Identification and Quarantine of Compromised Devices Overview and License Requirements

Learn about how you can quarantine devices using GlobalProtect and block users from logging in to them on your network.
GlobalProtect makes it easier for you to block compromised devices from your network by identifying a compromised device with its Host ID and, optionally, serial number instead of its source IP address. This ability can be preferable to blocking a compromised endpoint from a network based on its IP address, because if a device’s IP address changes (for example, if a user moves their endpoint from a work location to their home), security policies based on IP addresses could allow the endpoint back on the network.
After you identify a device as compromised (for example, if a device has been infected with malware and is performing command-and-control actions), you can manually add the device’s Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device. You can also automatically quarantine the device using log forwarding profiles with security policies or HIP Match log settings.
Before you begin to quarantine devices, make sure that your GlobalProtect users are running a minimum GlobalProtect app version of 5.1. In addition, make sure that a valid GlobalProtect subscription license is present on the firewall in order for the firewall to be able to add compromised devices to the quarantine list. The GlobalProtect subscription license requirements for this feature are enforced as described in the following list.
  • The firewall requires a GlobalProtect subscription license to manually or automatically add devices to the quarantine list. You receive the following error message if you attempt to add a device without a license:
    The device cannot be quarantined. You must have a valid GlobalProtect subscription to add the device to the quarantine list.
    However, you can delete quarantined devices from the quarantine list without a license.
  • If your GlobalProtect subscription license expires, the quarantine list is retained and not deleted.
    GlobalProtect performs a license check hourly.
  • If you do not have a valid GlobalProtect license and one of the following conditions is true, your firewall or Panorama displays a warning message when you commit the change:
    • You selected Quarantine List in a Data Redistribution Agent.
    • You selected Quarantine as a built-in action for a Log Forwarding Profile.
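The following added example (not Palo Alto Networks code) models the two admission checks contrasted above, source IP versus Host ID, for a compromised endpoint that changes address, and the license rule from the list: adding to the quarantine list needs a subscription, deleting does not. Host IDs, serials, IP addresses and the matching rule for an optional serial are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Attempt:
    """One gateway connection attempt (constructed sample data)."""
    host_id: str
    src_ip: str
    serial: Optional[str] = None

@dataclass
class Gateway:
    # Quarantine list keyed by Host ID; the optional serial narrows the match
    # (assumption: an entry with no serial matches every device with that Host ID).
    quarantine_list: dict = field(default_factory=dict)
    blocked_ips: set = field(default_factory=set)  # legacy source-IP list, for comparison
    licensed: bool = True

    def add_quarantine(self, host_id: str, serial: Optional[str] = None) -> None:
        # Adding needs a valid GlobalProtect subscription; deleting does not.
        if not self.licensed:
            raise PermissionError("The device cannot be quarantined. You must have a "
                                  "valid GlobalProtect subscription to add the device "
                                  "to the quarantine list.")
        self.quarantine_list[host_id] = serial

    def remove_quarantine(self, host_id: str) -> None:
        self.quarantine_list.pop(host_id, None)  # works with or without a license

    def admit_by_ip(self, a: Attempt) -> bool:
        return a.src_ip not in self.blocked_ips

    def admit_by_host_id(self, a: Attempt) -> bool:
        if a.host_id not in self.quarantine_list:
            return True
        wanted = self.quarantine_list[a.host_id]
        return wanted is not None and wanted != a.serial  # serial recorded but differs

def roaming_device_scenario() -> dict:
    """Compromised device H-1 connects from the office, then from home."""
    gw = Gateway()
    office = Attempt("H-1", "10.1.1.5", "SN-1")
    gw.blocked_ips.add(office.src_ip)   # IP-based rule written at detection time
    gw.add_quarantine(office.host_id)   # Host ID-based quarantine entry
    home = Attempt("H-1", "192.168.0.7", "SN-1")  # same endpoint, new address
    return {"office_ip": gw.admit_by_ip(office), "office_hid": gw.admit_by_host_id(office),
            "home_ip": gw.admit_by_ip(home), "home_hid": gw.admit_by_host_id(home)}
```

The IP-based check lets the endpoint back in once its address changes, while the Host ID check keeps it out; a lapsed license keeps the list and still allows removals.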
