Identification and Quarantine of Compromised Devices
GlobalProtect now makes it easier for you to block compromised
devices from your network by allowing you to track compromised
devices using unique attributes, such as the hardware serial number
of the device and unique host information. This ability can be
preferable to blocking a compromised endpoint from a network based on
its IP address, because if a device’s IP address changes (for example,
if a user moves their endpoint from a work location to their home),
security policies based on IP addresses could allow the endpoint back
on the network. If GlobalProtect identifies a device as compromised
(for example, if GlobalProtect detects that a device has been infected
with malware and is performing command and control actions), it can
add the device to a quarantine list and permanently block it from
accessing the network. You can set security policies to quarantine
the device or manually add it to a quarantine list.
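The difference between the two blocking keys can be seen on a small set of connection attempts. The following is an added example, not GlobalProtect code or its log format: the record layout, the names (Conn, ip_block_allows, quarantine_allows, compare) and every value are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One constructed connection attempt (hypothetical layout, not a product log)."""
    host_id: str   # unique host information reported by the endpoint
    serial: str    # hardware serial number of the device
    src_ip: str    # address the endpoint connects from
    where: str     # label for readability only


# Constructed sample: host-A is flagged at the office, then reconnects from home.
# host-B is a clean device that later receives host-A's old office address.
EVENTS = [
    Conn("host-A", "SN-0001", "10.1.20.15", "office"),  # flagged on this attempt
    Conn("host-A", "SN-0001", "192.0.2.44", "home"),    # same device, new IP
    Conn("host-B", "SN-0002", "10.1.20.15", "office"),  # clean device, reused IP
]


def ip_block_allows(conn, blocked_ips):
    """Address-based policy: the decision follows the IP, not the device."""
    return conn.src_ip not in blocked_ips


def quarantine_allows(conn, quarantined):
    """Device-based policy: deny if either device attribute is quarantined."""
    return conn.host_id not in quarantined and conn.serial not in quarantined


def compare(events, flagged_index=0):
    """Return (host_id, where, ip_policy_allows, quarantine_allows) per attempt."""
    flagged = events[flagged_index]
    blocked_ips = {flagged.src_ip}
    quarantined = {flagged.host_id, flagged.serial}
    return [
        (c.host_id, c.where,
         ip_block_allows(c, blocked_ips),
         quarantine_allows(c, quarantined))
        for c in events
    ]


if __name__ == "__main__":
    for host, where, ip_ok, q_ok in compare(EVENTS):
        print(f"{host:7} {where:7} "
              f"ip-policy={'allow' if ip_ok else 'deny':5} "
              f"quarantine={'allow' if q_ok else 'deny'}")
```

In this sample the address-based policy readmits the flagged device from its home address and denies the clean device that inherited the old address, while the device-based list does neither.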
Enhanced Logging for the Selected GlobalProtect Gateway
To help you determine why a specific gateway was chosen for a
connection, the GlobalProtect app now collects and reports
information to identify gateway selection criteria and latency
between the gateway and the endpoint. After you enable the Gateway
Selection Criteria option that is available as an app setting in the
the GlobalProtect app sends the logs about the gateway selection
criteria to the firewall. With the additional GlobalProtect log
fields, you can easily identify the priority and response time of
the selected gateway, the list of gateway connection attempts, and
statistics about the pre-tunnel and post-tunnel network latency.