Activate IoT Security Subscriptions Through Common Services

Learn how to activate an IoT Security license on a single tenant through Common Services.
Verify if this activation process applies to you. If you are trying to activate IoT Security with the add-on Enterprise License Agreement (ELA), see activate an add-on enterprise license agreement instead.
After you receive an email from Palo Alto Networks identifying the IoT Security license you are activating, click the email link to begin the activation process.
To convert a trial IoT Security license to a production license, see convert trial license to production.
  1. To onboard IoT Security, open your IoT Security activation email and click Activate.
    Because IoT Security requires network traffic data for analysis, you must enable firewalls to forward logs with that data to a cloud logging service that IoT Security can access. There are two types of IoT Security subscriptions:
    • IoT Security Subscription - Doesn't Require Data Lake Subscription: (Available for all IoT Security products) This subscription sends data logs to a cloud logging service that streams them directly to IoT Security without storing them in a data lake.
    • IoT Security Subscription: (Available on Enterprise IoT Security Plus, Industrial OT Security, and Medical IoT Security) This subscription requires a Cortex Data Lake instance, which stores the data logs from firewalls. Firewalls forward logs to the logging service, which streams them directly to a Cortex Data Lake instance and to IoT Security. You can use an existing, already activated Cortex Data Lake instance or buy a new one to use.
    In addition to the IoT Security subscription and possibly a Cortex Data Lake subscription, you might have also purchased an IoT Security Third-party Integrations Add-on. This allows IoT Security to exchange information about devices, security alerts, and device vulnerabilities with third-party products that provide services such as asset management, network access control (NAC), network management, vulnerability scanning, and security information and event management (SIEM). IoT Security can also enhance the information it has by retrieving data about devices and vulnerabilities from third-party products. IoT Security supports third-party integrations through Cortex XSOAR.
  2. Log in to the hub with your Palo Alto Networks Customer Support credentials.
  3. Activate IoT Security.
    1. If you are activating a new IoT Security instance in a new tenant service group (TSG), choose Create New in the Tenant field and then enter a unique subdomain to complete the <subdomain>.iot.paloaltonetworks.com URL for your IoT Security application. This will be the URL where you log in to the IoT Security portal.
      Note: The subdomain is prepopulated with the domain name from your login email address, but you can change it if you want.
      or
      If you want to add a new IoT Security instance to an existing TSG, choose the TSG from the drop-down list. The remaining fields in this step change to read-only and show previously defined settings for the chosen tenant except the App Subdomain field. Because the IoT Security app subdomain didn’t previously exist, you must either accept the prepopulated subdomain derived from your login email address or enter a new, unique name.
    2. Select a customer support account. If you have more than one support account, select the one with firewalls to subscribe to IoT Security.
    3. Choose the data ingestion region, which is the region where the cloud logging service is receiving data from firewalls.
    4. Check what will be activated, read and agree to the terms and conditions, and then Activate the subscription.
      • IoT Security Subscription – Does Not Require Data Lake Subscription
        The following shows the activation page when an IoT Security Subscription – Does Not Require Data Lake Subscription is being activated for a new tenant. The activation page for Enterprise IoT Security has the same settings.
      • IoT Security Third-party Integration Add-on – Enterprise Plus, Industrial, or Medical
        If you purchased an IoT Security Third-party Integration Add-on, it appears on the activation page and will be activated at the same time as the IoT Security subscription.
      • IoT Security Subscription with Data Retention – Enterprise Plus, Industrial, or Medical
        If you are activating IoT Security Subscription with data retention on a Cortex Data Lake, both IoT Security and Cortex Data Lake products are present for activation together.
      If you are activating new instances, the activation process creates a Cortex Data Lake instance first and then an instance for your IoT Security portal. The process takes at least 5 minutes to complete and can take longer if the amount of server activity is higher than normal at the time of the activation.
      At this point, the IoT Security portal is activated. However, you must still assign firewalls to the TSG.
  4. Go to the Common Services > Device Associations tab to add firewalls to the TSG tenant, associate them with the IoT Security application, and then apply the IoT Security subscription to them: Device Associations.
  5. (Optional) Manage identity and access to IoT Security.
    To create an IoT Security user with owner privileges plus the ability to generate one-time passwords (OTPs) and pre-shared keys (PSKs), add a user account in the Customer Support Portal and assign a Superuser role in the relevant tenant service group (TSG) in Identity & Access (this is described in the following steps). To create an IoT Security user with all owner privileges except the ability to generate OTPs and PSKs, add the new user account in Identity & Access and assign a Superuser role in Identity & Access. To create an IoT Security user with read-only privileges, add a user account in Identity & Access and assign a View Only user role in Identity & Access.
    1. (Optional) Add a user account in the Customer Support Portal. New users only need to be added to the Customer Support Portal accounts if they need access to perform onboarding or offboarding tasks, such as generating OTPs and PSKs. To create a new user in the Customer Support Portal:
      1. Log in to the Customer Support Portal with superuser permissions, which allow you to create new user accounts.
      2. Select Members > Create New User, enter the required information, and then Submit.
      A new user account is created and added to the account as a member. An email notification is sent to the new user with login credentials.
    2. Log in to the hub, navigate to Common Services > Identity & Access > Access Management.
    3. Add user access. Users added in the Customer Support Portal are separate from users added in Identity & Access.
    4. To assign a role to the user you created, select the user, Assign Role, choose from the following options and Submit:
      • For Apps & Services, select IoT Security.
      • For Role, assign the Multitenant Superuser or Superuser roles to users you want to have the privileges of an owner role in IoT Security.
      • For Role, assign the View Only Administrator role to users you want to have the privileges of a read-only user in IoT Security.
      There isn’t a role in Common Services that maps to the Administrator role in IoT Security. See the Common Services FAQ for further information about the transition from RBAC roles to IAM roles.
  6. Continue setting up IoT Security to work with your firewalls.
    To log in to your IoT Security portal, select the IoT Security link on either the Tenant Management or Device Associations page.
    For IoT Security (Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security), see Onboard IoT Security.
    For Enterprise IoT Security, see Onboard Enterprise IoT Security.
    For Enterprise IoT Security Plus, Industrial OT Security, or Medical IoT Security with a Cortex Data Lake, click the Cortex Data Lake link on the Tenant Management page to log in to the Cortex Data Lake application.