>
    Strata Copilot
    Control Allowed Traffic for Onboarding Devices
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Getting Started
    4. Firewall Deployment for Device Visibility
    5. Control Allowed Traffic for Onboarding Devices
    Download PDF
    Device Security

    Control Allowed Traffic for Onboarding Devices

    Table of Contents

    Control Allowed Traffic for Onboarding Devices

    Add one or more Device-ID policy rules to control allowed traffic for devices during the onboarding period.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    When new devices join the network, they must be allowed to function normally so that Device Security can identify them by analyzing their normal network behavior. However, firewalls are typically configured with Zero Trust security policy rules that allow only the network activities that devices need based on their function. As a result, the rules might inadvertently block traffic for a new device that, if allowed, would have allowed Device Security to determine its identity.
    To overcome this, you can configure one or more onboarding policy rules that use Device-ID to apply the rules only to devices that have been recently detected on the network but have not yet been confidently identified. For the firewall to enforce the rule, a device must be categorized as an Onboarding Device. Device Security places low-confidence devices in this category during a customizable period of time that starts when Device Security first detects them on the network. Devices continue to be categorized as “Onboarding Device” until Device Security confidently identifies them with a confidence score above 90 or until the time period ends. The policy rule does not apply to other, previously identified devices and must be configured to allow new devices enough network access for Device Security to identify them. Once Device Security identifies them, it switches them over to an appropriate category for what they are. The firewall can then apply appropriate policy rules based on their identities. If Device Security cannot confidently identify one or more devices and the time period expires, it still switches them to a category it considers appropriate, but because their confidence scores are below 90, Device Security doesn’t generate any security rule recommendations.
    1. Configure a security policy rule that allows certain types of traffic from any device whose Device-ID attribute for Category is “Onboarding Device”.
      1. Log in to the PAN-OS or Panorama web portal and configure a security policy rule that allows the basic types of traffic that devices in certain VLANs or in different IP address subnets would be expected to generate. For example, a rule for a VLAN that contains printers should allow only typical printer-specific traffic, whereas a rule for a VLAN that contains medical scanning equipment should only allow typical types of traffic for scanners.
      2. Add a Device-ID component to the rule and specify Onboarding Device as the category that a device must match for the firewall to apply the rule. (In short, Add a security policy rule on PoliciesSecurity. Select the Source tab, click Add in the Source Device section, and then click Device. In the Device Object dialog that appears, choose Onboarding Device in the Category list.)
      3. Create additional security policy rules that specify Onboarding Device as the category in the Device-ID section of the rule configuration.
    2. Enable the new device onboarding feature based on Device-ID in Device Security.
      1. Log in to the Device Security portal as a user with owner privileges.
      2. Strata Cloud Manager Select PoliciesDevice-ID Policy Configuration and toggle on Control newly onboarded low-confidence devices through firewall policy rules.
        Legacy IoT Security portal Select Policy SetsSettings and toggle on Control newly onboarded low-confidence devices through firewall policy rules.
      3. Optionally change the period of time during which Device Security categorizes a device as an Onboarding Device if it has an identity confidence score below 90. The default onboarding period is 7 days. There are no maximum and minimum limits. You can also switch from a limited period of time to an unlimited length of time.
        After you enable this feature and set a length of time for the onboarding period, Device Security displays a daily system alert if there are any devices for which the onboarding period will soon be expiring. The alert appears a few days before the expiration and includes a link to the AssetsDevices page with a filter applied to show just these devices.
      4. To see which devices are in the Onboarding Device category, select AssetsDevices and, if necessary, show the Onboarding Device column in the Devices table.
        If necessary, also show the First Seen column and then sort by this to organize the display of devices based on the order in which Device Security first discovered them on the network.

    © 2026 Palo Alto Networks, Inc. All rights reserved.