Use GlobalProtect and Security Policies to Block Access to Quarantined Devices

You can prevent users from logging into GlobalProtect from a quarantined device by configuring gateway authentication. In addition, you can block a quarantined device from sending or receiving traffic in the network by specifying options in a security policy rule. Use the following tasks to block GlobalProtect users or manage network access for a quarantined device.
  • To block users from logging in to GlobalProtect from a quarantined device, configure GlobalProtect gateway authentication (Network > GlobalProtect > Gateways > gateway-configuration > Authentication) and select Block login for quarantined devices.
    If a user attempts to log in from a quarantined device to a gateway that has Block login for quarantined devices enabled, the GlobalProtect app notifies the user that the device is quarantined and the user cannot log in from that device. If this setting is not enabled, the user receives the notification but is able to log in from that device.
  • To block access from a quarantined device using a security policy rule, specify Quarantine for either source or destination traffic; then, specify an action that blocks the quarantined device.
    Specifying Quarantine in a security policy rule means that the rule uses devices in the quarantine list as the match criteria, whether you specify Quarantine as the Source Device for Source traffic or as the Destination Device for Destination traffic. The following example shows a source Device of Quarantine, a destination IP address of the HQ server, and an action of Deny. With this security policy rule, any devices in the quarantine list will not be able to access the HQ server.
    For a quarantined device to be valid in a policy on a firewall, a GlobalProtect user must successfully log in to GlobalProtect from the quarantined device, and the firewall must be aware of that login event. If the firewall is configured as a GlobalProtect gateway, the user can log in to that gateway from the quarantined device to validate the device in the policy. After a user successfully logs in to a gateway from a quarantined device, the gateway enforces the policy, and you can redistribute the quarantined device information and have it enforced in a policy on any firewall or gateway in your network. If the user is blocked from logging in to the gateway (for example, if you have selected Block login for quarantined devices in the gateway configuration), that login is not counted as a successful login.
