>
    IOT Security Support for CN-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Getting Started with CN-Series
    4. IOT Security Support for CN-Series Firewall
    Download PDF
    CN-Series

    IOT Security Support for CN-Series Firewall

    Table of Contents

    IOT Security Support for CN-Series Firewall

    Where Can I Use This?What Do I Need?
    • IoT Security for CN-Series firewall
    • Strata Logging Service license for IoT subscription that stores data in strata logging service
    • Panorama running with minimum PAN-OS 11.1 version
    For Palo Alto Networks next-generation CN-Series firewall, the IoT Security solution uses machine learning (ML) to provide visibility of discovered IoT devices based on the meta-data in the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assess risk in devices based on their network traffic behaviors and dynamically updated threat feeds.
    You can use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your CN-Series firewall. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.
    When using IoT Security Subscription, which stores data in Strata Logging Service, you need one Strata Logging Service license per account and must ensure that Strata Logging Service configuration for your CN-Series firewall is complete.
    For more information, see IoT Security Prerequisites.

    Configure IOT Support for CN-Series Firewall

    You must ensure that your environment meets all prerequisites for deploying IoT Security with CN-Series firewall. For more information, see IoT Security Prerequisites.
    To configure IoT - Requires Data Lake subscription for CN-Series firewall, you must complete the following steps:
    You must ensure that you onboard your Panorama onto the strata logging service instance. For more information, see Onboard firewalls with Panorama.
    1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security Subscriptions Through Common Services.
    2. Onboard strata logging service tenant to the TSG. You must ensure that you purchase the strata logging service and activate it using Magic link before using in TSG.
    3. Create a CN-Series Deployment Profile with IoT - Requires Data Lake option.
    4. Click Finish Setup. Once you associate the deployment profile to the TSG and click Activate, an IoT tenant will be created if one doesn't already exist.
      You can then forward the collected metadata to the cloud-based logging service where IoT Security uses it to identify various IoT devices on the network.
    5. Provision Panorama and generate a serial number. For more information, see Register Panorama and Install Licenses.
    6. Configure your CN-Series firewall with Panorama using the auth code to push licenses from Panorama to CN-Series firewall using the kubernetes plugin. For more information, see Configure Panorama to Secure a Kubernetes Deployment.
      Apply deployment authcode to Kubernetes plugin in Panorama.
      You can now see your CN-series firewall onboarded on an IoT tenant.
    7. Configure template vwire to allow and enable device id in zone.
      You can use the Default template K8S-Network-Setup-V2 and make the following changes in that template:
      • Enable link state passthrough and multicast firewall for default vwire.
      • Enable device identification for default zone.
      For more information, see Configure Virtual Wires.
    8. Configure the Enable Cloud Logging and Enable Enhanced Application Logging option on Panorama to CN-Series firewall. For more information, see Strata Logging Service configuration for your CN-Series firewall.
    To configure IoT Security, Doesn't Require Data Lakesubscription for CN-Series firewall, you must complete the following steps:
    Note: You must ensure that you onboard your Panorama onto the strata logging service instance. When using IoT Security, Doesn't Require Data Lake Subscription, you must register your Panorama in the IoT portal after adding the CN-series Firewall. For more information, see Step 2 in Prepare Your Firewall for IoT Security.
    1. Create a Tenant Service Group (TSG). For more information, see Step 3 in Activate IoT Security Subscriptions Through Common Services.
    2. Create a CN-Series Deployment Profile with IoT - Doesn’t Require Data Lake option.
    3. Set up your IOT instance and select Finish Setup option to associate your deployment profile with the tenant service group (TSG) to enable logging service on your CN-Series firewall and configure it to obtain and log network traffic metadata. For more information, see Prepare Your Firewall for IoT Security.
      You can then forward the collected metadata to the cloud-based logging service where IoT Security uses it to identify various IoT devices on the network.
    4. Provision Panorama and generate a serial number. For more information, see Register Panorama and Install Licenses.
    5. Configure your CN-Series firewall with Panorama using the auth code to push licenses from Panorama to CN-Series firewall using the kubernetes plugin. For more information, see Configure Panorama to Secure a Kubernetes Deployment.
      Apply deployment authcode to Kubernetes plugin in Panorama. You can now see your CN-series firewall onboarded on an IoT tenant.
    6. Configure template vwire to allow and enable device ID in zone. For more information, see Configure Virtual Wires.
      You can use the Default template K8S-Network-Setup-V and make the following changes in that template:
      • Enable link state passthrough and multicast firewall for default vwire.
      • Enable device identification for default zone.
        For more information, see Configure Virtual Wires.
        Vwire configured in k8s-template-v2 allows Link state pass through and Multicast Firewalling. The zone configuration of the k8s-template-v2 enables device identification.
    7. Configure the Enable Cloud Logging and Enable Enhanced Application Logging option Panorama to CN-Series firewall. For more information, see Strata Logging Service support on CN-Series.
    After you have successfully onboarded your Panorama and CN-Series firewall onto the cloud-based logging service, go to your IOT instance.
    After IoT Security has sufficient information to identify devices from their network behavior, it provides CN-Series firewall with IP address-to-device mappings and Panorama with policy recommendations that the Panorama administrator can import and then push to CN-Series Firewall to enforce policy on IoT device traffic.
    Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status of logs that the logging service is streaming to the IoT Security application. For more information, see IoT Security Integration Status with Firewalls.

    © 2024 Palo Alto Networks, Inc. All rights reserved.