the devices that are in the quarantine list. Devices appear in this
list as a result of the following actions:
The system administrator added the device to this list
and, optionally, the
of the device you need to quarantine.
The system administrator selected the Host ID column from
the Traffic, GlobalProtect, or Threat log, selected a device from
that column, and then selected
The device matched a Security policy rule that has a log
forwarding profile whose match list had a built-in action set to
Host ID displays in the GlobalProtect logs automatically. For the
Host ID to display in the Traffic, Threat, or Unified logs, the
Panorama appliance must have at least one security policy rule with
Without this setting in the security policy, Traffic, Threat or
Unified logs will not have the Host ID, and the log forwarding profile
will not take effect.
The device was added to the quarantine list using an API.
The Panorama appliance received the quarantine list as a
part of redistributed entry (the quarantine list was redistributed
from another Panorama appliance or firewall).
The Device Quarantine table includes the following fields.
The Host-ID of the host that is blocked.
The reason that the device is quarantined.
A reason of
means that an administrator manually
added the device to the table.
The time that the administrator or Security
policy rule added the device to the quarantine list.
The IP address of the Panorama, firewall, or
third-party app that added the device to the quarantine list.
) The serial number of the
quarantined device (if available).
) The username of the GlobalProtect
client user who was logged in to the device when it was quarantined.