Focus

GlobalProtect

Manually Add and Delete Devices From the Quarantine List

Table of Contents

Filter

Expand All | Collapse All

GlobalProtect Docs

Administration
Version
- 10.1 & Later
- 9.1 (EoL)
User Guide
Version
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
New Feature
Version
- 6.1
- 6.0
- 5.1
Release Notes
Version
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1

View Quarantined Device Information

Automatically Quarantine a Device

Manually Add and Delete Devices From the Quarantine List

Learn how to manually add devices to the quarantine list from various pages or logs or using the Host ID to identify the device.

You can add a device manually from either the quarantine pages, from the GlobalProtect, Threat, Traffic, or Unified logs, or by using an API. You can also manually delete the device from the quarantine pages, as shown in the following steps.

To manually add a device to the quarantine list from the Device Quarantine page, select DeviceDevice Quarantine or PanoramaDevice Quarantine and Add the device.
Add the Host ID and, optionally, the Serial Number of the device. GlobalProtect uses the Host ID to identify the device.
To add a device to the quarantine list from the GlobalProtect, Threat, Traffic, or Unified logs, complete the following steps.
1. (Threat, Traffic, and Unified Logs Only) To add Host ID information to the Traffic, Threat, and Unified logs, select PoliciesSecurity and Add a security policy rule; then, select Quarantine as the Source Device for Source traffic.
  A Host ID is required to add a device to the quarantine list. When a user connects to the network with the GlobalProtect app, GlobalProtect automatically adds Host ID information for the connected endpoint to the GlobalProtect log. The host ID value varies by endpoint type:
  - Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
  - macOS—MAC address of the first built-in physical network interface
  - Android—Android ID
  - iOS—UDID
  - Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters.
  If you do not know the host ID, you can correlate the user-ID to the host ID in the HIP Match logs:
  - Select MonitorLogsHIP Match.
  - Filter the HIP match logs for the source user associated with the endpoint.
  - Open the HIP match log and identify the host ID under OSHost ID and optionally the hostname under Host InformationMachine Name.
  For GlobalProtect to automatically add Host ID information to the Traffic, Threat, or Unified logs, you must add a policy rule that has Quarantine selected for source traffic.
  
  To make sure that you are adding the Host ID for all devices you want to quarantine (either manually or automatically), create a security policy that allows all traffic and specify Quarantine as the Source Device. It does not matter what order you place this policy in the list of policies for it to work.
2. Right-click the Host ID associated with the device and click Block Device.
  
  If the Host ID column does not display, select the header of any column and then select the Host ID field to display the Host ID.
To create an API to manually add the devices, see the instructions in the PAN-OS and Panorama API Usage Guide.
After your administrator has performed remediation on the device, you can delete it from the list by selecting DeviceDevice Quarantine for next-generation firewalls or PanoramaDevice Quarantine for Panorama appliances, selecting one or more devices, then selecting Delete.

View Quarantined Device Information

Automatically Quarantine a Device

GlobalProtect Docs

Manually Add and Delete Devices From the Quarantine List

GlobalProtect Docs

Manually Add and Delete Devices From the Quarantine List

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Experts Corner