Identification and Quarantine of Compromised Devices Overview and
Learn about how you can quarantine devices using GlobalProtect
and block users from logging in to them on your network.
GlobalProtect makes it easier for you to block compromised
devices from your network by identifying a compromised device with
its Host ID and,
optionally, serial number instead of its source IP address. This
ability can be preferable to blocking a compromised endpoint from
a network based on its IP address, because if a device’s IP address
changes (for example, if a user moves their endpoint from a work
location to their home), security policies based on IP addresses
could allow the endpoint back on the network.
After you identify a device as compromised (for example, if a
device has been infected with malware and is performing command
and control actions), you can manually add the device’s Host ID
to a quarantine list and configure GlobalProtect to prevent users
from connecting to the GlobalProtect gateway from a quarantined device.
You can also automatically quarantine the device using log forwarding profiles with
security policies or HIP Matchlog settings.
Before you begin to quarantine devices, make sure that your GlobalProtect users
are running a minimum GlobalProtect app version of 5.1. In addition,
make sure that a valid GlobalProtect subscription license is present
on the firewall in order for the firewall to be able to add compromised
devices to the quarantine list. The GlobalProtect subscription license
requirements for this feature are enforced as described in the following
The firewall requires a GlobalProtect subscription license
to manually or automatically add devices to the quarantine list.
You receive the following error message if you attempt to add a
device without a license:
The device cannot be quarantined. You must have a valid GlobalProtect subscription to add the device to the quarantine list.
you can delete quarantined devices from the quarantine list without
If your GlobalProtect subscription license expires, the quarantine
list is retained and not deleted.
GlobalProtect performs a
license check hourly.
If you do not have a valid GlobalProtect license and one
of the following conditions is true, your firewall or Panorama displays
a warning message when you commit the change: