Device Security
Onboard Enterprise Device Security
Create a URL for your Enterprise Device Security portal and activate Enterprise
Device Security subscriptions for firewalls.
Follow the onboarding workflow to create a
URL for your Enterprise Device Security portal and activate Enterprise
Device Security subscriptions for your firewalls.
Keep the Enterprise Device Security activation email you received from
Palo Alto Networks. It contains confidential activation-related data, and if
you still have unused Enterprise Device Security licenses after completing the
onboarding process, you can click the Activate button in the email again to
repeat the process and activate more firewalls later.
If you have activated at least one Device Security license and then lose the
email, you can still start the activation process by logging in to your
Customer Support Portal account, selecting Activate Products, and then clicking
Activate Now for the Device Security license you want to use for onboarding.
(Enterprise License Agreement) When you have an Enterprise License Agreement
(ELA), begin the activation process by entering the authorization code that Palo
Alto Networks sends you in your Customer Support Portal account. For complete
step-by-step instructions, see Activate an Add-on Enterprise License Agreement
through Common Services.
When you have Enterprise Device Security subscriptions, the onboarding process
consists of the following main steps.
- Click Activate in the Enterprise Device Security activation email from Palo Alto Networks.
- Log in to the Palo Alto Networks hub.
- Activate Enterprise Device Security.
- Add firewalls to the tenant service group (TSG) and associate Device Security, and possibly other applications as well, with the firewalls.
- (Optional) Manage identity and access to Enterprise Device Security.
- Set up Enterprise Device Security and firewalls to work together.
For instructions for these first six steps, see Common Services: Subscription & Tenant Management. Then return here to continue the setup.
- Log in to the Enterprise Device Security portal and generate a one-time password (OTP) and pre-shared key (PSK) to get device and logging service certificates.
For information about the sites that next-generation firewalls contact to authenticate certificates when communicating with Enterprise Device Security, see Device Security.
To generate the OTP and PSK:
- As a user with owner privileges, click the Enterprise Device Security link on either the Tenant Management or Device Associations page and log in to the Enterprise Device Security portal. To be able to generate OTPs and PSKs, your user account must have been created in the Customer Support Portal (CSP) and assigned a superuser role in the relevant tenant service group (TSG) in Identity & Access. A superuser role in the hub provides owner privileges in Enterprise Device Security.
- Select Administration > Firewalls > OTP/PSK Generation.
- If you manage your firewalls with Panorama, choose Yes and enter its serial number. This links your Panorama management server with the applications in this TSG. You can find the Panorama serial number in your Customer Support Portal account under Assets > Devices. After you choose Yes and enter your Panorama serial number, Enterprise Device Security displays the materials you need to get the certificate or certificates that firewalls need to secure their connections with Enterprise Device Security and the logging service. To get a device certificate, follow the link to the Customer Support Portal and log in to your account. To generate an OTP or PSK to get a logging service certificate, click the Generate icon next to each field. If you don't use Panorama, choose No. Because an OTP for a logging service certificate applies only to Panorama, it isn't shown.
Consider the following points when deciding which certificates you need and how to generate them:
Device Certificate: From PAN-OS 10.0, firewalls require a device certificate to authenticate with Enterprise Device Security and, from PAN-OS 10.1, to also authenticate with the logging service. To generate and install a device certificate on firewalls directly or through Panorama:
- Generate and install a device certificate on each firewall.
- Use Panorama to generate and install a device certificate on one or more firewalls.
Logging Service Certificate – One-Time Password: An OTP is necessary for Panorama to verify itself with its logging service instance and obtain logging service certificates for Panorama-managed firewalls running PAN-OS 8.1-10.0. A logging service certificate authenticates firewalls with the logging service. To generate and use the OTP:
- Log in to the Customer Support Portal.
- Select Assets > Device Certificates and then Generate OTP.
- For the Device Type, select Generate OTP for Panorama and then Generate OTP.
- Select the Panorama Device serial number.
- Generate OTP and then copy the OTP.
- Log in to the Panorama web interface as an admin user and select Panorama > Setup > Management > Device Certificate and then Get certificate.
- Paste the OTP and then click OK.
Logging Service Certificate – Pre-Shared Key: A PSK is necessary to generate a logging service certificate on firewalls without Panorama management running PAN-OS 9.0.6-10.0.x. A logging service certificate authenticates firewalls with the logging service. To generate a logging service certificate:
- Regenerate the PSK if necessary and copy it. Treat the PSK like any other credential, since it is what the firewall presents to obtain the certificate.
- Log in to your PAN-OS 9.0.6-10.0.x firewall and select Device > Setup > Management.
- In the Strata Logging Service section, click Connect next to Onboard without Panorama. This opens the Onboard without Panorama dialog box.
- Paste the PSK and click Connect. The firewall first connects to the Customer Support Portal, submits the PSK, and downloads a logging service certificate. It then uses the certificate to authenticate itself and connect securely to the logging service.
- Click the Edit icon (gear) for Strata Logging Service. Select Enable Duplicate Logging (Cloud and On-Premises) and Enable Enhanced Application Logging.
- Choose the region where the logging service will ingest logs from your firewalls. For PA-7000 and PA-5200 models, enter the number of connections for sending logs from the firewall to the logging service. The range is 1-20 and the default is 5.
- When done, click OK.
The term "Strata Logging Service" is a bit of a misnomer here. The firewall forwards logs to the logging service, which only streams them to Enterprise Device Security. Enterprise Device Security doesn't use Strata Logging Service itself, but it still requires that this setting be enabled in order to receive logs.
Prepare the firewall for Enterprise Device Security.
- While logged in to your firewall, enable Device-ID in each zone where you want to use it to enforce Security policy rules. Select Network > Zones, select a zone, select Enable Device Identification, and then click OK. Repeat this for the other zones and then Commit your changes.
- Ensure that logging is enabled on Security policy rules, which it is by default.
- Create and apply a Log Forwarding profile to the policy rules.
- (Optional) If the firewall is using a data interface for Enterprise Device Security communications, set the necessary service routes.
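The three firewall prerequisites above (Device-ID on the zones of interest, logging on Security rules, and a Log Forwarding profile applied) are easy to miss on a firewall with many zones and rules. The script below is an added example, not code from the Palo Alto Networks documentation or product: it audits a PAN-OS-style XML configuration export offline and reports each gap. The element names (vsys/zone/entry/enable-device-identification, rulebase/security/rules/entry/log-end and log-setting) follow the layout of a PAN-OS config export but are assumptions here, so confirm them against your own exported config before relying on the findings. The sample configuration embedded in the script is constructed for the example.

```python
"""Audit a PAN-OS configuration export for the Enterprise Device Security
firewall prerequisites: Device-ID enabled on the required zones, logging
enabled on Security rules, and a Log Forwarding profile applied to each rule.

Added example, not part of the Palo Alto Networks documentation. The XML
element names are assumed to match a PAN-OS config export; verify them
against your own export. SAMPLE_CONFIG is constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed sample: one zone with Device-ID, one without; one rule that is
# fully set up, one with no Log Forwarding profile, one with logging disabled.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <zone>
        <entry name="iot-wired">
          <network><layer3><member>ethernet1/3</member></layer3></network>
          <enable-device-identification>yes</enable-device-identification>
        </entry>
        <entry name="guest-wifi">
          <network><layer3><member>ethernet1/4</member></layer3></network>
        </entry>
      </zone>
      <rulebase><security><rules>
        <entry name="iot-to-internet">
          <from><member>iot-wired</member></from>
          <to><member>untrust</member></to>
          <action>allow</action>
          <log-end>yes</log-end>
          <log-setting>fwd-to-logging-service</log-setting>
        </entry>
        <entry name="guest-to-internet">
          <from><member>guest-wifi</member></from>
          <to><member>untrust</member></to>
          <action>allow</action>
          <log-end>yes</log-end>
        </entry>
        <entry name="iot-silent-allow">
          <from><member>iot-wired</member></from>
          <to><member>dmz</member></to>
          <action>allow</action>
          <log-end>no</log-end>
          <log-setting>fwd-to-logging-service</log-setting>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

# Assumed xpath of each virtual system in the export, relative to <config>.
VSYS_XPATH = "./devices/entry/vsys/entry"


def audit_config(config_xml, required_zones):
    """Return a list of (severity, message) findings for one config export.

    required_zones: zones whose traffic Enterprise Device Security must see;
    Device-ID has to be enabled on every one of them."""
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.findall(VSYS_XPATH):
        vsys_name = vsys.get("name")
        zones = {z.get("name"): z for z in vsys.findall("./zone/entry")}
        for name in required_zones:
            zone = zones.get(name)
            if zone is None:
                findings.append(("error", f"{vsys_name}: zone {name!r} not found"))
                continue
            flag = zone.findtext("enable-device-identification", default="no")
            if flag != "yes":
                findings.append(("error", f"{vsys_name}: zone {name!r} has Device-ID disabled"))
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            rname = rule.get("name")
            # Log at session end is the PAN-OS default for a new rule, so a
            # missing element is treated as 'yes'; an explicit 'no' turns it off.
            if rule.findtext("log-end", default="yes") != "yes":
                findings.append(("error", f"{vsys_name}: rule {rname!r} has log-at-session-end disabled"))
            # Without a Log Forwarding profile (log-setting) the traffic logs
            # stay on the firewall and never reach the logging service.
            if not rule.findtext("log-setting"):
                findings.append(("warning", f"{vsys_name}: rule {rname!r} has no Log Forwarding profile"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_config(SAMPLE_CONFIG, ["iot-wired", "guest-wifi"]):
        print(f"[{severity}] {msg}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents and listing the zones you enabled Device-ID on; a clean run returns an empty list. A rule that logs but has no profile is reported as a warning rather than an error because the log is still generated locally; a rule with logging switched off produces nothing for Enterprise Device Security to analyze at all.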
Use the Enterprise Device Security portal.
To access the rest of the web interface, use the navigation menu on the left. For an overview of the Enterprise Device Security portal, see the previous chapter, Get Started with Enterprise Device Security.
There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the Device Security Cloud. On average, devices begin showing up in the Enterprise Device Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up.
To see the status of logs that the logging service is streaming to the Enterprise Device Security application, click Networks > Networks and Sites > Sites, and Administration > Firewalls in the Enterprise Device Security portal.
After Enterprise Device Security has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), you can begin examining the types and number of devices on your network and consider how to use this information when monitoring and securing your network and the devices in it. Some common ways to use Enterprise Device Security are described in the next chapter.