Onboard Enterprise IoT Security
Create a URL for your Enterprise IoT Security portal and activate Enterprise IoT Security subscriptions for firewalls.
Follow the onboarding workflow to create a URL for your Enterprise IoT Security portal and activate Enterprise IoT Security subscriptions for your firewalls.
It is important to keep the Enterprise IoT Security activation email you received from Palo Alto Networks. It not only contains confidential activation-related data, but if you still have unused Enterprise IoT Security licenses after completing the onboarding process, you can click the Activate button in the email again to repeat the process and activate more firewalls later.
If you activate at least one IoT Security license and then lose the email, you can still start the activation process by logging in to your Customer Support Portal account, selecting Activate Products, and then clicking Activate Now for the IoT Security license you want to use for onboarding.
(Enterprise License Agreement) When you have an Enterprise License Agreement (ELA), begin the activation process by entering the authorization code that Palo Alto Networks sends you in your Customer Support Portal account. For complete step-by-step instructions, see Activate an Add-on Enterprise License Agreement through Common Services.
When you have Enterprise IoT Security subscriptions, the onboarding process consists of the following main steps.
- Click Activate in the Enterprise IoT Security activation email from Palo Alto Networks.
- Log in to the Palo Alto Networks hub.
- Activate Enterprise IoT Security.
- Add firewalls to the tenant service group (TSG).
- (Optional) Manage identity and access to Enterprise IoT Security.
- Set up Enterprise IoT Security and firewalls to work together.
- Log in to the Enterprise IoT Security portal and generate a one-time password (OTP) and pre-shared key (PSK) to get device and logging service certificates.
  For information about the sites that next-generation firewalls contact to authenticate certificates when communicating with Enterprise IoT Security, see IoT Security Integration with Next-generation Firewalls.
- As a user with owner privileges, click the Enterprise IoT Security link on either the Tenant Management or Device Associations page and log in to the Enterprise IoT Security portal.
  To be able to generate OTPs and PSKs, your user account must have been created in the Customer Support Portal (CSP) and assigned a superuser role in the relevant tenant service group (TSG) in Identity & Access. A superuser role in the hub provides owner privileges in Enterprise IoT Security.
- Select Administration > Firewalls > OTP/PSK Generation.
- If you manage your firewalls with Panorama, choose Yes and enter its serial number. This links your Panorama management server with the applications in this TSG. You can find the Panorama serial number in your Customer Support Portal account in Assets > Devices. After you choose Yes and enter your Panorama serial number, Enterprise IoT Security displays the materials you need to get the certificate or certificates that firewalls need to secure their connections with Enterprise IoT Security and the logging service.
  To get a device certificate, follow the link to the Customer Support Portal and log in to your account. To generate an OTP or PSK to get a logging service certificate, click the Generate icon next to each field.
  If you don't use Panorama, choose No. Because an OTP for a logging service certificate applies only to Panorama, it isn't shown.
  Consider the following points when deciding which certificates you need and how to generate them:
  - Device Certificate: From PAN-OS 10.0, firewalls require a device certificate to authenticate with Enterprise IoT Security and, from PAN-OS 10.1, to also authenticate with the logging service. To generate and install a device certificate on firewalls directly and through Panorama:
  - Logging Service Certificate – One-Time Password: An OTP is necessary for Panorama to verify itself with its logging service instance and obtain logging service certificates for Panorama-managed firewalls running PAN-OS 8.1-10.0. A logging service certificate authenticates firewalls with the logging service.
  - Logging Service Certificate – Pre-Shared Key: A PSK is necessary to generate a logging service certificate on firewalls without Panorama management running PAN-OS 9.0.6-10.0.x. A logging service certificate authenticates firewalls with the logging service. To generate a logging service certificate:
- Select Assets > Device Certificates and Generate OTP.
- For the Device Type, select Generate OTP for Panorama and Generate OTP.
- Select the Panorama Device serial number.
- Generate OTP and then copy the OTP.
- Log in to the Panorama Web Interface as an admin user and select Panorama > Setup > Management > Device Certificate and Get certificate.
- Paste the OTP and then click OK.
- Regenerate the PSK if necessary and copy it.
- Log in to your PAN-OS 9.0.6-10.0.x firewall and select Device > Setup > Management.
- In the Cortex Data Lake section, click Connect next to Onboard without Panorama. This opens the Onboard without Panorama dialog box.
- Paste the PSK and Connect. The firewall first connects to the Customer Support Portal, submits the PSK, and downloads a logging service certificate. It then uses the certificate to authenticate itself and connect securely to the logging service.
- Click the Edit icon (gear) for Cortex Data Lake. Select Enable Duplicate Logging (Cloud and On-Premises) and Enable Enhanced Application Logging.
- Choose the region where the logging service will ingest logs from your firewalls. For PA-7000 and PA-5200 models, enter the number of connections for sending logs from the firewall to the logging service. The range is 1-20 and the default is 5.
- When done, click OK.
  The term "Cortex Data Lake" is a bit of a misnomer. The firewall forwards logs to the logging service, which only streams them to Enterprise IoT Security. Enterprise IoT Security doesn't use Cortex Data Lake at all, but it still requires that this setting be enabled to do logging.
- Prepare the firewall for Enterprise IoT Security.
- While logged in to your firewall, enable Device-ID in each zone where you want to use it to enforce Security policy rules. Select Network > Zones, select a zone, select Enable Device Identification, and then click OK. Repeat this for other zones and then Commit your changes.
- Ensure that logging is enabled on Security policy rules, which it is by default.
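The two firewall prerequisites above (Device-ID enabled on the relevant zones, logging left enabled on Security policy rules) are easy to miss on a firewall with many zones and rules. The following added example, which is not part of this documentation or of any Palo Alto Networks tool, audits a PAN-OS configuration XML export offline for both conditions. It assumes the export layout used here: zone entries under `vsys/entry/zone/entry` carrying an `enable-device-identification` element, and Security rules under `rulebase/security/rules/entry` carrying a `log-end` element, with session-end logging treated as the default when the element is absent. The embedded configuration is a constructed sample, not a real device export.

```python
"""Audit a PAN-OS configuration export for Enterprise IoT Security prerequisites:
Device-ID enabled on each zone, and logging enabled on Security policy rules.

Assumptions (not from the documentation page): zones are found at
.../vsys/entry/zone/entry with an <enable-device-identification> child, and
Security rules at .../rulebase/security/rules/entry with a <log-end> child.
A missing <log-end> is treated as "yes", matching the stated default.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: two zones (one without Device-ID) and two rules
# (one with session-end logging explicitly disabled).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="iot-wifi">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-device-identification>yes</enable-device-identification>
      </entry>
      <entry name="guest">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone>
    <rulebase><security><rules>
      <entry name="allow-iot-to-dns">
        <from><member>iot-wifi</member></from><to><member>trust</member></to>
        <action>allow</action><log-end>yes</log-end>
      </entry>
      <entry name="guest-web">
        <from><member>guest</member></from><to><member>untrust</member></to>
        <action>allow</action><log-end>no</log-end>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def zones_without_device_id(config_xml):
    """Return the names of zones whose Device-ID flag is absent or not 'yes'."""
    root = ET.fromstring(config_xml)
    missing = []
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        # An absent or empty element means Device-ID has never been enabled.
        flag = (zone.findtext("enable-device-identification") or "no").strip().lower()
        if flag != "yes":
            missing.append(zone.get("name"))
    return missing


def rules_without_logging(config_xml):
    """Return the names of Security rules that will not log at session end."""
    root = ET.fromstring(config_xml)
    silent = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        # Session-end logging is the default, so only an explicit "no" disables it.
        log_end = (rule.findtext("log-end") or "yes").strip().lower()
        if log_end != "yes":
            silent.append(rule.get("name"))
    return silent


def audit(config_xml):
    """Combine both checks into one report a firewall admin can act on."""
    return {
        "zones_without_device_id": zones_without_device_id(config_xml),
        "rules_without_logging": rules_without_logging(config_xml),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for check, names in report.items():
        print(f"{check}: {', '.join(names) if names else 'none'}")
```

Run it against a saved export instead of the sample by reading the file into `audit()`. A zone listed under `zones_without_device_id` will not produce the Device-ID attributes that Enterprise IoT Security relies on, and a rule listed under `rules_without_logging` will not forward the traffic logs the logging service streams to it, so both lists should be empty before you expect devices to appear in the portal.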
- Use the Enterprise IoT Security portal.
  To access the rest of the web interface, use the navigation menu on the left. For an overview of the Enterprise IoT Security portal, see the previous chapter, What Enterprise IoT Security Does.
  There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the IoT Security Cloud. On average, devices begin showing up in the Enterprise IoT Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up.
  To see the status of logs that the logging service is streaming to the Enterprise IoT Security application, click Networks > Networks and Sites > Sites and Administration > Firewalls in the Enterprise IoT Security portal.
  After Enterprise IoT Security has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), you can begin examining the types and number of devices on your network and consider how to use this information when monitoring and securing your network and the devices in it. Some common ways to use Enterprise IoT Security are described in the next chapter.