Identify and Quarantine Compromised Devices

Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network or restrict the device traffic based on a security rule.
To get started, set up a Quarantined Device List. Then use the list as part of identity redistribution.

Set Up a Quarantined Device List

The Quarantined Device List screen is where you identify devices you want to block from accessing your network.
Follow these steps to add a device to the Quarantined Device List:
  1. Select Manage > Configuration > Objects > Quarantined Device List from the sidebar.
    The Shared configuration scope is already selected for you. Leave this option as is.
  2. Select Add Device.
  3. Fill in the Host ID and Serial Number fields.
  4. Select Save.
  5. Repeat steps 1-4 to add additional devices.

Configure Identity Redistribution

The Identity Redistribution screen is where you configure how identity information is redistributed in the Prisma Access Infrastructure. Configure identity redistribution to use the quarantined device list so that all devices on the network that enforce policy know to block the compromised devices.
Follow these steps to configure identity redistribution to use the Quarantined Device List you created:
  1. Select Manage > Configuration > Identity Services > Identity Redistribution List from the sidebar.
  2. Select the appropriate configuration scope, Shared or Mobile Users.
    You can ignore Service Connections for now because Service connections learn from mobile users, remote networks, or external redistribution agents, as shown in the diagram. If you’re unsure about which to select, see Global and Local Policy.
    Shared is selected by default.
  3. Select Edit next to Mobile Users.
  4. Select the checkbox next to the Quarantined Device List.
  5. Select Save.
    Learn more about Identity Redistribution. See Identification and Quarantine of Compromised Devices With Prisma Access to learn about specific use cases. This topic is for Panorama administrators, but the concept applies to Prisma Access in general.

Block Login for Quarantined Devices

Block quarantined devices from accessing the network, or block users from logging into the network from devices on the Quarantined Device List.
Follow these steps to configure Authentication Settings to prevent users from logging into GlobalProtect from a quarantined device:
  1. Select Manage > Setup > GlobalProtect from the sidebar.
  2. Scroll down to User Authentications and select Authentication Settings.
    The Authentication Settings screen appears.
  3. Select the checkbox for Block Login for Quarantined Devices.
  4. Select Save.

Use Quarantine Device List for Security Policy Enforcement

Prevent quarantined devices from sending or receiving traffic on the network by specifying options in a security policy rule.
Follow these steps to configure Security Policy to use your Quarantined Device List to prevent quarantined devices from sending or receiving traffic on the network:
  1. Select Manage > Configuration > Security Services > Security Policy from the sidebar.
  2. Scroll down to Security Policy Rules and select Add Rule.
    The Add Security Policy Rule screen appears.
  3. Scroll down to DEVICES under either Source or Destination and select Match Quarantined Devices.
    This tells your rule to use devices in the quarantine list as the match criteria, whether you specify Quarantine as the Source Device for Source traffic or the Destination Device for Destination traffic.
  4. Under Action and Advanced Inspection, specify an action that blocks the quarantined device, such as Deny, as required by your rule.
  5. Select Save.
