GlobalProtect
Block Endpoint Access
Table of Contents
Block Endpoint Access
In the event that a user loses an endpoint
that provides GlobalProtect access to your network, that endpoint
is stolen, or a user leaves your organization, you can block the
endpoint from gaining access to the network by placing the endpoint
in a block list.
A block list is local to a logical network
location (vsys, 1 for example) and can contain a maximum of 1,000
endpoints per location. Therefore, you can create separate block
lists for each location hosting a GlobalProtect deployment.
- Identify the host ID for the endpoints you want
to block.The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by endpoint type:
- Windows—Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
- macOS—MAC address of the first built-in physical network interface
- Android—Android ID
- iOS—UDID
- Chrome—GlobalProtect assigned unique alphanumeric string with length of 32 characters
If you do not know the host ID, you can correlate the user-ID to the host ID in the HIP Match logs:- Select .
- Filter the HIP match logs for the source user associated with the endpoint.
- Open the HIP match log and identify the host ID under and
optionally the hostname under .
- Create a device block list.You cannot use Panorama templates to push a device block list to firewalls.
- Select and Add a device block list.
- Enter a descriptive Name for the list.
- For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
- Add a device to a block list.
- Add endpoints. Enter the host ID (required) and hostname (optional) for the endpoint that you need to block.
- Add additional endpoints, if needed.
- Click OK to save and activate
the block list.The device block list does not require a commit and is immediately active.
