Automatically Quarantine a Device

You can automatically quarantine a device using a log forwarding profile with a security policy rule or HIP match log settings.
  • To quarantine a device using a log forwarding profile, complete the following steps.
    1. Select Object > Log Forwarding and either Add a new log forwarding profile or select an existing profile to modify it.
    2. Add a Log Forwarding Profile Match List and, in the Built-in Actions section, select Quarantine.
      Specify a Log Type of GlobalProtect, Threat, or Traffic.
      If you specify a Log Type of Threat or Traffic, make sure that a Host ID is associated with a device by creating a security policy rule that has Quarantine as the Source Device for Source traffic, in order to add the Host ID. Without a Host ID, you cannot add a device to the quarantine list.
      The following example uses a Log Type of Threat and a severity of critical. After you add this profile to a security policy and these criteria are matched, the firewall adds the devices from which this traffic originated to the quarantine list.
      After you add the match list, the log forwarding profile displays Quarantine under Built-In Actions.
    3. Select Policies > Security and Add a security policy.
    4. Select Actions, then select the Log Forwarding profile you created.
  • To automatically quarantine a device using HIP Match log settings, select Device > Log Settings > HIP Match and Add a log setting with a Built-In Actions of Quarantine.
    The following log setting has a Filter with a host ID of 08708f38-27de-94d1-b41f-10e48752567g. If the HIP Match logs find a match for that host ID, this log setting adds that device to the quarantine list. Unlike a log forwarding profile, you do not need to attach this log setting to a security policy for it to take effect.
