<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect quarantine in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-quarantine/m-p/506095#M2922</link>
    <description>&lt;P&gt;I am in the process of setting up HIP objects and profiles with the end result being a quarantine for devices that do not match for AV software and definitions along with Windows patch levels. I want to be able to automatically quarantine a device to allow it internet only so the user can fix the issue. I then want the device to be allowed back onto our network once the issue is fixed. I know I can automatically quarantine a device based on HIP objects and profiles but I can't figure out how to remove the device automatically from quarantine once it does match a HIP object and profile.&lt;/P&gt;</description>
    <pubDate>Fri, 24 Jun 2022 20:49:19 GMT</pubDate>
    <dc:creator>nikkikole</dc:creator>
    <dc:date>2022-06-24T20:49:19Z</dc:date>
    <item>
      <title>GlobalProtect quarantine</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-quarantine/m-p/506095#M2922</link>
      <description>&lt;P&gt;I am in the process of setting up HIP objects and profiles with the end result being a quarantine for devices that do not match for AV software and definitions along with Windows patch levels. I want to be able to automatically quarantine a device to allow it internet only so the user can fix the issue. I then want the device to be allowed back onto our network once the issue is fixed. I know I can automatically quarantine a device based on HIP objects and profiles but I can't figure out how to remove the device automatically from quarantine once it does match a HIP object and profile.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jun 2022 20:49:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-quarantine/m-p/506095#M2922</guid>
      <dc:creator>nikkikole</dc:creator>
      <dc:date>2022-06-24T20:49:19Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect quarantine</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-quarantine/m-p/506161#M2924</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/183664"&gt;@nikkikole&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Using the quarantine feature for this actually &lt;EM&gt;isn't&lt;/EM&gt; what I would personally recommend. Rather than quarantine the device, why not create security rulebase entries around a corresponding HIP-Profile? Use the HIP Notification to alert the end-user that they have been restricted from accessing internal resources and why, and then use the HIP-Profile in the security rulebase to restrict matching endpoints from accessing internal resources and only allow them access to the internet. That way, as soon as the issue is corrected they can just re-submit their HIP data and the firewall will automatically start allowing traffic again once they no longer match the HIP Profile.&lt;/P&gt;
&lt;P&gt;If you use the Device Quarantine feature, the firewall won't automatically remove these entries once the issue has been fixed. You'd have to build out a remediation detection method and script the automated removal yourself. Quarantine is really meant for a compromised endpoint; I'd use HIP Profiles for "minor" correctable infractions like failing an AV check.&lt;/P&gt;</description>
      <pubDate>Sat, 25 Jun 2022 03:05:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-quarantine/m-p/506161#M2924</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-06-25T03:05:14Z</dc:date>
    </item>
  </channel>
</rss>

