Support Isolated Network Segments

Configure next-generation firewalls as security telemetry gateways to safely forward outbound connections from firewalls in isolated network segments.
An isolated network segment is a part of a private network that allows an extremely limited set of connections between devices in the segment and devices in any other local segment or in the public network. Because IoT Security is a cloud-based application that relies on network traffic logs to provide its services, there needs to be a way to get the logs to IoT Security without compromising the security of the isolated segment. To accomplish this, you can configure next-generation firewalls as security telemetry gateways (referred to in the PAN-OS web interface as proxies) to forward traffic logs from the isolated segment through the non-isolated part of the network to the Palo Alto Networks logging service, where IoT Security can access them. In addition, the security telemetry gateways can forward requests from isolated firewalls for the data and files they need to onboard IoT Security and support Device-ID: licenses, certificates, IP address-to-device mappings, security policy rule recommendations, and dictionary file downloads.
This data path occurs only through security telemetry gateways, and only requests and network traffic logs that next-generation firewalls generate, not actual data from protected devices, are sent on this path through the security telemetry gateway chain.
Importantly, there are no direct connections between devices in the isolated network segment and the cloud, and the status of the security telemetry gateway-to-cloud connection (up or down) has no impact on protected device operations or on next-generation firewall functions such as policy enforcement and threat detection and prevention. All protected device and firewall operations continue to operate even if an upstream security telemetry connection goes down.
You can use a single security telemetry gateway or a chain of two or more security telemetry gateways for additional security layering. In this way, Palo Alto Networks can provide IoT Security services to industries that have isolated OT networks, as is common in power utilities and oil and gas companies, for example. These networks typically consist of two segments: an IT network and an OT network. Leveraging existing next-generation firewalls or deploying new ones, you could configure two firewalls as security telemetry gateways, placing one at the boundary between the OT and IT networks and the other at the boundary between the IT and public networks. Firewalls in the OT network would send traffic logs to the OT security telemetry gateway, which forwards them to the IT security telemetry gateway, which forwards them to the Palo Alto Networks logging service. Setting up next-generation firewalls in a security telemetry gateway chain like this increases the depth of the logical network segment boundary because the IT security telemetry gateway blocks inbound connections to the OT security telemetry gateway.
The following next-generation firewalls support the security telemetry gateway feature:
  • Physical firewalls: PA-1400 series, PA-3400 series, PA-5400 series (except PA-5450)
  • VM-300, VM-500, VM-700
The firewalls must be running PAN-OS version 11.0.1-h2 or later.
When deploying firewalls for a network that contains an isolated OT network segment, set up the security telemetry gateways in order from the IT perimeter (the IT security telemetry gateway) toward the deepest part of the OT network: IT security telemetry gateway, then OT security telemetry gateway, and then OT firewalls. By deploying them in this order, you will have the information you need after completing one deployment to deploy the next one. Also, as each firewall comes online, the firewall or firewalls that the next one needs to reach the public network will already be online and reachable.
The following illustration shows the logical relationship of next-generation firewalls in a security telemetry gateway chain and the IP addresses and subnets used as examples in the configuration instructions that follow. As shown here, OT firewalls initiate all outbound connections through the OT and IT security telemetry gateways to the logging service, IoT Security cloud, and update server.
Although having an IT security telemetry gateway in front of an OT security telemetry gateway lets you block inbound connections to the firewall at the perimeter of the OT network, multiple cascading gateways are not required. If you use a single security telemetry gateway at the perimeter of the OT network, it becomes the proxy between OT firewalls and Palo Alto Networks cloud services in the external network instead of hopping through an IT security telemetry gateway.

Configure the IT Security Telemetry Gateway

The IT security telemetry gateway is the next-generation firewall that forwards the traffic logs and requests it receives from the OT security telemetry gateway to the logging service, IoT Security, and update server. It would typically be deployed on the network perimeter.
  1. Configure a next-generation firewall to act as an IT security telemetry gateway.
    1. Access the CLI as a superuser or device administrator and enter the following command to enable the firewall to function as a security telemetry gateway (proxy):
      set system setting paloalto-networks-service-proxy on
    2. Reboot the firewall.
      When using Panorama to manage firewalls, enter the above command in the Panorama CLI and then reboot Panorama.
    3. Log in to the firewall web interface as a superuser or device administrator and configure two Layer 3 interfaces—one on the IT network and the other on the external network. For example, configure ethernet1/1 with IP address 192.168.10.1/24 for the IT network and ethernet1/2 with IP address 1.1.1.1/24 for the external network.
    4. Create a loopback interface with an IP address in a different subnet from the other two networks. For example, if the subnet of the IT network is 192.168.10.0/24 and the subnet of the external network is 1.1.1.0/24, use an IP address that’s not in either of these subnets, such as 10.1.2.3, for the loopback interface.
    5. Create a virtual router (for example, vr1) and add all three interfaces to it. If the external network interface has a static IP address, add a default route with the gateway in the external network subnet as the next hop.
    6. Create a zone for each interface, such as IT, external, and loop.
    7. Select Network > DNS Proxy and configure a DNS proxy for the interface in the external zone. For example, create a configuration called dns-proxy that does DNS lookups on a DNS server at 8.8.8.8 from ethernet1/2.
    8. Select Objects > URL Category and create the following URL group:
      Name: Give the URL list a name; for example, iot_cloud_traffic.
      URL List: Add the following URLs (and IP address) to the URL list. These are the only destinations that proxied traffic needs to be allowed to access.
      • *.paloaltonetworks.com/
      • *.panservicetest.com/
      • ocsp.godaddy.com/
      • certificates.godaddy.com/
      • *.gpcloudservice.com/
      • *.lencr.org/
      • 34.122.191.141
      When using Panorama to manage firewalls, create the URL category as “shared”.
    9. Select Policies > Security, and create a universal policy rule that allows any application from the IT zone to the external zone for destinations in the iot_cloud_traffic URL category and position it above other policy rules.
    10. Select Policies > NAT, and create a policy that translates source addresses of devices and interfaces in the IT and loop zones to the IP address of the egress interface in the external zone. In our example, this would be 1.1.1.1, which is the IP address of ethernet1/2.
    11. Select Network > Proxy, click the settings icon for Proxy Enablement, choose Palo Alto Networks Service Proxy, and then click OK.
    12. Click the settings icon for Palo Alto Networks Service Proxy Configuration and enter the following:
      Connect Timeout: 5 (default)
      Listening: Enter the name of the IT network interface; for example, ethernet1/1.
      Upstream interface: loopback.1
      Proxy IP: Enter the IP address of the interface in the IT zone; for example, 192.168.10.1.
      DNS-Proxy: Enter the name of the DNS proxy you defined previously; for example, dns-proxy.
      Allowed URL Category: Enter the name of the allowed URL group you defined previously; for example, iot_cloud_traffic.
      Next Hop Proxy Server: Leave empty.
      Next Hop Proxy Port: Leave empty.
  2. (Optional) To use IoT Security for device identification, risk assessment, and vulnerability detection in the IT network, subscribe the firewall acting as the IT security telemetry gateway to IoT Security.
    If you don’t want the firewall acting as the IT security telemetry gateway to use IoT Security services in the IT network, it’s unnecessary to subscribe it to IoT Security and you can skip this step.
    1. Onboard IoT Security on the IT security telemetry gateway.
    2. Install licenses for the logging service and IoT Security on the IT security telemetry gateway and download a device certificate to the IT security telemetry gateway to authenticate its connections with the logging service and IoT Security.
    3. Configure the IT security telemetry gateway to support Device-ID and work with IoT Security.

Configure the OT Security Telemetry Gateway

With the IT security telemetry gateway configured and in place, you can next configure the OT security telemetry gateway. The OT security telemetry gateway is the next-generation firewall that forwards the traffic logs it receives from OT firewalls to the IT security telemetry gateway, which in turn forwards them to the logging service. It also forwards requests from OT firewalls for IP address-to-device mappings, policy rule recommendations, and dictionary files to IoT Security and the update server. It would typically be deployed on the edge of the OT network.
  1. Configure a next-generation firewall to act as an OT security telemetry gateway.
    1. Access the CLI as a superuser or device administrator and enter the following command to enable the firewall to function as a security telemetry gateway (referred to as a proxy in PAN-OS):
      set system setting paloalto-networks-service-proxy on
    2. Reboot the firewall.
      When using Panorama to manage firewalls, enter the above command in the Panorama CLI and then reboot Panorama.
    3. Configure two Layer 3 interfaces—one on the OT network and the other on the IT network. For example, configure ethernet1/1 with IP address 192.168.100.1 for the OT network and ethernet1/2 with IP address 192.168.10.2 for the IT network.
    4. Create a loopback interface with an IP address in a different subnet from the other two networks. Because it’s only used for internal routing, you can even use the same IP address as the loopback interface on the IT security telemetry gateway—10.2.3.4, for example.
    5. Create a virtual router (for example, vr1) and add all three interfaces to it. Then add a default route that uses ethernet1/2 as the egress interface and 192.168.10.1, the IP address of ethernet1/1 on the IT security telemetry gateway, as the next hop.
    6. Create a zone for each interface, such as OT, IT, and loop.
    7. If the next hop security telemetry gateway server is a hostname, select Network > DNS Proxy and configure a DNS proxy for the interface of the OT security telemetry gateway that’s in the IT zone. For example, create a configuration called dns-proxy that does DNS lookups on a local DNS server that the OT security telemetry gateway can reach from ethernet1/2.
      If the next hop security telemetry gateway server is an IP address, you don’t need to configure a DNS proxy and can skip this step.
    8. Select Objects > URL Category and create the following URL group:
      Name: Give the URL list a name; for example, iot_cloud_traffic.
      URL List: Add the following URLs (and IP address) to the URL list. These are the only destinations that proxied traffic needs to be allowed to access.
      • *.paloaltonetworks.com/
      • *.panservicetest.com/
      • ocsp.godaddy.com/
      • certificates.godaddy.com/
      • *.gpcloudservice.com/
      • *.lencr.org/
      • 34.122.191.141
      When using Panorama to manage firewalls, create the URL category as “shared”.
    9. Select Policies > Security, and create a universal policy rule that allows any application from the OT zone to the IT zone for destinations in the iot_cloud_traffic URL category and position it above other policy rules.
      Add security policy rules that deny all other outbound connections from the OT network and all inbound connections to the OT network and position them below the rule that allows outbound connections to the destinations in the iot_cloud_traffic URL list.
    10. Select Network > Proxy, click the settings icon for Proxy Enablement, choose Palo Alto Networks Service Proxy, and then click OK.
    11. Click the settings icon for Palo Alto Networks Service Proxy Configuration and enter the following:
      Connect Timeout: 5 (default)
      Listening: Enter the name of the OT network interface; for example, ethernet1/1.
      Upstream interface: loopback.1
      Proxy IP: Enter the IP address of the interface in the OT zone; for example, 192.168.100.1.
      DNS-Proxy: Enter the name of the DNS proxy you defined previously; for example, dns-proxy.
      Allowed URL Category: Enter the name of the allowed URL group you defined previously; for example, iot_cloud_traffic.
      Next Hop Proxy Server: Enter the IP address of ethernet1/1 on the IT security telemetry gateway; 192.168.10.1 in our example.
      Next Hop Proxy Port: 8080
  2. (Optional) To forward network traffic logs for the OT network from the OT security telemetry gateway as well as from OT firewalls, subscribe the OT security telemetry gateway to IoT Security.
    If you don’t want the firewall acting as the OT security telemetry gateway to use IoT Security services in the OT network, it’s unnecessary to subscribe it to IoT Security and you can skip this step.
    1. Onboard IoT Security on the OT security telemetry gateway.
    2. Install licenses for the logging service and IoT Security on the OT security telemetry gateway and download a device certificate to the OT security telemetry gateway to authenticate its connections with the logging service and IoT Security.
    3. Configure the OT security telemetry gateway to support Device-ID and work with IoT Security.

Configure OT Firewalls

With both the IT and OT security telemetry gateways configured, you can set up the OT firewalls to use the security telemetry gateway chain to access the Palo Alto Networks cloud services necessary to support IoT Security:
  • Logging service – OT firewalls forward EAL and traffic logs to the logging service, which streams the metadata to IoT Security for analysis to identify devices, assess risk, and detect device vulnerabilities.
  • IoT Security – OT firewalls retrieve IP address-to-device mappings from IoT Security to enforce Device-ID Security policy rules. OT firewalls also retrieve policy rule recommendations from IoT Security.
  • Update server – OT firewalls periodically download device dictionary files with a regularly updated list of device attributes used as components in Device-ID Security policy rules.
  • License server – OT firewalls download activated logging service and IoT Security licenses from the license server.
  • Certificate server – Firewalls fetch new device certificates from certificate.paloaltonetworks.com and use their existing device certificates—expiring but still valid—to fetch renewed certificates from certificatetrusted.paloaltonetworks.com.
  • Customer Service Portal and the hub – Firewalls connect to the Customer Service Portal to verify admin users and then to the hub to get their role assignments.
  1. Configure a next-generation firewall to act as an OT firewall.
    1. Select Device > Setup > Interfaces > Management, configure the MGT interface with an IP address on the OT network, and enter the IP address of the OT security telemetry gateway interface in the OT zone as its default gateway; for example:
      IP Type: Static
      IP Address: 192.168.100.2
      Netmask: 255.255.255.0
      Default Gateway: 192.168.100.1
      The OT firewall uses the management interface to onboard IoT Security and fetch certificates and licenses, forward various traffic logs to the logging service, request IP address-to-device mappings and policy rule recommendations from IoT Security, and download dictionary files from the update server.
      You can also configure the OT firewall to use one of its Ethernet interfaces when initiating connections through the chain of security telemetry gateways. If you do, you must configure service routes to instruct the firewall to use this interface instead of the management interface. In the service route configuration, select Palo Alto Networks Services, Data Services, and IoT.
    2. Configure interfaces, security zones, and security policy rules as necessary to collect network traffic metadata for IoT Security to analyze. PAN-OS provides various options and you’ll need to use whatever methods make sense for your network topology; for example:
      Virtual wire to capture OT traffic – Create a virtual wire zone and a virtual wire object that links two virtual wire interfaces. Add either an intrazone or universal policy rule that allows traffic between devices within the same zone, and enable logging and log forwarding on the rule. Consider placing one or more OT firewalls with this configuration on the OT network at one of the OT Purdue levels (0-3) to capture network traffic at this level and forward traffic logs to the OT security telemetry gateway.
      Tap interface to collect traffic from downstream switches – Create a tap zone with a tap interface to receive traffic from a mirror port on downstream switches. This will capture traffic at other Purdue levels that don't reach OT firewalls, which can then forward it to the logging service.
      Layer 3 interface to collect traffic from an ERSPAN port on downstream switches – Create a Layer 3 zone with a Layer 3 interface on the OT firewall. Configure your switches to use Encapsulated Remote Switched Port Analyzer (ERSPAN) to send mirrored traffic through a Generic Routing Encapsulation (GRE) tunnel to the IP address of the OT network interface on the OT security telemetry gateway. After decapsulating the traffic, the OT security telemetry gateway generates various types of traffic logs and forwards them to the IT security telemetry gateway, which then forwards them to the logging service where IoT Security can access them for analysis.
    3. Select Device > Setup > Services, enter the following settings in the Proxy Server section, and leave the other settings with their default values:
      Proxy Server
      • Server: Enter the IP address of the OT security telemetry gateway interface in the OT zone; for example, 192.168.100.1, which is the IP address of the OT security telemetry gateway ethernet1/1 interface.
      • Port: 8080
      • Use proxy to send logs to Strata Logging Service: (select)
    4. Select Policies > Security, and create a universal policy rule that allows the following applications from OT network zones to any zones and position it above other policy rules:
      google-base
      paloalto-device-telemetry
      paloalto-iot-security
      paloalto-logging-service
      paloalto-shared-services
  2. Subscribe the OT firewall to IoT Security.
    1. Onboard IoT Security on the OT firewall.
    2. Install licenses for the logging service and IoT Security on the OT firewall and download a device certificate to the OT firewall to authenticate its connections with the logging service and IoT Security.
    3. Configure the OT firewall to support Device-ID and work with IoT Security.
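The three procedures above fix a handful of invariants that the chain depends on: each gateway's loopback lies outside its two subnets, proxied traffic can reach only the iot_cloud_traffic destinations, the OT gateway's next hop is the IT gateway's listening address on port 8080, and the OT firewall's proxy server is the OT gateway's OT-zone address on port 8080. The following is an added example, not part of the PAN-OS documentation or any Palo Alto Networks tool: it models the chain as plain dictionaries with the walkthrough's example addresses and checks those invariants, plus whether a destination host matches the allowed URL list (the wildcard semantics are an assumption: "*.domain" matches subdomains only, and an IP entry matches exactly).

```python
# Added example, not from the PAN-OS documentation or any Palo Alto Networks
# tool: a stand-alone consistency check for a security telemetry gateway chain
# modelled as plain dictionaries, using the example addresses from this page.
import ipaddress

# The page's allowed URL category. PAN-OS URL lists carry a trailing "/",
# which is stripped before matching. Assumption: "*.domain" matches
# subdomains only, and a bare IP address entry matches exactly.
IOT_CLOUD_TRAFFIC = [
    "*.paloaltonetworks.com/", "*.panservicetest.com/", "ocsp.godaddy.com/",
    "certificates.godaddy.com/", "*.gpcloudservice.com/", "*.lencr.org/",
    "34.122.191.141",
]

def destination_allowed(host, allowed=IOT_CLOUD_TRAFFIC):
    """True if a proxied destination host matches an entry in the URL list."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        pattern = entry.rstrip("/").lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):   # suffix keeps its leading "."
                return True
        elif host == pattern:
            return True
    return False

# Constructed chain settings taken from the walkthrough's example addresses.
IT_GATEWAY = {"name": "IT gateway", "listening_ip": "192.168.10.1",
              "subnets": ["192.168.10.0/24", "1.1.1.0/24"], "loopback_ip": "10.1.2.3",
              "allowed": IOT_CLOUD_TRAFFIC, "next_hop": None, "next_hop_port": None}
OT_GATEWAY = {"name": "OT gateway", "listening_ip": "192.168.100.1",
              "subnets": ["192.168.100.0/24", "192.168.10.0/24"], "loopback_ip": "10.2.3.4",
              "allowed": IOT_CLOUD_TRAFFIC, "next_hop": "192.168.10.1", "next_hop_port": 8080}
OT_FIREWALL = {"proxy_server": "192.168.100.1", "proxy_port": 8080}

def check_chain(it_gw, ot_gw, ot_fw):
    """Return the list of inconsistencies in the chain; empty means consistent."""
    problems = []
    for gw in (it_gw, ot_gw):
        loop = ipaddress.ip_address(gw["loopback_ip"])
        for subnet in gw["subnets"]:
            if loop in ipaddress.ip_network(subnet):
                problems.append(f'{gw["name"]}: loopback {loop} lies inside {subnet}')
        extra = set(gw["allowed"]) - set(IOT_CLOUD_TRAFFIC)
        if extra:
            problems.append(f'{gw["name"]}: extra proxied destinations {sorted(extra)}')
    if it_gw["next_hop"] is not None:
        problems.append("IT gateway: next hop must be empty; it reaches the cloud directly")
    if (ot_gw["next_hop"], ot_gw["next_hop_port"]) != (it_gw["listening_ip"], 8080):
        problems.append("OT gateway: next hop must be the IT gateway listening IP on port 8080")
    if (ot_fw["proxy_server"], ot_fw["proxy_port"]) != (ot_gw["listening_ip"], 8080):
        problems.append("OT firewall: proxy server must be the OT gateway listening IP on port 8080")
    return problems

if __name__ == "__main__":
    print(check_chain(IT_GATEWAY, OT_GATEWAY, OT_FIREWALL))   # [] when consistent
```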