Device Control

Protect your Windows endpoints from connecting to malicious USB-connected removable devices.

By default, all external USB devices are allowed to connect to your Cortex XDR endpoints. To protect endpoints from USB-connected removable devices that can contain malicious files, such as disk drives, CD-ROM drives, floppy disk drives, and other portable devices, Cortex XDR provides device control.
For example, with device control, you can:
  • Block all supported USB-connected devices for an endpoint group.
  • Block a USB device type but add a specific vendor of that type to your allow list, so that the vendor's devices remain accessible from the endpoint.
  • Temporarily block only some USB device types on an endpoint.
Depending on your defined user scope permissions, creating device profiles, policies, exceptions, and violations may be disabled.
The following are prerequisites to enforce device control policy rules on your endpoints:
Platform / Requirements and Limitations
Windows
  • Cortex XDR agent 7.0 or a later release.
  • For VDI:
    • Cortex XDR agent 7.3 or a later release.
    • Virtual environments use different stacks that might not be subject to the Device Control policy rules enforced by the Cortex XDR agent. As a result, USB devices may be allowed to connect to the VDI instance contrary to the configured policy rules.
    • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that run on physical endpoints where a Cortex XDR agent is not deployed.
    • For Citrix Virtual Apps and Desktops, Cortex XDR Device Control is supported on generic virtual channels only.
    • For VMware Horizon, you must disable Sharing > Allow access to removable storage in your VMware Horizon client settings.
Mac
  • Cortex XDR agent 7.2 or a later release.
  • Device Control policy rules do not take effect on Android devices.
Linux
  • Not supported.
If you are running Cortex XDR agent 7.3 or an earlier release, device control rules take effect on your endpoint only after the Cortex XDR agent deploys the policy. If a USB device was already connected to the endpoint, you must disconnect and reconnect it for the policy to take effect.

Device Control Profiles

To apply device control in your organization, define device control profiles that determine which device types Cortex XDR blocks and which it permits. There are two types of profiles:
Profile / Description
Configuration Profile
  Allow or block these USB-connected device type groups:
  • Disk Drives
  • CD-ROM Drives
  • Floppy Disk Drives
  • (Windows only) Windows Portable Devices
  The Cortex XDR agent relies on the device class assigned by the operating system. For Windows endpoints only, you can configure additional device classes.
Exceptions Profile
  Allow specific devices according to device type and vendor. You can further narrow an exception to a specific product and/or product serial number.
Device Configuration and Device Exceptions profiles are set for each operating system separately. After you configure a device control profile, Apply Device Control Profiles to Your Endpoints.

Add a New Configuration Profile

  1. Log in to Cortex XDR.
     Go to Endpoints > Policy Management > Extensions > Profiles and select + New Profile or Import from File.
  2. Select the Platform, click Device Configuration, and then click Next.
  3. Fill in the General Information.
     Assign the profile a Name and add an optional Description. The profile Type and Platform are set by Cortex XDR.
  4. Configure the Device Configuration.
     For each group of device types, select whether to Allow or Block them on the endpoints. For Disk Drives only, you can also choose to allow them to connect in Read-only mode. To use the default option defined by Palo Alto Networks, leave Use Default selected.
     Currently, the default is Use Default (Allow); however, Palo Alto Networks may change the default definition at any time.
  5. Save your profile.
     When you're done, click Create to save your device profile definitions.
     If needed, you can edit, delete, or duplicate your profiles.
     You cannot edit or delete the default profiles predefined in Cortex XDR.
  6. (Optional) To define exceptions to your Device Configuration profile, Add a New Exceptions Profile.

Add a New Exceptions Profile

  1. Log in to Cortex XDR.
     Go to Endpoints > Policy Management > Extensions > Profiles and select + New Profile or Import from File.
  2. Select the Platform, click Device Exceptions, and then click Next.
  3. Fill in the General Information.
     Assign the profile a Name and add an optional Description. The profile Type and Platform are set by the system.
  4. Configure Device Exceptions.
     You can add devices to your allow list according to different sets of identifiers: vendor, product, and serial number.
     • (Disk Drives only) Permission: select the permission you want to grant, Read only or Read/Write.
     • Type: select the Device Type you want to add to the allow list (Disk Drives, CD-ROM, Portable, or Floppy Disk).
     • Vendor: select a specific vendor from the list or enter the vendor ID in hexadecimal.
     • (Optional) Product: select a specific product (filtered by the selected vendor) to add to your allow list, or enter the product ID in hexadecimal.
     • (Optional) Serial Number: enter a specific serial number (belonging to the selected product) to add to your allow list. Only devices with this serial number are included in the allow list.
  5. Save your profile.
     When you're done, click Create to save your device exceptions profile.
     If needed, you can later edit, delete, or duplicate your profiles.
     You cannot edit or delete the predefined profiles in Cortex XDR.

Apply Device Control Profiles to Your Endpoints

After you define the required profiles for Device Configuration and Exceptions, you must configure Device Control policies and enforce them on your endpoints.
Cortex XDR applies Device Control policies to endpoints from top to bottom, in the order you set on the page. The first policy that matches the endpoint is applied. If no policy matches, the default policy, which allows all devices, is applied.
  1. Log in to Cortex XDR.
     Go to Endpoints > Policy Management > Extensions > Policy Rules and select + New Policy or Import from File.
     When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
     • New rules are added to the top of the list.
     • Default rules override the default rule in the target tenant.
     • Rules without a defined target are disabled until a target is specified.
  2. Configure settings for the Device Control policy.
     1. Assign a policy name and select the platform. You can add a description.
        The platform is automatically assigned to Windows.
     2. Assign the Device Type profile you want to use in this rule.
     3. Click Next.
     4. Select the target endpoints on which to enforce the policy.
        Use filters or manual endpoint selection to define the exact target endpoints of the policy rules. If a Group Name exists, it is filtered according to the groups within your defined user scope.
     5. Click Done.
  3. Configure the policy hierarchy.
     Drag and drop the policies into the desired order of execution. The default policy, which allows all devices on all endpoints, is always the last one on the page and is applied to endpoints that don't match the criteria in the other policies.
  4. Save the policy hierarchy.
     After the policy is saved and applied to the agents, Cortex XDR enforces the device control policies in your environment.
  5. (Optional) Manage your policy rules.
     In the Protection Policy Rules table, you can view and edit the policy you created and the policy hierarchy.
     1. View your policy hierarchy.
     2. Right-click a policy to View Policy Details, Edit, Save as New, Disable, or Delete it.
     3. Select one or more policies, right-click, and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.
  6. Monitor device control violations.
     After you apply Device Control rules in your environment, use the Endpoints > Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the page. You can sort the results and use the filters menu to narrow them down. For each violation event, Cortex XDR logs the event details, the platform, and the device details that are available.
     If you see a violation for which you'd like to define an exception for the device that triggered it, right-click the violation and select one of the following options:
     • Add device to permanent exceptions: to ensure this device is always allowed in your network, select this option to add the device to the Device Permanent Exceptions list.
     • Add device to temporary exceptions: to allow this device only temporarily on the selected endpoint or on all endpoints, select this option and set the allowed time frame for the device.
     • Allow device to a profile exception: select this option to allow the device within an existing Device Exceptions profile.
  7. Tune your device control exceptions.
     To deploy device control in your network with finer granularity, you can add devices on your network to your allow list and grant them access to your endpoints. Device control exceptions are configured per device: you must select the device category, vendor, and type of permission that you want to allow on the endpoint. Optionally, to limit the exception to a specific device, you can also include the product and/or serial number.
     Cortex XDR enables you to configure the following exceptions:
     Exception Name / Description
     Permanent Exceptions
       Permanent exceptions approve the device in your network across all Device Control policies and profiles. You can create them directly from the violation event that blocked the device, or through the Permanent Exceptions list.
       Permanent exceptions apply across platforms, allowing the device on all operating systems.
     Temporary Exceptions
       Temporary exceptions approve the device for a specific time period of up to 30 days. You create a temporary exception directly from the violation event that blocked the device.
     Profile Exceptions
       Profile exceptions approve the device in an existing exceptions profile. You create a profile exception directly from the violation event that blocked the device.
     1. Create a Permanent Exception.
        Permanent device control exceptions are managed in the Permanent Exceptions list and are applied to all devices regardless of the endpoint platform.
        • If you know in advance which device you'd like to allow throughout your network, create a general exception from the list:
          1. Go to Endpoints > Policy Management > Extensions and select Device Permanent Exceptions in the left menu. The list of existing Permanent Exceptions is displayed.
          2. Select the Type, Permission, and Vendor.
          3. (Optional) Select a specific product and/or enter a specific serial number for the device.
          4. Click the adjacent arrow and Save. The exception is added to the Permanent Exceptions list and is applied at the next heartbeat.
        • Otherwise, you can create a permanent exception directly from the violation event that blocked the device in your network:
          1. On the Device Control Violations page, right-click the violation event triggered by the device you want to permanently allow.
          2. Select Add device to permanent exceptions. Review the exception data and change the defaults if necessary.
          3. Click Save.
     2. Create a Temporary Exception.
        1. On the Device Control Violations page, right-click the violation event triggered by the device you want to temporarily allow.
        2. Select Add device to temporary exceptions. Review the exception data and change the defaults if necessary. For example, you can scope the exception to this endpoint only or to all endpoints in your network, or set which device identifiers are included in the exception.
        3. Configure the exception TIME FRAME by defining the number of days or hours during which the exception applies, up to 30 days.
        4. Click Save. The exception is added to the Device Temporary Exceptions list and is applied at the next heartbeat.
     3. Create an Exception within a Profile.
        1. On the Device Control Violations page, right-click the violation event triggered by the device you want to add to a Device Exceptions profile.
        2. Select the PROFILE from the list.
        3. Click Save. The exception is added to the Exceptions Profile and is applied at the next heartbeat.
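The matching and precedence rules spelled out above (the vendor/product/serial identifiers of the Exceptions Profile steps, the top-to-bottom first-match policy ordering, and the permanent, temporary and profile exception types) are easier to reason about as a small decision model. The following Python is an added example, not Cortex XDR code: the class and function names, the endpoint names, and the vendor and product IDs are constructed for illustration. The page states that permanent exceptions win across all policies and profiles; that temporary exceptions behave the same way within their endpoint scope is an assumption made here.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TEMP_DAYS = 30  # a temporary exception runs for at most 30 days (from the page)
VERDICTS = {"allow": "rw", "ro": "ro", "block": "block"}  # Configuration Profile settings

@dataclass(frozen=True)
class DeviceEvent:
    """A USB connection attempt as reported by the agent (constructed sample shape)."""
    platform: str       # "windows" or "mac"
    device_type: str    # "disk", "cdrom", "floppy" or "portable"
    vendor_id: str      # USB vendor ID in hexadecimal
    product_id: str     # USB product ID in hexadecimal
    serial: str

@dataclass(frozen=True)
class AllowRule:
    """One allow-list entry: vendor is mandatory, product and serial narrow the match,
    mirroring the Exceptions Profile fields; endpoint/expires_at scope temporary ones."""
    device_type: str
    vendor_id: str
    permission: str = "rw"                  # "ro" or "rw" ("ro" matters for Disk Drives only)
    product_id: Optional[str] = None
    serial: Optional[str] = None
    endpoint: Optional[str] = None          # limit a temporary exception to one endpoint
    expires_at: Optional[datetime] = None   # set only on temporary exceptions

    def matches(self, ev: DeviceEvent, endpoint: str, now: datetime) -> bool:
        # Hex identifiers compare case-insensitively; serial numbers compare exactly.
        if self.device_type != ev.device_type or self.vendor_id.lower() != ev.vendor_id.lower():
            return False
        if self.product_id is not None and self.product_id.lower() != ev.product_id.lower():
            return False
        if self.serial is not None and self.serial != ev.serial:
            return False
        if self.endpoint is not None and self.endpoint != endpoint:
            return False
        return self.expires_at is None or now < self.expires_at  # lapsed temporary exception

@dataclass(frozen=True)
class Policy:
    """A policy rule: Configuration Profile plus Exceptions Profile, targeted at endpoints."""
    name: str
    platform: str
    targets: frozenset          # endpoint names; a rule with no target never matches (disabled)
    config: dict                # device_type -> "allow" | "ro" | "block"; unset = Use Default (Allow)
    exceptions: tuple = ()      # AllowRule entries from the Exceptions Profile

    def targets_endpoint(self, platform: str, endpoint: str) -> bool:
        return self.platform == platform and endpoint in self.targets

def make_temporary_exception(rule: AllowRule, days: float, now: datetime) -> AllowRule:
    """Attach the TIME FRAME to a rule; the UI caps it at 30 days."""
    if not 0 < days <= MAX_TEMP_DAYS:
        raise ValueError(f"time frame must be between 0 and {MAX_TEMP_DAYS} days")
    return replace(rule, expires_at=now + timedelta(days=days))

def evaluate(policies, permanent, temporary, ev: DeviceEvent, endpoint: str, now: datetime):
    """Return (permission, reason): permanent, then temporary exceptions, then the first
    policy (top to bottom) targeting the endpoint, whose Exceptions Profile beats its config."""
    for rule in permanent:
        if rule.matches(ev, endpoint, now):
            return rule.permission, "permanent exception"
    for rule in temporary:
        if rule.matches(ev, endpoint, now):
            return rule.permission, "temporary exception"
    for pol in policies:
        if not pol.targets_endpoint(ev.platform, endpoint):
            continue
        for rule in pol.exceptions:
            if rule.matches(ev, endpoint, now):
                return rule.permission, f"profile exception in {pol.name}"
        return VERDICTS[pol.config.get(ev.device_type, "allow")], pol.name
    return "rw", "default policy"  # no match: the default policy allows all devices

# Constructed sample: two ordered policies, one permanent and one temporary exception.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICIES = (
    Policy("finance-no-storage", "windows", frozenset({"fin-01", "fin-02"}),
           {"disk": "block", "cdrom": "block"},
           exceptions=(AllowRule("disk", "1234", permission="ro"),)),
    Policy("all-windows-ro-disks", "windows", frozenset({"fin-01", "eng-01"}), {"disk": "ro"}),
)
PERMANENT = (AllowRule("disk", "ABCD", product_id="0001", serial="SN-ALLOWED"),)
TEMPORARY = (make_temporary_exception(AllowRule("disk", "9999", endpoint="eng-01"), 7, NOW),)

def decide(platform, device_type, vendor_id, product_id, serial, endpoint, days_from_now=0):
    """Evaluate one connection attempt against the sample configuration."""
    ev = DeviceEvent(platform, device_type, vendor_id, product_id, serial)
    return evaluate(POLICIES, PERMANENT, TEMPORARY, ev, endpoint, NOW + timedelta(days=days_from_now))

if __name__ == "__main__":
    print(decide("windows", "disk", "1234", "0001", "S1", "fin-01"))  # ('ro', 'profile exception in finance-no-storage')
```

Running `decide` for the same vendor on `fin-01` and `eng-01` shows why ordering matters: `fin-01` is targeted by both policies, so only the first one (and its Exceptions Profile) is consulted, while `eng-01` falls through to the second. The temporary exception for vendor `9999` stops matching once its time frame has passed and the endpoint reverts to whatever the policy hierarchy says.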

Add a Custom Device Class

(Windows only) You can include custom USB-connected device classes beyond Disk Drives, CD-ROM Drives, Windows Portable Devices, and Floppy Disk Drives, such as USB-connected network adapters. When you create a custom device class, you must supply Cortex XDR the official ClassGuid identifier used by Microsoft. Alternatively, if you configured a GUID value for a specific USB-connected device, you must use this value for the new device class. After you add a custom device class, you can view it in Device Management and enforce any device control rules and exceptions on this device class.
To create a custom USB-connected device class:
  1. Go to Endpoints > Policy Management > Settings > Device Management.
     This is the list of all your custom USB-connected device classes.
  2. Create the new device class.
     Select + New Device. Set a Name for the new device class and supply a valid and unique GUID as the Identifier. For each GUID value you can define only one class type.
  3. Save.
     The new device class is now available in Cortex XDR like all other device classes.
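The GUID requirement in step 2 (a valid identifier, unique, and one class type per GUID) is easy to get wrong when values are pasted with different casing or braces. The following Python check is an added example, not Cortex XDR code. The four built-in class GUIDs and the Net class GUID it uses are Microsoft's published system-defined device setup class values, which this page does not list, so confirm them against Microsoft's documentation before relying on them; the registry class, its method names, and the placeholder GUID for the in-house device are assumptions.

```python
import re

# Canonical Windows setup-class GUID: 8-4-4-4-12 hex digits, optionally wrapped in braces.
_GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?$", re.IGNORECASE)

# Setup classes the built-in device-type groups already cover. These are Microsoft's
# system-defined ClassGuid values (not from the Cortex XDR page); verify before use.
BUILTIN_CLASSES = {
    "4d36e967-e325-11ce-bfc1-08002be10318": "Disk Drives",
    "4d36e965-e325-11ce-bfc1-08002be10318": "CD-ROM Drives",
    "4d36e980-e325-11ce-bfc1-08002be10318": "Floppy Disk Drives",
    "eec5ad98-8080-11d3-bea0-00a0c9d36b1a": "Windows Portable Devices",
}

def normalize_guid(value: str) -> str:
    """Return the GUID in canonical lowercase form without braces, or raise ValueError."""
    text = value.strip()
    match = _GUID_RE.match(text)
    # Reject an unbalanced brace (the regex alone would accept "{guid" or "guid}").
    if not match or text.count("{") != text.count("}"):
        raise ValueError(f"not a valid ClassGuid: {value!r}")
    return match.group(1).lower()

class DeviceClassRegistry:
    """Custom device classes keyed by ClassGuid; one class type per GUID, as the page requires."""

    def __init__(self):
        self._by_guid = {}

    def add(self, name: str, guid: str) -> str:
        key = normalize_guid(guid)
        if key in BUILTIN_CLASSES:
            raise ValueError(f"{key} is the built-in {BUILTIN_CLASSES[key]} class; "
                             "control it through the Configuration Profile instead")
        if key in self._by_guid:
            raise ValueError(f"{key} is already defined as {self._by_guid[key]!r}")
        self._by_guid[key] = name
        return key

    def lookup(self, guid: str):
        """Class name for a GUID reported by the OS, or None if no custom class covers it."""
        return self._by_guid.get(normalize_guid(guid))

    def __len__(self) -> int:
        return len(self._by_guid)

def build_sample_registry() -> DeviceClassRegistry:
    """Constructed sample: Microsoft's Net setup class (USB network adapters) plus a
    placeholder GUID standing in for one an administrator assigned to an in-house device."""
    reg = DeviceClassRegistry()
    reg.add("USB network adapters", "{4d36e972-e325-11ce-bfc1-08002be10318}")
    reg.add("Lab USB programmer", "01234567-89AB-CDEF-0123-456789ABCDEF")  # placeholder GUID
    return reg
```

Normalizing before comparison is what makes the uniqueness rule meaningful: `{4D36E972-...}` and `4d36e972-...` are the same class, and a registry that stored the raw strings would accept both.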

Add a Custom User Notification

(Requires a Cortex XDR agent 7.5 or a later release for Windows) You can personalize the Cortex XDR notification pop-up that appears on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode. To edit the notifications, refer to the Agent Settings Profile.
