Deploy your firewall so it can log network traffic data for DHCP flows and forward the logs to Cortex Data Lake.

The Palo Alto Networks IoT Security app uses machine learning to classify IoT devices based on the network traffic that those devices send or receive. To accomplish this, it relies on Enhanced Application Logs (EALs) generated by the Palo Alto Networks next-generation firewall.

DHCP traffic is of particular importance to the IoT Security solution. DHCP provides a way to create the IP address-to-device mapping (that is, the IP address-to-MAC address mapping) that classification requires. However, a firewall typically generates an EAL entry only when it receives a unicast DHCP message; for example, when there is centralized IP address management (IPAM) and either the firewall or another local device acts as a DHCP relay agent. Below is an example architecture that illustrates a common case in which the firewall generates EALs for unicast DHCP traffic.

The firewall also generates an EAL entry for broadcast DHCP traffic when the packet is seen on a virtual wire (vWire) interface with multicast firewalling enabled, as shown below.
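The following Python is an added illustration of the two cases above (it is not Palo Alto Networks code): it builds constructed DHCP packets, shows which of them a firewall sees as unicast versus broadcast, and extracts the IP-to-MAC mapping that a server's DHCPACK carries. The addresses, MAC, and helper names (`build_dhcp`, `parse_dhcp`, `eal_expected`, `ip_mac_mapping`) are assumptions for the example.

```python
import struct
from ipaddress import IPv4Address

COOKIE = b"\x63\x82\x53\x63"  # BOOTP magic cookie that precedes DHCP options

def build_dhcp(op, msg_type, src_ip, dst_ip, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Build a minimal IPv4/UDP/BOOTP packet (no link layer). A relay agent
    forwards client messages as unicast with giaddr set to its own address."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # op htype hlen hops xid secs flags
    bootp += bytes(4) + IPv4Address(yiaddr).packed + bytes(4) + IPv4Address(giaddr).packed
    bootp += chaddr + bytes(192) + COOKIE + bytes([53, 1, msg_type, 255])
    sport, dport = (68, 67) if op == 1 else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + udp

def parse_dhcp(pkt):
    """Extract the fields that decide EAL generation and device mapping."""
    ihl = (pkt[0] & 0x0F) * 4
    dst_ip = str(IPv4Address(pkt[16:20]))
    bootp = pkt[ihl + 8:]                                   # skip IP and UDP headers
    hlen = bootp[2]
    mac = ":".join(f"{b:02x}" for b in bootp[28:28 + hlen])
    opts, i, msg_type = bootp[240:], 0, None
    while i < len(opts) and opts[i] != 255:                 # walk TLV options until END
        if opts[i] == 0:                                    # PAD has no length byte
            i += 1
            continue
        if opts[i] == 53:                                   # DHCP Message Type
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"broadcast": dst_ip == "255.255.255.255", "msg_type": msg_type,
            "yiaddr": str(IPv4Address(bootp[16:20])),
            "giaddr": str(IPv4Address(bootp[24:28])), "mac": mac}

def eal_expected(fields, vwire_multicast=False):
    """Unicast DHCP yields an EAL; broadcast only on a vWire with multicast firewalling."""
    return (not fields["broadcast"]) or vwire_multicast

def ip_mac_mapping(fields):
    """The IP-to-MAC mapping IoT Security needs, known once the server ACKs a lease."""
    return (fields["yiaddr"], fields["mac"]) if fields["msg_type"] == 5 else None

# Constructed samples (hypothetical addresses): a client's broadcast Discover, the same
# Discover forwarded by a relay as unicast, and the server's unicast ACK back to the relay.
MAC = "00:11:22:33:44:55"
DIRECT_DISCOVER = build_dhcp(1, 1, "0.0.0.0", "255.255.255.255", MAC)
RELAYED_DISCOVER = build_dhcp(1, 1, "10.1.0.1", "10.9.9.9", MAC, giaddr="10.1.0.1")
RELAYED_ACK = build_dhcp(2, 5, "10.9.9.9", "10.1.0.1", MAC, yiaddr="10.1.0.50", giaddr="10.1.0.1")
```

Only the relayed (unicast) messages produce an EAL on a normal Layer 3 interface; the client's broadcast Discover does so only when `vwire_multicast` is true, matching the vWire case above.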