IoT Security Prerequisites

• One or more firewalls running a supported PAN-OS version 10.2 or later.
  Firewalls running PAN-OS 10.2 or later support IoT Security for both device visibility and automatic policy enforcement through Device-ID.
• An IoT Security subscription license or a Device Security X subscription license with associated firewalls that you want to use with your subscription license. If your subscription contains multiple licenses for firewalls or devices, you can allocate each license to a different tenant service group (TSG) in your customer support portal (CSP). You can also assign multiple firewall or device licenses to one tenant.
  If you have an Enterprise Plus, Medical, or Industiral OT IoT Security subscription license, you must have one IoT Security license per firewall.
  If you have a Device Security X subscription license, you need one device license per device learned across all tenants.
  The license controls whether IoT Security ingests log data that a firewall forwards to Strata Logging Service to identify IoT devices and assess risk. The license also controls whether a firewall can pull IP address-to-device mappings and policy rule recommendations from IoT Security and the device dictionary from the update server for use in its security policy rules.
  (A note about IP address-to-device mappings: IoT Security uses patented multi-tier machine-learning algorithms to profile device behaviors and identify the device type, make, model, OS, and OS version. It bundles this set of attributes into a logical object, maps it to the IP address of a device, and sends it to the firewall. This object is called an IP address-to-device mapping.)
  When you buy an IoT Security subscription, you have a 90-day grace period to activate the license on a firewall. If you activate it within the first 90 days, the subscription starts on the activation date. Otherwise, it starts 90 days after the purchase date.
  A Panorama management server does not require an IoT Security license.
• When using IoT Security Subscription, which stores data in Strata Logging Service, you need one Strata Logging Service license per account. When using IoT Security, Doesn't Require Data Lake Subscription, you do not need a Strata Logging Service license. Device Security X does not require associating Strata Logging Service with the license, although you can still choose to store logs in Strata Logging Service if it is associated with your Device Security X TSGs and firewalls.
  Regardless of which subscription license you have, IoT Security uses the Strata Logging Service infrastructure to stream firewall logs from the next-generation firewalls. You only need an IoT Security subscription license with Strata Logging Service if you want to store the firewall logs in Strata Logging Service.
  Your Strata Logging Service subscription can either be new or an existing one, and the data lake can be in the Americas, European Union, or Asia-Pacific region. Regardless of the use of the data lake, firewalls stream logging data automatically and continuously to the IoT Security infrastructure where it is retained for varying periods of time based on data type. For details about data retention, see IoT/OT Security Privacy.
  For a new Strata Logging Service instance, figure out the amount of storage you'll need with the Cortex sizing calculator. When making your calculations, enter the number of firewalls with an IoT Security license and select IoT Security.
• Using Strata Logging Service requires a Premium Support license or better. This is required when using the logging service with either of the two IoT Security subscription types: IoT Security Subscription and IoT Security Subscription - Doesn't Require Data Lake. (A Premium Support license is automatically included with the purchase of a Strata Logging Service instance.)
• You must have a Threat Prevention license for IoT Security to get all the traffic and threat logs necessary to fully assess risk and detect vulnerabilities.
• The following licenses and firewall capability provide additional value to IoT Security:
  • A DNS Security license helps IoT Security detect DNS-related threats and risks.
  • A Wildfire license enhances the detection of malware and file-related vulnerabilities.
  • A URL Filtering license controls the online content devices can access and how they can interact with it.
  • Enabling SSL decryption on the firewall improves the coverage and accuracy of device identification. It also helps IoT Security with risk assessment and threat detections.
• When using IoT Security on networks with medical equipment, make sure the application content version on your firewalls is 8367-6513 or later; that is, the major version, which is identified by the first four digits, is 8367 or above (8368, 8369, 8370, and so on), starting from 8367-6513. These versions include healthcare-specific applications that allow IoT Security to discover medical equipment and provide utilization data. They also allow firewall Security policy rules to include healthcare-specific applications.
• When integrating IoT Security with Prisma Access, Prisma Access must be running the Prisma Access 2.0-Innovation release or later with an IoT Security add-on. To learn about other requirements, see IoT Security Integration with Prisma Access.
  IoT Security integration with Prisma Access is not supported with the Device Security X subscription license.
• When Panorama manages firewalls running PAN-OS 10.2, it requires the 3.1 cloud services plugin.