Automatically Quarantine a Device

You can automatically quarantine a device using a log forwarding profile with a security policy rule or HIP match log settings.
  • To quarantine a device using a log forwarding profile, complete the following steps.
    1. Select Object > Log Forwarding and either Add a new log forwarding profile or select an existing profile to modify it.
    2. Add a Log Forwarding Profile Match List and, in the Built-in Actions section, select Quarantine.
       Specify a Log Type of GlobalProtect, Threat, or Traffic.
       If you specify a Log Type of Threat or Traffic, make sure that a Host ID is associated with a device by creating a security policy rule that has Quarantine as the Source Device for Source traffic, in order to add the Host ID. Without a Host ID, you cannot add a device to the quarantine list.
       The following example uses a Log Type of Threat and a severity of critical. After you add this profile to a security policy and these criteria are matched, the firewall adds the devices from which this traffic originated to the quarantine list.
       After you add the match list, the log forwarding profile displays Quarantine under Built-In Actions.
    3. Select Policies > Security and Add a security policy.
    4. Select Actions, then select the Log Forwarding profile you created.
  • To automatically quarantine a device using HIP Match log settings, select Device > Log Settings > HIP Match and Add a log setting with a Built-In Actions of Quarantine.
    The following log setting has a Filter with a host ID of 08708f38-27de-94d1-b41f-10e48752567g. If the HIP Match logs find a match for that host ID, this log setting adds that device to the quarantine list. Unlike a log forwarding profile, you do not need to attach this log setting to a security policy for it to take effect.
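
The log forwarding procedure above has two preconditions that are easy to miss: the profile only sees logs from security policy rules it is attached to, and a matching log without a Host ID cannot add a device to the quarantine list. The following is an added example, not PAN-OS code or part of the original page, that models that decision so you can see which events would be missed; the record fields, rule names and host IDs are hypothetical and constructed for illustration.

```python
# Simplified model of the decision described above; NOT PAN-OS code.
# Field names and sample records are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogEntry:
    log_type: str            # "threat", "traffic" or "globalprotect"
    severity: str
    rule: str                # security policy rule that generated the log
    host_id: Optional[str]   # None: no Host ID associated with the device


@dataclass
class MatchList:
    log_type: str
    severity: str            # built-in action is assumed to be Quarantine


def evaluate(entries, match, rules_with_profile):
    """Return (quarantine_list, missed) for a profile attached to the given rules."""
    quarantined, missed = [], []
    for e in entries:
        if e.rule not in rules_with_profile:
            continue         # profile not attached to this rule: log never evaluated
        if (e.log_type, e.severity) != (match.log_type, match.severity):
            continue         # match list criteria not met
        if e.host_id is None:
            missed.append(e)  # criteria met, but nothing to add to the list
        elif e.host_id not in quarantined:
            quarantined.append(e.host_id)
    return quarantined, missed


SAMPLE = [  # constructed records
    LogEntry("threat", "critical", "allow-vpn-users", "host-0001"),
    LogEntry("threat", "critical", "allow-vpn-users", None),
    LogEntry("threat", "high", "allow-vpn-users", "host-0002"),
    LogEntry("threat", "critical", "allow-guest", "host-0003"),
    LogEntry("threat", "critical", "allow-vpn-users", "host-0001"),
]

if __name__ == "__main__":
    listed, missed = evaluate(SAMPLE, MatchList("threat", "critical"), {"allow-vpn-users"})
    print("quarantine list:", listed)
    print("matched without Host ID:", len(missed))
```

Entries returned in the second list are the ones to investigate: they met the match criteria but came from devices with no Host ID.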
