Network Security
Policy Object: Quarantine Device Lists
Identify and quarantine compromised devices that are connected with the GlobalProtect app.

Prisma Access allows you to identify and quarantine compromised devices that are connected with the GlobalProtect app. You do this by adding devices to a quarantine list, either manually or automatically. After you quarantine a device, you can block it from accessing the network to ensure consistent policy enforcement.

Each Prisma Access mobile user location exchanges its quarantine information with the Panorama that manages Prisma Access through its nearest service connection. If you have NGFWs or gateways, have the service connection redistribute the quarantine list information to and from Panorama and the on-premises devices or gateways. Also redistribute the quarantine list information from Panorama to the service connection so that policy is enforced consistently for all mobile user locations (gateways) in Prisma Access.

A device appears in the quarantine list as a result of one of the following actions:
- The system administrator added the device to the list manually.
- The device was added to the quarantine list automatically, either:
  - by a log forwarding profile attached to a security rule, whose match list has the built-in action set to Quarantine, or
  - by HIP match log settings with the built-in action set to Quarantine.
- The device was added to the quarantine list using an API.
- The entry was received as part of a redistributed quarantine list (redistributed from another Panorama appliance).
Here's how to get started with Quarantine Device Lists.
Policy Object: Quarantine Device Lists (Strata Cloud Manager)
Configure the quarantine list feature for Strata Cloud Manager Managed Prisma Access mobile user (GlobalProtect) deployments.

Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can add devices to a quarantine list either manually or automatically (based on auto-tags). You can block quarantined devices from accessing the network, or restrict the device's traffic with a security rule.

To get started, set up a Quarantined Device List. Then use the list as part of identity redistribution.
Set Up a Quarantined Device List
The Quarantined Device List screen is where you identify devices you want to block from accessing your network. Follow these steps to add a device to the Quarantined Device List:
- Select Manage > Configuration > NGFW and Prisma Access > Objects > Quarantined Device List. The Shared configuration scope is already selected for you. Leave this option as is.
- Select Add Device.
- Fill in the Host ID and Serial Number fields.
- Select Save.
- Repeat steps 1-4 to add additional devices.
Configure Identity Redistribution
The Identity Redistribution screen is where you configure how identity information is redistributed in the Prisma Access infrastructure. Configure identity redistribution to use the quarantined device list so that every device on the network that enforces policy knows to block the compromised devices. Follow these steps to configure identity redistribution to use the Quarantined Device List you created:
- Select Manage > Configuration > NGFW and Prisma Access > Identity Services > Identity Redistribution List.
- Select the appropriate configuration scope, Shared or Mobile Users. You can ignore Service Connections for now, because service connections learn from mobile users, remote networks, or external redistribution agents, as shown in the diagram. If you're unsure which to select, see Global and Local Policy. Shared is selected by default.
- Select Edit next to Mobile Users.
- Select the checkbox next to the Quarantined Device List.
- Select Save. Learn more about Identity Redistribution.
Block Login for Quarantined Devices
Block quarantined devices from accessing the network, or block users from logging into the network from devices on the Quarantined Device List. Follow these steps to configure Authentication Settings to prevent users from logging into GlobalProtect from a quarantined device:
- Select Workflows > Prisma Access Setup > GlobalProtect.
- Scroll down to User Authentications and select Authentication Settings. The Authentication Settings screen appears.
- Select the checkbox for Block Login for Quarantined Devices.
- Select Save.
Use Quarantine Device List for Security Policy Enforcement
Prevent quarantined devices from sending or receiving traffic on the network by specifying options in a security rule. Follow these steps to configure Security Policy to use your Quarantined Device List for this purpose:
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy from the sidebar.
- Scroll down to Security Rules and select Add Rule. The Add Security Policy Rule screen appears.
- Scroll down to DEVICES under either Source or Destination and select Match Quarantined Devices. This tells the rule to use the devices in the quarantine list as match criteria: select it under Source to match traffic sent by quarantined devices, or under Destination to match traffic sent to them.
- Under Action and Advanced Inspection, specify an action that blocks the quarantined device, such as Deny, as required by your rule.
- Select Save.
Policy Object: Quarantine Device Lists (PAN-OS & Panorama)
Configure the quarantine list feature for Panorama Managed Prisma Access mobile user (GlobalProtect) deployments.

To redistribute quarantine information to and from service connections, the Panorama that manages Prisma Access, and next-generation firewalls, complete the following steps.
1. Make sure that the Panorama management IP address is able to communicate with the User-ID Agent Address for all service connections to which you want to redistribute quarantine list information. Communication between the User-ID Agent Address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
   - To find the User-ID Agent Address, select Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address.
   - To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser address bar when you access Panorama.
2. Allow Prisma Access to redistribute quarantine list information.
   - In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
   - Click the gear icon to edit the settings.
   - In the Advanced tab, select Enable Quarantine List Redistribution. Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
   - Commit and Push your changes.
3. Configure Panorama to receive quarantine list information from Prisma Access by configuring the management interface settings.
   - In the Panorama that manages Prisma Access, select Panorama > Setup > Interfaces.
   - Select the Management interface.
   - Select User-ID.
4. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
   - From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
   - Make a note of the User-ID Agent Address for each service connection.
   - Select Panorama > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port. Make sure that your network does not block access to this port between Panorama and Prisma Access.
   - (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
   - Select Quarantine List; then click OK.
   - Repeat these sub-steps to add an agent for every service connection in your Prisma Access deployment.
   - Select Commit > Commit to Panorama to save your changes locally on the Panorama that manages Prisma Access.
5. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
   - Find the management IP address of the Panorama that manages Prisma Access. This address displays in the web browser address bar when you access Panorama.
   - Make sure that you are in the Service_Conn_Template template, then select Device > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the management IP address of the Panorama appliance as the Host and 5007 as the Port.
   - Select Quarantine List; then click OK.
6. Configure a data redistribution agent that redistributes quarantine list information from the service connections to the mobile user gateways.
   - From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
   - Make a note of the User-ID Agent Address of the service connection from which you want to redistribute quarantine list information. Because all service connections hold the same redistributed quarantine list information, you can choose any service connection. You can also configure more than one service connection.
   - Make sure that you are in the Mobile_User_Template template, then select Device > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port. Make sure that your network does not block access to this port between Panorama and Prisma Access.
   - (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
   - Select Quarantine List; then click OK.
   - Commit and Push your changes.
7. View your quarantine list information by selecting Panorama > Device Quarantine. See View Quarantined Device Information in the GlobalProtect Administrator's Guide for details.
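The procedure above configures three kinds of Data Redistribution agent, each of which needs TCP port 5007 open in one direction: Panorama to each service connection's User-ID Agent Address, each service connection to Panorama's management IP, and the mobile user gateways to a service connection. The script below is an added example, not Palo Alto Networks code and not part of this page: it turns that topology into an explicit list of legs and probes the only leg that can be tested from outside Prisma Access, namely a host that shares Panorama's management network and route toward the service connections. The Panorama address, the service connection names, the User-ID Agent Addresses and the leg labels are constructed placeholders; the other two legs originate inside Prisma Access and are listed so you can check the corresponding firewall rules toward Panorama, not probed.

```python
"""Added example (not Palo Alto Networks code): enumerate the quarantine-list
redistribution legs from the procedure above and probe the one that is
reachable from outside Prisma Access. All addresses are constructed."""
import socket
from dataclasses import dataclass

REDIST_PORT = 5007  # the Port entered for every Data Redistribution agent above


@dataclass(frozen=True)
class ServiceConnection:
    name: str
    user_id_agent_address: str  # Panorama > Cloud Services > Status > Network Details


@dataclass(frozen=True)
class Leg:
    description: str
    source: str  # "panorama", a service connection name, or "mobile-user-gateways"
    host: str    # the agent's Host field
    port: int    # the agent's Port field


def build_check_plan(panorama_mgmt_ip: str, service_connections: list) -> list:
    """One Leg per agent the procedure configures: Panorama -> each SC (step 4),
    each SC -> Panorama via Service_Conn_Template (step 5), and the mobile user
    gateways -> one SC via Mobile_User_Template (step 6)."""
    plan = []
    for sc in service_connections:
        plan.append(Leg(f"Panorama -> {sc.name} (agent under Panorama > Data Redistribution > Agents)",
                        "panorama", sc.user_id_agent_address, REDIST_PORT))
        plan.append(Leg(f"{sc.name} -> Panorama (agent in Service_Conn_Template)",
                        sc.name, panorama_mgmt_ip, REDIST_PORT))
    # Step 6 needs only one service connection, since every SC holds the same list.
    first = service_connections[0]
    plan.append(Leg(f"Mobile user gateways -> {first.name} (agent in Mobile_User_Template)",
                    "mobile-user-gateways", first.user_id_agent_address, REDIST_PORT))
    return plan


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_from_panorama_side(plan: list, timeout: float = 3.0) -> dict:
    """Probe only the legs whose source is Panorama. Legs that originate inside
    Prisma Access cannot be tested from here and are reported as None."""
    results = {}
    for leg in plan:
        if leg.source == "panorama":
            results[leg.description] = tcp_reachable(leg.host, leg.port, timeout)
        else:
            results[leg.description] = None
    return results


def loopback_selfcheck() -> tuple:
    """Sanity-check tcp_reachable against a local listener: (open, closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()  # port is now closed; a new connect is refused
    closed_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Constructed placeholders from RFC 5737 documentation ranges, not real addresses.
    panorama = "203.0.113.10"
    scs = [ServiceConnection("sc-us-east", "192.0.2.5"),
           ServiceConnection("sc-eu-west", "192.0.2.6")]
    for desc, ok in probe_from_panorama_side(build_check_plan(panorama, scs)).items():
        state = "n/a (originates inside Prisma Access)" if ok is None else ("OK" if ok else "BLOCKED")
        print(f"{state:>40}  {desc}")
```

Run it from a host that takes the same route to the service connections as Panorama's management interface; a BLOCKED result on a Panorama leg means the agent you added in step 4 will not connect, and the plan's remaining entries tell you which addresses must be allowed to reach Panorama's management IP on 5007 for steps 5 and 6.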