This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect bricks machine with Carbon Black quarantine

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect bricks machine with Carbon Black quarantine

ErinWest
L2 Linker

‎11-07-2024 08:18 AM

We have been having an ongoing issue for several months (and we have had monthly Windows updates since as well as moved to GP 6.2.5) where if we use the quarantine function in Carbon Black, that the NIC card gets turned off, the machine is bricked basically and un-quarantine will not work-ie is loses all capability to communicate even if you plug in an ethernet cord. PA gave use an allow list for CB policies but a machine is still bricked off until you remove GP and then magically everything starts working again. 

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎11-11-2024 02:18 PM

@ErinWest,

I'm not sure how Carbon Black is handling a quarantine, but you generally won't expect to see an EDR tool actually turn off the NIC. Generally what happens is that the EDR essentially creates essentially NULL routes for anything but it's own communication and not actually disabling the NIC. That way releasing the device from quarantine can actually process properly.

 

Couple Questions:

  • Can you verify exactly what you mean by it disabling the NIC?
  • Are you enforcing a GlobalProtect connection for network access?

 

If you're enforcing a GlobalProtect connection for network access, you'll need to make an exception on the Carbon Black side of things so that quarantined devices can still communicate to your GlobalProtect portal/gateway(s). Otherwise you'll need to setup GlobalProtect enforcement exclusions and hope that you always keep Carbon Blacks requirements updated. In my experience, 10X easier to setup a quarantine exception so that your quarantined clients can still connect to GlobalProtect.

0 Likes Likes

ErinWest
L2 Linker

‎11-12-2024 08:15 AM

Its not the EDR turning off the NIC. GP has been doing that for us in a variety of scenarios; ie the networking card is turned off completely, ethernet, wifi nothing works until GP is removed and the computer rebooted. We already have Carbon Black on exception if GP is not running but since the NIC is turned off, it cannot communicate with anything that we have on exception. Also we have GP and ADEM whitelisting on the CB side as recommended but its still not working. 

0 Likes Likes
  • 191 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks