For greater protection against unauthorized network access, you can now block device access to the network by adding the devices to a block list. Additionally, a new option enables you to block a session if the certificate for that session was not issued to the authenticating device, which is especially useful when a device is lost or stolen.
Block Device Access from an Unknown Device
Session blocking options enable you to validate the client certificate that GlobalProtect uses to authenticate users. The client certificate can be a pre-deployed client certificate or a certificate that the GlobalProtect portal deploys to an end client. When any of the session blocking options is enabled, the GlobalProtect agent sends its client certificate and host ID (which contains the client serial number) for authentication when it submits a login request. Depending on the configuration of the certificate profile, GlobalProtect can block access when the Online Certificate Status Protocol (OCSP) responder or the certificate revocation list (CRL) service returns a certificate revocation status of unknown, or when GlobalProtect registers an OCSP or CRL request timeout.
Additionally, a new option in the certificate profile, Block session if the certificate was not issued to the authenticating device, now enables GlobalProtect to block access when the device that presents the certificate does not match the device to which the certificate was issued. With this option enabled, authentication cannot succeed unless GlobalProtect can validate that the client certificate presented during the login request was issued to the device that presented it.
Block Access from a Lost or Stolen Device
You can now block a device from gaining access to the network by placing the device in a block list. Typical reasons for blocking a device are loss or theft. You need to be able to block a missing device because the extended period of automatic, transparent logins that OTP-based authentication supports creates a risk: a device that is no longer in the user's possession could otherwise keep connecting without the user re-entering credentials.
A block list is local to a virtual system (vsys1, for example) and holds a maximum of 1,000 devices. An organization that hosts GlobalProtect deployments across many virtual systems can therefore maintain many block lists, each with its own 1,000-device limit.
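The two mechanisms above (certificate-profile session blocking, including the device-binding check, and the per-virtual-system block list) combine into a single gating decision at login time. The following Python model is an added example written for this page; it is not PAN-OS or GlobalProtect code. The class names, field names, the `issued_to_device_serial` binding field and the order in which the checks are applied are assumptions chosen to illustrate the behaviour the text describes, and the login scenarios in `run_demo()` are constructed for the example.

```python
"""Model of GlobalProtect-style session blocking at login (illustrative only).

Hypothetical code written for this page, not PAN-OS code: the data classes,
field names and check order are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

MAX_BLOCK_LIST_PER_VSYS = 1000  # per-virtual-system limit stated in the text


class RevocationStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # OCSP/CRL service answered but could not classify the cert
    TIMEOUT = "timeout"   # the OCSP/CRL request did not return in time


@dataclass
class CertificateProfile:
    """The three blocking options the page describes, all off by default."""
    block_unknown_status: bool = False
    block_on_timeout: bool = False
    block_if_not_issued_to_device: bool = False


@dataclass
class ClientCertificate:
    subject: str
    issued_to_device_serial: Optional[str]  # assumed: device serial the cert was bound to at issuance
    revocation: RevocationStatus


@dataclass
class LoginRequest:
    vsys: str
    host_id_serial: str  # serial number carried in the agent's host ID
    cert: ClientCertificate


@dataclass
class BlockLists:
    """One block list per virtual system, each capped at MAX_BLOCK_LIST_PER_VSYS."""
    lists: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, vsys: str, serial: str) -> None:
        devices = self.lists.setdefault(vsys, set())
        if serial in devices:
            return
        if len(devices) >= MAX_BLOCK_LIST_PER_VSYS:
            raise ValueError(f"block list for {vsys} is full ({MAX_BLOCK_LIST_PER_VSYS} devices)")
        devices.add(serial)

    def contains(self, vsys: str, serial: str) -> bool:
        return serial in self.lists.get(vsys, set())


def evaluate_login(req: LoginRequest, profile: CertificateProfile,
                   block_lists: BlockLists) -> Tuple[str, Optional[str]]:
    """Return ("block", reason) or ("allow", None) for one login request."""
    # 1. A device on the block list for this vsys never gets in, whatever its cert says.
    if block_lists.contains(req.vsys, req.host_id_serial):
        return ("block", "device on block list")
    # 2. Revocation outcome, interpreted through the profile's blocking options.
    status = req.cert.revocation
    if status is RevocationStatus.REVOKED:
        return ("block", "certificate revoked")
    if status is RevocationStatus.UNKNOWN and profile.block_unknown_status:
        return ("block", "revocation status unknown")
    if status is RevocationStatus.TIMEOUT and profile.block_on_timeout:
        return ("block", "OCSP/CRL request timed out")
    # 3. Device binding: the cert must have been issued to the device presenting it.
    if profile.block_if_not_issued_to_device and req.cert.issued_to_device_serial != req.host_id_serial:
        return ("block", "certificate not issued to authenticating device")
    return ("allow", None)


def run_demo():
    """Constructed scenarios: a legitimate laptop, a stolen one, and a copied certificate."""
    profile = CertificateProfile(block_unknown_status=True, block_if_not_issued_to_device=True)
    block_lists = BlockLists()
    block_lists.add("vsys1", "SN-STOLEN")  # admin reported this device missing
    cert = ClientCertificate("CN=laptop-1", "SN-1", RevocationStatus.GOOD)
    return {
        "legit": evaluate_login(LoginRequest("vsys1", "SN-1", cert), profile, block_lists),
        "stolen": evaluate_login(LoginRequest("vsys1", "SN-STOLEN", cert), profile, block_lists),
        "copied_cert": evaluate_login(LoginRequest("vsys1", "SN-2", cert), profile, block_lists),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:12s} -> {decision}")
```

Note that the block list check runs first and is scoped to the vsys in the request, so a serial blocked in vsys1 is not automatically blocked in vsys2; the revocation and device-binding checks only matter once the device has passed that list.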