Automatically Quarantine a Device
GlobalProtect

You can automatically quarantine a device in two ways: attach a log forwarding profile that has the Quarantine built-in action to a security policy rule, or add a HIP Match log setting that quarantines a specific Host ID.
  • To quarantine a device using a log forwarding profile, complete the following steps.
    1. Select Objects > Log Forwarding and either Add a new log forwarding profile or select an existing profile to modify it.
    2. Add a Log Forwarding Profile Match List and, in the Built-in Actions section, select Quarantine.
      Specify a Log Type of GlobalProtect, Threat, or Traffic; the Quarantine action is available only for these three log types.
      If you specify a Log Type of Threat or Traffic, make sure that a Host ID is associated with the device by creating a security policy rule that has Quarantine as the Source Device for Source traffic, which adds the Host ID. Without a Host ID, the firewall cannot add a device to the quarantine list, so confirm that the Host ID column is populated in the Traffic or Threat logs before you rely on the rule.
      For example, a match list with a Log Type of Threat and a Filter for a severity of critical: after you add this profile to a security policy rule and a critical threat log matches, the firewall adds the device from which that traffic originated to the quarantine list.
      After you add the match list, the log forwarding profile displays Quarantine under Built-In Actions.
    3. Select Policies > Security and Add a security policy rule.
    4. Select Actions, then select the Log Forwarding profile you created under Log Setting.
  • To automatically quarantine a device using HIP Match log settings, select Device > Log Settings > HIP Match and Add a log setting with Quarantine selected under Built-In Actions.
    For example, a log setting whose Filter matches the host ID 08708f38-27de-94d1-b41f-10e48752567g: when a HIP Match log matches that host ID, the log setting adds that device to the quarantine list. Unlike a log forwarding profile, you do not need to attach this log setting to a security policy rule for it to take effect.
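Both procedures above can be scripted instead of clicked through. The following Python is an added example, not code from this page or from Palo Alto Networks: it builds the two objects (a log forwarding profile match list with the Quarantine built-in action, and a HIP Match log setting for one Host ID) and pushes them with a config `set` call to the PAN-OS XML API. The XPaths, element names (`match-list`, `log-type`, `filter`, `quarantine`, `hipmatch`), the log filter field name `hostid`, the `X-PAN-KEY` header and the `PANOS_HOST`/`PANOS_API_KEY` environment variables are assumptions, not taken from the page; compare them with `show config running` on your own firewall before relying on them. The sample API responses parsed by `parse_api_status` are constructed for illustration.

```python
"""Create the two quarantine configurations described above via the PAN-OS XML API.

Added example, not code from the page or from Palo Alto Networks. Assumed (not from
the page): the XPaths, element names, the `hostid` filter field and the X-PAN-KEY
header. Verify them against `show config running` on your own firewall.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Only these three log types offer the Quarantine built-in action (from the page).
QUARANTINE_LOG_TYPES = ("globalprotect", "threat", "traffic")

VSYS_BASE = ("/config/devices/entry[@name='localhost.localdomain']"
             "/vsys/entry[@name='{vsys}']")
# Assumed location of Device > Log Settings > HIP Match entries.
HIP_MATCH_LIST_XPATH = "/config/shared/log-settings/hipmatch/match-list"


def is_quarantine_log_type(log_type):
    """True when the log type can carry the Quarantine built-in action."""
    return log_type.lower() in QUARANTINE_LOG_TYPES


def needs_host_id_rule(log_type):
    """Threat and Traffic logs only carry a Host ID once a security policy rule with
    Source Device = Quarantine has associated one; GlobalProtect logs need no such rule."""
    return log_type.lower() in ("threat", "traffic")


def lfp_xpath(profile_name, vsys="vsys1"):
    """XPath of a vsys-scoped log forwarding profile (assumed schema)."""
    return (f"{VSYS_BASE.format(vsys=vsys)}"
            f"/log-settings/profiles/entry[@name='{profile_name}']")


def lfp_match_list_element(match_name, log_type, filter_expr):
    """<match-list> entry with Quarantine as the built-in action, e.g. the page's
    Threat/critical case: lfp_match_list_element("crit", "threat", "(severity eq critical)")."""
    if not is_quarantine_log_type(log_type):
        raise ValueError(f"Quarantine is not available for {log_type!r} logs")
    match_list = ET.Element("match-list")
    entry = ET.SubElement(match_list, "entry", name=match_name)
    ET.SubElement(entry, "log-type").text = log_type.lower()
    ET.SubElement(entry, "filter").text = filter_expr
    ET.SubElement(entry, "quarantine").text = "yes"
    return ET.tostring(match_list, encoding="unicode")


def hip_match_element(setting_name, host_id):
    """HIP Match log setting entry that quarantines one Host ID (filter field assumed)."""
    entry = ET.Element("entry", name=setting_name)
    ET.SubElement(entry, "filter").text = f"(hostid eq {host_id})"
    ET.SubElement(entry, "quarantine").text = "yes"
    return ET.tostring(entry, encoding="unicode")


def parse_api_status(body):
    """Return (status, message) from an XML API <response>; error text nests in <line>."""
    root = ET.fromstring(body)
    msg = root.findtext("./msg") or root.findtext("./msg/line") or ""
    return root.get("status"), msg.strip()


def api_set(firewall, api_key, xpath, element, timeout=30):
    """Issue a config 'set' call. The key is sent as a header rather than in the URL so
    it stays out of proxy and web-server logs; TLS is verified with the default context."""
    query = urllib.parse.urlencode({"type": "config", "action": "set",
                                    "xpath": xpath, "element": element})
    req = urllib.request.Request(f"https://{firewall}/api/?{query}",
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_api_status(resp.read())


if __name__ == "__main__":
    import os
    fw, key = os.environ["PANOS_HOST"], os.environ["PANOS_API_KEY"]  # hypothetical names
    # 1. Log forwarding profile: critical threats quarantine the originating device.
    #    Remember that a Threat match still needs the Host ID rule from the page.
    print(api_set(fw, key, lfp_xpath("lfp-quarantine"),
                  lfp_match_list_element("critical-threat", "threat",
                                         "(severity eq critical)")))
    # 2. HIP Match log setting for the Host ID used as the example on the page.
    print(api_set(fw, key, HIP_MATCH_LIST_XPATH,
                  hip_match_element("quarantine-host",
                                    "08708f38-27de-94d1-b41f-10e48752567g")))
    # A commit (type=commit&cmd=<commit></commit>) is still required afterwards.
```

The log forwarding profile still has to be attached to a security policy rule (step 4 above) and the candidate configuration committed before either object does anything; `needs_host_id_rule` is there so a wrapper script can refuse a Threat or Traffic match list unless the accompanying Source Device = Quarantine rule is also being pushed.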