
PAN-OS: GlobalProtect Device Quarantine

Starting with PAN-OS 9.1 (paired with the GlobalProtect app 5.1), Palo Alto Networks introduced a native feature that lets administrators quarantine devices attempting to connect via GlobalProtect, manually or automatically. It gives the firewall a direct way to deny VPN access to endpoints that appear compromised or non-compliant, keyed on the device itself rather than on an IP address or user that can change between sessions.

How Device Quarantine Works

The core mechanism relies on the Host ID, a unique per-endpoint identifier that the GlobalProtect app collects and reports to the firewall for each connecting device. The process involves:

  • Identifying Devices: Each device is identified by its Host ID, which the app sends with every connection, so the identity survives IP address changes and re-authentication.
  • Creating a Quarantine List: Administrators (or automated processes) add the Host IDs of devices that must be quarantined to a dedicated list on the firewall or Panorama (Device > Quarantine Device).
  • Enforcing Quarantine via the GlobalProtect Gateway: The gateway is configured to check every incoming connection request against the quarantine list. If the connecting device's Host ID matches an entry, the connection is refused.
Key Point: The quarantine action is enforced by the GlobalProtect Gateway, which consults the Device Quarantine list and blocks connections from any device whose Host ID is present on it.

Automating Quarantine

Devices can be added to the quarantine list manually, but the real value is in letting the firewall do it from its own logs:

  • Log Forwarding Profiles: Configure a profile (Objects > Log Forwarding) that watches the log types of interest, for example Threat logs carrying high- or critical-severity malware hits, URL logs showing visits to malware sites, or Authentication logs showing repeated failures.
  • Match List Filter: In the profile's match list (or under Device > Log Settings for log types such as System, GlobalProtect and HIP Match that are not handled by a Log Forwarding profile), define the filter expression that selects the triggering events, for example (severity eq critical).
  • Built-in Action (Quarantine): Set the match-list action to quarantine, so that when a log entry matches the filter the firewall adds the Host ID of the device behind that log to the Device Quarantine list. The Host ID is known to the firewall because the traffic belongs to a GlobalProtect session; logs for traffic that did not arrive through GlobalProtect carry no Host ID and cannot be quarantined this way.
  • (Optional) Timeout: Configure a timeout on the action so that the Host ID is removed from the quarantine list automatically after the specified period instead of waiting for an administrator to clear it.

This allows the firewall to automatically restrict access for devices exhibiting suspicious behavior based on logged events.
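The flow described above (the Host ID check from "How Device Quarantine Works" and the log-driven procedure just listed), as an added offline model in Python. This is illustrative code written for this page, not Palo Alto Networks' implementation or API. The log records and filter strings are constructed, the filter evaluator is a simplification that only understands eq/neq terms joined by and/or, and the per-entry timeout follows the page's optional timeout step rather than a confirmed product detail.

```python
"""Offline model of GlobalProtect Device Quarantine: a log-forwarding match list
whose built-in action quarantines the Host ID behind a matching log, and a
gateway check that blocks quarantined Host IDs at connect time."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One PAN-OS-style filter term "(field eq value)" / "(field neq value)", or an and/or join.
_TOKEN = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+'?([^'()]+?)'?\s*\)|\b(and|or)\b")


def matches(filter_expr: str, record: dict) -> bool:
    """Evaluate a filter such as "(severity eq critical) or (severity eq high)"
    against one log record. Simplification (assumption): only eq/neq terms joined
    by and/or, evaluated left to right; nested grouping is not modelled."""
    result: Optional[bool] = None
    join = None
    for tok in _TOKEN.finditer(filter_expr):
        if tok.group(4):                      # "and" / "or" between terms
            join = tok.group(4)
            continue
        fld, op, value = tok.group(1), tok.group(2), tok.group(3).strip()
        term = str(record.get(fld, "")).lower() == value.lower()
        if op == "neq":
            term = not term
        if result is None:
            result = term
        elif join == "and":
            result = result and term
        else:
            result = result or term
        join = None
    return bool(result)


@dataclass
class QuarantineList:
    """Device > Quarantine Device, modelled as Host ID -> (expiry, reason)."""
    entries: dict = field(default_factory=dict)

    def add(self, hostid: str, reason: str, now: float, timeout_s: Optional[int] = None) -> None:
        expiry = None if timeout_s is None else now + timeout_s   # None = until an admin clears it
        self.entries[hostid] = (expiry, reason)

    def is_quarantined(self, hostid: str, now: float) -> bool:
        entry = self.entries.get(hostid)
        if entry is None:
            return False
        expiry, _ = entry
        if expiry is not None and now >= expiry:  # timed entry has lapsed: drop it
            del self.entries[hostid]
            return False
        return True


def process_logs(logs, match_list, qlist: QuarantineList, now: float) -> list:
    """Apply every match-list entry (filter, timeout) to every log record; on a hit,
    quarantine the Host ID carried by the record. Records without a Host ID (traffic
    that did not come through a GlobalProtect session) cannot be quarantined this way."""
    hit = []
    for rec in logs:
        for flt, timeout in match_list:
            if matches(flt, rec) and rec.get("hostid"):
                qlist.add(rec["hostid"], flt, now, timeout)
                hit.append(rec["hostid"])
    return hit


def gateway_decision(hostid: str, qlist: QuarantineList, now: float) -> str:
    """What the gateway does with a connection request from this Host ID."""
    return "block" if qlist.is_quarantined(hostid, now) else "allow"


# Constructed sample records (not real firewall logs), reduced to the fields used here.
SAMPLE_LOGS = [
    {"type": "THREAT", "subtype": "virus", "severity": "critical", "src": "10.20.0.15",
     "hostid": "4f1c9b2e-host-a", "threat": "Virus/Win32.generic"},
    {"type": "THREAT", "subtype": "vulnerability", "severity": "low", "src": "10.20.0.16",
     "hostid": "a7e0d3c1-host-b", "threat": "Scan: port scan"},
    {"type": "URL", "subtype": "url", "category": "malware", "severity": "informational",
     "src": "10.20.0.17", "hostid": "c3b2a1f0-host-c", "url": "bad.example/payload"},
    {"type": "THREAT", "subtype": "spyware", "severity": "critical", "src": "192.0.2.44",
     "hostid": "", "threat": "Spyware"},          # not a GlobalProtect session: no Host ID
]
MATCH_LIST = [
    ("(severity eq critical) or (severity eq high)", None),   # stays until an admin clears it
    ("(category eq malware)", 3600),                          # timed entry, one hour (assumption)
]

if __name__ == "__main__":
    ql = QuarantineList()
    print("quarantined:", process_logs(SAMPLE_LOGS, MATCH_LIST, ql, now=1000))
    for hid in ("4f1c9b2e-host-a", "a7e0d3c1-host-b", "c3b2a1f0-host-c"):
        print(hid, "t=1000:", gateway_decision(hid, ql, 1000), "t=5000:", gateway_decision(hid, ql, 5000))
```

Running it shows host-a blocked at both times (untimed entry), host-b never blocked (its low-severity hit matched no filter), host-c blocked at t=1000 and allowed again at t=5000 once its timed entry lapses, and the critical hit from 192.0.2.44 producing no quarantine at all because the log carries no Host ID.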

Why Other Approaches Are Not the Primary Mechanism

  • Exporting to PDF/CSV + XSOAR: You *can* export the quarantine list and drive more elaborate orchestration or external integrations from XSOAR, but that is not how the *native* automatic quarantine feature is configured or enforced. The built-in path runs entirely on the firewall or Panorama and the GlobalProtect gateway.
  • Using only Security Policies, Log Forwarding, and Log Settings: Log Forwarding and Log Settings are the *triggering* half of automated quarantine; they do not perform the quarantine themselves. The action is the addition of the Host ID to the quarantine list, which the GlobalProtect Gateway then enforces. A Security Policy that blocks on source IP or user does not use the Host ID quarantine feature at all, and loses track of the device as soon as its address or login changes.
  • No Native Feature / Custom Script Needed: This was true before PAN-OS 9.1, but since that release device quarantine keyed on the Host ID is a **native feature**, so no custom scripting is required for the core functionality.

Device Quarantine Quiz (5 Questions)

1. Starting with which PAN-OS version was native GlobalProtect Device Quarantine introduced?

2. What unique identifier collected by the GlobalProtect agent is essential for the device quarantine feature?

3. Which component is primarily responsible for *enforcing* the quarantine by blocking VPN access from listed devices?

4. How can the process of adding a device's Host ID to the quarantine list be automated?

5. Is a custom script required to implement basic automatic device quarantine based on logs in PAN-OS 9.1 and later?