GlobalProtect quarantine


L0 Member

I am in the process of setting up HIP objects and profiles with the end result being a quarantine for devices that do not match for AV software and definitions along with Windows patch levels. I want to be able to automatically quarantine a device to allow it internet only so the user can fix the issue. I then want the device to be allowed back onto our network once the issue is fixed. I know I can automatically quarantine a device based on HIP objects and profiles but I can't figure out how to remove the device automatically from quarantine once it does match a HIP object and profile.

1 REPLY 1

Cyber Elite

@nikkikole,

Using the quarantine feature for this actually isn't what I would personally recommend. Rather than quarantine the device, why not create security rulebase entries around a corresponding HIP-Profile? Use the HIP Notification to alert the end-user that they have been restricted from accessing internal resources and why, and then use the HIP-Profile in the security rulebase to restrict matching endpoints from accessing internal resources and only allow them access to the internet. That way, as soon as the issue is corrected they can just re-submit their HIP data and the firewall will automatically start allowing traffic again once they no longer match the HIP Profile.

If you use the Device Quarantine feature, the firewall won't automatically remove these entries once the issue has been fixed. You'd have to build out a remediation detection method and script the automated removal yourself. Quarantine is really meant for a compromised endpoint; I'd use HIP Profiles for "minor" correctable infractions like failing an AV check.

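As an added illustration of the difference the reply describes (a constructed simulation, not PAN-OS code and not from the original thread): a rule keyed on a HIP profile is decided from each new HIP submission, whereas a quarantine entry persists until something removes it. The thresholds, field names, host name and dates below are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_DEF_AGE_DAYS = 7   # constructed threshold for the "AV definitions" HIP object
MIN_PATCH_LEVEL = 42   # constructed stand-in for a required Windows patch level

@dataclass(frozen=True)
class HipReport:
    """Subset of a HIP submission (constructed fields, not the real HIP schema)."""
    host: str
    av_installed: bool
    av_definitions: date   # release date of the signature set on the endpoint
    patch_level: int

def failed_checks(report: HipReport, today: date) -> list[str]:
    """Evaluate the HIP objects; the list is empty when the endpoint is compliant."""
    failures = []
    if not report.av_installed:
        failures.append("av-missing")
    elif (today - report.av_definitions).days > MAX_DEF_AGE_DAYS:
        failures.append("av-definitions-stale")
    if report.patch_level < MIN_PATCH_LEVEL:
        failures.append("patch-level-low")
    return failures

def hip_profile_policy(report: HipReport, today: date) -> str:
    """Rulebase keyed on the HIP profile: decided from the current report only,
    so a remediated endpoint regains access on its next HIP submission."""
    return "internet-only" if failed_checks(report, today) else "full-access"

class DeviceQuarantine:
    """Quarantine list: entries are added on a match and never leave on their own."""
    def __init__(self) -> None:
        self.entries: set[str] = set()

    def policy(self, report: HipReport, today: date) -> str:
        if failed_checks(report, today):
            self.entries.add(report.host)
        return "internet-only" if report.host in self.entries else "full-access"

def simulate() -> tuple[str, str]:
    """Return (HIP-profile decision, quarantine decision) after remediation."""
    today = date(2024, 6, 1)  # constructed dates
    stale = HipReport("laptop-01", True, today - timedelta(days=30), 42)
    fixed = HipReport("laptop-01", True, today, 42)  # same host, definitions updated
    q = DeviceQuarantine()
    q.policy(stale, today)   # first submission fails, host lands in quarantine
    return hip_profile_policy(fixed, today), q.policy(fixed, today)

if __name__ == "__main__":
    print(simulate())  # ('full-access', 'internet-only')
```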