Block Device Access

In the event that a user loses a device that provides GlobalProtect access to your network, that device is stolen, or a user leaves your organization, you can block the device from gaining access to the network by placing the device in a block list.
A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 devices per location. Therefore, you can create separate device block lists for each location hosting a GlobalProtect deployment.
  1. Identify the host ID for the endpoints you want to block.
    The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
    • Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
    • macOS—MAC address of the first built-in physical network interface
    • Android—Android ID
    • iOS—UDID
    • Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters
    If you do not know the host ID, you can correlate the user-ID to the host ID in the HIP Match logs:
    1. Select Monitor > Logs > HIP Match.
    2. Filter the HIP match logs for the source user associated with the device.
    3. Open the HIP match log and identify the host ID under OS > Host ID and optionally the hostname under Host Information > Machine Name.
      (Figure: HIP Match log details)
  2. Create a device block list.
    You cannot use Panorama templates to push a device block list to firewalls.
    1. Select Network > GlobalProtect > Device Block List and Add a device block list.
    2. Enter a descriptive Name for the list.
    3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  3. Add a device to a block list.
    (Figure: Device Block List dialog)
    1. Add devices. Enter the host ID (required) and hostname (optional) for a device you need to block.
    2. Add additional devices, if needed.
    3. Click OK to save and activate the block list.
      The device list does not require a commit and is immediately active.
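The following is an added helper, not part of the GlobalProtect documentation or product, that shows the correlation in step 1 and the constraints in step 3 as code: it pulls host IDs for one source user out of a HIP Match log export, checks each host ID against the shape expected for its platform, and refuses to grow a location's list past 1,000 devices. The CSV column names, the sample rows, and the Android and iOS ID formats are assumptions; only the Windows, macOS and Chrome formats and the 1,000-device limit come from the page.

```python
import csv
import io
import re

# Windows (MachineGuid), macOS (MAC address) and Chrome (32 alphanumerics) follow the page.
# Android ID (16 hex chars) and iOS UDID (40 hex, or 8-16 hex on newer devices) are assumptions.
HOST_ID_PATTERNS = {
    "Windows": re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),
    "macOS": re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "Android": re.compile(r"^[0-9a-f]{16}$", re.I),
    "iOS": re.compile(r"^([0-9a-f]{40}|[0-9a-f]{8}-[0-9a-f]{16})$", re.I),
    "Chrome": re.compile(r"^[A-Za-z0-9]{32}$"),
}
MAX_PER_LOCATION = 1000  # per-location block list limit stated on the page


def host_id_is_valid(os_name, host_id):
    """True if host_id has the shape GlobalProtect uses for that platform."""
    pattern = HOST_ID_PATTERNS.get(os_name)
    return bool(pattern and pattern.match(host_id))


def find_host_ids(hip_csv, user):
    """Return os / host ID / machine name for every HIP Match row of one source user."""
    rows = csv.DictReader(io.StringIO(hip_csv))
    return [{"os": r["OS"], "host_id": r["Host ID"], "machine": r["Machine Name"]}
            for r in rows if r["Source User"].lower() == user.lower()]


def build_block_list(existing, candidates):
    """Merge validated host IDs into one location's list; return (accepted, rejected)."""
    accepted, rejected = list(existing), []
    for c in candidates:
        if not host_id_is_valid(c["os"], c["host_id"]):
            rejected.append((c["host_id"], "not a %s host ID" % c["os"]))
        elif c["host_id"] in accepted:
            continue  # already on the list, nothing to do
        elif len(accepted) >= MAX_PER_LOCATION:
            rejected.append((c["host_id"], "location list already holds 1,000 devices"))
        else:
            accepted.append(c["host_id"])
    return accepted, rejected


# Constructed sample export; the header names are an assumption, not the firewall's exact CSV layout.
SAMPLE_HIP_CSV = """Source User,OS,Host ID,Machine Name
acme\\jdoe,Windows,3f2504e0-4f89-11d3-9a0c-0305e82c3301,JDOE-LAPTOP
acme\\asmith,macOS,a4:83:e7:12:34:56,ASMITH-MBP
acme\\jdoe,iOS,00008030-001A2B3C4D5E6F70,JDOE-IPHONE
"""

if __name__ == "__main__":
    print(build_block_list([], find_host_ids(SAMPLE_HIP_CSV, "acme\\jdoe")))
```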
