Deploy your firewall so it can log network traffic data for DHCP flows and forward the logs to Cortex Data Lake.
The Palo Alto Networks IoT Security app
uses machine learning to classify IoT devices based on the network
traffic for which these devices are either a source or destination. To
accomplish this, it relies on Enhanced Application logs (EALs) generated
by the Palo Alto Networks next-generation firewall.
DHCP traffic is of particular importance to the IoT security
solution. DHCP provides a way to create an IP address-to-device
mapping (that is, an IP address-to-MAC address mapping) that is
required for classification to take place. However, a firewall typically
only generates an EAL entry when it receives a unicast DHCP message;
for example, when there is centralized Internet Protocol address
management (IPAM) and either the firewall or another local device
acts as a DHCP relay agent. Below is an example architecture that
illustrates a common case where the firewall generates EALs for
unicast DHCP traffic.
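The following is an added illustration, not Palo Alto Networks code or part of this documentation, of how the IP address-to-MAC address mapping described above is derived from DHCP. It parses the BOOTP fixed header and the option-53 message type of a DHCP payload, reports whether a relay agent forwarded the message (a non-zero giaddr, the relay case named above), and builds the lease table from DHCPACK messages only. The payloads, addresses, MACs and transaction id are all constructed for the demo.

```python
"""Derive the IP-to-MAC mapping that IoT classification needs from DHCP.

Added example for illustration; it is not Palo Alto Networks code. The
DHCP payloads are constructed in build_sample_ack() and every address,
MAC and transaction id in them is made up.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 options cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}


@dataclass
class DhcpLease:
    message_type: str
    client_mac: str
    assigned_ip: str    # yiaddr
    relay_ip: str       # giaddr; 0.0.0.0 unless a relay agent forwarded the message


def parse_dhcp(payload: bytes) -> DhcpLease:
    """Parse the BOOTP fixed header and the option-53 message type."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                       # op, htype, hlen, hops occupy bytes 0-3
    if not 0 < hlen <= 16:
        raise ValueError("invalid hardware address length")
    yiaddr = IPv4Address(payload[16:20])
    giaddr = IPv4Address(payload[24:28])
    chaddr = payload[28:28 + hlen]
    # Options are TLV (code, length, value); 0 is pad, 255 ends the list.
    msg_type = None
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return DhcpLease(
        message_type=MSG_TYPES.get(msg_type, "UNKNOWN"),
        client_mac=":".join(f"{b:02x}" for b in chaddr),
        assigned_ip=str(yiaddr),
        relay_ip=str(giaddr),
    )


def is_relayed(lease: DhcpLease) -> bool:
    """A non-zero giaddr means a relay agent forwarded the message to the
    server as unicast, the case in which the text says the firewall
    normally produces an EAL entry."""
    return lease.relay_ip != "0.0.0.0"


def lease_table(payloads) -> dict:
    """Map assigned IP -> client MAC using DHCPACK messages only; OFFER and
    REQUEST do not confirm that the client holds the address."""
    table = {}
    for payload in payloads:
        lease = parse_dhcp(payload)
        if lease.message_type == "ACK":
            table[lease.assigned_ip] = lease.client_mac
    return table


def build_sample_ack(client_mac: bytes, assigned_ip: str, relay_ip: str,
                     msg_type: int = 5) -> bytes:
    """Construct a server reply (BOOTREPLY) for the demo; all values are made up."""
    hops = 1 if relay_ip != "0.0.0.0" else 0
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, hops,                      # op, htype (Ethernet), hlen, hops
        0x3903F326, 0, 0,                   # xid, secs, flags
        IPv4Address("0.0.0.0").packed,      # ciaddr
        IPv4Address(assigned_ip).packed,    # yiaddr
        IPv4Address("10.20.30.1").packed,   # siaddr (constructed server address)
        IPv4Address(relay_ip).packed,       # giaddr
    )
    chaddr = client_mac.ljust(16, b"\x00")
    sname_file = b"\x00" * (64 + 128)
    options = (bytes([53, 1, msg_type])
               + bytes([51, 4]) + struct.pack("!I", 86400)   # lease time
               + bytes([255]))
    return fixed + chaddr + sname_file + DHCP_MAGIC + options


if __name__ == "__main__":
    ack = build_sample_ack(bytes.fromhex("001122334455"), "10.20.30.40", "10.20.30.1")
    offer = build_sample_ack(bytes.fromhex("66778899aabb"), "10.20.30.41", "0.0.0.0", 2)
    print(parse_dhcp(ack), "relayed:", is_relayed(parse_dhcp(ack)))
    print(lease_table([ack, offer]))   # only the ACK contributes a mapping
```

Only the DHCPACK confirms an assignment, so the table is built from ACKs alone; a device that only ever appears in broadcast DISCOVER and OFFER traffic that the firewall does not log leaves no mapping, which is why the logging path for DHCP matters for classification.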
The firewall generates an EAL entry for broadcast DHCP traffic
when the packet is seen on a virtual wire (vWire) interface with
multicast firewalling enabled, as shown below.