IoT Security Integration with Prisma Access
Use IoT Security with Prisma Access to gain visibility into and protection of IoT devices in your remote networks. Prisma Access uses a cloud-based infrastructure that lets you avoid the challenges of sizing firewalls and allocating computing resources while securing remote networks and mobile users. To identify IT and IoT devices at your remote sites, detect IoT device vulnerabilities, and discover threats posed to these devices and the network, Prisma Access can integrate with IoT Security through a purchased add-on. In addition, IoT Security provides Prisma Access with policy rule recommendations through Panorama to permit only acceptable network behavior and block anomalous behavior from your IoT devices.

For IoT Security to identify IT and IoT devices, analyze risk levels, and detect security alerts on IoT devices, it must be able to access network traffic metadata. The more data it has to work with, the more accurate and faster it can be. Therefore, it's critical to do two things to collect as much traffic metadata as possible. First, design your network strategically so that Prisma Access sees all traffic from your remote sites, including DHCP traffic. Then apply policy rules to as much traffic as you can and enable logging and log forwarding on these rules to send traffic metadata to Strata Logging Service.

DHCP traffic is particularly important to IoT Security. It provides IoT Security with useful data, including a mapping of the IP address to the MAC address of each DHCP client, which is a critical element of the IP address-to-device mappings used for device identification. To obtain this data, ensure that a DHCP server is in your data center or in a similar centralized site and that a DHCP relay agent is on the customer premises equipment (CPE) where the remote network connection terminates at each site. Each relay agent forwards the DHCP messages it receives from DHCP clients through Prisma Access to the IP address of the DHCP server. On the policy rule allowing DHCP traffic from the remote sites to the DHCP server, be sure logging and log forwarding are enabled so that Prisma Access sends DHCP traffic logs to Strata Logging Service. In fact, if you have not already done so, enable logging and log forwarding on all policy rules. With log forwarding enabled, Prisma Access sends its logs through Strata Logging Service, which then streams metadata to IoT Security for analysis.

Prisma Access cannot forward logs to IoT Security for Layer 2 traffic, or for Layer 3 traffic where both the source and destination are in the same site, because such traffic never reaches it. Without ARP and DHCP traffic metadata in particular, identifying devices might take IoT Security longer and its confidence might be lower than it otherwise would be. To counter this, consider deploying SD-WAN ION devices at remote sites, where they can log these types of traffic and forward their logs to Strata Logging Service for IoT Security to access. By integrating IoT Security with both Prisma Access and SD-WAN, IoT Security can gain visibility into traffic that flows between sites and the Internet as well as traffic that stays within a site.

After IoT Security has sufficient information to identify devices from their network behavior, it provides Prisma Access with IP address-to-device mappings and Panorama with policy recommendations that the Panorama administrator can import and then push to Prisma Access to enforce policy on IoT device traffic. In addition, Prisma Access downloads device dictionary files from the update server. The device dictionary lists various device attributes with which the Panorama administrator can construct Security policy rules. The combination of IP address-to-device mappings, policy recommendations, and device dictionary files comprises the elements of the Device-ID feature introduced in PAN-OS 10.0.

Required Panorama Configuration
Check that you have enabled Enhanced Application Logs on your log forwarding profiles.
- Log in to Panorama and select Objects > Log Forwarding under the Remote_Network_Device_Group device group or a parent device group.
- Open your log forwarding profiles and make sure that Enable enhanced application logging to Strata Logging Service is selected.
Requirements for using IoT Security with Prisma Access

To use the IoT Security add-on with Prisma Access, check that your deployment meets the following requirements:
- Prisma Access is running the Prisma Access 2.0-Innovation release or later.
- You have purchased and activated licenses for Strata Logging Service and the IoT Security add-on for Prisma Access. If you are a new Panorama-managed Prisma Access customer as of August 2022, activate new . If you are an existing Panorama-managed Prisma Access customer from before August 2022, your Prisma Access tenant will be transitioned from the hub to the Prisma SASE platform. After the transition, you will no longer see a Prisma Access app title on the hub. However, there will be a button on the hub to navigate to sase.paloaltonetworks.com where you can activate new . Until then, continue to manage your deployment as you've been doing.
- The deployment of Prisma Access in a particular region requires that the Strata Logging Service instance and the IoT Security application it works with also be in a particular location. The following table shows the relationship of Prisma Access deployments in different regions to the locations of Strata Logging Service and IoT Security.

  Prisma Access     | Strata Logging Service | IoT Security
  ------------------|------------------------|---------------
  Americas          |                        |
  Canada            | Canada                 | Canada
  United States     | United States          | United States
  European Union    |                        |
  France            | France                 | Germany
  Germany           | Germany                | Germany
  Italy             | Italy                  | Germany
  Poland            | Poland                 | Germany
  Spain             | Spain                  | Germany
  Netherlands       | Netherlands            | Germany
  Switzerland       | Switzerland            | Switzerland
  United Kingdom    | United Kingdom         | United Kingdom
  Asia-Pacific      |                        |
  Australia         | Australia              | Australia
  China             | China                  | Singapore
  India             | India                  | Singapore
  Indonesia         | Indonesia              | Singapore
  Japan             | Japan                  | Japan
  Singapore         | Singapore              | Singapore
- You're using Panorama 10.0 or later to manage Prisma Access. With a mixed deployment of Prisma Access and on-premises next-generation firewalls, you must use the same Panorama management system to manage them and the same IoT Security tenant for both.
- DHCP is being served from a data center or from some other central site.
- The Prisma Access infrastructure provides routing from remote sites to data center resources, which include the DHCP server.
- A DHCP relay agent on the VPN terminator at all remote sites points to the IP address of the DHCP server in the data center.
- Security policy rules in Prisma Access control traffic to the Internet, the data center, and other remote sites. Logging is enabled on these policies, and Prisma Access forwards logging data to Strata Logging Service, which streams it to IoT Security. IoT Security uses Enhanced Application Logs (EALs), traffic logs (which include DHCP traffic), threat logs, and WildFire logs. Make sure that your policy rules have logging enabled and are forwarding EALs and traffic logs to Strata Logging Service. Although the last two log types are not required for IoT Security to function, we recommend getting licenses for Threat Prevention and WildFire and forwarding their logs as well, because they help improve risk assessment and malware detection.
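The two settings this page asks you to verify in Panorama (enhanced application logging on every log forwarding profile, and logging plus a forwarding profile on every Security rule in the remote-network device group) can be audited from a configuration export. The following is an added example, not Palo Alto Networks code; the XML layout and element names are a constructed approximation of the PAN-OS Panorama schema, so confirm them against your own exported configuration before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama device-group export (schema approximated).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="Remote_Network_Device_Group">
  <log-settings><profiles>
    <entry name="LFP-SLS"><enhanced-application-logging>yes</enhanced-application-logging></entry>
    <entry name="LFP-Legacy"><enhanced-application-logging>no</enhanced-application-logging></entry>
    <entry name="LFP-Unset"/>
  </profiles></log-settings>
  <pre-rulebase><security><rules>
    <entry name="allow-dhcp-to-dc"><log-end>yes</log-end><log-setting>LFP-SLS</log-setting></entry>
    <entry name="allow-internet"><log-end>yes</log-end><log-setting>LFP-Legacy</log-setting></entry>
    <entry name="allow-intersite"><log-end>no</log-end></entry>
    <entry name="allow-orphan"><log-end>yes</log-end><log-setting>LFP-Gone</log-setting></entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""


def audit_device_group(config_xml: str, device_group: str) -> list[str]:
    """Return one finding per profile or rule that would stop EALs or traffic
    logs for that rule from reaching Strata Logging Service (and IoT Security)."""
    root = ET.fromstring(config_xml)
    dg = root.find(f"./devices/entry/device-group/entry[@name='{device_group}']")
    if dg is None:
        return [f"device group {device_group!r} not found"]
    findings, all_profiles, eal_profiles = [], set(), set()
    # Every log forwarding profile must have enhanced application logging on.
    for prof in dg.findall("./log-settings/profiles/entry"):
        name = prof.get("name")
        all_profiles.add(name)
        if prof.findtext("enhanced-application-logging") == "yes":
            eal_profiles.add(name)
        else:
            findings.append(f"profile {name}: enhanced application logging is not enabled")
    # Every Security rule must log at session end and reference an EAL-capable profile.
    for rule in dg.findall("./pre-rulebase/security/rules/entry"):
        name = rule.get("name")
        if rule.findtext("log-end") != "yes":
            findings.append(f"rule {name}: logging at session end is disabled")
        profile = rule.findtext("log-setting")
        if profile is None:
            findings.append(f"rule {name}: no log forwarding profile attached")
        elif profile not in all_profiles:
            findings.append(f"rule {name}: references unknown profile {profile}")
        elif profile not in eal_profiles:
            findings.append(f"rule {name}: profile {profile} does not forward EALs")
    return findings


if __name__ == "__main__":
    for finding in audit_device_group(SAMPLE_CONFIG, "Remote_Network_Device_Group"):
        print(finding)
```

Run the script against the output of a Panorama configuration export; an empty result means every profile and pre-rule in the device group meets the two requirements above.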
Once these requirements are met, use IoT Security to monitor traffic metadata, identify IoT devices, detect vulnerabilities, discover threats, and prepare policy rule recommendations. Import policy rule recommendations from IoT Security into Panorama, or configure Device-ID policy rules directly in Panorama, and then push them to Prisma Access for policy enforcement on IoT device traffic.