Prepare to Deploy Device-ID
Complete the following predeployment tasks to prepare to deploy Device-ID.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
To prepare your network for Device-ID deployment, complete the following predeployment tasks to enable your firewall to generate and send Enhanced Application logs (EALs) through Strata Logging Service to Device Security for processing and analysis.
  1. If you have not already done so, install a device certificate on your firewall or Panorama.
    The device certificate authenticates the firewall when connecting to Strata Logging Service and Device Security.
  2. Install a device license and a Strata Logging Service license on your firewalls.
    To do this, click Device > Licenses, and then select Retrieve license keys from license server in the License Management section. This installs the licenses for Strata Logging Service and Device Security on the firewall.
    The Strata Logging Service license permits a firewall to connect to Strata Logging Service.
    The device license permits a firewall to connect to Device Security.
  3. (Layer 2 interfaces only) Create a VLAN interface for each Layer 2 interface so the firewall can observe the DHCP broadcast traffic.
  4. (Optional) Configure service routes to allow the necessary traffic for Device-ID and Device Security.
    By default, the firewall uses the management interface. To use a different interface, complete the following steps.
    1. If necessary, configure the data interface you want to use as the source interface for required Device Security communications.
    2. Select Device > Setup > Services > Service Route Configuration and then select Customize.
    3. On the IPv4 tab, select Data Services and then choose the data interface you want to use as the Source Interface.
      Its IP address autofills the Source Address field. This service route is for forwarding Enhanced Application logs (EALs) to Strata Logging Service.
      Device-ID and Device Security don’t support IPv6.
    4. Click OK.
    5. Click IoT, choose the same data interface as the Source Interface, and then click OK.
      This service route is for pulling IP address-to-device mappings and policy rule recommendations from Device Security.
    6. Click Palo Alto Networks Services, choose the same data interface, and then click OK.
      This service route is for forwarding other logs besides EALs to Strata Logging Service and for pulling device dictionary files from the update server.
    7. Click OK to save your configuration changes.
  5. (Optional) If you created service routes in the previous step, add Security policy rules permitting services required for the firewall to use Device Security.
    1. Select Policies > Security and then click + Add.
    2. On the General tab, enter a name for the Security policy rule and choose interzone as the Rule Type.
    3. On the Source tab, select Any as the source zone and then Add 127.168.0.0/16 as the source address.
    4. On the Destination tab, Add the destination zone through which the firewall reaches Device Security, and Add the edge services FQDN for your region as the destination address.
    5. On the Application tab, Add paloalto-iot-security.
      The firewall uses this application to pull IP address-to-device mappings and policy rule recommendations from Device Security.
    6. On the Actions tab, choose Allow and then click OK.
    7. If you have an intranet policy rule that allows all intranet traffic in the zone where Strata Logging Service and the update server are, you can use that rule to allow the firewall to forward logs to Strata Logging Service and pull dictionary files from the update server.
      Otherwise, create an intranet policy rule that allows the firewall to send traffic for these three applications to Strata Logging Service and the update server from the IP address of the firewall interface in the same zone:
      • paloalto-shared-services to forward EALs and session logs to Strata Logging Service
      • paloalto-logging-service to forward other logs besides EALs to Strata Logging Service
      • paloalto-updates to pull device dictionary files from the update server
  6. If there is a third-party firewall between the internet and Panorama and the Panorama-managed next-generation firewalls, make sure it allows the necessary traffic for Device-ID and Device Security.
    Firewalls automatically discover the correct FQDN to use based on the region set during the Device Security onboarding process. You should not need to set it manually.
    Required connections (Purpose, Address, TCP Port):
    • Purpose: Receive the regional FQDN allowing next-generation firewalls to retrieve IP address-to-device mappings and policy rule recommendations from Device Security.
      Address: enforcer.iot.services-edge.paloaltonetworks.com
      TCP Port: 443
    • Purpose: Let next-generation firewalls receive policy rule recommendations and IP address-to-device mappings from Device Security.
      Address (by region):
        United States: iot.services-edge.paloaltonetworks.com
        Canada: ca.iot.services-edge.paloaltonetworks.com
        EU region: eu.iot.services-edge.paloaltonetworks.com
        Asia-Pacific region: apac.iot.services-edge.paloaltonetworks.com
        Japan: jp.iot.services-edge.paloaltonetworks.com
        Australia: au.iot.services-edge.paloaltonetworks.com
      TCP Port: 443
    • Purpose: Let next-generation firewalls download device dictionary files from the update server.
      Address: updates.paloaltonetworks.com
      TCP Port: 443
    • Purpose: Let Panorama send queries for logs to Strata Logging Service.
      Address (by region):
        United States: iot.services-edge.paloaltonetworks.com
        Canada: ca.iot.services-edge.paloaltonetworks.com
        EU region: eu.iot.services-edge.paloaltonetworks.com
        Asia-Pacific region: apac.iot.services-edge.paloaltonetworks.com
        Japan: jp.iot.services-edge.paloaltonetworks.com
        Australia: au.iot.services-edge.paloaltonetworks.com
      TCP Port: 443
    • Device Security subscription + Strata Logging Service
      Purpose: Forward logs to Strata Logging Service.
      Address and TCP Port: See TCP Ports and FQDNs Required for Strata Logging Service.
  7. If there is a third-party firewall between the internet and next-generation firewalls (without Panorama), make sure it allows the necessary traffic for Device-ID and Device Security.
    Required connections (Purpose, Address, TCP Port):
    • Purpose: Receive the regional FQDN allowing next-generation firewalls to retrieve IP address-to-device mappings and policy rule recommendations from Device Security.
      Address: enforcer.iot.services-edge.paloaltonetworks.com
      TCP Port: 443
    • Purpose: Let next-generation firewalls receive policy rule recommendations and IP address-to-device mappings from Device Security.
      Address (by region):
        United States: iot.services-edge.paloaltonetworks.com
        Canada: ca.iot.services-edge.paloaltonetworks.com
        EU region: eu.iot.services-edge.paloaltonetworks.com
        Asia-Pacific region: apac.iot.services-edge.paloaltonetworks.com
        Japan: jp.iot.services-edge.paloaltonetworks.com
        Australia: au.iot.services-edge.paloaltonetworks.com
      TCP Port: 443
    • Purpose: Let next-generation firewalls download device dictionary files from the update server.
      Address: updates.paloaltonetworks.com
      TCP Port: 443
    • Device Security subscription + Strata Logging Service
      Purpose: Forward logs to Strata Logging Service.
      Address and TCP Port: See TCP Ports and FQDNs Required for Strata Logging Service.
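    As an added predeployment check (example code, not Palo Alto Networks tooling), the script below models the FQDN and port table from steps 6 and 7, reports which required connections an existing allow-rule set on the third-party firewall fails to cover, and can probe each endpoint over TCP 443 from the network where the firewalls sit. The region keys (us, ca, eu, apac, jp, au), the shell-style wildcard matching of rules, and the constructed rule set are assumptions of this example; Strata Logging Service endpoints are documented separately and are left out.

```python
# Added example (not Palo Alto Networks code): egress-rule gap check for the
# Device Security connections listed in steps 6 and 7 above.
import socket
from fnmatch import fnmatch

EDGE_DOMAIN = "iot.services-edge.paloaltonetworks.com"
# Region keys are this example's own shorthand for the regional FQDN prefixes.
REGION_PREFIX = {"us": "", "ca": "ca.", "eu": "eu.", "apac": "apac.", "jp": "jp.", "au": "au."}


def required_endpoints(region, managed_by_panorama=False):
    """Return (purpose, fqdn, tcp_port) tuples from the page's table.
    Strata Logging Service endpoints are documented separately and not included."""
    region_fqdn = REGION_PREFIX[region] + EDGE_DOMAIN
    endpoints = [
        ("regional FQDN discovery", "enforcer." + EDGE_DOMAIN, 443),
        ("IP-to-device mappings and rule recommendations", region_fqdn, 443),
        ("device dictionary files", "updates.paloaltonetworks.com", 443),
    ]
    if managed_by_panorama:  # step 6 adds the Panorama log-query row
        endpoints.append(("Panorama log queries", region_fqdn, 443))
    return endpoints


def missing_rules(allow_rules, region, managed_by_panorama=False):
    """allow_rules: iterable of (fqdn_pattern, tcp_port); patterns use shell-style
    wildcards (assumption of this example). Returns required endpoints no rule covers."""
    return [ep for ep in required_endpoints(region, managed_by_panorama)
            if not any(fnmatch(ep[1], pat) and port == ep[2] for pat, port in allow_rules)]


def probe(fqdn, port=443, timeout=3.0):
    """Resolve the FQDN and open a TCP connection; returns (fqdn, reachable, detail).
    Needs network access, so it is only called from the __main__ block."""
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            return fqdn, True, sock.getpeername()[0]
    except OSError as exc:
        return fqdn, False, str(exc)


if __name__ == "__main__":
    # Constructed rule set: a wildcard rule that forgets the update server and,
    # for the US region, misses the bare iot.services-edge FQDN (no prefix).
    rules = [("*.iot.services-edge.paloaltonetworks.com", 443)]
    for purpose, fqdn, port in missing_rules(rules, "us", managed_by_panorama=True):
        print(f"missing allow rule: {fqdn}:{port} ({purpose})")
    for _purpose, fqdn, port in required_endpoints("us", managed_by_panorama=True):
        print(probe(fqdn, port))
```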
  8. Configure your firewall to observe and generate logs for DHCP traffic, and then forward the logs for processing and analysis by Device Security.
    • If the firewall is acting as a DHCP server:
      1. Enable Enhanced Application logging.
      2. Create a Log Forwarding profile to forward the logs to Strata Logging Service for processing.
      3. Enable the DHCP Broadcast Session option (Device > Setup > Session > Session Settings).
        This setting is supported from PAN-OS 11.0.1 on the PA-5450 and PA-7000 Series and on all other firewalls running any version of PAN-OS 11.0 and later.
      4. Create a Security policy rule to allow dhcp as the Application type.
    • If the firewall isn’t a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EALs for the DHCP traffic it receives from clients.
    • If your DHCP server is on the same network segment as the interface of your firewall, deploy a virtual wire interface in front of the DHCP server to ensure the firewall generates EALs for all packets in the initial DHCP exchange with minimal performance impact.
      1. Configure a virtual wire interface with corresponding zones and enable the Multicast Firewalling option (Network > Virtual Wires > Add).
      2. Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The policy rule must allow all existing traffic that the server currently observes and use the same Log Forwarding profile as the rest of your rules.
      3. To allow the DHCP servers to check if an IP address is active before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.
      4. Configure a rule to allow all other traffic to and from the DHCP server that does not forward logs for traffic matches.
      5. Configure the DHCP server host to use the first virtual wire interface and the network switch to use the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.
    • If you want to use a tap interface to gain visibility into DHCP traffic that the firewall does not usually observe due to the current configuration or topology of the network, use the following configuration as a best practice.
      1. Configure a tap interface and corresponding zone.
      2. Configure a rule to match DHCP traffic that uses the same Log Forwarding profile as the rest of your rules.
      3. To minimize the session load on the firewall, configure a rule to drop all other traffic.
      4. Connect the tap interface to the port mirror on the network switch.
    • If you want to collect data about devices whose network traffic isn’t visible to a firewall, employ one or both of these options:
      • Use Encapsulated Remote Switched Port Analyzer (ERSPAN) to send mirrored traffic from a network switch through a generic routing encapsulation (GRE) tunnel to the firewall.
      • Configure DHCP servers to send their server logs containing IP address-to-MAC address bindings to the firewall.
  9. Apply a Log Forwarding profile to your Security policy rules.
    Apply a predefined Log Forwarding profile for Device Security to your rules—or update an existing profile or create a new one—so that they forward the required types of logs to Strata Logging Service.