>
    Policy Object: Quarantine Device Lists
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Policy Objects
    5. Policy Object: Quarantine Device Lists
    Download PDF
    Network Security

    Policy Object: Quarantine Device Lists

    Table of Contents

    Policy Object: Quarantine Device Lists

    Identify and quarantine compromised devices that are connected with the GlobalProtect app.
    Where Can I Use This?What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS & Panorama Managed)
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    Check for any license or role requirements for the products you're using.
    Prisma Access allows you to identify and quarantine compromised devices that are connected with the GlobalProtect app. You do this by either manually or automatically adding devices to a quarantine list. After you quarantine the device, you can block the quarantined device from accessing the network to ensure consistent policy.
    Each Prisma Access mobile user location sends and receives its quarantine information between the Panorama that manages Prisma Access and its nearest service connection. If you have NGFWs or gateways, you should have the service connection redistribute the quarantine list information to and from Panorama and the on-premises devices or gateways. You should also redistribute the quarantine list information from Panorama to the service connection to ensure consistent policy enforcement for all mobile user locations (gateways) in Prisma Access.
    A device appears in the quarantine list as a result of the following actions:
    • The system administrator added the device to this list manually.
    • The device was added to the quarantine list automatically.
      • Using a log forwarding profile with a security rule whose match list had a built-in action set to Quarantine.
      • Using HIP match log settings with built-in action set to Quarantine.
    • The device was added to the quarantine list using an API.
    • The quarantine list was received as a part of redistributed entry (the quarantine list was redistributed from another Panorama appliance).
    Here's how to get started with Quarantine Device Lists.

    Policy Object: Quarantine Device Lists (Strata Cloud Manager)

    Configure the quarantine list feature for Strata Cloud Manager Managed Prisma Access mobile user (GlobalProtect) deployments.
    Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network or restrict the device traffic based on a security rule.
    To get started, set up a Quarantined Device List. Then use the list as part of identity redistribution.

    Set Up a Quarantined Device List

    The Quarantined Device List screen is where you identify devices you want to block from accessing your network.
    Follow these steps to add a device to the Quarantined Device List:
    1. Select Manage ConfigurationNGFW and Prisma AccessObjectsQuarantined Device List.
      The Shared configuration scope is already selected for you. Leave this option as is.
    2. Select Add Device.
    3. Fill in the Host ID and Serial Number fields.
    4. Select Save.
    5. Repeat steps 1-4 to add additional devices.

    Configure Identity Redistribution

    The Identity Redistribution screen is where you configure how identity information is redistributed in the Prisma Access Infrastructure. Configure identity redistribution to use the quarantined device list so that all devices on the network that enforce policy know to block the compromised devices.
    Follow these steps to configure identity redistribution to use the Quarantined Device List you created:
    1. Select Manage ConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution List.
    2. Select the appropriate configuration scope, Shared or Mobile Users.
      You can ignore Service Connections for now because Service connections learn from mobile users, remote networks, or external redistribution agents, as shown in the diagram. If you’re unsure about which to select, see Global and Local Policy. Shared is selected by default.
    3. Select Edit next to Mobile Users.
    4. Select the checkbox next to the Quarantined Device List.
    5. Select Save.
      Learn more about Identity Redistribution.

    Block Login for Quarantined Devices

    Block quarantined devices from accessing the network, or block users from logging into the network from devices on the Quarantined Device List.
    Follow these steps to configure Authentication Settings to prevent users from logging into GlobalProtect from a quarantined device:
    1. Select WorkflowsPrisma Access SetupGlobalProtect.
    2. Scroll down to User Authentications and select Authentication Settings.
      The Authentication Settings screen appears.
    3. Select the checkbox for Block Login for Quarantined Devices.
    4. Select Save.

    Use Quarantine Device List for Security Policy Enforcement

    Prevent quarantined devices from sending or receiving traffic on the network by specifying options in a security rule.
    Follow these steps to configure Security Policy to use your Quarantined Device List to prevent quarantined devices from sending or receiving traffic on the network:
    1. Select Manage ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy from the sidebar.
    2. Scroll down to Security Rules and select Add Rule.
      The Add Security Policy Rule screen appears.
    3. Scroll down to DEVICES under either Source or Destination and select Match Quarantined Devices.
      This tells your rule to use devices in the quarantine list as the match criteria, whether you specify Quarantine as the Source Device for Source traffic or the Destination Device for Destination traffic.
    4. Under Action and Advanced Inspection, specify an action that blocks the quarantined device, such as Deny as required by your rule.
    5. Select Save.

    Policy Object: Quarantine Device Lists (PAN-OS & Panorama)

    Configure the quarantine list feature for Panorama Managed Prisma Access mobile user (GlobalProtect) deployments.
    To redistribute quarantine information to and from service connections, the Panorama that manages Prisma Access, and next-generation firewalls, complete the following steps.
    1. Make sure that the Panorama management IP address is able to communicate with the User-ID agent address for all service connections to which you want to redistribute quarantine list information.
      Communication between the User-ID Agent address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
      • To find the User-ID Agent Address, select PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address.
      • To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser when you access Panorama.
    2. Allow Prisma Access to redistribute quarantine list information.
      1. In Panorama, select PanoramaCloud ServicesConfigurationService Setup.
      2. Click the gear icon to edit the settings.
      3. In the Advanced tab, select Enable Quarantine List Redistribution.
        Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
    3. Commit and Push your changes.
    4. Configure Panorama to receive quarantine list information from Prisma Access by configuring management interface settings.
      1. In the Panorama that manages Prisma Access, select PanoramaSetupInterfaces.
      2. Select the Management interface.
      3. Select User-ID.
    5. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
      1. From the Panorama that manages Prisma Access, select PanoramaCloud ServicesStatusNetwork DetailsService Connection.
      2. Make a note of the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address) for each service connection.
      3. Select PanoramaData RedistributionAgents.
      4. Add a Data Redistribution agent, give it a Name and select Enabled.
      5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
        Make sure that your network does not block access to this port between Panorama and Prisma Access.
      6. (Optional) If you have configured this service connection as a Collector (DeviceData RedistributionCollector Settings), enter the Collector Name and Collector Pre-Shared Key
      7. Select Quarantine List; then, click OK.
      8. Repeat Step 5 for all the service connections in your Prisma Access deployment.
    6. Select CommitCommit to Panorama to save your changes locally on the Panorama that manages Prisma Access.
    7. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
      1. Find the management IP address of the Panorama that manages Prisma Access.
        This address displays by in the web browser address bar when you access Panorama.
      2. Make sure that you are in the Service_Conn_Template template, then select DeviceData RedistributionAgents.
      3. Add a Data Redistribution agent, give it a Name and select Enabled.
      4. Enter the management IP address of the Panorama appliance. as the Host and 5007 as the Port.
      5. Select Quarantine List; then, click OK.
    8. Configure a data redistribution agent that redistributes quarantine list information from the service connections to mobile user gateways.
      1. From the Panorama that manages Prisma Access, select PanoramaCloud ServicesStatusNetwork DetailsService Connection.
      2. Make a note of the User-ID Agent Address of the service connection from which you want to redistribute quarantine list information.
        Since all service connections have the same redistributed quarantine list information, choose any service connection. You can also configure more than one service connection.
      3. Make sure that you are in the Mobile_User_Template, then select DeviceData RedistributionAgents.
      4. Add a Data Redistribution agent, give it a Name, and select Enabled.
      5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
        Make sure that your network does not block access to this port between Panorama and Prisma Access.
      6. (Optional) If you have configured this service connection as a Collector (DeviceData RedistributionCollector Settings), enter the Collector Name and Collector Pre-Shared Key.
      7. Select Quarantine List; then, click OK.
      8. Commit and Push your changes.
    9. View your quarantine list information by selecting PanoramaDevice Quarantine.
      See View Quarantined Device Information in the GlobalProtect Administrator’s Guide for details.

    © 2025 Palo Alto Networks, Inc. All rights reserved.