One or more firewalls running a supported PAN-OS version 10.2 or later, with
the OpenConfig plugin installed.
Firewalls running PAN-OS 10.2 or later support Device Security for both
device visibility and automatic policy enforcement through Device-ID.
Device Security uses the OpenConfig plugin on firewalls to aid in device
identification, except in FedRAMP and Device Security China tenants.
A Device Security subscription license or a
Device Security X subscription license with associated
firewalls that you want to use with your subscription license. If your
subscription contains multiple licenses for firewalls or devices, you can
allocate each license to a different tenant service group (TSG) in your
customer support portal (CSP). You can also assign multiple firewall or
device licenses to one tenant.
If you have an Enterprise, Medical, or OT Device Security
subscription license, you must have one Device Security license per firewall.
If you have a Device Security X subscription license, you need one device
license per device learned across all tenants.
The license controls whether Device Security ingests log data that a
firewall forwards to Strata Logging Service to identify IoT devices and
assess risk. The license also controls whether a firewall can pull
IP address-to-device mappings and policy rule recommendations from
Device Security and the device dictionary from the update server for use in
its security policy rules.
(A note about IP address-to-device mappings: Device Security uses patented
multi-tier machine-learning algorithms to profile device behaviors and identify
the device type, make, model, OS, and OS version. It bundles this set of
attributes into a logical object, maps it to the IP address of a device, and
sends it to the firewall. This object is called an
IP address-to-device mapping.)
When you buy a Device Security subscription, you have a 90-day grace period
to activate the license on a firewall. If you activate it within the first
90 days, the subscription starts on the activation date. Otherwise, it starts
90 days after the purchase date.
Device Security requires Strata Cloud Manager to access the
Device Security interface, but you don't need to manage your firewalls
with Strata Cloud Manager.
If you activated Device Security before July 2025,
Device Security will automatically create a Strata Cloud Manager instance
in your tenant service groups that include Device Security. You can access
Strata Cloud Manager from the Device Security portal by going to
.
When you activate Device Security in or after July 2025, the
Device Security activation process automatically creates a
Strata Cloud Manager Essential instance in your tenant if there isn't an
existing Strata Cloud Manager instance.
When using Device Security Subscription, which stores data in
Strata Logging Service, you need one Strata Logging Service license per
account. When using Device Security, Doesn't Require Data Lake Subscription,
you do not need a Strata Logging Service license. Device Security X does not
require associating Strata Logging Service with the license, although you can
still choose to store logs in Strata Logging Service if it is associated with
your Device Security X TSGs and firewalls.
Regardless of which subscription license you have, Device Security
uses the Strata Logging Service infrastructure to stream
firewall logs from the next-generation firewalls. You only need a
Device Security subscription license with
Strata Logging Service if you want to store the firewall logs in
Strata Logging Service.
Your Strata Logging Service subscription can either be new or an existing one,
and the data lake can be in the Americas, European Union, or Asia-Pacific
region. Regardless of the use of the data lake, firewalls stream logging data
automatically and continuously to the Device Security infrastructure where it
is retained for varying periods of time based on data type. For details about
data retention, see IoT/OT Security Privacy.
For a new Strata Logging Service instance, figure out the amount of storage
you'll need with the Cortex sizing calculator. When making your calculations,
enter the number of firewalls with a Device Security license and select
Device Security.
Using Strata Logging Service requires a Premium Support license or
better. This is required when using the logging service with either of the two
Device Security subscription types: Device Security Subscription and
Device Security Subscription - Doesn't Require Data Lake. (A Premium Support
license is automatically included with the purchase of a
Strata Logging Service instance.)
You must have a Threat Prevention license for Device Security to get all the
traffic and threat logs necessary to fully assess risk and detect
vulnerabilities.
The following licenses and firewall capability provide additional value to
Device Security:
When using Device Security on networks with medical equipment, make sure the
application content version on your firewalls is 8367-6513 or later; that is,
the major version, which is identified by the first four digits, is 8367 or
above (8368, 8369, 8370, and so on), starting from 8367-6513. These versions
include healthcare-specific applications that allow Device Security to
discover medical equipment and provide utilization data. They also allow
firewall Security policy rules to include healthcare-specific applications.
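An added example (not from the original page or from Palo Alto Networks): a check of a firewall inventory against the two version prerequisites stated on this page, PAN-OS 10.2 or later and, for networks with medical equipment, application content version 8367-6513 or later. The inventory records, hostnames and field names are constructed for illustration; versions that cannot be parsed are reported as gaps rather than passed.

```python
import re

MIN_PANOS = (10, 2)          # from the page: PAN-OS 10.2 or later
MIN_CONTENT = (8367, 6513)   # from the page: content version 8367-6513 or later

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    {"host": "fw-clinic-01", "panos": "10.2.4-h2", "content": "8367-6513"},
    {"host": "fw-clinic-02", "panos": "11.1.0",    "content": "8370-7001"},
    {"host": "fw-lab-01",    "panos": "10.1.9",    "content": "8368-6600"},
    {"host": "fw-ward-03",   "panos": "10.2.0",    "content": "8367-6400"},
    {"host": "fw-ward-04",   "panos": "10.2.1",    "content": "unknown"},
]

def parse_panos(version):
    """Return (major, minor) from a string such as '10.2.4-h2', or None."""
    m = re.match(r"(\d+)\.(\d+)\b", version.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_content(version):
    """Return (major, minor) from 'MMMM-mmmm' (first four digits = major), or None."""
    m = re.fullmatch(r"(\d{4})-(\d+)", version.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def check(fw, medical=True):
    """List the prerequisite gaps for one firewall; an empty list means it passes."""
    gaps = []
    panos = parse_panos(fw["panos"])
    if panos is None:
        gaps.append("PAN-OS version unreadable")
    elif panos < MIN_PANOS:
        gaps.append("PAN-OS below 10.2")
    if medical:
        content = parse_content(fw["content"])
        if content is None:
            gaps.append("content version unreadable")
        elif content < MIN_CONTENT:  # tuple compare: major first, then minor
            gaps.append("content version below 8367-6513")
    return gaps

def audit(inventory, medical=True):
    """Map each failing host to its list of gaps."""
    report = {fw["host"]: check(fw, medical) for fw in inventory}
    return {host: gaps for host, gaps in report.items() if gaps}

if __name__ == "__main__":
    for host, gaps in audit(INVENTORY).items():
        print(f"{host}: {'; '.join(gaps)}")
```

The content-version check applies only where medical equipment is on the network, so pass `medical=False` for other sites.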
When integrating Device Security with Prisma Access, Prisma Access must be
running the Prisma Access 2.0-Innovation release or later with a
Device Security add-on. To learn about other requirements, see
Device Security Integration with Prisma Access.
Device Security integration with Prisma Access is not supported with
the Device Security X subscription license.
When Panorama manages firewalls running PAN-OS 10.2, it requires the
3.1 cloud services plugin.