Block Device Access

In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.
A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 devices per location. Therefore, you can create separate device block lists for each location hosting a GlobalProtect deployment.
  1. Identify the host ID for the endpoints you want to block.
    The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
    • Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
    • macOS—MAC address of the first built-in physical network interface
    • Android—Android ID
    • iOS—UDID
    • Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters
    If you do not know the host ID, you can correlate the User-ID to the host ID in the HIP Match logs:
    1. Select Monitor > Logs > HIP Match.
    2. Filter the HIP Match logs for the source user associated with the device.
    3. Open the HIP Match log and identify the host ID under OS > Host ID and, optionally, the hostname under Host Information > Machine Name.
  2. Create a device block list.
    You cannot use Panorama templates to push a device block list to firewalls.
    1. Select Network > GlobalProtect > Device Block List and Add a device block list.
    2. Enter a descriptive Name for the list.
    3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  3. Add a device to a block list.
    1. Add devices. Enter the host ID (required) and hostname (optional) for a device you need to block.
    2. Add additional devices, if needed.
    3. Click OK to save and activate the block list.
      The device list does not require a commit and is immediately active.
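As an added example (not Palo Alto Networks code), the helper below checks a prepared set of entries before they are typed into the block list: it validates the host ID shape per device type, removes duplicate host IDs within a location, and flags any location that exceeds the 1,000-device limit. The GUID and MAC-address patterns are standard formats assumed from the host ID descriptions above, and the sample entries are constructed.

```python
import re
from dataclasses import dataclass

MAX_DEVICES_PER_LOCATION = 1000  # per-location limit stated in the documentation
# Host ID shapes by device type: Windows is the MachineGuid (GUID), macOS the MAC
# address of the first built-in interface, Chrome a 32-character alphanumeric
# string. Android ID and iOS UDID are only checked for presence here.
HOST_ID_PATTERNS = {
    "windows": re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),
    "macos": re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "chrome": re.compile(r"^[A-Za-z0-9]{32}$"),
    "android": re.compile(r"^\S+$"),
    "ios": re.compile(r"^\S+$"),
}

@dataclass(frozen=True)
class BlockEntry:
    location: str       # vsys name or "shared"
    device_type: str
    host_id: str
    hostname: str = ""  # optional, as in the block list UI

def validate_block_lists(entries):
    """Group host IDs per location, drop duplicates and malformed IDs, and flag
    locations over the device limit. Returns (lists, errors)."""
    lists, errors, seen = {}, [], set()
    for e in entries:
        pattern = HOST_ID_PATTERNS.get(e.device_type.lower())
        if pattern is None or not pattern.match(e.host_id):
            errors.append(f"{e.location}: malformed {e.device_type} host ID {e.host_id!r}")
            continue
        key = (e.location.lower(), e.host_id.lower())
        if key in seen:
            continue  # same device entered twice for the same location
        seen.add(key)
        lists.setdefault(e.location.lower(), []).append(e.host_id)
    for loc, ids in lists.items():
        if len(ids) > MAX_DEVICES_PER_LOCATION:
            errors.append(f"{loc}: {len(ids)} devices exceeds {MAX_DEVICES_PER_LOCATION}")
    return lists, errors

# Constructed sample entries (not real devices): one duplicate, one malformed.
SAMPLE_ENTRIES = [
    BlockEntry("vsys1", "windows", "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "lost-laptop"),
    BlockEntry("vsys1", "windows", "3F2504E0-4F89-11D3-9A0C-0305E82C3301"),
    BlockEntry("vsys1", "macos", "00:11:22:33:44:55", "stolen-macbook"),
    BlockEntry("vsys2", "chrome", "ab12" * 8),
    BlockEntry("vsys2", "ios", ""),
]
```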