Device-ID
Device-ID is a way to enforce policy rules based on device
attributes. Device Security provides the firewall with a device
dictionary file containing a list of device attributes such as profiles,
categories, vendors, and models. For various attributes in the dictionary
file, it lists a set of entries. For example, three entries for the profile
attribute might be Advidia Camera, BK Medical UltraSound Machine, and
Carefusion Infusion Pump Base Station.
Device-ID isn't supported on multi-vsys firewalls.
When configuring a Security policy rule, firewall administrators have the
option to select device attributes from the device dictionary. If they
select profile, they can choose one of the profile
entries: Polycom IP Phone, for example. The policy
rule then applies to all devices that match this profile. But how does the
firewall know what the profile is for a device? It knows this from the IP
address-to-device mappings that Device Security also gives the firewall.
These mappings identify attributes for each device. When traffic from an IP
address that's mapped to a device attribute specified in the policy rule
reaches the firewall, the policy rule lookup will find a match with this
rule and apply whatever action it enforces.
A firewall downloads a device dictionary file from the update server. The
dictionary file populates entries in all the Device-ID attribute lists for
profile, category, vendor, and other attributes. These attribute entries
are then available for use as policy rule configuration elements. The
firewall administrator next configures a firewall policy rule using the
profile attribute "Polycom IP Phone". After a Polycom Trio 8800 device
joins the network and Device Security identifies it, Device Security
provides the firewall with an IP address-to-device mapping for it. The two
key elements in the mapping for this example are its device profile
(Polycom IP Phone) and its IP address (10.1.2.3). When traffic from the
Polycom Trio 8800 device at 10.1.2.3 reaches the firewall, the firewall does
a Device-ID policy rule lookup, finds that the profile for the device at
this IP address matches one specified in a policy rule, and then applies
the rule.
If a firewall becomes disconnected from Device Security, the
firewall retains its IP address-to-device mappings and continues
enforcing Device-ID policy rules with them until the connection is
re-established.
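To make the lookup concrete, the following Python model walks through the flow described above: the device dictionary constrains which attribute entries a rule may reference, the IP address-to-device mappings resolve a source IP to a device, and rules are evaluated in order against that device's attributes. This is an added illustration written for this page, not PAN-OS code or any Palo Alto Networks API; the class and function names, the dictionary excerpt and the IP addresses are constructed for the example.

```python
"""Model of a Device-ID policy lookup (added illustration, not PAN-OS code).

The firewall holds (1) a device dictionary listing the legal entries for
each attribute, (2) a table of IP address-to-device mappings, and (3)
ordered Security policy rules that reference dictionary entries. Traffic
is matched by resolving its source IP to a device and comparing that
device's attributes with the rule's attribute constraints.
"""
from dataclasses import dataclass, field

# Constructed excerpt of a device dictionary: attribute -> allowed entries.
DEVICE_DICTIONARY = {
    "profile": {"Polycom IP Phone", "Advidia Camera",
                "Carefusion Infusion Pump Base Station"},
    "category": {"IP Phone", "Camera", "Infusion Pump"},
    "vendor": {"Polycom", "Advidia", "Carefusion"},
}


@dataclass(frozen=True)
class Device:
    """Attributes carried by one IP address-to-device mapping."""
    ip: str
    profile: str
    category: str
    vendor: str


@dataclass
class Rule:
    """A Security policy rule constrained by Device-ID attributes."""
    name: str
    action: str                                 # "allow" or "deny"
    match: dict = field(default_factory=dict)   # attribute -> required entry

    def __post_init__(self):
        # A rule may only reference entries that exist in the dictionary;
        # on the firewall the GUI enforces this by offering only those entries.
        for attr, value in self.match.items():
            if value not in DEVICE_DICTIONARY.get(attr, ()):
                raise ValueError(f"{value!r} is not a dictionary entry for {attr}")


class DeviceIdPolicy:
    """Ordered rule set plus the mapping table the lookup consults."""

    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)            # first match wins
        self.default_action = default_action
        self.mappings = {}                  # ip -> Device

    def learn(self, device):
        """Install or refresh an IP address-to-device mapping."""
        self.mappings[device.ip] = device

    def lookup(self, src_ip):
        """Return (rule_name, action) for traffic arriving from src_ip."""
        device = self.mappings.get(src_ip)
        for rule in self.rules:
            if device is None and rule.match:
                continue    # an unmapped IP cannot satisfy a Device-ID constraint
            if all(getattr(device, attr) == value
                   for attr, value in rule.match.items()):
                return rule.name, rule.action
        return None, self.default_action


if __name__ == "__main__":
    policy = DeviceIdPolicy([
        Rule("allow-ip-phones", "allow", {"profile": "Polycom IP Phone"}),
        Rule("block-cameras", "deny", {"category": "Camera"}),
    ])
    policy.learn(Device("10.1.2.3", "Polycom IP Phone", "IP Phone", "Polycom"))
    policy.learn(Device("10.1.2.4", "Advidia Camera", "Camera", "Advidia"))
    for ip in ("10.1.2.3", "10.1.2.4", "10.9.9.9"):
        print(ip, policy.lookup(ip))
```

The unmapped-IP branch is the reason the retained mappings matter during a loss of connectivity to Device Security: a source IP without a mapping can never satisfy a Device-ID constraint, so its traffic falls through to whatever rule or default action applies to unidentified devices.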
Every next-generation firewall model has the same maximum of 1,000 unique
Device-ID objects.
The maximum of 1,000 Device-ID objects isn't the same as that for IP
address-to-device mappings. The maximum number of IP address-to-device
mappings varies based on firewall model and is the same as the User-ID
maximums listed in the + Show More sections for each firewall model on the
Product Selection page.
Device Dictionary
The device dictionary is an XML file for firewalls to use in Security
policy rules. It contains entries for the following device attributes:
profile, category, vendor, model, OS family, and OS version. These entries
come from devices across all Device Security tenants and are refreshed
regularly and posted as a new file on the update server. If there are any
changes to a dictionary entry, a revised file will be posted on the update
server so that Panorama and firewalls will automatically download and
install it the next time they check the update server, which they do
automatically every two hours.
IP Address-to-device Mappings
After Device Security identifies a device, it bundles the following set
of identifying characteristics about it:
IP address
MAC address
Hostname
Device type
Device category
Device profile
Vendor
Model
OS family
OS version
Risk score
Risk level
Firewalls poll Device Security for these IP address-to-device mappings
for use in policy rule enforcement. A firewall polls for new or modified
mappings every second, and Device Security returns mappings that it has
identified with high confidence (a confidence score of 90-100%) for devices
that were active within the last hour. For each IP address-to-device
mapping that a firewall receives, the firewall generates an entry in its
host information profile Match log.
If Device Security discovers duplicate IP address-to-device
mappings—that is, there are two IP addresses mapped to the same device MAC
address—it resolves it to the MAC address with the latest network activity.
There is no time limit for how long a firewall retains IP
address-to-device mappings. It only begins deleting them when its cache
fills up, starting with the oldest first.
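The acceptance, de-duplication and eviction rules in this section fit in a small model. The Python below is an added illustration written for this page, not PAN-OS code: it filters a poll result to mappings with a confidence score of 90 or higher for devices active within the last hour, resolves two IP addresses sharing a MAC address to the one with the latest activity, emits one HIP Match log line per accepted mapping, and keeps a bounded cache that evicts only when full, oldest first. Timestamps are epoch seconds; the field names, class names and sample mappings are constructed.

```python
"""Model of how a firewall consumes IP address-to-device mappings.

Added illustration for this page (not PAN-OS code). Timestamps are epoch
seconds; field names and sample values are constructed for the example.
"""
from collections import OrderedDict

MIN_CONFIDENCE = 90       # percent; Device Security only returns 90-100
ACTIVE_WINDOW = 60 * 60   # devices active within the last hour


def accept(mapping, now):
    """True if Device Security would hand this mapping to a firewall."""
    return (mapping["confidence"] >= MIN_CONFIDENCE
            and now - mapping["last_seen"] <= ACTIVE_WINDOW)


def dedupe_by_mac(mappings):
    """Per MAC address, keep only the mapping with the latest activity."""
    best = {}
    for m in mappings:
        cur = best.get(m["mac"])
        if cur is None or m["last_seen"] > cur["last_seen"]:
            best[m["mac"]] = m
    return list(best.values())


class MappingCache:
    """Bounded IP address-to-device table; insertion order doubles as age."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._by_ip = OrderedDict()   # ip -> mapping, oldest first
        self._ip_by_mac = {}          # mac -> ip currently holding it

    def _drop_ip(self, ip):
        m = self._by_ip.pop(ip, None)
        if m is not None:
            self._ip_by_mac.pop(m["mac"], None)

    def ingest(self, polled, now):
        """Apply one poll result; return the HIP Match log lines it generates."""
        log = []
        for m in dedupe_by_mac(x for x in polled if accept(x, now)):
            held_by = self._ip_by_mac.get(m["mac"])
            if held_by is not None and held_by != m["ip"]:
                if self._by_ip[held_by]["last_seen"] >= m["last_seen"]:
                    continue              # cached IP saw this MAC more recently
                self._drop_ip(held_by)    # the newer IP takes over this MAC
            self._drop_ip(m["ip"])        # refresh: re-insert as the newest entry
            self._by_ip[m["ip"]] = m
            self._ip_by_mac[m["mac"]] = m["ip"]
            log.append(f"HIP Match: {m['ip']} -> {m['profile']} ({m['mac']})")
        while len(self._by_ip) > self.capacity:
            self._drop_ip(next(iter(self._by_ip)))   # no age limit; evict oldest only when full
        return log

    def device_for(self, ip):
        return self._by_ip.get(ip)

    def __len__(self):
        return len(self._by_ip)


# Constructed sample poll: one phone seen at two addresses, one low-confidence
# camera, one camera idle for two hours, and one fresh infusion pump.
NOW = 1_700_000_000
SAMPLE_POLL = [
    {"ip": "10.1.2.3", "mac": "00:11:22:33:44:55", "profile": "Polycom IP Phone",
     "confidence": 97, "last_seen": NOW - 120},
    {"ip": "10.1.2.9", "mac": "00:11:22:33:44:55", "profile": "Polycom IP Phone",
     "confidence": 95, "last_seen": NOW - 3000},
    {"ip": "10.1.2.4", "mac": "aa:bb:cc:dd:ee:01", "profile": "Advidia Camera",
     "confidence": 60, "last_seen": NOW - 10},
    {"ip": "10.1.2.5", "mac": "aa:bb:cc:dd:ee:02", "profile": "Advidia Camera",
     "confidence": 99, "last_seen": NOW - 7200},
    {"ip": "10.1.2.6", "mac": "aa:bb:cc:dd:ee:03",
     "profile": "Carefusion Infusion Pump Base Station",
     "confidence": 92, "last_seen": NOW - 60},
]

if __name__ == "__main__":
    cache = MappingCache(capacity=2)
    for line in cache.ingest(SAMPLE_POLL, NOW):
        print(line)
```

Only two of the five sample mappings survive: the duplicate phone address, the low-confidence camera and the idle camera are all dropped before they reach the cache, so the HIP Match log shows exactly what the firewall will enforce on.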
Policy Rule Recommendations
You can generate Security policy rule recommendations based on the normal,
acceptable network behaviors of the IoT devices in the same device profile
and manually import them into firewalls for enforcement. PAN-OS supports
importing policy rule recommendations.
For Panorama-managed firewalls with a Device Security subscription that
requires Strata Logging Service, Panorama can only import policy rule
recommendations if it was used to onboard its managed firewalls to
Strata Logging Service.
Firewall and Panorama Communications Related to Device Security
Device Security communications from firewalls without Panorama
management:
Firewalls download device dictionary files from the update server at
updates.paloaltonetworks.com on TCP port 443.
Firewalls forward logs to Strata Logging Service on TCP ports
443 (for Enhanced Application logs) and 3978 (for all other firewall
logs).
For details about the ports and FQDNs required for next-generation
firewalls to communicate with Strata Logging Service, see the Strata
Logging Service Getting Started guide.
Firewalls retrieve IP address-to-device mappings and policy rule
recommendations from Device Security on TCP port 443. Depending on
their region, they use one of the following edge services URLs:
United States: iot.services-edge.paloaltonetworks.com
Canada: ca.iot.services-edge.paloaltonetworks.com
EU: eu.iot.services-edge.paloaltonetworks.com
Switzerland: ch.iot.services-edge.paloaltonetworks.com
United Kingdom: uk.iot.services-edge.paloaltonetworks.com
APAC: apac.iot.services-edge.paloaltonetworks.com
Japan: jp.iot.services-edge.paloaltonetworks.com
Australia: au.iot.services-edge.paloaltonetworks.com
The following table summarizes the relationship of different data
lake regions and ingestion regions with Device Security
application regions:

| Data Lake Region | Ingestion Region | Device Security Application Region |
|---|---|---|
| Americas | Canada | Canada, United States* |
| Americas | United States | United States |
| European Union | France | Germany |
| European Union | Switzerland | Switzerland, Germany* |
| European Union | United Kingdom | United Kingdom, Germany* |
| Asia-Pacific | Australia | Australia, Singapore* |
*Switzerland and the United Kingdom were added as Device Security
application regions on July 7, 2023. When onboarding
Device Security after this date to existing firewall deployments
established before it, the firewalls continue to use
Germany as the Device Security application
region. When onboarding Device Security to new deployments in
Switzerland or the United Kingdom established after July 7, 2023, the
firewalls will use the local Device Security application region
for each country.
A similar situation exists in Canada, which continues to use
United States – Americas as the
Device Security application region for deployments existing before
January 25, 2023, and Canada for new
deployments after this date. Likewise, deployments existing before
October 25, 2023, in Australia still use the Device Security
application in Singapore while new deployments
after this date use Australia.
During the certificate exchange between a firewall and the edge
server in front of the Device Security cloud, they verify each
other's certificates. The firewall validates the certificate it
receives by checking these sites:
*.o.lencr.org
x1.c.lencr.org
Communications to these sites occur over HTTP on TCP port 80.
Device Security communications from Panorama:
A Panorama management server imports policy rule recommendations from
Device Security through the same URLs listed above that firewalls
use. When validating the certificate the edge server presents,
Panorama checks the same sites listed above that firewalls check.
Firewalls under Panorama management still contact
Device Security through regional edge services URLs for IP
address-to-device mappings, they still download device
dictionaries from the update server, and they still forward logs
to Strata Logging Service.
A Panorama management server sends queries for logs to
Strata Logging Service on TCP port 444.