since all service connections have the same redistributed quarantine list information, choose any service connection. You can also configure more than one service connection.
        3. Make sure that you are in the Mobile_User_Template, then select DeviceData RedistributionAgents.
        4. Add a Data Redistribution agent, give it a Name, and select Enabled.
        5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
          Make sure that your network does not block access to this port between Panorama and Prisma Access.
        6. (Optional) If you have configured this service connection as a Collector (DeviceData RedistributionCollector Settings), enter the Collector Name and Collector Pre-Shared Key.
        7. Select Quarantine List; then, click OK.
        8. Commit and Push your changes.
      9. View your quarantine list information by selecting PanoramaDevice Quarantine.
        See View Quarantined Device Information in the GlobalProtect Administrator’s Guide for details.

    © 2026 Palo Alto Networks, Inc. All rights reserved.