If a user loses an endpoint that provides GlobalProtect access to your network,
if that endpoint is stolen, or if a user leaves your organization, you can block
the endpoint from gaining access to the network by placing it in a block list.
A block list is local to a logical network location (vsys1, for example) and
can contain a maximum of 1,000 endpoints per location. You can therefore create
a separate block list for each location that hosts a GlobalProtect deployment.
Identify the host ID for the endpoints you want
The host ID is a unique ID that GlobalProtect assigns to
identify the host. The host ID value varies by endpoint type:
Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
macOS—MAC address of the first built-in physical network
Chrome—a unique 32-character alphanumeric string assigned by GlobalProtect
If you do not know the host ID, you can correlate the user ID with the host ID
in the HIP Match logs:
Filter the HIP Match logs for the source user associated with the endpoint.
Open the HIP Match log entry and identify the host ID under
and, optionally, the hostname under
Create a device block list.
You cannot use Panorama templates to push a device
block list to firewalls.
Device Block List
device block list.
Enter a descriptive
For a firewall with more than one virtual system (vsys),
the profile is available.
Add a device to a block list.
the host ID (
) and hostname (
for the endpoint that you need to block.
additional endpoints, if needed.
to save and activate
the block list.
The device block list does not require a commit and
is immediately active.
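The host ID formats, the HIP Match log correlation and the 1,000-entries-per-location limit described above, as an added Python example that is not part of the GlobalProtect documentation or product: it validates a host ID against the shape expected for its endpoint type, filters HIP Match rows by source user, and groups block-list entries per vsys under the cap. The log column names (srcuser, hostid, hostname), the colon-separated MAC notation for macOS, and the sample rows are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Host ID formats by endpoint type, as listed above: Windows uses the registry MachineGuid (a GUID),
# macOS the MAC address of the first built-in physical interface, Chrome a 32-character alphanumeric string.
HOST_ID_PATTERNS = {
    "windows": re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),
    "macos": re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),  # colon-separated MAC assumed
    "chrome": re.compile(r"^[0-9a-z]{32}$", re.I),
}
MAX_PER_LOCATION = 1000  # a device block list holds at most 1,000 endpoints per vsys

# Constructed HIP Match rows; the column names (srcuser, hostid, hostname) are assumed, not from the page.
SAMPLE_HIP_ROWS = [
    {"srcuser": "acme\\jdoe", "hostid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "hostname": "JDOE-LAPTOP"},
    {"srcuser": "acme\\jdoe", "hostid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "hostname": "JDOE-LAPTOP"},
    {"srcuser": "acme\\asmith", "hostid": "a4:83:e7:12:34:56", "hostname": "asmith-mbp"},
]

def valid_host_id(endpoint_type, host_id):
    """True if host_id has the shape GlobalProtect assigns for this endpoint type."""
    pattern = HOST_ID_PATTERNS.get(endpoint_type.lower())
    return bool(pattern and pattern.match(host_id))

def host_ids_for_user(rows, user):
    """The manual log step: filter HIP Match rows by source user, return distinct (host ID, hostname) pairs."""
    return sorted({(r["hostid"], r["hostname"]) for r in rows if r["srcuser"].lower() == user.lower()})

def build_block_lists(entries):
    """Group entries per vsys, rejecting malformed IDs, duplicates and anything past the per-location cap."""
    lists, rejected = defaultdict(list), []
    for e in entries:
        if not valid_host_id(e["type"], e["host_id"]):
            rejected.append((e["host_id"], "not a valid %s host ID" % e["type"]))
            continue
        bucket = lists[e["vsys"]]
        if any(x["host_id"] == e["host_id"] for x in bucket):
            rejected.append((e["host_id"], "already in " + e["vsys"]))
        elif len(bucket) >= MAX_PER_LOCATION:
            rejected.append((e["host_id"], e["vsys"] + " already holds 1,000 entries"))
        else:
            bucket.append({"host_id": e["host_id"], "hostname": e["hostname"]})
    return dict(lists), rejected

if __name__ == "__main__":
    found = host_ids_for_user(SAMPLE_HIP_ROWS, "acme\\jdoe")
    entries = [{"vsys": "vsys1", "type": "windows", "host_id": h, "hostname": n} for h, n in found]
    entries.append({"vsys": "vsys1", "type": "chrome", "host_id": "not-a-chrome-id", "hostname": "cb-1"})
    print(build_block_lists(entries))
```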