Network Security
Policy Object: Quarantine Device Lists (PAN-OS & Panorama)
Configure the quarantine list feature for Panorama Managed Prisma Access mobile user (GlobalProtect) deployments. To redistribute quarantine information to and from service connections, the Panorama that manages Prisma Access, and next-generation firewalls, complete the following steps.

1. Make sure that the Panorama management IP address is able to communicate with the User-ID Agent Address for all service connections to which you want to redistribute quarantine list information. Communication between the User-ID Agent Address of the service connection and the management IP address of Panorama is required for Prisma Access to send and receive quarantine list information between Panorama and the service connections.
   - To find the User-ID Agent Address, select Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address.
   - To find the management IP address of the Panorama that manages Prisma Access, note the IP address that displays in the web browser when you access Panorama.

2. Allow Prisma Access to redistribute quarantine list information.
   - In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
   - Click the gear icon to edit the settings.
   - In the Advanced tab, select Enable Quarantine List Redistribution. Enabling quarantine list redistribution allows Prisma Access to redistribute the quarantine list information received from one or more mobile user locations (gateways) to service connections.
   - Commit and Push your changes.

3. Configure Panorama to receive quarantine list information from Prisma Access by configuring management interface settings.
   - In the Panorama that manages Prisma Access, select Panorama > Setup > Interfaces.
   - Select the Management interface.
   - Select User-ID.

4. Configure a data redistribution agent that redistributes quarantine list information from the service connections to Panorama.
   - From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
   - Make a note of the User-ID Agent Address (Panorama > Cloud Services > Status > Network Details > Service Connection > User-ID Agent Address) for each service connection.
   - Select Panorama > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port. Make sure that your network does not block access to this port between Panorama and Prisma Access.
   - (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
   - Select Quarantine List; then, click OK.
   - Repeat the preceding sub-steps to add an agent for each of the service connections in your Prisma Access deployment.
   - Select Commit > Commit to Panorama to save your changes locally on the Panorama that manages Prisma Access.

5. Configure a data redistribution agent that redistributes quarantine list information from Panorama to the service connections.
   - Find the management IP address of the Panorama that manages Prisma Access. This address displays in the web browser address bar when you access Panorama.
   - Make sure that you are in the Service_Conn_Template template, then select Device > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the management IP address of the Panorama appliance as the Host and 5007 as the Port.
   - Select Quarantine List; then, click OK.

6. Configure a data redistribution agent that redistributes quarantine list information from the service connections to mobile user gateways.
   - From the Panorama that manages Prisma Access, select Panorama > Cloud Services > Status > Network Details > Service Connection.
   - Make a note of the User-ID Agent Address of the service connection from which you want to redistribute quarantine list information. Since all service connections have the same redistributed quarantine list information, choose any service connection. You can also configure more than one service connection.
   - Make sure that you are in the Mobile_User_Template, then select Device > Data Redistribution > Agents.
   - Add a Data Redistribution agent, give it a Name, and select Enabled.
   - Enter the User-ID Agent Address of the service connection as the Host and 5007 as the Port. Make sure that your network does not block access to this port between Panorama and Prisma Access.
   - (Optional) If you have configured this service connection as a Collector (Device > Data Redistribution > Collector Settings), enter the Collector Name and Collector Pre-Shared Key.
   - Select Quarantine List; then, click OK.
   - Commit and Push your changes.

7. View your quarantine list information by selecting Panorama > Device Quarantine. See View Quarantined Device Information in the GlobalProtect Administrator's Guide for details.
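The procedure above creates three groups of data redistribution agents (per service connection on Panorama, one in Service_Conn_Template pointing back at Panorama, one in Mobile_User_Template pointing at a chosen service connection), all on TCP port 5007. The following helper, added here as an example and not Palo Alto Networks code, lays out those agents from the addresses you collected and checks that port 5007 answers from the host you run it on; the IP addresses and agent names are constructed placeholders, and the check is only meaningful when run from the network segment that will initiate each connection.

```python
"""Added example (not Palo Alto Networks code): plan the quarantine-list
redistribution agents and check TCP 5007 reachability.

Assumptions: the Panorama management IP and each service connection's
User-ID Agent Address come from the operator; sample values are constructed."""
import socket
from dataclasses import dataclass

QUARANTINE_PORT = 5007  # port every redistribution agent on this page uses


@dataclass
class RedistAgent:
    scope: str                     # where the agent is configured
    name: str                      # hypothetical agent name
    host: str                      # Host field of the agent
    port: int = QUARANTINE_PORT
    quarantine_list: bool = True   # "Quarantine List" is selected on every agent


def plan_agents(panorama_mgmt_ip, sc_agent_addresses, mobile_user_source=None):
    """Return the agents the procedure creates: one per service connection on
    Panorama, one in Service_Conn_Template pointing at Panorama, and one in
    Mobile_User_Template pointing at a chosen service connection."""
    if not sc_agent_addresses:
        raise ValueError("at least one service connection User-ID Agent Address is required")
    plan = [RedistAgent("Panorama", f"sc-quarantine-{i + 1}", addr)
            for i, addr in enumerate(sc_agent_addresses)]
    plan.append(RedistAgent("Service_Conn_Template", "panorama-quarantine", panorama_mgmt_ip))
    # Every service connection carries the same list, so any one of them will do.
    source = mobile_user_source or sc_agent_addresses[0]
    plan.append(RedistAgent("Mobile_User_Template", "sc-quarantine-source", source))
    return plan


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, or timed out
        return False


def check_plan(plan, timeout=3.0):
    """Reachability of each agent's Host on its Port, keyed by agent name."""
    return {a.name: tcp_reachable(a.host, a.port, timeout) for a in plan}


if __name__ == "__main__":
    # Constructed values; replace with the addresses noted from Panorama > Cloud Services > Status.
    demo = plan_agents("198.51.100.10", ["192.0.2.21", "192.0.2.22"])
    for agent in demo:
        print(agent)
    print(check_plan(demo, timeout=1.0))
```

A False entry for a service-connection agent points at a filter on port 5007 between Panorama and Prisma Access, which is the blocking condition the procedure warns about.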