: IoT Security Solution Setup
Focus
Focus

IoT Security Solution Setup

Table of Contents

IoT Security
Solution Setup

Set up the multiple components that constitute the
IoT Security
solution.
The following is an overview of the main steps involved in setting up the
IoT Security
solution with particular focus on the following three components:
  • Palo Alto Networks Next-Generation Firewalls with or without Panorama management
  • Logging service with or without a
    Cortex Data Lake
    instance
  • IoT Security
    application
The solution also makes use of the update server for device dictionary file updates and the Customer Support Portal and hub for
IoT Security
user management. Optionally,
IoT Security
integrates with Prisma Access and SD-WAN and, through XSOAR, with third-party products.
Learn about the main steps involved in the
IoT Security
solution setup:

1 - Check Firewall Support and Prerequisites

Most current Palo Alto Networks firewall models support
IoT Security
with a few exceptions and with different degrees of functionality depending on the PAN-OS release:
  • PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1: Device visibility and manually configured Security policy enforcement
  • PAN-OS 10.0 or later: Device visibility and automated Security policy enforcement through Device-ID
Although
IoT Security
is a cloud application and is always running its latest software version, make sure the firewall models and PAN-OS versions on them support the level of functionality you want.
In addition, there are several prerequisites. For example, each firewall that integrates with
IoT Security
must have an
IoT Security
subscription. Not all firewalls on your network must subscribe to
IoT Security
; only those that collect network traffic and forward logs to it and those after PAN-OS 10.0 that receive policy rule recommendations and IP address-to-device mappings from it.
Detailed Instructions

2 - Onboard
IoT Security

IoT Security
onboarding is a six-step process that starts from an
Activate
link in an email from Palo Alto Networks. (If you have an Enterprise License Agreement, it starts either in the Customer Support Portal or in the hub). During the
IoT Security
onboarding process, do the following depending on what you’re activating:
  • Create an
    IoT Security
    tenant
  • (
    IoT Security
    Subscription
    ) Activate a new
    Cortex Data Lake
    instance or associate an existing one with your
    IoT Security
    tenant
    or
    (
    IoT Security
    Subscription - Doesn’t Require Data Lake
    ) Specify the data ingestion region
  • Subscribe firewalls to
    IoT Security
    services
  • Optionally activate a third-party integrations add-on
Detailed Instructions

3 - Prepare Firewalls

For
IoT Security
to discover network-connected devices and assess their network behavior patterns, it needs quality network metadata from next-generation firewalls. Therefore, it’s essential that firewalls are placed on the network and configured to collect metadata from traffic and forward it for
IoT Security
to access. In particular, DHCP traffic is important because it links dynamically assigned IP addresses to device MAC addresses, making them trackable over time.
Firewalls must also provide
IoT Security
with metadata for other types of traffic that devices generate. They do this by enforcing policy on network traffic, creating logs, and then forwarding them to the logging service, which then streams the metadata to
IoT Security
.
Detailed Instructions

4 - Install Certificates and Licenses

Logging service and device licenses permit next-generation firewalls to connect to the logging service and
IoT Security
. Logging service and device certificates authenticate these connections. Firewalls need these licenses and certificates to integrate with
IoT Security
.
Firewalls running PAN-OS 8.1–10.0 use logging service certificates to secure communications with the logging service so they can forward various logs to it. From PAN-OS 10.0, when Device-ID was introduced, firewalls use device certificates to secure communications with
IoT Security
to get IP address-to-device mappings and recommended policy rules. (Note: Panorama-managed firewalls can get recommended policy rules either directly from
IoT Security
or indirectly from
IoT Security
through Panorama.) From PAN-OS 10.1, firewalls use just one device certificate to secure connections to both the logging service and
IoT Security
. Panorama also uses a device certificate to secure communications with
IoT Security
.
Detailed Instructions

5 - Configure Logging

Configure Security policy rules on firewalls to log traffic and forward logs to the logging service where
IoT Security
accesses it. The more network traffic metadata
IoT Security
has for analysis, the more quickly and confidently it identifies devices and establishes a baseline of their normal network behaviors. This results in a broader application of Security policy rules based on Device-ID (
IoT Security
sends firewalls IP address-to-device mappings only when it has a high confidence in their identities and the devices have sent or received traffic within the past hour) and broader and deeper insight into device risk and real and potential security threats.
Detailed Instructions

Recommended For You