Prepare to Deploy Device-ID
Focus
Focus

Prepare to Deploy Device-ID

Table of Contents
End-of-Life (EoL)

Prepare to Deploy Device-ID

Complete the following predeployment tasks to prepare to deploy Device-ID.
To prepare your network for Device-ID deployment, complete the following predeployment tasks to enable your firewall to generate and send Enhanced Application logs (EALs) to the Cortex Data Lake for processing and analysis by IoT Security for policy rule recommendation generation.
  1. If you have not already done so, install the device certificate on your firewall or Panorama.
    If you use Panorama to manage multiple firewalls, Palo Alto Networks strongly recommends upgrading all firewalls in your Device-ID deployment to PAN-OS 10.0 or a later version. If you create a rule that uses
    Device
    as a match criteria and Panorama pushes the rule to a firewall that uses PAN-OS 9.1 or an earlier version, the firewall omits the
    Device
    match criteria because it is not supported, which may cause issues with policy rule traffic matching.
  2. Activate your Cortex Data Lake instance and connect your firewall to the instance.
    1. Activate a Cortex Data Lake instance.
    2. Connect your firewall to Cortex Data Lake.
  3. (
    L2 interfaces only
    ) Create a VLAN interface for each L2 interface so the firewall can observe the DHCP broadcast traffic.
  4. (
    Optional
    ) Configure a service route to allow the necessary traffic for Device-ID and IoT Security.
    By default, the firewall uses the management interface. To use a different interface, complete the following steps.
    1. Select
      Device
      Setup
      Services
      then select
      Service Route Configuration
      .
    2. Customize
      a service route.
    3. Select the
      IPv4
      protocol.
      Device-ID and IoT Security do not support IPv6.
    4. Select
      Data Services
      in the Service column.
    5. Select a
      Source Interface
      and
      Source Address
      .
    6. Click
      OK
      twice.
  5. Use App-IDs to allow the necessary traffic for Device-ID and IoT Security.
    Purpose
    App-ID
    Retrieve policy rule recommendations and allow traffic between the IoT Security app and your firewall or Panorama.
    paloalto-iot-security
    Allow traffic for all EALs and all session logs.
    paloalto-logging-service
    Retrieve IoT Security dynamic updates and Device Dictionary updates.
    paloalto-updates
    If you have a third-party firewall between a Palo Alto Networks next-generation firewall using Device-ID and the internet, verify that the next-generation firewall can access
    iot.services-edge.paloaltonetworks.com:443
    if it’s in the Americas region,
    eu.iot.services-edge.paloaltonetworks.com:443
    if it’s in the EU region, or
    apac.iot.services-edge.paloaltonetworks.com:443
    if it’s in the Asia-Pacific region.
  6. If there’s a third-party firewall between the internet and Panorama and Panorama-managed next-generation firewalls, make sure it allows the necessary traffic for Device-ID and IoT Security.
    Purpose
    Address
    TCP Port
    (
    PAN-OS versions 10.0.3 and later
    ) Receive the regional FQDN allowing next-generation firewalls to retrieve IP address-to-device mappings and policy rule recommendations from IoT Security.
    enforcer.iot.services-edge.paloaltonetworks.com
    443
    (
    PAN-OS versions 10.0.0 and later
    ) Let next-generation firewalls receive policy rule recommendations and IP address-to-device mappings from IoT Security.
    Americas region
    iot.services-edge.paloaltonetworks.com
    EU region
    eu.iot.services-edge.paloaltonetworks.com
    Asia-Pacific region
    apac.iot.services-edge.paloaltonetworks.com
    443
    (
    PAN-OS versions 10.0.0 and later
    ) Let next-generation firewalls download device dictionary files from the update server.
    updates.paloaltonetworks.com
    443
    (
    PAN-OS versions 10.0.0 and later
    ) Let Panorama send queries for logs to the logging service.
    Americas region
    iot.services-edge.paloaltonetworks.com
    EU region
    eu.iot.services-edge.paloaltonetworks.com
    Asia-Pacific region
    apac.iot.services-edge.paloaltonetworks.com
    443
    (
    IoT Security subscription + Cortex Data Lake
    ) Forward logs to Cortex Data Lake.
    PAN-OS versions 10.0.0 - 10.0.2 connect to the edge services FQDN in the Americas region by default (
    iot.services-edge.paloaltonetworks.com
    ). For firewalls running these PAN-OS versions to connect to the FQDN in the EU region (
    eu.iot.services-edge.paloaltonetworks.com
    ) or Asia-Pacific region (
    apac.iot.services-edge.paloaltonetworks.com
    ), you must manually configure it. For PAN-OS versions 10.0.3 and later, firewalls automatically discover the correct FQDN to use based on the region set during the IoT Security onboarding process. There is no need to set it manually.
  7. If there’s a third-party firewall between the internet and next-generation firewalls (without Panorama), make sure it allows the necessary traffic for Device-ID and IoT Security.
    Purpose
    Address
    TCP Port
    (
    PAN-OS versions 10.0.3 and later
    ) Receive the regional FQDN allowing next-generation firewalls to retrieve IP address-to-device mappings and policy rule recommendations from IoT Security.
    enforcer.iot.services-edge.paloaltonetworks.com
    443
    (
    PAN-OS versions 10.0.0 and later
    ) Let next-generation firewalls receive policy rule recommendations and IP address-to-device mappings from IoT Security.
    Americas region
    iot.services-edge.paloaltonetworks.com
    EU region
    eu.iot.services-edge.paloaltonetworks.com
    Asia-Pacific region
    apac.iot.services-edge.paloaltonetworks.com
    443
    (
    PAN-OS versions 10.0.0 and later
    ) Let next-generation firewalls download device dictionary files from the update server.
    updates.paloaltonetworks.com
    443
    (
    IoT Security subscription + Cortex Data Lake
    ) Forward logs to Cortex Data Lake.
  8. Configure your firewall to observe and generate logs for DHCP traffic then forward the logs for processing and analysis by IoT Security.
    • If the firewall is acting as a DHCP server:
      1. Enable Enhanced Application logging.
      2. Create a log forwarding profile to forward the logs to Cortex Data Lake for processing.
      3. (
        Not supported on the PA-3200, PA-5200, or PA-7000
        ) Enable the
        DHCP Broadcast Session
        option (
        Device
        Setup
        Session
        Session Settings
        ).
      4. Create a Security policy rule to allow
        dhcp
        as the
        Application
        type.
    • If the firewall is not a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EALs for the DHCP traffic it receives from clients.
    • If your DHCP server is on the same network segment as the interface your firewall, deploy a virtual wire interface in front of the DHCP server to ensure the firewall generates EALs for all packets in the initial DHCP exchange with minimal performance impact.
      1. Configure a virtual wire interface with corresponding zones and enable the
        Multicast Firewalling
        option (
        Network
        Virtual Wires
        Add
        ).
      2. Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The policy must allow all existing traffic that the server currently observes and use the same log forwarding profile as the rest of your rules.
      3. To allow the DHCP servers to check if an IP address is active before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.
      4. Configure a rule to allow all other traffic to and from the DHCP server that does not forward logs for traffic matches.
      5. Configure the DHCP server host to use the first virtual wire interface and the network switch to use the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.
    • If you want to use a tap interface to gain visibility into DHCP traffic that the firewall doesn’t usually observe due to the current configuration or topology of the network, use the following configuration as a best practice.
      1. Configure a tap interface and corresponding zone.
      2. Configure a rule to match DHCP traffic that uses the same log forwarding profile as the rest of your rules.
      3. To minimize the session load on the firewall, configure a rule to drop all other traffic.
      4. Connect the tap interface to the port mirror on the network switch.
  9. Add session log types to the log forwarding profile.
    If there are no existing entries in the log forwarding profile, selecting the
    Enable enhanced application logging to Cortex Data Lake (including traffic and url logs)
    option adds all logs types.
    1. Add
      a new profile and enter a name.
    2. Select
      traffic
      as the
      Log type
      .
    3. Select
      All logs
      as the
      Filter
      .
    4. Select the
      Cortex Data Lake
      option.
    5. Click
      OK
      .
    6. Repeat substeps 1-5 for the
      threat
      and, if you have a subscription,
      wildfire
      log types.

Recommended For You