Device Security Integration with Next-generation Firewalls
Device Security integrates with the Strata™ Logging Service and next-generation firewalls using
Device-ID.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of the following subscriptions: |
The Device Security solution involves the integration of three key architectural
components to process network data:
- Palo Alto Networks Next-Generation Firewalls collect device data and send it to Strata Logging Service.
- Strata Logging Service uses a cloud-based log forwarding process to direct the logs from firewalls to destinations like Device Security and Strata Logging Service. Depending on the type of Device Security subscription you have, Strata Logging Service either streams metadata to your Device Security account and Strata Logging Service instance or just to your Device Security account.
- Device Security is an app that runs on a cloud-based platform, such as Strata Cloud Manager. Device Security uses machine learning, artificial intelligence, and threat intelligence to discover, classify, and secure the IoT devices on the network. The app ingests firewall logs with network traffic data and provides Security policy recommendations and IP address-to-device mappings to the firewall for use in Security policy rules. Administrators access the dynamically enriched IoT device inventory, detected device vulnerabilities, security alerts, and recommended policy rule sets through the IoT security portal.
The Device Security app integrates with next-generation firewalls through
Device-ID, which is a construct that uses device identity as a means to
apply policy rules. The integration uses three mechanisms.
- Device dictionary – This is an XML file that Device Security generates and makes available for Panorama and firewalls to import. The dictionary file provides the Panorama and firewall administrator with a list of device attributes for selection when importing recommended Security policy rules from Device Security and when creating rules themselves. These attributes are profile, category, vendor, model, OS family, and OS version and are for both IoT and traditional IT devices. Although it isn't possible to download a device dictionary file, you can see the release notes summarizing the new content added to a file that your firewall has imported. To do this, log in to the PAN-OS web portal, select Device > Dynamic Updates, and then click Release Notes for the device dictionary file you want to learn about.
- Policy rule recommendations – After a Device Security administrator creates a set of Security policy rules based on traffic from IoT devices in the same device profile, a firewall administrator can import them as recommendations for use in the firewall's policy rule set.
- IP address-to-device mappings – These mappings tell firewalls what attributes a device with a particular IP address has. When traffic to or from that IP address reaches a firewall, it checks if one of its attributes matches a policy rule and, if so, the firewall applies the policy rule. Device Security sends IP address-to-device mappings to firewalls for both IoT and IT devices if the confidence score for device identities is high (90-100%) and they’ve sent or received traffic within the past hour.
The goal of Device-ID is to use the intelligence of
Device Security to enforce firewall policy rules on IoT devices.
Device-ID
Device-ID is a way to
enforce policy rules based on device attributes. Device Security provides
the firewall with a device dictionary file containing a list of
device attributes such as profiles, categories, vendors, and models.
For various attributes in the dictionary file, it lists a set of
entries. For example, three entries for the profile attribute might
be Advidia Camera, BK Medical UltraSound Machine, and Carefusion
Infusion Pump Base Station.
Device-ID isn’t supported on multi-vsys firewalls.
When configuring a Security policy
rule, firewall administrators have the option to select device attributes
from the device dictionary. If they select profile,
they can choose one of the profile entries: Polycom IP
Phone, for example. The policy rule then applies to
all devices that match this profile. But how does the firewall know
what the profile is for a device? It knows this from the IP address-to-device
mappings that Device Security also gives the firewall. These mappings
identify attributes for each device. When traffic from an IP address
that's mapped to a device attribute specified in the policy rule
reaches the firewall, the policy rule lookup will find a match with
this rule and apply whatever action it enforces.

A firewall downloads
a device dictionary file from the update server. The dictionary
file populates entries in all the Device-ID attribute lists for
profile, category, vendor, and other attributes. These attribute entries are
then available for use as policy rule configuration elements. The
firewall administrator next configures a firewall policy rule using
the profile attribute “Polycom IP Phone”. After a Polycom Trio 8800 device
joins the network and Device Security identifies it, Device Security provides
the firewall with an IP address-to-device mapping for it. The two
key elements in the mapping for this example are its device profile
(Polycom IP Phone) and its IP address (10.1.2.3).
When traffic from the Polycom Trio 8800 device
at 10.1.2.3 reaches the firewall, it does a Device-ID policy rule
lookup, finds that the profile for the device at this IP address
matches one specified in a policy rule, and then applies the rule.
If a firewall becomes disconnected from Device Security, the firewall
retains its IP address-to-device mappings and continues enforcing
Device-ID policy rules with them until the connection is re-established.
Every next-generation firewall model has the same maximum of 1,000 unique
Device-ID objects.
The maximum of 1,000 Device-ID objects isn’t the same
as that for IP address-to-device mappings. The maximum
number of IP address-to-device mappings varies based on firewall
model and is the same as the User-ID maximums listed in the + Show
More sections for each firewall model on the Product Selection page.
More information about the Device-ID feature is in
the PAN-OS Administrator’s Guide.
Device Dictionary
The device dictionary is an XML file for firewalls to use in Security
policy rules. It contains entries for the following device attributes: profile,
category, vendor, model, OS family, and OS version. These entries
come from devices across all Device Security tenants and are
refreshed regularly and posted as a new file on the update
server. If there are any changes to a dictionary entry, a revised
file will be posted on the update server so that Panorama and firewalls
will automatically download and install it the next time they check
the update server, which they do automatically every two hours.
IP Address-to-device Mappings
After Device Security identifies
a device, it bundles the following set of identifying characteristics
about it:
- IP address
- MAC address
- Hostname
- Device type
- Device category
- Device profile
- Vendor
- Model
- OS family
- OS version
- Risk score
- Risk level
Firewalls poll Device Security for these IP address-to-device mappings for use in policy rule
enforcement. A firewall polls for new or modified mappings every second, and Device Security returns mappings that it has identified with high confidence (a
confidence score of 90-100%) for devices that were active within the last hour. For
each IP address-to-device mapping that a firewall receives, the firewall generates
an entry in its host information profile (HIP) Match log.
If Device Security discovers duplicate IP address-to-device mappings—that is, two IP
addresses mapped to the same device MAC address—it resolves the duplication in favor of the mapping
with the latest network activity.
There is no time limit for how long a firewall retains IP address-to-device mappings.
It only begins deleting them when its cache fills up, starting with
the oldest first.
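The Device-ID flow described in this section and the one before it, as an added Python simulation (not code from the page or from PAN-OS): only high-confidence, recently active mappings are accepted, two IP addresses sharing one MAC address resolve to the most recently active one, the firewall cache evicts the oldest entries only when full, and a rule matches on a device attribute. The mapping field names, rule format and sample devices are constructed assumptions.

```python
from collections import OrderedDict, namedtuple
from datetime import datetime, timedelta, timezone

MIN_CONFIDENCE = 90                   # mappings are sent only at 90-100% confidence
ACTIVITY_WINDOW = timedelta(hours=1)  # and only for devices active within the last hour
# Field names are an assumption: the page lists the mapping attributes, not a wire format.
Mapping = namedtuple("Mapping", "ip mac profile category confidence last_seen")
def eligible(m, now):
    """Device Security sends a mapping only if confidence is high and the device was recently active."""
    return m.confidence >= MIN_CONFIDENCE and now - m.last_seen <= ACTIVITY_WINDOW

def resolve_duplicates(mappings):
    """Two IP addresses mapped to one MAC address: keep the one with the latest network activity."""
    latest = {}
    for m in mappings:
        if m.mac not in latest or m.last_seen > latest[m.mac].last_seen:
            latest[m.mac] = m
    return list(latest.values())

class FirewallCache:
    """Firewall side: mappings never age out; the oldest are evicted only once the cache is full."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, OrderedDict()
    def learn(self, m):
        self.entries.pop(m.ip, None)          # a refreshed mapping becomes the newest entry
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict the oldest learned mapping first
        self.entries[m.ip] = m
    def lookup(self, rules, src_ip):
        """Device-ID rule lookup: the first rule whose attribute value matches the mapped device wins."""
        dev = self.entries.get(src_ip)
        for r in rules:
            if dev is not None and getattr(dev, r["attribute"]) == r["value"]:
                return r["name"], r["action"]
        return None                           # unmapped IP or no attribute match: no Device-ID rule applies

def demo(now=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    feed = [  # constructed sample mappings, as Device Security might report them
        Mapping("10.1.2.3", "aa:bb:cc:00:00:01", "Polycom IP Phone", "IP Phone", 97, now - timedelta(minutes=5)),
        Mapping("10.1.2.9", "aa:bb:cc:00:00:01", "Polycom IP Phone", "IP Phone", 97, now - timedelta(minutes=50)),
        Mapping("10.1.5.7", "aa:bb:cc:00:00:02", "Advidia Camera", "IP Camera", 75, now - timedelta(minutes=1)),
        Mapping("10.1.5.8", "aa:bb:cc:00:00:03", "Advidia Camera", "IP Camera", 95, now - timedelta(hours=3)),
        Mapping("10.1.5.9", "aa:bb:cc:00:00:04", "Advidia Camera", "IP Camera", 92, now - timedelta(minutes=10)),
    ]
    cache = FirewallCache(capacity=1000)      # illustrative size; the real maximum varies by firewall model
    for m in resolve_duplicates(m for m in feed if eligible(m, now)):
        cache.learn(m)
    rules = [{"name": "allow-ip-phones", "attribute": "profile", "value": "Polycom IP Phone", "action": "allow"},
             {"name": "deny-cameras", "attribute": "category", "value": "IP Camera", "action": "deny"}]
    return cache, rules
```

Of the five sample mappings only two reach the firewall: the low-confidence camera and the camera idle for three hours are never sent, and the older of the two IP addresses sharing a MAC address is dropped.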
Policy Rule Recommendations
You can generate Security policy rule recommendations based on the normal,
acceptable network behaviors of the IoT devices in the same device
profile and manually import them into firewalls for enforcement.
PAN-OS supports the importing of policy
rule recommendations.
For Panorama-managed firewalls
that have a Device Security subscription requiring Strata Logging Service,
Panorama can only import policy rule recommendations if it was
used to onboard its managed firewalls to Strata Logging Service.
Firewall and Panorama Communications Related to Device Security
Device Security communications
from firewalls without Panorama management:
- Firewalls download device dictionary files from the update server at updates.paloaltonetworks.com on TCP port 443.
- Firewalls forward logs to Strata Logging Service on TCP ports 443 (for Enhanced Application logs) and 3978 (for all other firewall logs). For details about the ports and FQDNs required for next-generation firewalls to communicate with Strata Logging Service, see the Strata Logging Service Getting Started.
- Firewalls retrieve IP address-to-device mappings and policy rule recommendations from Device Security on TCP port 443. Depending on their region, they use one of the following edge services URLs:
- United States: iot.services-edge.paloaltonetworks.com
- Canada: ca.iot.services-edge.paloaltonetworks.com
- EU: eu.iot.services-edge.paloaltonetworks.com
- Switzerland: ch.iot.services-edge.paloaltonetworks.com
- United Kingdom: uk.iot.services-edge.paloaltonetworks.com
- APAC: apac.iot.services-edge.paloaltonetworks.com
- Japan: jp.iot.services-edge.paloaltonetworks.com
- Australia: au.iot.services-edge.paloaltonetworks.com
The following table summarizes the relationship of different data lake regions and ingestion regions with Device Security application regions:

| Region | Data Lake Region/Ingestion Region | Device Security Application Region |
|---|---|---|
| Americas | Canada | Canada, United States* |
| Americas | United States | United States |
| Americas | FedRAMP | FedRAMP |
| European Union | France | Germany |
| European Union | Germany | Germany |
| European Union | Italy | Germany |
| European Union | Netherlands | Germany |
| European Union | Poland | Germany |
| European Union | Spain | Germany |
| European Union | Switzerland | Switzerland, Germany* |
| European Union | United Kingdom | United Kingdom, Germany* |
| Asia-Pacific | Australia | Australia, Singapore* |
| Asia-Pacific | India | Singapore |
| Asia-Pacific | Indonesia | Singapore |
| Asia-Pacific | Japan | Japan |
| Asia-Pacific | Singapore | Singapore |

*Switzerland and the United Kingdom were added as Device Security application regions on July 7, 2023. When onboarding Device Security after this date to existing firewall deployments established before it, the firewalls continue to use Germany as the Device Security application region. When onboarding Device Security to new deployments in Switzerland or the United Kingdom established after July 7, 2023, the firewalls will use the local Device Security application region for each country. A similar situation exists in Canada, which continues to use United States – Americas as the Device Security application region for deployments existing before January 25, 2023, and Canada for new deployments after this date. Likewise, deployments existing before October 25, 2023, in Australia still use the Device Security application in Singapore while new deployments after this date use Australia.
- During the certificate exchange between a firewall and the edge server in front of the Device Security cloud, they verify each other’s certificates. The firewall validates the certificate it receives by checking these sites:
- *.o.lencr.org
- x1.c.lencr.org
Communications to these sites occur over HTTP on TCP port 80.
Device Security communications from Panorama:
- A Panorama management server imports policy rule recommendations from Device Security through the same URLs listed above that firewalls use. When validating the certificate the edge server presents, Panorama checks the same sites listed above that firewalls check. Firewalls under Panorama management still contact Device Security through regional edge services URLs for IP address-to-device mappings, they still download device dictionaries from the update server, and they still forward logs to Strata Logging Service.
- A Panorama management server sends queries for logs to Strata Logging Service on TCP port 444.