IoT Security Prerequisites
These are the prerequisites for deploying IoT Security. Ensure that your environment meets all prerequisites for deploying IoT Security with Palo Alto Networks next-generation firewalls:

- One or more firewalls running PAN-OS 8.1 to PAN-OS 9.0.2 with Panorama management, or PAN-OS 9.0.3 or later with or without Panorama management. Firewalls running PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1 support IoT Security for device visibility and manual policy enforcement. Firewalls running PAN-OS 10.0 or later support IoT Security for both device visibility and automatic policy enforcement through Device-ID.
- One IoT Security license per firewall. The license controls whether IoT Security ingests log data that a firewall forwards to the Palo Alto Networks cloud-based logging service to identify IoT devices and assess risk. The license also controls whether a firewall can pull IP address-to-device mappings and policy rule recommendations from IoT Security and the device dictionary from the update server for use in its security policy rules.

  (A note about IP address-to-device mappings: IoT Security uses patented multi-tier machine-learning algorithms to profile device behaviors and identify the device type, make, model, OS, and OS version. It bundles this set of attributes into a logical object, maps it to the IP address of a device, and sends it to the firewall. This object is called an IP address-to-device mapping.)

  When you buy an IoT Security subscription, you have a 90-day grace period to activate the license on a firewall. If you activate it within the first 90 days, the subscription starts on the activation date. Otherwise, it starts 90 days after the purchase date. A Panorama management server does not require an IoT Security license.
- When using IoT Security Subscription, which stores data in Cortex Data Lake, you need one Cortex Data Lake license per account. (When using IoT Security, Doesn't Require Data Lake Subscription, you do not need a Cortex Data Lake license.) Your Cortex Data Lake subscription can either be new or an existing one, and the data lake can be in the Americas, European Union, or Asia-Pacific region. Regardless of the use of the data lake, firewalls stream logging data automatically and continuously to the IoT Security infrastructure, where it is retained for varying periods of time based on data type. For details about data retention, see IoT/OT Security Privacy.

  For a new Cortex Data Lake instance, figure out the amount of storage you'll need with the Cortex sizing calculator. When making your calculations, enter the number of firewalls with an IoT Security license and select IoT Security.
- Using the logging service requires a Premium Support license or better. This is required when using the logging service with either of the two IoT Security subscription types: IoT Security Subscription and IoT Security Subscription - Doesn't Require Data Lake. (A Premium Support license is automatically included with the purchase of a Cortex Data Lake instance.)
- A Threat Prevention license is required for IoT Security to get all the traffic and threat logs necessary to fully assess risk and detect vulnerabilities.
- The following licenses and firewall capability provide additional value to IoT Security:
  - A DNS Security license helps IoT Security detect DNS-related threats and risks.
  - A WildFire license enhances the detection of malware and file-related vulnerabilities.
  - A URL Filtering license controls the online content devices can access and how they can interact with it.
  - Enabling SSL decryption on the firewall improves the coverage and accuracy of device identification. It also helps IoT Security with risk assessment and threat detection.
- When using IoT Security on networks with medical equipment, make sure the application content version on your firewalls is 8367-6513 or later; that is, the major version, identified by the first four digits, is 8367 or above (8368, 8369, 8370, and so on), starting from 8367-6513. These versions include healthcare-specific applications that allow IoT Security to discover medical equipment and provide utilization data. They also allow firewall Security policy rules to include healthcare-specific applications.
- When integrating IoT Security with Prisma Access, Prisma Access must be running the Prisma Access 2.0-Innovation release or later with an IoT Security add-on. To learn about other requirements, see IoT Security Integration with Prisma Access.
- When Panorama manages firewalls running PAN-OS 10.2, it requires the 3.1 cloud services plugin.
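The version and license rules above are easy to get wrong across a large firewall estate, so here is an added example (not Palo Alto Networks code) that encodes them as a pre-onboarding audit check; the `Firewall` record, its field names and the license labels are assumptions chosen for illustration.

```python
"""Audit a firewall against the IoT Security prerequisites stated on this page.

Added example, not Palo Alto Networks code. The Firewall record and the
license label strings are assumptions; the version thresholds come from the page.
"""
from dataclasses import dataclass, field

# Application content version required on networks with medical equipment.
MIN_MEDICAL_CONTENT = (8367, 6513)


def parse_version(text: str) -> tuple:
    """Turn '9.0.3' or '8367-6513' into a tuple of ints so ordering works
    numerically (so 9.0.10 > 9.0.3 and 8368-1 > 8367-6513)."""
    return tuple(int(part) for part in text.replace("-", ".").split("."))


@dataclass
class Firewall:
    name: str
    panos: str                      # e.g. "9.0.2"
    panorama_managed: bool
    content_version: str            # e.g. "8367-6513"
    licenses: set = field(default_factory=set)
    medical_network: bool = False


def check_prerequisites(fw: Firewall) -> list:
    """Return the unmet prerequisites for onboarding; an empty list means ready."""
    gaps = []
    panos = parse_version(fw.panos)
    if panos < (8, 1):
        gaps.append("PAN-OS 8.1 or later is required")
    elif panos < (9, 0, 3) and not fw.panorama_managed:
        # PAN-OS 8.1 to 9.0.2 is supported only under Panorama management.
        gaps.append("PAN-OS 8.1 to 9.0.2 requires Panorama management")
    for lic in ("IoT Security", "Threat Prevention"):
        if lic not in fw.licenses:
            gaps.append(f"{lic} license is missing")
    if fw.medical_network and parse_version(fw.content_version) < MIN_MEDICAL_CONTENT:
        gaps.append("application content version must be 8367-6513 or later")
    return gaps


def enforcement_mode(panos: str) -> str:
    """Automatic policy enforcement through Device-ID needs PAN-OS 10.0 or later."""
    return "automatic (Device-ID)" if parse_version(panos) >= (10, 0) else "manual"
```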