Onboard IoT Security
Create a URL for your IoT Security portal and activate IoT Security subscriptions for firewalls and third-party integration add-ons.

Follow the onboarding workflow to create a URL for your IoT Security portal and activate IoT Security subscriptions for your firewalls. Through the onboarding process, you can optionally activate a Cortex Data Lake instance to store data and a third-party integration add-on for IoT Security to expand its capabilities.

It is important to keep the IoT Security activation email you received from Palo Alto Networks. It not only contains confidential activation-related data; if you still have unused IoT Security licenses after completing the onboarding process, you can also click the Activate button in the email again to repeat the process and activate more firewalls later.

(Enterprise License Agreement) When you have an Enterprise License Agreement (ELA), begin the activation process by entering the authorization code that Palo Alto Networks sends you in your Customer Support Portal account. For complete step-by-step instructions, see Activate an Add-on Enterprise License Agreement through Common Services.

When you have IoT Security subscriptions, the onboarding process consists of the following main steps.
- Click Activate in the IoT Security activation email from Palo Alto Networks.
- Log in to the Palo Alto Networks hub.
- Activate IoT Security.
- Add devices (firewalls) to the tenant service group (TSG) and associate IoT Security, and possibly other applications as well, with the firewalls.
- (Optional) Manage identity and access to IoT Security.
- Set up IoT Security and firewalls to work together. For instructions for these first six steps, see Common Services: Subscription & Tenant Management. Then return here to continue the setup.
- Log in to the IoT Security portal. Click the IoT Security link on either the Tenant Management or Device Associations page. A welcome page appears displaying the status of the logging service and several links to useful learning resources.
- To access the rest of the web interface, use the navigation menu on the left. If you are a user with owner privileges and the portal doesn't have a predetermined vertical theme, IoT Security will prompt you to select a theme when you attempt to navigate away from the welcome page: Enterprise IoT Security Plus, Industrial OT Security, or Medical IoT Security. If you don't select a theme, you will use the Enterprise IoT Security Plus theme by default. IoT Security will continue to prompt you to select a theme every time you log in until you make a selection, or another user with owner privileges does. If you are a user without owner privileges and an owner hasn't yet selected a vertical theme, you will see the Enterprise IoT Security Plus theme by default. Otherwise, if the portal theme was already determined by the IoT Security product purchased or if an owner already set a theme, then that is the one you see. There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the IoT Security Cloud. On average, devices begin showing up in the IoT Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up. Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status of logs that the logging service is streaming to the IoT Security app. For more information, see IoT Security Integration Status with Firewalls. After the IoT Security portal has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), consider following the typical workflow of an IoT Security user:
- Device visibility – Learn about the IoT devices on the network
- Application visibility – Learn about the applications and protocols these devices use
- Device vulnerabilities – Learn about IoT device vulnerabilities and take steps to mitigate them, first on the most critical devices and then on others
- Security alerts – Respond to security alerts as they occur, prioritizing your response on the urgency of the alert and the importance of the targeted device or network segment
- Security policy rule recommendations – Based on observed network behavior, the IoT Security app can generate recommended security policy rules that you can then sync with those on your next-generation firewall.
Depending on the PAN-OS versions running on your firewalls, you must generate an OTP or PSK and install certificates on firewalls so they will connect securely with the logging service and with IoT Security. There are also firewall configurations necessary to enable logging and log forwarding to IoT Security. For Enterprise IoT Security Plus, Industrial OT Security, and Medical IoT Security, you must also configure IoT Security and PAN-OS to apply Device-ID to enforce Security policy rules. To continue, see Prepare Your Firewall for IoT Security.