For Palo Alto Networks next-generation firewalls running PAN-OS 8.1, PAN-OS 9.0, or PAN-OS 9.1, the IoT Security solution provides visibility of discovered IoT devices based on the logs it receives from the firewall. IoT Security also uses machine learning (ML) to identify vulnerabilities and assess risk in devices based on their network traffic behaviors and dynamically updated threat feeds. Although these PAN-OS versions don’t support automated policy enforcement of IoT devices through the Device-ID™ framework, which is available from PAN-OS 10.0, you can still use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your firewalls. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.

Firewalls running PAN-OS 10.0 or later automate policy enforcement through Device-ID. This is a mechanism that identifies devices by attributes such as device type, vendor, model, or operating system and then applies device-based policy rules to those with matching attributes.

All Palo Alto Networks next-generation firewalls running PAN-OS 10.0 or later fully support IoT Security with the following exceptions.

IoT device visibility and the manual application of policy recommendations but not Device-ID

No IoT Security support

When choosing firewalls to subscribe to IoT Security services, consider the type of IoT Security functionality they support. Another factor to consider is when various firewall models will reach the end of sales and service support and when you plan to update them to newer models. However, even if you subscribe a firewall to IoT Security and then decide to retire it while its IoT Security license still has time remaining, you can transfer the license from that firewall to another one where IoT Security will continue to operate for the remainder of its subscription period.