IOT Security Support for CN-Series Firewall

Where Can I Use This?
What Do I Need?
  • IoT Security for CN-Series firewall
  • CDL license for IoT subscription that stores data in CDL
  • Panorama running with minimum PAN-OS 11.1 version
For the Palo Alto Networks next-generation CN-Series firewall, the IoT Security solution uses machine learning (ML) to provide visibility of discovered IoT devices based on the metadata in the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assesses risk in devices based on their network traffic behaviors and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your CN-Series firewall. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.
When using IoT Security Subscription, which stores data in Cortex Data Lake, you need one Cortex Data Lake license per account and must ensure that the CDL configuration for your CN-Series firewall is complete.
For more information, see IoT Security Prerequisites.

Configure IOT Support for CN-Series Firewall

You must ensure that your environment meets all prerequisites for deploying IoT Security with CN-Series firewall. For more information, see IoT Security Prerequisites.
To configure the IoT - Requires Data Lake subscription for CN-Series firewall, you must complete the following steps. Before you begin, you must ensure that you onboard your Panorama onto the CDL instance. For more information, see Onboard firewalls with Panorama.
  1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security Subscriptions Through Common Services.
  2. Onboard the CDL tenant to the TSG. You must ensure that you purchase the CDL and activate it using the Magic link before using it in the TSG.
  3. Create a CN-Series Deployment Profile with the IoT - Requires Data Lake option.
  4. Click Finish Setup. Once you associate the deployment profile with the TSG and click Activate, an IoT tenant is created if one doesn't already exist.
    You can then forward the collected metadata to the cloud-based logging service, where IoT Security uses it to identify the IoT devices on the network.
  5. Provision Panorama and generate a serial number. For more information, see Register Panorama and Install Licenses.
  6. Configure your CN-Series firewall with Panorama, using the auth code to push licenses from Panorama to the CN-Series firewall through the Kubernetes plugin. For more information, see Configure Panorama to Secure a Kubernetes Deployment.
    Apply the deployment auth code to the Kubernetes plugin in Panorama.
    You can now see your CN-Series firewall onboarded on an IoT tenant.
  7. Configure the template vwire to allow traffic and enable Device-ID in the zone.
    You can use the default template K8S-Network-Setup-V2 and make the following changes in that template:
    • Enable link state passthrough and multicast firewalling for the default vwire.
    • Enable device identification for the default zone.
    For more information, see Configure Virtual Wires.
  8. Configure the Enable Cortex Data Lake and Enable Enhanced Application Logging options in Panorama for the CN-Series firewall. For more information, see CDL configuration for your CN-Series firewall.
To configure the IoT Security, Doesn't Require Data Lake subscription for CN-Series firewall, you must complete the following steps:
Note: You must ensure that you onboard your Panorama onto the CDL instance. When using the IoT Security, Doesn't Require Data Lake subscription, you must register your Panorama in the IoT portal after adding the CN-Series firewall. For more information, see Step 2 in Prepare Your Firewall for IoT Security.
  1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security Subscriptions Through Common Services.
  2. Create a CN-Series Deployment Profile with the IoT - Doesn’t Require Data Lake option.
  3. Set up your IoT instance and select the Finish Setup option to associate your deployment profile with the tenant service group (TSG). This enables the logging service on your CN-Series firewall and configures it to obtain and log network traffic metadata. For more information, see Prepare Your Firewall for IoT Security.
    You can then forward the collected metadata to the cloud-based logging service, where IoT Security uses it to identify the IoT devices on the network.
  4. Provision Panorama and generate a serial number. For more information, see Register Panorama and Install Licenses.
  5. Configure your CN-Series firewall with Panorama, using the auth code to push licenses from Panorama to the CN-Series firewall through the Kubernetes plugin. For more information, see Configure Panorama to Secure a Kubernetes Deployment.
    Apply the deployment auth code to the Kubernetes plugin in Panorama. You can now see your CN-Series firewall onboarded on an IoT tenant.
  6. Configure the template vwire to allow traffic and enable Device-ID in the zone. For more information, see Configure Virtual Wires.
    You can use the default template K8S-Network-Setup-V and make the following changes in that template:
    • Enable link state passthrough and multicast firewalling for the default vwire.
    • Enable device identification for the default zone.
    The vwire configured in k8s-template-v2 allows link state passthrough and multicast firewalling. The zone configuration of k8s-template-v2 enables device identification.
  7. Configure the Enable Cortex Data Lake and Enable Enhanced Application Logging options in Panorama for the CN-Series firewall. For more information, see CDL configuration for your CN-Series firewall.
After you have successfully onboarded your Panorama and CN-Series firewall onto the cloud-based logging service, go to your IoT instance.
After IoT Security has sufficient information to identify devices from their network behavior, it provides CN-Series firewall with IP address-to-device mappings and Panorama with policy recommendations that the Panorama administrator can import and then push to CN-Series Firewall to enforce policy on IoT device traffic.
Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status of the logs that the logging service is streaming to the IoT Security application. For more information, see IoT Security Integration Status with Firewalls.