Identification and Quarantine of Compromised Devices With Prisma Access
Focus
Focus

Identification and Quarantine of Compromised Devices With Prisma Access

Table of Contents

Identification and Quarantine of Compromised Devices With Prisma Access

Use the GlobalProtect feature to isolate and add compromised devices to a quarantine list.
Prisma Access allows you to identify and quarantine compromised devices that are connected with the GlobalProtect app. You do this by either manually or automatically adding devices to a quarantine list. After you quarantine the device, you can block the quarantined device from accessing the network to ensure consistent policy.

Quarantine List Redistribution Overview

Each Prisma Access mobile user location sends and receives its quarantine information between the Panorama that manages Prisma Access and its nearest service connection. If you have next-generation firewalls or gateways, you should have the service connection redistribute the quarantine list information to and from Panorama and the on-premise firewalls or gateways. You should also redistribute the quarantine list information from Panorama to the service connection to ensure consistent policy enforcement for all mobile user locations (gateways) in Prisma Access.

Use Cases for Quarantine List Redistribution

The following section describes some common Prisma Access deployments where quarantine list redistribution is useful for consistent policy enforcement for compromised devices.
  • Quarantine List Redistribution between Mobile User Locations Connected to Same Service Connection
    —In the following example, a GlobalProtect Mobile User who is connected to Mobile User Location 1 becomes compromised and is auto-quarantined. Prisma Access blocks or restricts the quarantined device per policy.
    A service connection (Service Connection 1 in this example) redistributes the quarantine list information between all mobile user locations to which it is connected. Since Mobile User Location 2 receives the redistributed quarantine list information by way of Service Connection 1, the GlobalProtect mobile user attempt to connect to Mobile User Location 2 is also blocked.
  • Quarantine List Redistribution between Mobile User Locations Connected to Different Service Connections
    —In the following example, there are two mobile user locations, but they connect to two different service connections. A GlobalProtect user attempted to connect to Mobile User Location 1. Mobile User Location 1 detects the GlobalProtect user endpoint as compromised and quarantines it.
    To redistribute the quarantine list information from Mobile User Location 1 to Mobile User Location 2, perform the following actions:
    • Redistribute the quarantine list information from Service Connection 1 to Panorama.
    • Redistribute the quarantine list information from Panorama to Service Connection 2.
    With this configuration, when the GlobalProtect user connects to Mobile User Location 1 and is quarantined, then the quarantine list information redistributes from Mobile User Location 1 to Mobile User Location 2 and any connection attempts to Mobile User Location 2 are blocked.
    This configuration is also valid if the GlobalProtect user connects to Mobile User Location 2 and is quarantined; the quarantine list information redistributes from Mobile User Location 2 to Mobile User Location 1.
  • Quarantine List Redistribution Between Prisma Access and a Next-Generation Firewall or Gateway
    —In the following example, A GlobalProtect user attempted to connect to Mobile User Location 1. Mobile User Location 1 detects the GlobalProtect user endpoint as compromised and quarantines it. The mobile user then goes to the company’s headquarters and attempts to log in again. The headquarters is protected with a next-generation firewall configured as a GlobalProtect gateway using Internal Host Detection.
    Mobile User Location 1 redistributes the quarantine list information to Panorama through Service Connection 1, and Panorama redistributes the quarantine list information to the on-premise internal gateway. When the user attempts to log in from the headquarters location, GlobalProtect detects that the on-premises gateway is configured as an internal gateway and connects to the gateway without a tunnel.
    Since the quarantine list information has been redistributed to the on-premises gateway, the user is blocked at the gateway based on the configured user policies.
    If you use a next-generation firewall or gateway with Prisma Access, you should configure Panorama to redistribute quarantine list information to the firewall or gateway, all service connections, and Panorama.
  • Administrator Manually Quarantines Mobile User at Panorama
    —In this example, the Prisma Access administrator has manually added a mobile user to the quarantine list at the Panorama appliance that manages Prisma Access. The administrator has set up redistribution between Panorama, the next-generation firewall, and the service connections. Panorama redistributes the updated quarantine list information to the firewall and the service connections. The service connections then redistribute the quarantine list information to the mobile user locations.
    The mobile user was connected to Mobile User Location 1. After Mobile User Location 1 receives the updated quarantine list information, the user is disconnected. If the user attempts to connect to Mobile User Location 2, the connection is blocked and the mobile user receives a quarantine notification.
  • Mobile User is Auto or Manually Quarantined at the On-Premises Gateway
    —In this example, there is a next-generation firewall that has been configured as an external gateway at the headquarters or data center location. The administrator has manually quarantined a mobile user at the external gateway. The external gateway redistributes the quarantine list information from the external gateway to Panorama.
    After Panorama has received the updated quarantine list information from the external gateway, it redistributes that information to Service Connections 1 and 2, which then redistributes it to Mobile User Locations 1 and 2. If a mobile user attempts to connect to either Mobile User Location 1 or 2, Prisma Access blocks the connection and the user receives a a quarantine notification.

Configure Quarantine List Redistribution in Prisma Access

To redistribute quarantine information to and from service connections, the Panorama that manages Prisma Access, and next-generation firewalls, complete the following steps.
  1. Make sure that the Panorama management IP address is able to communicate with the User-ID agent address for all service connections to which you want to redistribute quarantine list information.
    Communication between the User-ID Agent address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
    • To find the
      User-ID Agent Address
      , select
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      User-ID Agent Address
      .
    • To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser when you access Panorama.
  2. Allow Prisma Access to redistribute quarantine list information.
    1. In Panorama, select
      Panorama
      Cloud Services
      Configuration
      Service Setup
      .
    2. Click the gear icon to edit the settings.
    3. In the
      Advanced
      tab, select
      Enable Quarantine List Redistribution
      .
      Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
  3. Commit
    and
    Push
    your changes.
  4. Configure Panorama to receive quarantine list information from Prisma Access by configuring management interface settings.
    1. In the Panorama that manages Prisma Access, select
      Panorama
      Setup
      Interfaces
      .
    2. Select the
      Management
      interface.
    3. Select
      User-ID
      .
  5. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
    1. From the Panorama that manages Prisma Access, select
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      .
    2. Make a note of the
      User-ID Agent Address
      (
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      User-ID Agent Address
      ) for each service connection.
    3. Select
      Panorama
      Data Redistribution
      Agents
      .
    4. Add
      a Data Redistribution agent, give it a
      Name
      and select
      Enabled
      .
    5. Enter the
      User-ID Agent Address
      of the service connection as the
      Host
      and 5007 as the
      Port
      .
      Make sure that your network does not block access to this port between Panorama and Prisma Access.
    6. (
      Optional
      ) If you have configured this service connection as a Collector (
      Device
      Data Redistribution
      Collector Settings
      ), enter the
      Collector Name
      and
      Collector Pre-Shared Key
    7. Select
      Quarantine List
      ; then, click
      OK
      .
    8. Repeat Step 5 for all the service connections in your Prisma Access deployment.
  6. Select
    Commit
    Commit to Panorama
    to save your changes locally on the Panorama that manages Prisma Access.
  7. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
    1. Find the management IP address of the Panorama that manages Prisma Access.
      This address displays by in the web browser address bar when you access Panorama.
    2. Make sure that you are in the
      Service_Conn_Template
      template, then select
      Device
      Data Redistribution
      Agents
      .
    3. Add
      a Data Redistribution agent, give it a
      Name
      and select
      Enabled
      .
    4. Enter the management IP address of the Panorama appliance. as the
      Host
      and 5007 as the
      Port
      .
    5. Select
      Quarantine List
      ; then, click
      OK
      .
  8. Configure a data redistribution agent that redistributes quarantine list information from the service connections to mobile user gateways.
    1. From the Panorama that manages Prisma Access, select
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      .
    2. Make a note of the
      User-ID Agent Address
      of the service connection from which you want to redistribute quarantine list information.
      Since all service connections have the same redistributed quarantine list information, choose any service connection. You can also configure more than one service connection.
    3. Make sure that you are in the
      Mobile_User_Template
      , then select
      Device
      Data Redistribution
      Agents
      .
    4. Add
      a Data Redistribution agent, give it a
      Name
      , and select
      Enabled
      .
    5. Enter the
      User-ID Agent Address
      of the service connection as the Host and
      5007
      as the Port.
      Make sure that your network does not block access to this port between Panorama and Prisma Access.
    6. (
      Optional
      ) If you have configured this service connection as a Collector (
      Device
      Data Redistribution
      Collector Settings
      ), enter the
      Collector Name
      and
      Collector Pre-Shared Key
      .
    7. Select
      Quarantine List
      ; then, click
      OK
      .
    8. Commit and Push
      your changes.
  9. View your quarantine list information by selecting
    Panorama
    Device Quarantine
    .

Recommended For You