Discover Mobile Device Attributes
IoT Security displays the mobile device attributes it discovers on the Assets > Devices and Device Details pages. You can also use the mobile device attributes when creating custom alerts. However, because they are classified as Traditional IT, IoT Security

Set up PAN-OS to Send Mobile Device Attributes to IoT Security

This assumes that IoT Security is already onboarded on your firewall, it has the required licenses and certificates, and logging is enabled.
- Enable GTP Security on the firewall.
  - Log in to PAN-OS, select Device > Setup > Management, and then click Edit (the gear icon) for General Settings.
  - Select GTP Security and then click OK.
  - Commit your changes and then select Device > Operations > Reboot Device.
- Create a Log Forwarding profile that includes GTP logging.
  - Log back in and select Objects > Log Forwarding > Add.
  - Enter a name for the log forwarding profile like Mobile Device Logging, select Enable enhanced application logging to Cortex Data Lake, and then click OK.
- Create a Mobile Network Protection profile for the types of mobile devices on the network. The following are the recommended settings that enable the correlation of user IDs and equipment IDs to user equipment IP addresses (UEIP) for different mobile devices. For details about each setting, see the Mobile Network Protection Profile help in PAN-OS.
  - 5G mobile devices with RADIUS
    - Select Objects > Security Profiles > Mobile Device Protection and then click Add.
    - Enter a name for the profile such as RADIUS Correlation, click Correlation, and then enter the following: UEIP Correlation: (select); Mode: Loose; User Plane with GTP-U encapsulation: (clear); Source: RADIUS; Log At Ueip Start: (select); Log At Ueip End: (select).
    - Click GTP Inspection, and then enter the following under GTP-U to perform validity checks of the Information Element (IE) in GTP headers and generate alerts if any irregularities are found: Alert: (select); Reserved IE: (select); Order of IE: (select); Length of IE: (select); Spare Flag in Header: (select); Unsupported message type: (select); GTP-in-GTP: alert.
  - 5G mobile devices with Packet Forwarding Control Protocol (PFCP)
    - Select Objects > Security Profiles > Mobile Device Protection and then click Add.
    - Enter a name for the profile such as PFCP-5G Correlation, click Correlation, and then enter the following: UEIP Correlation: (select); Mode: Loose; User Plane with GTP-U encapsulation: (clear); Source: PFCP; Log At Ueip Start: (select); Log At Ueip End: (select).
    - Click GTP Inspection, and then enter the following under GTP-U to perform validity checks of the IE in GTP headers and generate alerts if any irregularities are found: Alert: (select); Reserved IE: (select); Order of IE: (select); Length of IE: (select); Spare Flag in Header: (select); Unsupported message type: (select); GTP-in-GTP: alert.
  - 3G and 4G mobile devices with GTP-C
    - Select Objects > Security Profiles > Mobile Device Protection and then click Add.
    - Enter a name for the profile such as GTP-C-3G4G Correlation, and then enter the following in the GTP-C tab to use stateful inspection, perform validity checks of the IE in GTP headers, and generate alerts if irregularities are found. GTPv1-C: Stateful Inspection: (select); Alert: (select); Reserved IE: (select); Order of IE: (select); Length of IE: (select); Spare Flag in Header: (select); Unsupported message type: (select). GTPv2-C: Stateful Inspection: (select); Alert: (select); Reserved IE: (select); Length of IE: (select); Spare Flag in Header: (select); Unsupported message type: (select).
    - Click GTP-U, and then enter the following: Alert: (select); Reserved IE: (select); Order of IE: (select); Length of IE: (select); Spare Flag in Header: (select); Unsupported message type: (select); GTP-in-GTP: alert; Log at GTP-U session start: (select); Log at GTP-U session end: (select); GTP-U Content Inspection: (select).
- Create Security policy rules to log mobile device traffic and forward the logs to the logging service for IoT Security to analyze. The rules you create depend on the generation of mobile devices on the network and whether the network uses RADIUS or PFCP.
  - 5G mobile devices with RADIUS
    - Select Policies > Security and then click Add.
    - Create a universal Security policy rule with the following settings: Allow radius as the application from any source to any destination. In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the RADIUS correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - Click Add and then create a universal Security policy rule with the following settings: Allow any application from any source to any destination. In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - If necessary, reposition the first rule above the second in the ruleset.
  - 5G mobile devices with PFCP
    - Select Policies > Security and then click Add.
    - Create a universal Security policy rule with the following settings: Allow pfcp as the application from any source to any destination. In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the PFCP 5G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - Click Add and then create a universal Security policy rule with the following settings: Allow gtp-u as the application from any source to any destination. In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the PFCP 5G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - Click Add and then create a universal Security policy rule with the following settings: Allow any application from any source to any destination. In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - If necessary, reposition rules so that the first and second rules are above the third in the ruleset.
  - 3G and 4G mobile devices with GTP-C
    - Select Policies > Security and then click Add.
    - Create a universal Security policy rule with the following settings: Allow gtpv1-c and gtpv2-c as the applications from any source to any destination. In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the GTP-C 3G and 4G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - Click Add and then create a universal Security policy rule with the following settings: Allow gtp-u as the application from any source to any destination. In the Actions tab, choose Profiles as the Profile Type, choose the Mobile Network Protection profile you created previously for the GTP-C 3G and 4G correlation, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - Click Add and then create a universal Security policy rule with the following settings: Allow any application from any source to any destination. In the Actions tab, choose None as the Profile Type, select Log at Session Start and Log at Session End, and choose the Log Forwarding profile you previously created. Click OK.
    - If necessary, reposition rules so that the first and second rules are above the third in the ruleset.
- Commit the configuration.
View Mobile Device Attributes in IoT Security

After the firewall begins logging mobile device traffic, it forwards the traffic metadata in GTP logs to the logging service, which in turn streams it to IoT Security. To check the status of the GTP logs, log in to the IoT Security portal and select Administration > Firewalls. There you can see if IoT Security is receiving GTP logs, the time of the latest log, and how many GTP log events and bytes it's received.

To see mobile device attributes in the device inventory on the Devices page, select Assets > Devices. Because the Mobile Device columns are hidden by default, click the icon with three vertical bars to open the column selection panel, and select all the columns you want to see. All the columns displaying mobile device attributes are available in the Mobile section:
- Mobile Equipment Identity – The International Mobile Equipment Identity (IMEI), the 15-to-17-digit code assigned to every mobile device to uniquely identify it
- Mobile Subscriber Identity – A unique identifier issued on a Subscriber Identity Module (SIM) card. In 2G, 3G, and 4G networks, this identifier is referred to as the International Mobile Subscriber Identity (IMSI). In 5G networks, it is called the Subscription Permanent Identifier (SUPI).
- Mobile Subscriber ISDN – The Integrated Services Digital Network number, which maps a cellular telephone number to a mobile subscriber
- Mobile APN (Access Point Name) – The term used to identify the external Packet Data Network (PDN) to which mobile devices connect through the 2G, 3G, or 4G cellular network. In a 5G network, it refers to the Data Network Name (DNN).
- Radio Access Technology – The underlying connection method mobile devices use for wireless radio communications; for example, Bluetooth, Wi-Fi, UMTS, LTE, or 5G NR
- Mobile Base Station Code – The identification number that uniquely identifies a cellular base station
- Mobile Area Code – The area code of the user's location
- Mobile Network Code (MNC) – A two-digit (European standard) or three-digit (North American standard) number identifying the Public Land Mobile Network (PLMN) of the mobile subscriber
- Mobile Country Code (MCC) – A three-digit number identifying the country of the mobile subscriber
- Mobile TAC (Type Allocation Code) – An eight-digit number that identifies the manufacturer of a mobile device
- Network Slice – The logically discrete section of the network operating over a common infrastructure
- Mobile Device – The end user device operating on a wireless network
In addition to showing columns with these attributes in the inventory table, you
can also use them in filters and queries at the top of the
Devices page. They are displayed on the Device Details page of mobile devices and are available
for use when creating custom alert rules.
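Before building filters or custom alert rules on the Mobile Equipment Identity, Mobile TAC, MCC and MNC attributes listed above, it helps to check that the values actually have the shape those definitions describe. The following is an added example (not Palo Alto Networks code) that splits an IMEI into its TAC and serial number and an IMSI into MCC, MNC and MSIN; field layouts follow 3GPP TS 23.003, and the Luhn check digit on a 15-digit IMEI comes from that standard rather than from this page. All sample values are constructed.

```python
# Added example (not Palo Alto Networks code). Field layouts per 3GPP TS 23.003;
# the Luhn check digit on a 15-digit IMEI is part of that standard, not
# something this page states. Sample identities below are constructed.
from dataclasses import dataclass
from typing import Optional


def luhn_valid(digits: str) -> bool:
    """Return True if the numeric string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ImeiInfo:
    tac: str                    # 8-digit Type Allocation Code (manufacturer/model)
    serial: str                 # 6-digit per-unit serial number
    check_digit: Optional[str]  # only the 15-digit IMEI form carries one
    luhn_ok: Optional[bool]     # None for IMEISV, which has no check digit


def parse_imei(value: str) -> ImeiInfo:
    """Split a 15-digit IMEI or 16-digit IMEISV into its fields; reject anything else."""
    digits = value.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError(f"not an IMEI/IMEISV: {value!r}")
    tac, serial = digits[:8], digits[8:14]
    if len(digits) == 15:
        return ImeiInfo(tac, serial, digits[14], luhn_valid(digits))
    return ImeiInfo(tac, serial, None, None)  # IMEISV: digits 15-16 are the software version


def split_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split an IMSI (or a SUPI in IMSI format) into MCC, MNC and MSIN.
    mnc_length is 2 (European convention) or 3 (North American convention);
    which one applies depends on the MCC, so the caller must supply it."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_length not in (2, 3):
        raise ValueError(f"not an IMSI: {imsi!r}")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}


if __name__ == "__main__":
    print(parse_imei("01-234567-890123-7"))  # constructed: TAC 01234567, Luhn check passes
    print(split_imsi("001010123456789"))      # constructed: MCC 001 / MNC 01 (test PLMN range)
```

A record whose IMEI fails the Luhn check, or whose MCC/MNC do not match the Mobile Country Code and Mobile Network Code columns, is a data-quality problem worth investigating before it feeds an alert rule.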