Configure Advanced Device-ID Objects

Learn how to enable Advanced Device-ID in Device Security and in PAN-OS, and how to create Advanced Device-ID objects.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
Before configuring Advanced Device-ID, you must have an active Device Security subscription. You don't need any additional license for Advanced Device-ID. Add the Device Security license to the firewall where you want to enable Advanced Device-ID for Security policy rules. By default, both Device Security and PAN-OS start in legacy Device-ID mode, even after upgrading to PAN-OS 12.1. If you have not previously used Device-ID, you can upgrade to Advanced Device-ID. If you have an existing legacy Device-ID configuration, you must enable Hybrid Mode before upgrading to Advanced Device-ID.
When using Advanced Device-ID, you must configure the Device-ID objects in Device Security. Unlike legacy Device-ID, you can’t create Advanced Device-ID objects on the firewall or in Panorama. You can create up to 4,000 Advanced Device-ID objects.

Upgrade to Advanced Device-ID in Device Security

Because Advanced Device-ID requires configuring objects in Device Security, ensure that you upgrade to Advanced Device-ID in Device Security first. If Advanced Device-ID isn’t enabled in Device Security, you won’t be able to use Advanced Device-ID in your Security policy rules, regardless of what Device-ID Operation Mode the firewall is using.
  1. (Banner in Device Security) Navigate to Policies to find the Advanced Device-ID upgrade banner, and click Upgrade to bring up the Advanced Device-ID informational pop-up.
  2. (From Policies Settings) Navigate to Policies > Settings, and Enable the toggle for Upgrade to Device-ID to bring up the Advanced Device-ID informational pop-up.
  3. In the pop-up, click Continue to convert your profile-based Device-ID objects into Advanced Device-ID objects.
  4. Once the pop-up shows “Upgrade Completed!”, click Continue to view the new Policies > Device-ID page.
    When viewing the Device-ID page, the table might include system-generated Advanced Device-ID objects. System-generated Advanced Device-ID objects come from a variety of sources, such as enabling onboarding devices, traffic restrictions, or profiles with existing policy sets. You can modify or delete system-generated Advanced Device-ID objects in the same way as manually created ones.

Upgrade to Advanced Device-ID in PAN-OS

Before creating Advanced Device-ID objects, ensure that your firewall also has an appropriate Device-ID Operation Mode set. If the firewall isn’t using Hybrid Mode or Advanced Mode for Device-ID, it won’t be able to fetch the Advanced Device-ID objects from Device Security. The location to configure the Device-ID Operation Mode differs depending on whether you're using PAN-OS managed by NGFW or PAN-OS managed by Panorama.
If you have existing legacy Device-ID firewall rules, you must convert your rules to Advanced Device-ID first to ensure continuity of enforcement. Use Hybrid Mode to convert your rules first, before enabling Advanced Mode.
  1. Log in to your firewall running PAN-OS version 12.1.
  2. Navigate to the PAN-OS Edge Service Settings.
    For PAN-OS managed by NGFW, navigate to Device > Setup > Management > PAN-OS Edge Service Settings.
    For PAN-OS managed by Panorama, navigate to Panorama > Setup > Management > PAN-OS Edge Service Settings.
  3. Click on the gear icon in PAN-OS Edge Service Settings to open the PAN-OS Edge Service Settings configuration pop-up.
  4. For the Device-ID Operation Mode, select Advanced Mode.
  5. Click OK to save the new settings and bring up the Warning pop-up.
  6. Acknowledge the warning and confirm that you migrated your firewall rules by clicking OK.
  7. After you change the Device-ID Operation Mode to Advanced Mode, Commit the change.

Create an Advanced Device-ID Object in Device Security

In Advanced or Hybrid Mode, you can only create Advanced Device-ID objects in Device Security and then import them into the firewall. You can create up to 4,000 Advanced Device-ID objects.
  1. In your Device Security portal, navigate to Policies > Device-ID.
  2. Click on Create New Device-ID in the Device-ID table to go to the Create Device-ID page.
  3. Enter a unique Name for your Advanced Device-ID.
  4. (Optional) Enter a Description for your Advanced Device-ID.
  5. From the available attributes, add the matching criteria that you want to use for your Advanced Device-ID.
    When you View Saved Queries, you will see a list of existing saved queries in the Saved Queries side panel. You can apply one of the saved queries. If you want to apply multiple saved queries, you will need to manually add the additional query criteria.
    When you add matching criteria, you can use conditional logic to allow for precise matching or exclusion of device attributes.
  6. Once you're done entering the matching criteria, Test the criteria to see the list of devices that match the criteria.
    Use this list to verify that your matching criteria accurately capture the types of devices that you want to use in Security policy rules.
  7. Click Create to create the new Advanced Device-ID and close the Create Device-ID page.
  8. Verify that your new Advanced Device-ID appears in the Device-ID list.
    When you first create an Advanced Device-ID, it appears with a Pending chip next to the name. While the Pending chip displays, you won't be able to view the Device-ID details page.
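The following Python model illustrates steps 5 and 6 of the procedure above: building matching criteria with conditional logic (AND, OR, and exclusion), testing them against an inventory before creating the object, and enforcing the unique-name and 4,000-object limits the page states. It is an added example, not Device Security's query language, API, or data schema; the inventory, the attribute names (category, profile, vendor, site), and the `Criterion`/`DeviceIDObject`/`DeviceIDTable` structures are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

Device = Dict[str, str]

# Constructed sample inventory for this example; the attribute names
# (category, profile, vendor, site) are assumptions, not Device Security's schema.
INVENTORY: List[Device] = [
    {"name": "pump-01", "category": "Medical", "profile": "Infusion Pump", "vendor": "AcmeMed", "site": "ward-a"},
    {"name": "pump-02", "category": "Medical", "profile": "Infusion Pump", "vendor": "AcmeMed", "site": "ward-b"},
    {"name": "pump-99", "category": "Medical", "profile": "Infusion Pump", "vendor": "OtherMed", "site": "lab"},
    {"name": "cam-07", "category": "Security Camera", "profile": "IP Camera", "vendor": "CamCo", "site": "ward-a"},
    {"name": "printer-03", "category": "Office", "profile": "Printer", "vendor": "PrintCo", "site": "ward-a"},
]


@dataclass(frozen=True)
class Criterion:
    """One attribute match; negate=True turns it into an exclusion."""
    attribute: str
    value: str
    negate: bool = False

    def matches(self, device: Device) -> bool:
        hit = device.get(self.attribute) == self.value
        return not hit if self.negate else hit


@dataclass
class DeviceIDObject:
    """Hypothetical model of one Advanced Device-ID object."""
    name: str
    description: str = ""
    all_of: List[Criterion] = field(default_factory=list)  # AND: every criterion must hold
    any_of: List[Criterion] = field(default_factory=list)  # OR: at least one must hold (empty = unconstrained)

    def matches(self, device: Device) -> bool:
        if not all(c.matches(device) for c in self.all_of):
            return False
        return not self.any_of or any(c.matches(device) for c in self.any_of)

    def test(self, inventory: List[Device]) -> List[str]:
        """Counterpart of the Test step: names of the devices the criteria match."""
        return sorted(d["name"] for d in inventory if self.matches(d))


MAX_OBJECTS = 4000  # limit stated on the page


class DeviceIDTable:
    """Holds created objects, enforcing unique names and the object limit."""

    def __init__(self, limit: int = MAX_OBJECTS) -> None:
        self.limit = limit
        self._objects: Dict[str, DeviceIDObject] = {}

    def create(self, obj: DeviceIDObject) -> None:
        if obj.name in self._objects:
            raise ValueError(f"Device-ID name must be unique: {obj.name!r}")
        if len(self._objects) >= self.limit:
            raise ValueError(f"limit of {self.limit} Device-ID objects reached")
        self._objects[obj.name] = obj

    def __len__(self) -> int:
        return len(self._objects)


def ward_infusion_pumps() -> DeviceIDObject:
    """Infusion pumps on the wards; the lab bench unit is removed by a negated criterion."""
    return DeviceIDObject(
        name="Ward Infusion Pumps",
        description="Infusion pumps in patient wards (lab units excluded)",
        all_of=[
            Criterion("category", "Medical"),
            Criterion("profile", "Infusion Pump"),
            Criterion("site", "lab", negate=True),
        ],
    )


def all_infusion_pumps() -> DeviceIDObject:
    """Same profile match without the exclusion, to show what the Test step reveals."""
    return DeviceIDObject(name="All Infusion Pumps", all_of=[Criterion("profile", "Infusion Pump")])


if __name__ == "__main__":
    table = DeviceIDTable()
    for obj in (all_infusion_pumps(), ward_infusion_pumps()):
        print(f"{obj.name}: matches {obj.test(INVENTORY)}")
        table.create(obj)
    print(f"{len(table)} objects created")
```

Running the test step on both objects shows why the exclusion matters: the profile-only criteria also capture the lab unit (pump-99), which a policy rule written for ward devices should not apply to. Checking the matched list before clicking Create is the equivalent of this comparison in the portal.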