Block Endpoint Access

In the event that a user loses an endpoint that provides GlobalProtect access to your network, that endpoint is stolen, or a user leaves your organization, you can block the endpoint from gaining access to the network by placing the endpoint in a block list.
A block list is local to a logical network location (vsys1, for example) and can contain a maximum of 1,000 endpoints per location. You can therefore create a separate block list for each location that hosts a GlobalProtect deployment.
  1. Identify the host ID for the endpoints you want to block.
    The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by endpoint type:
    • Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
    • macOS—MAC address of the first built-in physical network interface
    • Android—Android ID
    • iOS—UDID
    • Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters
    If you do not know the host ID, you can correlate the user-ID to the host ID in the HIP Match logs:
    1. Select Monitor > Logs > HIP Match.
    2. Filter the HIP match logs for the source user associated with the endpoint.
    3. Open the HIP match log and identify the host ID under OS > Host ID and optionally the hostname under Host Information > Machine Name.
      (Screenshot: HIP Match log details)
  2. Create a device block list.
    You cannot use Panorama templates to push a device block list to firewalls.
    1. Select Network > GlobalProtect > Device Block List and Add a device block list.
    2. Enter a descriptive Name for the list.
    3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  3. Add a device to a block list.
    (Screenshot: Device Block List)
    1. Add endpoints. Enter the host ID (required) and hostname (optional) for the endpoint that you need to block.
    2. Add additional endpoints, if needed.
    3. Click OK to save and activate the block list.
      The device block list does not require a commit and is immediately active.
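The lookup in step 1 and the per-location limit in step 2 can be rehearsed offline. The following is an added example, not code from the GlobalProtect documentation: it correlates source users to host IDs in a constructed HIP Match log export and merges the results into a block list while enforcing the 1,000-entry cap. The CSV column names (`srcuser`, `os`, `hostid`, `machinename`) are assumptions, not a verified PAN-OS export format.

```python
import csv
import io

# Constructed sample HIP Match log export. Column names are an assumption,
# not a verified PAN-OS export layout; host IDs are made up.
SAMPLE_HIP_MATCH_CSV = """srcuser,os,hostid,machinename
acme\\jdoe,Microsoft Windows 10,1a2b3c4d-0000-1111-2222-333344445555,JDOE-LAPTOP
acme\\asmith,Apple Mac OS X,00:1c:42:00:00:01,asmith-mbp
acme\\jdoe,Android 12,9f8e7d6c5b4a3210,jdoe-phone
"""

MAX_ENTRIES_PER_LOCATION = 1000  # cap per location stated in the procedure


def host_ids_for_users(csv_text, users):
    """Return {host_id: machine_name} for every HIP Match record whose source
    user is in `users` (case-insensitive). A departing user may own several
    endpoints, so all of them are returned, not just the first match."""
    wanted = {u.lower() for u in users}
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["srcuser"].lower() in wanted and row["hostid"]:
            found[row["hostid"]] = row.get("machinename", "")
    return found


def build_block_list(existing, new_entries):
    """Merge new entries into one location's block list.

    Mirrors the GUI rules: the host ID is required, the hostname is optional,
    and a location holds at most MAX_ENTRIES_PER_LOCATION endpoints.
    Returns (merged_block_list, rejected) where rejected is a list of
    (host_id, reason) tuples so the operator can see what was not added."""
    merged = dict(existing)
    rejected = []
    for host_id, hostname in new_entries.items():
        if not host_id:
            rejected.append((host_id, "missing host ID"))
        elif host_id in merged:
            continue  # already blocked; nothing to do
        elif len(merged) >= MAX_ENTRIES_PER_LOCATION:
            rejected.append((host_id, "location block list is full"))
        else:
            merged[host_id] = hostname
    return merged, rejected
```

Because a device block list takes effect without a commit, review the `rejected` output before adding the merged entries in the GUI so that a silently dropped endpoint is not mistaken for a blocked one.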
