Configure Third-Party Device-ID in Prisma Access

Use Prisma Access and the Cloud Identity Engine to configure third-party Device-ID for third-party IoT devices.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license with Cloud Identity Engine functionality enabled
If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.
You can use the Cloud Identity Engine with Prisma Access to apply device information from third-party IoT detection sources, which simplifies identifying and closing security gaps for devices in your network. After you set up Third-Party Device-ID in the Cloud Identity Engine using an API, you configure a device object and a security policy rule in Prisma Access so that Prisma Access obtains device information from the third-party IoT visibility solution through the Cloud Identity Engine and uses it for device visibility and control.
In the following figure, the Third-Party Device-ID service receives the device information from the third-party IoT solutions and transmits it as IP address-to-device mappings to the Cloud Identity Engine and the Prisma Access Security Processing Nodes (SPNs).

Configure Third-Party Device-ID in Prisma Access (Strata Cloud Manager)

Use the Cloud Identity Engine and Prisma Access to obtain device IDs from third-party IoT device vendors and enforce policy on those devices.
To configure third-party Device-ID, complete the following steps.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    This procedure includes uploading a signed certificate, which the API uses to authenticate communication with the third-party IoT vendor and to download Device-ID information from it.
  2. Activate Third-Party Device-ID in Prisma Access by going to Settings > Prisma Access Setup > Shared or Workflows > Prisma Access Setup > Prisma Access and setting Enable Device Identification to Enabled.
  3. Configure a device object and enter device attributes. Go to Manage > Configuration > NGFW and Prisma Access, set the configuration scope to Remote Networks, select Objects > Devices, and Add Devices. Be sure that you are in the Remote Networks device group.
    1. Add a device object whose attributes match the third-party devices. A device must match every attribute you specify for the object to apply to it, so specify only the attributes you need.
      The Cloud Identity Engine Mappings area displays the attributes of the third-party devices; you can use any attributes retrieved from there.
  4. Go to Manage > Configuration > NGFW and Prisma Access, set the configuration scope to Remote Networks, select Security Services > Security Policy, and Add a security policy rule, adding the device objects you created in the Devices area as the Source Device.
  5. Push Config to save your changes to the Prisma Access configuration, making sure to select Remote Networks in the push scope.
  6. Verify that Prisma Access is receiving the Device-ID mappings by going to Incidents & Alerts > Log Viewer, selecting Firewall/Traffic, and searching for traffic under the rule you created by entering the filter rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.
    The Device-ID to IP address mappings display in the logs. If sessions from an IoT device match the rule but show no device attributes, the mapping for that address is not yet available to Prisma Access; recheck that the device appears in the Cloud Identity Engine Mappings area.

Configure Third-Party Device-ID in Prisma Access (Panorama)

Use the Cloud Identity Engine and Prisma Access to obtain device IDs from third-party IoT device vendors and enforce policy on those devices.
To configure third-party Device-ID, complete the following steps.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    This procedure includes uploading a signed certificate, which the API uses to authenticate communication with the third-party IoT vendor and to download Device-ID information from it.
  2. Activate Third-Party Device-ID in Prisma Access by going to Panorama > Cloud Services > Configuration > Remote Networks > Settings, clicking the gear to edit the Settings, and selecting Enable Device Identification.
  3. Configure a device object and enter device attributes.
    1. Go to Objects > Devices and Add a device object.
      Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
    2. Enter the attributes that identify the third-party devices. A device must match every attribute you specify for the object to apply to it, so specify only the attributes you need.
      The Cloud Identity Engine Mappings area displays the attributes of the third-party devices; you can use any attributes retrieved from there.
  4. Go to Policies > Security > Pre Rules and Add a security policy rule, adding the device objects you created in the Devices area as the Source Device.
    Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
  5. Commit and push your changes, making sure that Remote Networks is selected in the Push Scope.
    1. Click Commit > Commit and Push.
    2. Edit Selections and, in the Prisma Access tab, make sure that Remote Networks is selected in the Push Scope, then click OK.
    3. Click Commit and Push.
  6. Verify that Prisma Access is receiving the Device-ID mappings by going to Monitor > Logs and searching the Traffic logs for traffic under the rule you created by entering the filter rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.
    The Device-ID to IP address mappings display in the logs. If sessions from an IoT device match the rule but show no device attributes, the mapping for that address is not yet available to Prisma Access; recheck that the device appears in the Cloud Identity Engine Mappings area.
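Step 6 of the Strata Cloud Manager procedure and step 6 of the Panorama procedure come down to the same check: every session logged under your rule should carry Device-ID attributes for its source address, and those attributes should satisfy the device object the rule uses. The following Python script is an added example, not Palo Alto Networks code, that performs that check offline over an exported traffic log. The log rows, the column names (rule_matched, src_ip, src_device_*), the rule name and the device attributes are all constructed for the example; map the columns of a real export to these names before running it against your own data.

```python
import csv
import io

# Constructed sample export in a simplified CSV layout. The column names are an
# assumption made for this example and are not the vendor's export layout.
SAMPLE_LOG = """\
receive_time,rule_matched,src_ip,dst_ip,app,src_device_category,src_device_vendor,src_device_profile,src_device_model,src_device_osfamily
2024/05/01 10:00:01,allow-iot-cameras,10.20.1.15,203.0.113.10,web-browsing,Camera,ExampleCam,IP Camera,EC-100,Linux
2024/05/01 10:00:05,allow-iot-cameras,10.20.1.16,203.0.113.10,web-browsing,Camera,ExampleCam,IP Camera,EC-100,Linux
2024/05/01 10:00:09,allow-iot-cameras,10.20.1.77,203.0.113.10,web-browsing,,,,,
2024/05/01 10:00:12,allow-corp-users,10.30.5.9,198.51.100.4,ssl,,,,,
2024/05/01 10:00:20,allow-iot-cameras,10.20.1.15,203.0.113.11,ntp,Camera,ExampleCam,IP Camera,EC-100,Linux
2024/05/01 10:00:25,allow-iot-cameras,10.20.1.90,203.0.113.10,web-browsing,Camera,OtherCam,IP Camera,OC-7,Linux
"""

# Hypothetical device object from step 3. A device matches only if every
# attribute listed here matches (AND semantics), so list only what you need.
DEVICE_OBJECT = {
    "src_device_category": "Camera",
    "src_device_vendor": "ExampleCam",
}


def parse_log(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rows_for_rule(rows, rulename):
    """Offline equivalent of the rule_matched = rulename filter in the log viewer."""
    return [r for r in rows if r["rule_matched"] == rulename]


def device_attributes(row):
    """Return the non-empty Device-ID attributes carried by one log row."""
    return {k: v for k, v in row.items() if k.startswith("src_device_") and v}


def device_matches(attrs, device_object):
    """True if the attributes satisfy every attribute of the device object."""
    return all(attrs.get(key) == value for key, value in device_object.items())


def ip_device_mappings(rows):
    """Collect the IP address-to-device mappings visible in the rows."""
    mappings = {}
    for row in rows:
        attrs = device_attributes(row)
        if attrs:
            mappings.setdefault(row["src_ip"], attrs)
    return mappings


def audit_rule(log_text, rulename, device_object):
    """Summarize the Device-ID evidence for one rule.

    unmapped:   source IPs that hit the rule with no Device-ID attributes at all
                (the mapping never reached Prisma Access, or the rule matched on
                something other than the device object).
    mismatched: source IPs whose attributes do not satisfy the device object,
                so the rule matched them for some other reason.
    """
    rows = rows_for_rule(parse_log(log_text), rulename)
    mappings = ip_device_mappings(rows)
    seen = {row["src_ip"] for row in rows}
    return {
        "sessions": len(rows),
        "mappings": mappings,
        "unmapped": sorted(seen - set(mappings)),
        "mismatched": sorted(
            ip for ip, attrs in mappings.items()
            if not device_matches(attrs, device_object)
        ),
    }


if __name__ == "__main__":
    result = audit_rule(SAMPLE_LOG, "allow-iot-cameras", DEVICE_OBJECT)
    print(f"{result['sessions']} sessions matched the rule")
    for ip, attrs in result["mappings"].items():
        print(f"  {ip} -> {attrs}")
    print("no Device-ID attributes:", result["unmapped"])
    print("attributes do not satisfy the device object:", result["mismatched"])
```

A non-empty unmapped list for a rule whose source is restricted to your device object is the signal to investigate: either the mapping for that address has not arrived from the Cloud Identity Engine, or the rule is matching on a broader source than you intended. A non-empty mismatched list means the rule was hit by devices the object should have excluded, which usually points at a device object with too few attributes or at a second, wider rule with the same name in another scope.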