Configure Third-Party Device-ID

Third-Party Device-ID allows you to leverage information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. Third-Party Device-ID enables Prisma Access to obtain and use information from third-party IoT visibility solutions through the Cloud Identity Engine for device visibility and control.
When you configure Third-Party Device-ID, the third-party IoT solutions can use an API to provide the Device-ID verdicts to a secure cloud-based infrastructure, the Third-Party Device-ID service, that provides the information to the Prisma Access Security Processing Nodes (SPNs).
The same verdicts display as IP address-to-device mappings in the Cloud Identity Engine, allowing you to confirm that the Device-ID verdicts are available to your Palo Alto Networks applications. After the Prisma Access SPNs receive the IP address-to-device mappings and the third-party IoT solution information is available in the Cloud Identity Engine, any matching device-based policies defined in Prisma Access are enforced.
The following diagram depicts how the Third-Party Device-ID service receives the device information from the third-party IoT solutions, which it then transmits as IP address-to-device mappings to the Cloud Identity Engine and the Prisma Access SPNs.
Before you begin the procedure, obtain from your network administrator a certificate signing request and its key for the vendor of each third-party IoT solution you want to use with Third-Party Device-ID.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    If you have not already done so, configure the Cloud Identity Engine.
    1. Log in to the hub and select the Cloud Identity Engine tenant you want to use, then select User Context > Third-Party Device-ID.
    2. Select the Location of your tenant.
      Because you can only select the region once and you cannot change it after making a selection, verify your region before selecting it during Third-Party Device-ID activation.
    3. Click Add New Management System.
  2. Upload the certificate signing request (CSR) from the third-party IoT solution.
    1. Enter a unique Configuration Name (for example, the vendor of the third-party IoT solution).
    2. Click Browse Files or drag and drop to upload the certificate signing request (CSR) file from the third-party IoT solution.
      Contact the administrator of the third-party IoT solution to obtain the CSR file.
      You can only upload a CSR once for each configuration. If you need to update or change the configuration, you must create a new CSR.
  3. Obtain the signed certificate and the API key to import to the management system for your third-party IoT solution.
    1. Click Sign CSR and Export to download the certificate that you must import to the third-party IoT solution management system.
      To help prevent any security risk for the certificate or the API key, be sure to store both the signed certificate and the API key in a secure location.
    2. Click Generate New API Key to generate an API token to authenticate the third-party IoT solution.
      The API key is a token that contains information about the third-party IoT solution and other required information, such as the identifier for the tenant and the token’s expiration.
      If the API key becomes compromised, you must generate a new API key and import the new key to the third-party IoT solution management system.
    3. Copy the API key, then import both the signed certificate that you downloaded and the API key that you generated to the management system for your third-party IoT solution, and configure the IoT solution to use these files to communicate with the Third-Party Device-ID.
      To ensure that the third-party IoT solution can successfully communicate with the Third-Party Device-ID, you must upload both the signed certificate from the previous step and the API key. Create a configuration for each third-party vendor in your network that you want to use with Third-Party Device-ID. The configuration for each vendor must have a unique signed certificate and API key; do not use the same certificate or API key in more than one configuration.
  4. Review the information to verify the configuration is correct.
  5. After you use the API commands to obtain the information from the third-party IoT solutions, select Mappings to view information about the devices that the Third-Party Device-ID has detected and their IP address-to-device mappings.
    You can search the IP address-to-device mappings by IP address by entering the IP address and clicking Apply Search.
    Now that your Third-Party Device-ID configuration is complete, you can:
    • Use the APIs to manage how your third-party IoT solutions share information with Third-Party Device-ID.
    • Use Device-ID features such as the Device Dictionary to manage and edit device information.
    For more information, refer to the Prisma Access documentation.
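
Step 3 requires that each vendor configuration has both a signed certificate and an API key, that the two are stored securely, and that neither is reused across configurations. The following Python script checks those three points on the host where the files are kept. It is an added example, not part of the Palo Alto Networks documentation; the directory layout, file names and sample contents are assumptions constructed for illustration.

```python
# Added example (not vendor code). Assumed layout: <root>/<vendor>/signed_cert.pem, api_key.txt
import hashlib
import tempfile
from pathlib import Path

REQUIRED = ("signed_cert.pem", "api_key.txt")  # hypothetical file names


def audit(root):
    """Return a sorted list of findings for the vendor directories under root."""
    findings = []
    seen = {}  # (file name, SHA-256 digest) -> first vendor that used it
    for vendor_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for name in REQUIRED:
            path = vendor_dir / name
            if not path.is_file():
                findings.append(f"{vendor_dir.name}: missing {name}")
                continue
            # Secure storage: no permission bits for group or others.
            if path.stat().st_mode & 0o077:
                findings.append(f"{vendor_dir.name}: {name} accessible to group or others")
            digest = hashlib.sha256(path.read_bytes().strip()).hexdigest()
            first = seen.setdefault((name, digest), vendor_dir.name)
            if first != vendor_dir.name:
                # Each configuration needs its own certificate and API key.
                findings.append(f"{vendor_dir.name}: {name} reused from {first}")
    return sorted(findings)


def build_sample(root):
    """Create constructed sample data: three vendors with placeholder contents."""
    samples = {
        "vendor-a": {"signed_cert.pem": b"CERT-A", "api_key.txt": b"KEY-A"},
        "vendor-b": {"signed_cert.pem": b"CERT-B", "api_key.txt": b"KEY-A\n"},
        "vendor-c": {"signed_cert.pem": b"CERT-C"},
    }
    for vendor, files in samples.items():
        directory = Path(root) / vendor
        directory.mkdir(parents=True)
        for name, data in files.items():
            path = directory / name
            path.write_bytes(data)
            path.chmod(0o644 if vendor == "vendor-c" else 0o600)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit(tmp)))
```

Files are compared by SHA-256 digest, so the script never prints certificate or key material.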
