Configure Third-Party Device-ID in Prisma Access

Use Prisma Access and the Cloud Identity Engine to configure third-party Device-ID for IoT devices that are identified by third-party IoT visibility solutions.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.
What Do I Need?
  • Prisma Access license with Cloud Identity Engine functionality enabled
You can use the Cloud Identity Engine along with Prisma Access to apply information from third-party IoT detection sources, which simplifies the task of identifying and closing security gaps for devices in your network. After you set up Third-Party Device-ID in the Cloud Identity Engine using an API, you create a device object and a security policy rule in Prisma Access that obtain and use information from the third-party IoT visibility solution through the Cloud Identity Engine, giving you device visibility and control.
In the following figure, the Third-Party Device-ID service receives the device information from the third-party IoT solutions and transmits it as IP address-to-device mappings to the Cloud Identity Engine and to the Prisma Access Security Processing Nodes (SPNs).

Cloud Management

Use the Cloud Identity Engine and Prisma Access to retrieve device IDs from third-party IoT device vendors.
To configure third-party Device-ID, complete the following tasks.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    This procedure includes uploading a signed certificate and using it with an API to communicate with the third-party IoT vendor and download Device-ID information from it.
  2. Activate Third-Party Device-ID in Prisma Access by going to Settings > Prisma Access Setup > Shared or Workflows > Prisma Access Setup > Prisma Access and setting Enable Device Identification to Enabled.
  3. Configure a device object and enter device attributes.
    1. Go to Manage > Objects > Remote Networks > Devices and Add a device object that matches all the Device-ID attributes.
      Be sure that you are in the Remote Networks device group.
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access, set the configuration scope to Remote Networks, and select Objects > Devices and Add Devices.
    2. Add a device object that matches the attributes of the third-party devices.
      The Cloud Identity Engine Mappings area displays the attributes of the third-party devices; you can use any of the attributes retrieved there. A device object with several attributes matches only devices whose mappings carry all of them, so use attributes that actually appear in the Mappings area.
  4. Go to Manage > Security Services > Remote Networks > Security Policy and Add a security policy, adding the device objects you created in the Devices area.
    If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access, set the configuration scope to Remote Networks, and select Security Services > Security Policy and Add a security policy, adding the device objects you created in the Devices area.
  5. Push Config to save your changes to the Prisma Access configuration, making sure to select Remote Networks in the push scope.
  6. Verify that Prisma Access is receiving the Device-ID logs by going to Activity > Logs > Log Viewer, selecting Firewall/Traffic, and searching for traffic under the rule you created by entering rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.
    The Device-ID to IP address mappings display in the logs.
    If no sessions match the rule, check the Cloud Identity Engine Mappings area to confirm that the device's IP address has been mapped and that the attributes in your device object match that mapping.
    If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer, select Firewall/Traffic, and search for traffic under the rule you created by entering rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.

Panorama

Use the Cloud Identity Engine and Prisma Access to retrieve device IDs from third-party IoT device vendors.
To configure third-party Device-ID, complete the following tasks.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    This procedure includes uploading a signed certificate and using it with an API to communicate with the third-party IoT vendor and download Device-ID information from it.
  2. Activate Third-Party Device-ID in Prisma Access by going to Panorama > Cloud Services > Configuration > Remote Networks > Settings, clicking the gear to edit the Settings, and selecting Enable Device Identification.
  3. Configure a device object and enter device attributes.
    1. Go to Objects > Devices and Add a device object that matches all the Device-ID attributes.
      Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
    2. Add a device object that matches the attributes of the third-party devices.
      The Cloud Identity Engine Mappings area displays the attributes of the third-party devices; you can use any of the attributes retrieved there. A device object with several attributes matches only devices whose mappings carry all of them, so use attributes that actually appear in the Mappings area.
  4. Go to Policies > Security > Pre Rules and Add a security policy, adding the device objects you created in the Devices area as the Source Device.
    Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
  5. Commit and push your changes, making sure that Remote Networks is selected in the Push Scope.
    1. Click Commit > Commit and Push.
    2. Edit Selections and, in the Prisma Access tab, make sure that Remote Networks is selected in the Push Scope, then click OK.
    3. Click Commit and Push.
  6. Verify that Prisma Access is receiving the Device-ID logs by going to Monitor > Logs and searching the Traffic logs for traffic under the rule you created by entering rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.
    The Device-ID to IP address mappings display in the logs.
    If no sessions match the rule, check the Cloud Identity Engine Mappings area to confirm that the device's IP address has been mapped and that the attributes in your device object match that mapping.
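The two pieces of logic behind steps 3 and 6 of both the Cloud Management and Panorama procedures, as an added example that is not Palo Alto Networks code: how a device object with several attributes matches (or fails to match) an IP address-to-device mapping, and how to check the mappings that traffic logs carry for sessions that hit a given rule, which is what the rule_matched = rulename filter does in the Log Viewer. The device object names, IP addresses, attribute values and log rows are constructed for the example; the CSV column names follow the PAN-OS traffic log Device-ID fields (src_category, src_profile, src_model, src_vendor, src_osfamily, src_osversion), and the CSV itself is a stand-in for a log export, not live data.

```python
"""Added example, not Palo Alto Networks code: models how a device object
matches Device-ID attributes (step 3) and how to check IP-to-device mappings
in traffic logs filtered by rule (step 6). Names, addresses and rows are
constructed; CSV columns follow PAN-OS traffic log Device-ID field names."""
import csv
import io

# Device-ID attributes a device object can constrain.
DEVICE_ATTRS = ("category", "profile", "model", "osfamily", "osversion", "vendor")

# Hypothetical device objects, as you would create them under Objects > Devices.
DEVICE_OBJECTS = {
    "iot-hvac-controllers": {"category": "HVAC", "vendor": "Acme", "osfamily": "Linux"},
    "iot-ip-cameras": {"category": "Camera", "profile": "IP Camera"},
}

# Constructed IP-to-device mappings in the shape the Cloud Identity Engine
# Mappings area presents them (one dict per IP address).
MAPPINGS = [
    {"ip": "10.1.0.11", "category": "HVAC", "vendor": "Acme",
     "osfamily": "Linux", "osversion": "4.19", "model": "T100"},
    {"ip": "10.1.0.12", "category": "HVAC", "vendor": "Other", "osfamily": "Linux"},
    {"ip": "10.1.0.20", "category": "Camera", "profile": "IP Camera", "vendor": "Acme"},
    {"ip": "10.1.0.30", "category": "Printer"},
]


def device_object_matches(device_obj, mapping):
    """A device object matches a mapping only if every attribute the object
    sets equals the mapping's value; attributes left unset match anything."""
    return all(mapping.get(k) == v
               for k, v in device_obj.items() if k in DEVICE_ATTRS and v)


def classify(mappings=MAPPINGS, device_objects=DEVICE_OBJECTS):
    """Return {ip: [names of the device objects that mapping matches]}."""
    return {m["ip"]: [name for name, obj in device_objects.items()
                      if device_object_matches(obj, m)]
            for m in mappings}


# Constructed CSV export of traffic logs. Column names follow the PAN-OS
# traffic log fields (rule, src, dst, app, action, src_category, ...).
TRAFFIC_CSV = """\
rule,src,dst,app,action,src_category,src_profile,src_model,src_vendor,src_osfamily,src_osversion
allow-iot-hvac,10.1.0.11,172.16.5.5,ssl,allow,HVAC,HVAC Controller,T100,Acme,Linux,4.19
allow-iot-hvac,10.1.0.11,172.16.5.9,dns,allow,HVAC,HVAC Controller,T100,Acme,Linux,4.19
allow-iot-cameras,10.1.0.20,172.16.7.2,rtsp,allow,Camera,IP Camera,,Acme,,
intrazone-default,10.1.0.30,172.16.9.1,web-browsing,allow,,,,,,
"""


def mappings_for_rule(rule_name, csv_text=TRAFFIC_CSV):
    """Offline equivalent of the Log Viewer filter rule_matched = rulename.
    Returns ({src_ip: {attribute: value}}, [src_ips with no Device-ID data]):
    the first is the IP-to-device mapping the logs carry for each source that
    hit the rule; the second lists sources that hit it with no Device-ID
    attributes populated, i.e. no mapping was available for that address."""
    seen, unidentified = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"] != rule_name:
            continue
        attrs = {k[len("src_"):]: v for k, v in row.items()
                 if k.startswith("src_") and v}
        if attrs:
            seen.setdefault(row["src"], attrs)
        else:
            unidentified.append(row["src"])
    return seen, unidentified


if __name__ == "__main__":
    for ip, names in classify().items():
        print(f"{ip}: {names or 'no device object matches'}")
    found, missing = mappings_for_rule("allow-iot-hvac")
    print("allow-iot-hvac:", found, "unidentified:", missing)
```

Note that 10.1.0.12 matches nothing even though it is an HVAC device, because the iot-hvac-controllers object also pins the vendor to Acme; that is the failure mode to look for when a rule sees no traffic after the push. Running the script against a real export only needs csv_text replaced with the file contents and rule_name set to the rule you created.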
