Policy Object: Quarantine Device Lists

Identify and quarantine compromised devices that are connected with the GlobalProtect app.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
Check for any license or role requirements for the products you're using.
Prisma Access allows you to identify and quarantine compromised devices that are connected with the GlobalProtect app. You do this by either manually or automatically adding devices to a quarantine list. After you quarantine the device, you can block the quarantined device from accessing the network to ensure consistent policy.
Each Prisma Access mobile user location sends and receives its quarantine information between the Panorama that manages Prisma Access and its nearest service connection. If you have NGFWs or gateways, you should have the service connection redistribute the quarantine list information to and from Panorama and the on-premises devices or gateways. You should also redistribute the quarantine list information from Panorama to the service connection to ensure consistent policy enforcement for all mobile user locations (gateways) in Prisma Access.
A device appears in the quarantine list as a result of one of the following actions:
  • The system administrator added the device to the list manually.
  • The device was added to the quarantine list automatically:
    • By a log forwarding profile attached to a security rule, where the match list has a built-in action set to Quarantine.
    • By HIP match log settings with a built-in action set to Quarantine.
  • The device was added to the quarantine list using an API.
  • The entry was received as part of a redistributed quarantine list (the list was redistributed from another Panorama appliance).
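The API path in the list above is the one that lends itself to automation (for example, quarantining a device as soon as an EDR alert names its GlobalProtect host ID). The following Python script is an added example and is not code from this page or from Palo Alto Networks. It assumes the PAN-OS XML API endpoint `/api/` with `type=user-id`, which is the User-ID XML API, and it assumes the `uid-message` payload carries a `<quarantine>` element with one `<entry hostid="..." serialno="..." reason="...">` per device; that element name and its attributes are an assumption to verify against the PAN-OS XML API reference for your release. The hostname, API key and sample devices are placeholders constructed for the example.

```python
"""Add GlobalProtect devices to the PAN-OS quarantine list via the User-ID XML API.

Added example, not code from the page or from Palo Alto Networks. Assumptions:
  * XML API endpoint https://<host>/api/ with type=user-id and key=<API key>
    (the User-ID XML API endpoint in PAN-OS).
  * A <quarantine> payload element with <entry hostid= serialno= reason=> children.
    The element name and attributes are an ASSUMPTION; check them against the
    PAN-OS XML API reference for your release before relying on this.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_quarantine_message(devices):
    """Return a uid-message XML string quarantining each (host_id, serial, reason).

    The document is built with ElementTree instead of string formatting so that an
    attacker-influenced value (a host ID lifted from a log line, say) is escaped and
    cannot break out of its attribute and alter the request.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    quarantine = ET.SubElement(payload, "quarantine")  # ASSUMED element name
    for host_id, serial, reason in devices:
        if not host_id or not serial:
            raise ValueError("host ID and serial number are both required")
        ET.SubElement(quarantine, "entry", hostid=host_id, serialno=serial, reason=reason)
    return ET.tostring(root, encoding="unicode")


def parse_api_response(body):
    """Return (ok, message) from a PAN-OS XML API <response status=...> body."""
    root = ET.fromstring(body)
    msg_el = root.find(".//msg")
    msg = "".join(msg_el.itertext()).strip() if msg_el is not None else ""
    return root.get("status") == "success", msg


def send_uid_message(host, api_key, uid_xml, ca_bundle=None, timeout=15):
    """POST uid_xml to https://<host>/api/?type=user-id and return (ok, message).

    Verify the firewall's certificate against a pinned CA bundle rather than
    disabling TLS verification: the API key is an admin credential and an
    unverified TLS session hands it to any on-path attacker.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    form = {"type": "user-id", "key": api_key, "cmd": uid_xml}
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_api_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample input: two endpoints flagged by an EDR alert (not real devices).
    SAMPLE = [
        ("WIN-3FA7C2", "PF2KQ9X1", "edr alert 4711"),
        ("mac-lab-02", "C02XYZ123", "analyst triage"),
    ]
    print(build_quarantine_message(SAMPLE))
    # ok, msg = send_uid_message("panorama.example.internal", API_KEY,
    #                            build_quarantine_message(SAMPLE), ca_bundle="corp-ca.pem")
```

Run the script as-is to see the request body it would send; wire in `send_uid_message` only after confirming the payload element against the API reference, and keep the API key in a secrets store rather than in the script, because a key that can quarantine devices can also unquarantine them.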
Here's how to get started with Quarantine Device Lists.

Cloud Managed

Prisma Access allows you to identify and quarantine compromised devices that are connected with the GlobalProtect app. You can add devices to a quarantine list either manually or automatically (based on auto-tags). You can then block quarantined devices from accessing the network, or restrict their traffic with a security rule.
To get started, set up a Quarantined Device List. Then use the list as part of identity redistribution.

Set Up a Quarantined Device List

The Quarantined Device List screen is where you identify devices you want to block from accessing your network.
Follow these steps to add a device to the Quarantined Device List:
  1. Select Manage > Configuration > NGFW and Prisma Access > Objects > Quarantined Device List.
    The Shared configuration scope is already selected for you. Leave this option as is.
  2. Select Add Device.
  3. Fill in the Host ID and Serial Number fields.
  4. Select Save.
  5. Repeat steps 2-4 to add additional devices.

Configure Identity Redistribution

The Identity Redistribution screen is where you configure how identity information is redistributed in the
Prisma Access
Infrastructure. Configure identity redistribution to use the quarantined device list so that all devices on the network that enforce policy know to block the compromised devices.
Follow these steps to configure identity redistribution to use the Quarantined Device List you created:
  1. Select Manage > Configuration > NGFW and Prisma Access > Identity Services > Identity Redistribution List.
  2. Select the appropriate configuration scope, Shared or Mobile Users.
    You can ignore Service Connections for now, because service connections learn from mobile users, remote networks, or external redistribution agents, as shown in the diagram. If you're unsure about which to select, see Global and Local Policy. Shared is selected by default.
  3. Select Edit next to Mobile Users.
  4. Select the checkbox next to the Quarantined Device List.
  5. Select Save.
    Learn more about Identity Redistribution.

Block Login for Quarantined Devices

Block quarantined devices from accessing the network, or block users from logging into the network from devices on the Quarantined Device List.
Follow these steps to configure Authentication Settings to prevent users from logging into GlobalProtect from a quarantined device:
  1. Select Workflows > Prisma Access Setup > GlobalProtect.
  2. Scroll down to User Authentications and select Authentication Settings. The Authentication Settings screen appears.
  3. Select the checkbox for Block Login for Quarantined Devices.
  4. Select Save.

Use Quarantine Device List for Security Policy Enforcement

Prevent quarantined devices from sending or receiving traffic on the network by specifying options in a security rule.
Follow these steps to configure Security Policy to use your Quarantined Device List to prevent quarantined devices from sending or receiving traffic on the network:
  1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy from the sidebar.
  2. Scroll down to Security Rules and select Add Rule. The Add Security Policy Rule screen appears.
  3. Scroll down to DEVICES under either Source or Destination and select Match Quarantined Devices.
    This tells the rule to use the devices in the quarantine list as its match criteria: under Source it matches traffic sent by a quarantined device, and under Destination it matches traffic sent to a quarantined device.
  4. Under Action and Advanced Inspection, specify an action that blocks the quarantined device, such as Deny, as required by your rule.
  5. Select Save.

PAN-OS & Panorama

Configure the quarantine list feature for Panorama Managed Prisma Access mobile user (GlobalProtect) deployments.
To redistribute quarantine information to and from service connections, the Panorama that manages Prisma Access, and next-generation firewalls, complete the following steps.
  1. Make sure that the Panorama management IP address is able to communicate with the User-ID agent address of every service connection to which you want to redistribute quarantine list information.
    Communication between the User-ID Agent address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
    • To find the User-ID Agent Address, select Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address.
    • To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser address bar when you access Panorama.
  2. Allow Prisma Access to redistribute quarantine list information.
    1. In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
    2. Click the gear icon to edit the settings.
    3. In the Advanced tab, select Enable Quarantine List Redistribution.
      Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
  3. Commit and Push your changes.
  4. Configure Panorama to receive quarantine list information from Prisma Access by configuring management interface settings.
    1. In the Panorama that manages Prisma Access, select Panorama > Setup > Interfaces.
    2. Select the Management interface.
    3. Select User-ID.
  5. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
    1. From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
    2. Make a note of the User-ID Agent Address for each service connection.
    3. Select Panorama > Data Redistribution > Agents.
    4. Add a Data Redistribution agent, give it a Name, and select Enabled.
    5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
      Make sure that your network does not block access to this port between Panorama and Prisma Access.
    6. (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
    7. Select Quarantine List; then, click OK.
    8. Repeat sub-steps 3 through 7 for each service connection in your Prisma Access deployment.
  6. Select Commit > Commit to Panorama to save your changes locally on the Panorama that manages Prisma Access.
  7. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
    1. Find the management IP address of the Panorama that manages Prisma Access.
      This address displays in the web browser address bar when you access Panorama.
    2. Make sure that you are in the Service_Conn_Template template, then select Device > Data Redistribution > Agents.
    3. Add a Data Redistribution agent, give it a Name, and select Enabled.
    4. Enter the management IP address of the Panorama appliance as the Host and 5007 as the Port.
    5. Select Quarantine List; then, click OK.
  8. Configure a data redistribution agent that redistributes quarantine list information from the service connections to mobile user gateways.
    1. From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
    2. Make a note of the User-ID Agent Address of the service connection from which you want to redistribute quarantine list information.
      Because all service connections hold the same redistributed quarantine list information, you can choose any service connection. You can also configure more than one service connection.
    3. Make sure that you are in the Mobile_User_Template, then select Device > Data Redistribution > Agents.
    4. Add a Data Redistribution agent, give it a Name, and select Enabled.
    5. Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port.
      Make sure that your network does not block access to this port between the mobile user gateways and the service connection.
    6. (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
    7. Select Quarantine List; then, click OK.
    8. Commit and Push your changes.
  9. View your quarantine list information by selecting Panorama > Device Quarantine.
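Steps 5, 7 and 8 above each add a data redistribution agent that opens a TCP connection to port 5007, and the procedure twice warns that nothing on the path may block that port. The script below is an added example, not code from this page or from Palo Alto Networks: it enumerates the three flows the procedure depends on (Panorama to each service connection User-ID agent address, each service connection to the Panorama management IP, and the mobile user gateways to a service connection) and tests the ones reachable from the host you run it on. It assumes you run it from a host that stands in the same network position as the initiating component (for example, a jump host on the Panorama management network standing in for Panorama); the addresses in the block are constructed placeholders.

```python
"""Preflight the TCP/5007 paths that quarantine list redistribution relies on.

Added example, not from the page or from Palo Alto Networks. Assumptions:
  * 5007 is the agent port the procedure specifies (REDISTRIBUTION_PORT).
  * The script runs from a host in the same network position as the component
    that initiates a given flow; pass that position as `vantage`.
  * All IP addresses in __main__ are constructed placeholders.
"""
import socket

REDISTRIBUTION_PORT = 5007  # port entered for every data redistribution agent

# Initiator roles, matching the steps of the procedure
PANORAMA = "panorama"                  # step 5: Panorama -> service connection
SERVICE_CONNECTION = "service-connection"  # step 7: service connection -> Panorama
MOBILE_USER_GATEWAY = "mobile-user-gateway"  # step 8: gateway -> service connection


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unroutable, bad name
        return False


def redistribution_flows(panorama_mgmt_ip, service_conn_agent_addrs):
    """Return the (initiator, target) pairs the three agents need, one set per service connection."""
    flows = []
    for addr in service_conn_agent_addrs:
        flows.append((PANORAMA, addr))                 # step 5 agent on Panorama
        flows.append((SERVICE_CONNECTION, panorama_mgmt_ip))  # step 7 agent in Service_Conn_Template
        flows.append((MOBILE_USER_GATEWAY, addr))      # step 8 agent in Mobile_User_Template
    return flows


def check_flows(flows, vantage, port=REDISTRIBUTION_PORT, timeout=3.0):
    """Test every flow whose initiator matches `vantage`; return {target: reachable}."""
    results = {}
    for initiator, target in flows:
        if initiator == vantage and target not in results:
            results[target] = tcp_reachable(target, port, timeout)
    return results


if __name__ == "__main__":
    # Constructed placeholders: replace with the values read from
    # Panorama > Cloud Services > Status > Network Details > Service Connection.
    PANORAMA_MGMT_IP = "10.10.0.5"
    SC_AGENT_ADDRS = ["192.0.2.10", "192.0.2.20"]
    flows = redistribution_flows(PANORAMA_MGMT_IP, SC_AGENT_ADDRS)
    for target, ok in check_flows(flows, vantage=PANORAMA).items():
        print(f"{PANORAMA} -> {target}:{REDISTRIBUTION_PORT} {'open' if ok else 'BLOCKED'}")
```

A False result means the agent will sit in a disconnected state after the commit and the quarantine list will silently stop converging for that path, so run the check from each vantage point before committing rather than waiting for a quarantined device to reconnect through a gateway that never received the entry.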
