Onboard IoT Security on VM-Series with Software NGFW Credits
Table of Contents
Onboard IoT Security on VM-Series with Software NGFW Credits
IoT Security
on VM-Series
with Software NGFW CreditsUse Software NGFW credits to onboard
IoT Security
on VM-Series
.A Palo Alto Networks
VM-Series
is a virtualized
form factor of a Palo Alto Networks next-generation firewall and is intended for use
in a virtualized or cloud environment. When you use Software NGFW credits to fund VM-Series
with either fixed or flexible virtual CPUs (vCPUs), you can
include IoT Security
in the deployment profile during the firewall
registration process.You can also use Software NGFW credits to fund
CN-Series
with an
IoT Security
subscription as long as the firewalls are under Panorama
management. For onboarding instructions of a CN-Series
with IoT Security
, see IoT Security
.The following onboarding procedure is for
VM-Series
with an IoT Security
subscription. It assumes that you have already purchased Software
NGFW credits and activated them. At this point, you can use
the Software NGFW credits to purchase VM-Series
.- Create one or more deployment profiles forVM-Series.Create a deployment profile for each type ofVM-Seriesmodel you want to deploy.
- Log in to the Customer Support Portal (CSP), and—if you have multiple accounts—choose the account you want to use.
- Select to view the Software NGFW Credits Dashboard.
- Locate your purchased NGFW Credits pool on the dashboard andCreate Deployment Profile.
- SelectVM Seriesand eitherFixed vCPU models (Valid for all currently supported PAN-OS releases)orFlexible vCPUs (PAN-OS 10.0.4 and above)and then clickNext.
- Assuming you selectedFixed vCPU models (Valid for all currently supported PAN-OS releases), configure the following and thenCreate Deployment Profile:Profile Name: Enter a name for the deployment profile.Number of Firewalls: Enter the maximum number of firewalls that can be associated with this deployment profile.Fixed vCPU model: Choose aVM-Seriesmodel from the list.Security Use Case: ChooseCustom.Customize Subscriptions: Clear all preselected items and selectIOT.IOT Subscription: Choose the type ofIoT Securitysubscription to activate on theVM-Series. The different types are based on vertical themes with or without traffic log retention inCortex Data Lake.Use Credits to Enable VM Panorama: (clear all)
After creating the deployment profile, it appears in the Current Deployment Profiles table on the page. - (Optional) After you clickCreate Deployment Profile, you can return to the configuration and clickCalculate Estimated Costto see an estimation of how many Flex credits will be deducted from your account and your remaining balance. If you hover your cursor over the question mark next to the estimate, you can see the credit breakdown for each component.
- If you have other types of firewall models to deploy, create additional deployment profiles, one for each type.
- ActivateIoT Securitysubscriptions based on the deployment profile in Common Services.
- Log in to the hub with your Palo Alto Networks Customer Support credentials.The hub fetches available deployment profiles for this account from the CSP.
- Select .The deployment profile you created appears in the Ready for Activation section at the top of the page.
- ClickActivate Now.The Activate Subscriptions based on Deployment Profile(s) page appears.
- Configure the followingIoT Securitysubscription activation settings:Customer Support Account: Choose your CSP account with the deployment profile.Recipient: Use an existing tenant or create a new one.To create a new tenant, hover your cursor overAll Tenantsat the top of the Select Tenant drop-down list and then click theAddicon (+) that appears on the right. Enter a unique name for the tenant service group (TSG) and choose a business vertical.Select Region: When activating anIoT Securitysubscription that doesn’t require aCortex Data Lake, select the region where the logging service will ingest network traffic logs that theVM-Seriessend it forIoT Securityto access and analyze.When activating anIoT Securitysubscription that does require aCortex Data Lake, you must first already have an activatedCortex Data Lakeinstance in the same tenant service group (TSG).IoT Securitywill then use this instance by default. The TSG might already have another product with an activatedCortex Data Lake(PA+CDL or AIOps+CDL for example), or you might have migrated an activated standalone to the TSG before activating theIoT Securitysubscription. In either case, the region will be automatically populated based on the region of the existing data lake in the TSG.Select Deployment Profile(s): Select the deployment profile you previously created.There are two sections for deployment profiles:AvailableandUnavailable. Deployment profiles appear in the Unavailable section if a required component is missing. For example, if theIoT Securitysubscription in the deployment profile requires aCortex Data Lakebut the tenant service group (TSG) doesn’t have one, the deployment profile will be in the Unavailable section. You will need to activate the required before attempting to activateIoT Securityin such scenarios.When you create multiple deployment profiles, it's possible that they have differentIoT Securitysubscriptions. When using them in the same IoT tenant, theIoT Securitysubscription type in the first deployment profile takes precedence over others added afterward.Configure Subscription URL(s): Enter a unique subdomain to complete the <subdomain>.iot.paloaltonetworks.com URL for yourIoT Securityapplication. This will be the URL where you log in to theIoT Securityportal.
- Agree to the Terms and Conditionsand thenActivate.The hub displays the Tenant Management page where you can see theIoT Securityinitialization status for the TSG. The initialization generally takes a few minutes to complete.
- Associate firewalls through the deployment profile with theIoT Securitysubscription in the TSG.
- Register aVM-Seriesusing one of the two methods described in Register the and thenSubmitthe registration.When registering aVM-Seriesthat cannot access the CSP, you must enter a UUID, a CPU ID, the number of vCPUs on the firewall, and the amount memory allocated to the firewall. This information is in the General Information section on theDashboardpage of the web interface on your firewall. You can copy it from there and paste it in the Register Firewall form. You can also download this information from the firewall web interface to a text file by selecting . Then on the Register Firewall page in the CSP,Upload a File for UUID & CPUID.After you submit the firewall registration, the CSP associates this firewall through the deployment profile with the TSG. It typically takes a few minutes for the registration and association to complete. When completed, you can see the firewall on the tab in the hub.During the firewall registration, the number of Software NGFW credits needed to fund the virtual firewall are automatically deducted from your pool of credits.
- Associate more firewalls to the TSG through the same deployment profile or, if they are different types of firewall models, through other deployment profiles you have created for them.It’s not currently possible to extend, renew, or offboardIoT Securitylicenses that have been activated onVM-Seriesfunded by Software NGFW credits. In addition, Enterprise License Agreements (ELA) andIoT SecurityFedRAMP Moderate licenses are not supported.
- Configure theVM-Seriesto provide network traffic logs withIoT Security.Now that you’ve onboardedIoT Securityonto yourVM-Series, follow the steps in Prepare Your Firewall for IoT Security to configure it to log network traffic and forward the traffic logs to the logging service, which then streams network traffic metadata toIoT Securityfor analysis.