IoT Security Prerequisites
Table of Contents
Expand all | Collapse all
-
- Firewall and PAN-OS Support of IoT Security
- IoT Security Prerequisites
- Onboard IoT Security
- Onboard IoT Security on VM-Series with Software NGFW Credits
-
- DHCP Data Collection by Traffic Type
- Firewall Deployment Options for IoT Security
- Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
- Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
- Use a Tap Interface for DHCP Visibility
- Use a Virtual Wire Interface for DHCP Visibility
- Use SNMP Network Discovery to Learn about Devices from Switches
- Use Network Discovery Polling to Discover Devices
- Use ERSPAN to Send Mirrored Traffic through GRE Tunnels
- Use DHCP Server Logs to Increase Device Visibility
- Plan for Scaling when Your Firewall Serves DHCP
- Prepare Your Firewall for IoT Security
- Configure Policies for Log Forwarding
- Control Allowed Traffic for Onboarding Devices
- Support Isolated Network Segments
- IoT Security Integration with Prisma Access
- IoT Security Licenses
- Offboard IoT Security Subscriptions
-
- Introduction to IoT Security
- IoT Security Integration with Next-generation Firewalls
- IoT Security Portal
- Vertical-themed Portals
- Device-to-Site Mapping
- Sites and Site Groups
- Networks
- Network Segments Configuration
- Reports
- IoT Security Integration Status with Firewalls
- IoT Security Integration Status with Prisma Access
- Data Quality Diagnostics
- Authorize On-demand PCAP
- IoT Security Integrations with Third-party Products
- IoT Security and FedRAMP
IoT Security Prerequisites
These are the prerequisites for deploying IoT Security.
Ensure that your environment meets all
prerequisites for deploying IoT Security with Palo Alto Networks
next-generation firewalls:
- One or more firewalls running PAN-OS 8.1 to PAN-OS 9.0.2 with Panorama management, or PAN-OS 9.0.3 or later with or without Panorama management.Firewalls running PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1 support IoT Security for device visibility and manual policy enforcement. Firewalls running PAN-OS 10.0 or later support IoT Security for both device visibility and automatic policy enforcement through Device-ID.
- One IoT Security license per firewall.The license controls whether IoT Security ingests log data that a firewall forwards to the Palo Alto Networks cloud-based logging service to identify IoT devices and assess risk. The license also controls whether a firewall can pull IP address-to-device mappings and policy rule recommendations from IoT Security and the device dictionary from the update server for use in its security policy rules.(A note about IP address-to-device mappings: IoT Security uses patented multi-tier machine-learning algorithms to profile device behaviors and identify the device type, make, model, OS, and OS version. It bundles this set of attributes into a logical object, maps it to the IP address of a device, and sends it to the firewall. This object is called an IP address-to-device mapping.)When you buy an IoT Security subscription, you have a 90-day grace period to activate the license on a firewall. If you activate it within the first 90 days, the subscription starts on the activation date. Otherwise, it starts 90 days after the purchase date.A Panorama management server does not require an IoT Security license.
- When using IoT Security Subscription, which stores data in Strata Logging Service, you need one Strata Logging Service license per account. (When using IoT Security, Doesn't Require Data Lake Subscription, you do not need a Strata Logging Service license.)Your Strata Logging Service subscription can either be new or an existing one, and the data lake can be in the Americas, European Union, or Asia-Pacific region. Regardless of the use of the data lake, firewalls stream logging data automatically and continuously to the IoT Security infrastructure where it is retained for varying periods of time based on data type. For details about data retention, see IoT/OT Security Privacy.For a new Strata Logging Service instance, figure out the amount of storage you'll need with the Cortex sizing calculator. When making your calculations, enter the number of firewalls with an IoT Security license and select IoT Security.
- Using the logging service requires a Premium Support license or better. This is required when using the logging service with either of the two IoT Security subscription types: IoT Security Subscription and IoT Security Subscription - Doesn't Require Data Lake. (A Premium Support license is automatically included with the purchase of a Strata Logging Service instance.)
- A Threat Prevention license is required for IoT Security to get all the traffic and threat logs necessary to fully assess risk and detect vulnerabilities.
- The following licenses and firewall capability provide additional value to IoT Security:
- A DNS Security license helps IoT Security detect DNS-related threats and risks.
- A Wildfire license enhances the detection of malware and file-related vulnerabilities.
- A URL Filtering license controls the online content devices can access and how they can interact with it.
- Enabling SSL decryption on the firewall improves the coverage and accuracy of device identification. It also helps IoT Security with risk assessment and threat detections.
- When using IoT Security on networks with medical equipment, make sure the application content version on your firewalls is 8367-6513 or later; that is, the major version, which is identified by the first four digits, is 8367 or above (8368, 8369, 8370, and so on), starting from 8367-6513. These versions include healthcare-specific applications that allow IoT Security to discover medical equipment and provide utilization data. They also allow firewall Security policy rules to include healthcare-specific applications.
- When integrating IoT Security with Prisma Access, Prisma Access must be running the Prisma Access 2.0-Innovation release or later with an IoT Security add-on. To learn about other requirements, see IoT Security Integration with Prisma Access.
- When Panorama manages firewalls running PAN-OS 10.2, it requires the 3.1 cloud services plugin.