Unable to unquarantine devices when Palo Alto Networks Global Protect VPN is installed/running

Article ID: 399749

Products

  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Audit and Remediation
  • Carbon Black Cloud Container
  • Carbon Black Cloud Workload
  • Carbon Black Cloud Enterprise EDR

Issue/Introduction

After upgrading Palo Alto Networks Global Protect to 6.1.2 or higher, each time an endpoint with Global Protect VPN enabled is requested to quarantine, it loses network connectivity to the CB Cloud console and cannot be un-quarantined.

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Microsoft Windows OS: All Supported Versions
  • Palo Alto Networks Global Protect VPN: 6.1.2 and Higher

Cause

Global Protect VPN appears to take over DNS resolution even before the CB Cloud quarantine starts. As noted by Palo Alto Networks, all such requests are identified in the WFP (Windows Filtering Platform) callouts as SYSTEM. The CB Cloud network callout skips the quarantine exclusion check for SYSTEM, so the CB Cloud network exclusions (including the console addresses) are ignored and the quarantined endpoint can no longer reach the console.

Resolution

  • This issue is still under investigation and will likely require the first version of the Quarantine Exclusions feature, expected in a future release.
  • As a workaround, a "quarantine" policy can be set up with a blocking rule like:
    Process: **
    Operation Attempt: Communicates over the network
    Action: Deny

Additional Information

The quarantine blocking rule only affects new network connections; network connections that are already established when the policy is applied are not stopped or terminated by it.
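Because the deny rule leaves established connections untouched, it helps to know which connections exist on the endpoint before the "quarantine" policy is applied to it. The following PowerShell snippet is an added example, not part of this article or of the Carbon Black Cloud product; it assumes a Windows endpoint with the built-in NetTCPIP module (Get-NetTCPConnection) and an elevated PowerShell 5.1 or later session, and the optional $ProcessFilter parameter is an assumed convenience for narrowing the report to a process name pattern.

```powershell
# Added example (not from the KB article): list the established TCP connections
# on a Windows endpoint, grouped by owning process, so that the connections a
# "Communicates over the network -> Deny" rule will NOT terminate are known
# before the quarantine policy is assigned.
# Assumes: Windows, NetTCPIP module available, elevated session (needed to read
# connections owned by SYSTEM services).
param(
    # Optional wildcard pattern to restrict the report to matching process names.
    [string]$ProcessFilter = '*'
)

# Only established sessions matter here; listening sockets accept NEW
# connections, which the deny rule does cover.
$established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

$report = foreach ($conn in $established) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    if ($name -notlike $ProcessFilter) { continue }
    [pscustomobject]@{
        Process       = $name
        PID           = $conn.OwningProcess
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
    }
}

# Per-process summary: these sessions survive the deny rule until they close.
$report | Group-Object Process | Sort-Object Count -Descending |
    ForEach-Object { '{0,-30} {1,5} established connection(s)' -f $_.Name, $_.Count }

# Full detail, e.g. to attach to a support case or compare after quarantine.
$report | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```

Run it once before assigning the quarantine policy and again afterwards; any session present in both runs is one the rule did not cut, which is the expected behaviour described above rather than a policy failure.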