CDL license for IoT subscription that stores data in CDL
Panorama
running with minimum PAN-OS 11.1 version
For Palo Alto Networks next-generation CN-Series firewall, the IoT Security
solution uses machine learning (ML) to provide visibility of discovered IoT devices
based on the meta-data in the logs it receives from the firewall. IoT Security also
identifies vulnerabilities and assess risk in devices based on their network traffic
behaviors and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a
reference when manually adding rules to your CN-Series firewall. IoT Security always
generates Security policy rule recommendations regardless of the PAN-OS version.
You must ensure that your environment meets all prerequisites for deploying
IoT Security with CN-Series firewall. For more information, see IoT Security Prerequisites.
To configure
IoT - Requires Data Lake
subscription for CN-Series
firewall, you must complete the following steps:
You must
ensure that you onboard your Panorama onto the CDL instance. For more
information, see Onboard firewalls with
Panorama.
Create a Tenant Service Group (TSG). For more information, see
. Once you associate the deployment
profile to the TSG and click
Activate
, an IoT tenant will be created
if one doesn't already exist.
You can then forward the collected metadata to the cloud-based
logging service where IoT Security uses it to identify various IoT devices
on the network.
Configure your CN-Series firewall with Panorama using the auth code
to push licenses from Panorama to CN-Series firewall using the kubernetes
plugin. For more information, see Configure Panorama to Secure a Kubernetes
Deployment.
Apply deployment authcode to Kubernetes plugin in Panorama.
You can now see your CN-series firewall onboarded on an IoT tenant.
Configure template vwire to allow and enable device id in zone.
You can use the Default template
K8S-Network-Setup-V2
and
make the following changes in that template:
Enable link state passthrough and multicast firewall for
default vwire.
subscription for
CN-Series firewall, you must complete the following steps:
Note
: You must ensure that you onboard your Panorama onto the CDL instance.
When using IoT Security, Doesn't Require Data Lake Subscription, you must register
your Panorama in the IoT portal after adding the CN-series Firewall. For more
information, see
option to
associate your deployment profile with the tenant service group (TSG) to
enable logging service on your CN-Series firewall and configure it to obtain
and log network traffic metadata. For more information, see Prepare Your Firewall for IoT
Security.
You can then forward the collected metadata to the cloud-based
logging service where IoT Security uses it to identify various IoT devices
on the network.
Configure your CN-Series firewall with Panorama using the auth code
to push licenses from Panorama to CN-Series firewall using the kubernetes
plugin. For more information, see Configure Panorama to Secure a Kubernetes
Deployment.
Apply deployment authcode to Kubernetes plugin in Panorama. You can now see
your CN-series firewall onboarded on an IoT tenant.
Configure template vwire to allow and enable device ID in zone. For
more information, see Configure Virtual Wires.
You can use the Default template
K8S-Network-Setup-V
and
make the following changes in that template:
Enable link state passthrough and multicast firewall for
default vwire.
Vwire configured in k8s-template-v2 allows Link state pass
through and Multicast Firewalling. The zone configuration of the
k8s-template-v2 enables device identification
After you have successfully onboarded your Panorama and CN-Series firewall
onto the cloud-based logging service, go to your IoT instance.
After IoT Security has sufficient information to identify devices from
their network behavior, it provides CN-Series firewall with IP address-to-device
mappings and Panorama with policy recommendations that the Panorama administrator
can import and then push to CN-Series Firewall to enforce policy on IoT device
traffic.
Click
Administration
>
Sites and Firewalls
>
Firewalls
in the
IoT Security portal to see the status of logs that the logging service is streaming
to the IoT Security application. For more information, see IoT Security Integration Status with
Firewalls.