Identification and Quarantine of Compromised Devices Overview and License Requirements
Learn about how you can quarantine devices using GlobalProtect and block users from logging in to them on your network.
GlobalProtect makes it easier for you to block compromised devices from your network by identifying a compromised device with its Host ID and, optionally, serial number instead of its source IP address. This ability can be preferable to blocking a compromised endpoint from a network based on its IP address, because if a device’s IP address changes (for example, if a user moves their endpoint from a work location to their home), security policies based on IP addresses could allow the endpoint back on the network.
After you identify a device as compromised (for example, if a device has been infected with malware and is performing command and control actions), you can manually add the device’s Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device. You can also automatically quarantine the device using log forwarding profiles with security policies or HIP Match log settings.
Starting with Android 8.0, the GlobalProtect app is unable to retrieve the device serial number because the GlobalProtect app is not a device owner app or profile owner app. In this case, you can use ANDROID_ID as the device serial number. ANDROID_ID is application specific on an Android device, and the ID may change when you reset your Android device to factory settings.
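The following is an added illustration, not Palo Alto Networks code: a toy gateway model that keys its quarantine list on Host ID (with serial number or ANDROID_ID as an optional secondary check) instead of source IP, so you can see why a quarantined endpoint stays blocked after it moves networks, and how the license rules described below (add requires a license, delete does not) fit in. All Host IDs, serial numbers, IP addresses and the ANDROID_ID value are constructed sample values; only the error message text comes from this page.

```python
# Added example, not Palo Alto Networks code: a toy gateway whose quarantine list
# is keyed on Host ID (plus optional serial or ANDROID_ID) rather than source IP,
# so a quarantined endpoint stays blocked after it changes networks.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

LICENSE_ERROR = ("The device cannot be quarantined. You must have a valid "
                 "GlobalProtect subscription to add the device to the quarantine list.")
@dataclass
class Endpoint:
    host_id: str                      # constructed sample values throughout
    ip: str
    serial: Optional[str] = None      # None: app cannot read it (Android 8.0+)
    android_id: Optional[str] = None  # ANDROID_ID stands in for the serial then

    def device_identifier(self) -> Optional[str]:
        return self.serial or self.android_id

@dataclass
class Gateway:
    licensed: bool
    quarantine: Dict[str, Optional[str]] = field(default_factory=dict)  # Host ID -> serial
    ip_blocklist: Set[str] = field(default_factory=set)

    def quarantine_device(self, ep: Endpoint) -> Optional[str]:
        if not self.licensed:        # adding needs a subscription license
            return LICENSE_ERROR
        self.quarantine[ep.host_id] = ep.device_identifier()
        return None

    def release_device(self, host_id: str) -> None:
        self.quarantine.pop(host_id, None)  # deletion needs no license

    def allow_by_ip(self, ep: Endpoint) -> bool:
        return ep.ip not in self.ip_blocklist

    def allow_by_host_id(self, ep: Endpoint) -> bool:
        if ep.host_id not in self.quarantine:
            return True
        recorded = self.quarantine[ep.host_id]
        # Serial check is optional: enforce it only when one was recorded.
        return recorded is not None and recorded != ep.device_identifier()

def roaming_endpoint_outcome() -> Dict[str, bool]:
    gw = Gateway(licensed=True)
    laptop = Endpoint("host-id-constructed-01", "10.20.30.40", serial="SN-CONSTRUCTED-01")
    gw.ip_blocklist.add(laptop.ip)
    gw.quarantine_device(laptop)
    laptop.ip = "192.168.1.50"  # endpoint moves to home network; IP policy no longer matches
    return {"by_ip": gw.allow_by_ip(laptop), "by_host_id": gw.allow_by_host_id(laptop)}
```

Because the toy model records ANDROID_ID as the serial, a factory reset that changes ANDROID_ID would let the device past the optional serial check, which is the caveat the paragraph above describes.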
Before you begin to quarantine devices, make sure that your GlobalProtect users are running a minimum GlobalProtect app version of 5.1. In addition, make sure that a valid GlobalProtect subscription license is present on the firewall in order for the firewall to be able to add compromised devices to the quarantine list. The GlobalProtect subscription license requirements for this feature are enforced as described in the following list.
The firewall requires a GlobalProtect subscription license to manually or automatically add devices to the quarantine list. You receive the following error message if you attempt to add a device without a license: "The device cannot be quarantined. You must have a valid GlobalProtect subscription to add the device to the quarantine list." However, you can delete quarantined devices from the quarantine list without a license.
If your GlobalProtect subscription license expires, the quarantine list is retained and not deleted. GlobalProtect performs a license check hourly.
If you do not have a valid GlobalProtect license and one of the following conditions is true, your firewall or Panorama displays a warning message when you commit the change: