Configure Device-ID
Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
If you use Panorama to manage multiple firewalls, Palo Alto Networks strongly recommends upgrading all firewalls in your Device-ID deployment to PAN-OS 10.0 or a later version. If you create a rule that uses Device as a match criterion and Panorama pushes the rule to a firewall that runs PAN-OS 9.1 or an earlier version, the firewall omits the Device match criterion because it is not supported, which may cause issues with policy rule traffic matching.
  1. Activate your IoT Security license on the hub.
    1. Follow the instructions that you received in your email to activate your IoT Security license.
    2. Initialize your IoT Security app. For more information, refer to Get Started with IoT Security and the IoT Security Best Practices.
    3. Apply the license to the firewalls you want to use to enforce the IoT Security policy.
    4. Refresh your license on the firewall or Panorama.
  2. Define your IoT Security policy on the IoT Security app.
    1. On the IoT Security app, select the source device object.
    2. Create a new set of policy rules for the source device object. For more information about creating security policies with the IoT Security app, refer to Recommend Security Policies.
    3. Activate the policy rules to confirm your changes.
  3. Import the IP address-to-device mappings and policy rule recommendations to the firewall or Panorama.
    1. Import the policy rule recommendation.
      • On the firewall, select Device > Policy Recommendation.
      • On Panorama, select Panorama > Policy Recommendation, then push the policy rules to the firewalls that Panorama manages. After you push the policy to the firewalls, you must Sync Policy Rules on the firewalls to create the policy rule recommendation-to-policy rule mapping.
      When you select Policy Recommendation, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama.
      Because IoT Security creates the policy rule recommendation using the trusted behavior for the device, the default action for the rule is allow.
    2. Select the Source Device Profile.
    3. Verify that the Destination Device Profile and permitted Applications are correct.
    4. Select Import Policy Rules to import the policy rules.
    5. (Panorama only) Select the Location of the device group where you want to import the policy rules.
    6. Enter a Name for the policy rules.
    7. (Panorama only) Select the Destination Type (Pre-Rulebase or Post-Rulebase).
    8. Select After Rule to define the placement of the rule in the rulebase.
      • No Rule Selection: places the rule at the top of the rulebase.
      • Default One: places the rule after the listed rule.
      In your Security policy, Device-ID rules must precede any existing rules that apply to the devices.
    9. Repeat this process for each policy rule recommendation to create rules that allow access for each device object to the necessary destination(s).
    10. Click OK and Commit your changes.
  4. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. You should enable Device-ID only for internal zones.
    1. Select Network > Zones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification, then click OK.
  5. Commit your changes.
  6. Verify your Security policy is correct.
    1. Select Policies, then select the rule you created from the policy rule recommendation. IoT Security assigns a Description that contains the source device object, and Tags that identify the source device object and indicate that this rule is a recommendation from IoT Security. Device object names must be unique.
    2. Select the Source tab, then verify the Source Device Profile.
    3. Select the Destination tab and verify the Destination Device Profile.
    4. Select the Application tab and verify the Applications.
    5. Select the Actions tab and verify the Action (default is Allow).
    6. Use Explore to verify CDL receives your logs and review which logs CDL receives.
  7. Create custom device objects for any devices that do not have IoT Security policy rule recommendations.
    For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Manage Device-ID.
  8. Use the device objects to enforce policy rules and to monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source device objects and destination device objects in Security, Authentication, QoS, and Decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC to track new devices and device behavior.
    • Use device objects to create a custom report (for example, for incident reports or audits).
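As an added check (example code written for this page, not Palo Alto Networks tooling), the script below reads an exported configuration and flags the two mistakes the procedure warns about: a Device-ID rule placed after a broader rule in the same source zone, and Device Identification enabled on a zone that is not internal. The PAN-OS XML element names it looks for are assumptions; confirm them against your own export.

```python
"""Sanity checks for a Device-ID deployment over an exported PAN-OS config
XML. Added example, not Palo Alto Networks code. The element names used here
(rulebase/security/rules/entry with source-device members, and
zone/entry/enable-device-identification) are assumptions: confirm them
against your own exported configuration before trusting the results."""
import xml.etree.ElementTree as ET

# Constructed sample with two mistakes the procedure warns about: a broad rule
# precedes the Device-ID rule in its zone, and Device-ID is on "untrust" (external).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><zone>
 <entry name="trust"><enable-device-identification>yes</enable-device-identification></entry>
 <entry name="untrust"><enable-device-identification>yes</enable-device-identification></entry>
</zone><rulebase><security><rules>
 <entry name="any-outbound"><from><member>trust</member></from>
  <source-device><member>any</member></source-device><action>allow</action></entry>
 <entry name="iot-camera-rec"><from><member>trust</member></from>
  <source-device><member>IP Camera</member></source-device><action>allow</action>
  <tag><member>IoT Security Recommended</member></tag></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

def parse_config(xml_text):
    return ET.fromstring(xml_text)

def members(rule, child):
    """Text of every <member> under the named child element of a rule."""
    return [m.text for m in rule.findall(f"{child}/member")]

def is_device_rule(rule):
    devs = members(rule, "source-device")
    return bool(devs) and devs != ["any"]

def zone_findings(root, internal_zones):
    """Zones with Device-ID enabled that are not in the internal-zone set."""
    return [z.get("name") for z in root.findall(".//zone/entry")
            if z.findtext("enable-device-identification") == "yes"
            and z.get("name") not in internal_zones]

def rule_order_findings(root):
    """(device rule, earlier rule) pairs where a broader rule sharing a source
    zone comes first and may shadow the Device-ID rule; review each pair."""
    rules = root.findall(".//rulebase/security/rules/entry")
    findings = []
    for i, rule in enumerate(rules):
        if not is_device_rule(rule):
            continue
        zones = set(members(rule, "from"))
        for earlier in rules[:i]:
            if not is_device_rule(earlier) and zones & set(members(earlier, "from")):
                findings.append((rule.get("name"), earlier.get("name")))
    return findings
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents and passing your own set of internal zone names to zone_findings.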