Identification and Quarantine of Compromised Devices Overview and License Requirements
Learn how to quarantine devices with GlobalProtect and block users from connecting to your network from those devices.
GlobalProtect makes it easier to block compromised devices from your network by identifying a compromised device by its Host ID and, optionally, its serial number instead of its source IP address. This is preferable to blocking a compromised endpoint by IP address because if the device's IP address changes (for example, when a user moves their endpoint from a work location to their home), a security policy based on the old IP address would allow the endpoint back on the network.
After you identify a device as compromised (for example, a device that has been infected with malware and is performing command-and-control activity), you can manually add the device's Host ID to the quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device. You can also quarantine the device automatically by using log forwarding profiles with security policies or HIP Match log settings.
Starting with Android 8.0, the GlobalProtect app cannot retrieve the device serial number because it is not a device owner app or a profile owner app. In this case, you can use ANDROID_ID as the device serial number. ANDROID_ID is application-specific on an Android device and may change when the device is reset to factory settings, so a quarantine entry keyed on that value will no longer match the device after a factory reset.
Before you begin to quarantine devices, make sure that your GlobalProtect users are running GlobalProtect app 5.1 or later. In addition, make sure that a valid GlobalProtect subscription license is present on the firewall; without it, the firewall cannot add compromised devices to the quarantine list. The GlobalProtect subscription license requirements for this feature are enforced as follows:
  • The firewall requires a GlobalProtect subscription license to manually or automatically add devices to the quarantine list. You receive the following error message if you attempt to add a device without a license: The device cannot be quarantined. You must have a valid GlobalProtect subscription to add the device to the quarantine list.
    However, you can delete quarantined devices from the quarantine list without a license.
  • If your GlobalProtect subscription license expires, the quarantine list is retained and not deleted.
    GlobalProtect performs a license check hourly.
  • If you do not have a valid GlobalProtect license and one of the following conditions is true, your firewall or Panorama displays a warning message when you commit the change:
    • You selected Quarantine List in a Data Redistribution Agent.
    • You selected Quarantine as a built-in action for a Log Forwarding Profile.
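To make the two points above concrete (a Host-ID-keyed block survives an IP change where an IP-keyed block does not, and adds to the quarantine list are gated by the license while the list itself is retained and deletions still work), here is an added Python model. It is not PAN-OS, GlobalProtect, or Palo Alto Networks code; the Host IDs, IP addresses, and the comma-separated log format are constructed for illustration and do not mirror the real PAN-OS threat log format.

```python
"""Model of Host-ID-based quarantine vs. IP-based blocking (added example;
not PAN-OS code). All identifiers and the log format are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class QuarantineList:
    """Quarantine list keyed on Host ID, with the page's license gating."""
    licensed: bool = True
    host_ids: set[str] = field(default_factory=set)

    def add(self, host_id: str) -> bool:
        # Adding a device requires a valid GlobalProtect subscription license.
        if not self.licensed:
            return False
        self.host_ids.add(host_id)
        return True

    def remove(self, host_id: str) -> None:
        # Deleting a quarantined device does not require a license.
        self.host_ids.discard(host_id)

    def expire_license(self) -> None:
        # License expiry keeps the existing list; it is retained, not deleted.
        self.licensed = False

    def is_quarantined(self, host_id: str) -> bool:
        return host_id in self.host_ids


# Constructed sample log lines (not PAN-OS format):
# timestamp,host_id,src_ip,event
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z,host-aaa,10.1.1.25,threat:command-and-control
2024-01-01T10:05:00Z,host-bbb,10.1.1.26,threat:benign
"""


def auto_quarantine(log_text: str, qlist: QuarantineList) -> list[str]:
    """Simulate a log forwarding profile whose match list fires on C2 threat
    logs and applies the built-in Quarantine action. Returns Host IDs added."""
    added = []
    for line in log_text.splitlines():
        _ts, host_id, _src_ip, event = line.split(",")
        if event == "threat:command-and-control" and qlist.add(host_id):
            added.append(host_id)
    return added


def gateway_allows(qlist: QuarantineList, ip_blocklist: set[str],
                   host_id: str, src_ip: str) -> tuple[bool, bool]:
    """Decide a gateway connection two ways: by Host ID and by source IP.
    Returns (allowed_by_hostid_policy, allowed_by_ip_policy)."""
    return (not qlist.is_quarantined(host_id), src_ip not in ip_blocklist)


def demo() -> dict:
    qlist = QuarantineList(licensed=True)
    ip_blocklist: set[str] = set()

    # 1. The C2 threat log from host-aaa triggers automatic quarantine.
    hits = auto_quarantine(SAMPLE_LOGS, qlist)
    ip_blocklist.add("10.1.1.25")  # the IP-based alternative the page warns about

    # 2. The same endpoint reconnects from home with a different IP address.
    by_hostid, by_ip = gateway_allows(qlist, ip_blocklist, "host-aaa", "192.168.0.7")

    # 3. License expiry: list retained, new adds refused, deletes still work.
    qlist.expire_license()
    add_ok = qlist.add("host-ccc")
    retained = qlist.is_quarantined("host-aaa")
    qlist.remove("host-aaa")
    removed = not qlist.is_quarantined("host-aaa")

    return {
        "auto_quarantined": hits,
        "hostid_denies_after_ip_change": not by_hostid,
        "ip_blocklist_allows_after_ip_change": by_ip,
        "add_after_license_expiry": add_ok,
        "list_retained_after_expiry": retained,
        "delete_without_license": removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `hostid_denies_after_ip_change` versus `ip_blocklist_allows_after_ip_change` pair is the reason the page recommends Host ID as the quarantine key; the remaining keys reproduce the license rules from the list above.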