GlobalProtect
Manually Add and Delete Devices From the Quarantine List
Table of Contents
Manually Add and Delete Devices From the Quarantine List
Learn how to manually add devices to the quarantine list from various pages or logs
or using the Host ID to identify the device.
You can add a device manually from either
the quarantine pages, from the GlobalProtect, Threat, Traffic, or Unified logs, or by using
an API. You can also manually delete the device from the quarantine
pages, as shown in the following steps.
- To manually add a device to the quarantine list from theDevice Quarantinepage, select or andAddthe device.Add theHost IDand, optionally, theSerial Numberof the device. GlobalProtect uses the Host ID to identify the device.
- To add a device to the quarantine list from the GlobalProtect, Threat, Traffic, or Unified logs, complete the following steps.
- (Threat, Traffic, and Unified Logs Only) To add Host ID information to the Traffic, Threat, and Unified logs, select andAdda security policy rule; then, selectQuarantineas theSource DeviceforSourcetraffic.A Host ID is required to add a device to the quarantine list. When a user connects to the network with the GlobalProtect app, GlobalProtect automatically adds Host ID information for the connected endpoint to the GlobalProtect log. The host ID value varies by endpoint type:
- Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
- macOS—MAC address of the first built-in physical network interface
- Android—Android ID
- iOS—UDID
- Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters.
If you do not know the host ID, you can correlate the user-ID to the host ID in the HIP Match logs:- Select .
- Filter the HIP match logs for the source user associated with the endpoint.
- Open the HIP match log and identify the host ID under and optionally the hostname under .
For GlobalProtect to automatically add Host ID information to the Traffic, Threat, or Unified logs, you must add a policy rule that hasQuarantineselected for source traffic.
To make sure that you are adding the Host ID for all devices you want to quarantine (either manually or automatically), create a security policy that allows all traffic and specifyQuarantineas theSource Device. It does not matter what order you place this policy in the list of policies for it to work.
- Right-click theHost IDassociated with the device and clickBlock Device.
If theHost IDcolumn does not display, select the header of any column and then select theHost IDfield to display the Host ID.
- To create an API to manually add the devices, see the instructions in the PAN-OS and Panorama API Usage Guide.
- After your administrator has performed remediation on the device, you can delete it from the list by selecting for next-generation firewalls or for Panorama appliances, selecting one or more devices, then selectingDelete.