Manually Add and Delete Devices From the Quarantine List
You can manually add a device to the quarantine list from
the quarantine pages; from the GlobalProtect, Threat, Traffic, or Unified logs; or by using
an API. You can also manually delete the device from the quarantine
pages, as shown in the following steps.
To manually add a device to the quarantine
list from the
of the device. GlobalProtect
uses the Host ID to identify the device.
) To add Host ID information
to the Traffic, Threat, and Unified logs, select
security policy rule; then, select
Host ID is required to add a device to the quarantine list. When
a user connects to the network with the GlobalProtect app, GlobalProtect
automatically adds Host ID information for the connected endpoint
to the GlobalProtect log. The host ID value varies by endpoint type:
Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
macOS—MAC address of the first built-in physical network
Chrome—GlobalProtect-assigned unique alphanumeric string with a length of 32 characters.
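The following added example (not part of the original documentation or of any Palo Alto Networks tooling) checks a mixed list of candidate Host IDs against the three formats listed above before anyone submits them to the quarantine list. The function names, the accepted MAC separators, the case-insensitive matching, and the sample values are assumptions made for this example.

```python
import re

# Formats per the Host ID list above; accepted separators and case are assumptions.
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_MAC = re.compile(r"^[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}$")
_CHROME = re.compile(r"^[0-9a-z]{32}$")


def classify_host_id(raw):
    """Return (endpoint_type, comparison_key); endpoint_type is None if no format matches."""
    value = raw.strip().lower()
    if _GUID.match(value):
        return "windows", value
    if _MAC.match(value):
        # One separator for comparison, so the same adapter is not listed twice.
        return "macos", value.replace("-", ":")
    if _CHROME.match(value):
        # A GUID with its hyphens stripped would also land here; check such entries by hand.
        return "chrome", value
    return None, value


def triage(candidates):
    """Split candidates into unique well-formed host IDs (as first seen) and rejects."""
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        kind, key = classify_host_id(raw)
        if kind is None:
            rejected.append(raw.strip())
        elif key not in seen:
            seen.add(key)
            accepted.append((kind, raw.strip()))
    return accepted, rejected


# Constructed sample values, not taken from any real log.
SAMPLE = [
    "3F2504E0-4F89-41D3-9A0C-0305E82C3301",
    "3f2504e0-4f89-41d3-9a0c-0305e82c3301",   # same GUID, different letter case
    "A4:5E:60:C1:22:9B",
    "a4-5e-60-c1-22-9b",                       # same MAC, different separator
    "k3j9x0q7m2b8v5n1c6z4l0p9w8e7r6t5",
    "LAPTOP-FINANCE-07",                       # hostname pasted by mistake
    "10.1.20.44",                              # IP address, not a host ID
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print(ok, bad)
```

Accepted entries keep the spelling in which they were first seen, so the value submitted to the quarantine list is the one that appeared in the log; the lowercase key is used only to detect duplicates.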
If you do not know the
host ID, you can correlate the user-ID to the host ID in the HIP
Filter the HIP match logs for the source user associated
with the endpoint.
Open the HIP match log and identify the host ID under
optionally the hostname under
GlobalProtect to automatically add Host ID information to the Traffic, Threat,
or Unified logs, you must add a policy rule that has
for source traffic.
To make sure that you are adding the Host ID
for all devices you want to quarantine (either manually or automatically),
create a security policy that allows all traffic and specify
. This policy works regardless of where you place it
in the list of policies.
with the device and click
column does not display, select
the header of any column and then select the