IoT Security Prerequisites

These are the prerequisites for deploying IoT Security.
Ensure that your environment meets all prerequisites for deploying IoT Security with Palo Alto Networks next-generation firewalls:
  • One or more firewalls running PAN-OS 8.1 to PAN-OS 9.0.2 with Panorama management, or PAN-OS 9.0.3 or later with or without Panorama management.
    Firewalls running PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1 support IoT Security for device visibility and manual policy enforcement. Firewalls running PAN-OS 10.0 or later support IoT Security for both device visibility and automatic policy enforcement through Device-ID.
  • One IoT Security license per firewall.
    The license controls whether IoT Security ingests log data that a firewall forwards to the Palo Alto Networks cloud-based logging service to identify IoT devices and assess risk. The license also controls whether a firewall can pull IP address-to-device mappings and policy rule recommendations from IoT Security and the device dictionary from the update server for use in its security policy rules.
    (A note about IP address-to-device mappings: IoT Security uses patented multi-tier machine-learning algorithms to profile device behaviors and identify the device type, make, model, OS, and OS version. It bundles this set of attributes into a logical object, maps it to the IP address of a device, and sends it to the firewall. This object is called an IP address-to-device mapping.)
    When you buy an IoT Security subscription, you have a 90-day grace period to activate the license on a firewall. If you activate it within the first 90 days, the subscription starts on the activation date. Otherwise, it starts 90 days after the purchase date.
    A Panorama management server does not require an IoT Security license.
  • When using IoT Security Subscription, which stores data in Cortex™ Data Lake, you need one Cortex Data Lake license per account.
    Your Cortex Data Lake subscription can either be new or an existing one, and the data lake can either be in the United States or European Union. Regardless of the use of the data lake, firewalls stream logging data automatically and continuously to the IoT Security infrastructure where it is retained for 30 days until deletion.
    For a new Cortex Data Lake instance, figure out the amount of storage you'll need with the Cortex sizing calculator. When making your calculations, enter the number of firewalls with an IoT Security license and select IoT Security.
  • Using the logging service requires a Premium Support license or better. This is required when using the logging service with either of the two IoT Security subscription types: IoT Security Subscription and IoT Security Subscription - Doesn't Require Data Lake. (A Premium Support license is automatically included with the purchase of a Cortex Data Lake instance.)
  • A Threat Prevention license is highly recommended to improve risk assessment and vulnerability detection so you can get the full benefit of IoT Security.
  • The following licenses and firewall capability provide additional value to IoT Security:
    • A DNS Security license helps IoT Security detect DNS-related threats and risks.
    • A Wildfire license enhances the detection of malware and file-related vulnerabilities.
    • Enabling SSL decryption on the firewall improves the coverage and accuracy of device identification. It also helps IoT Security with risk assessment and threat detections.
  • When using IoT Security on networks with medical equipment, make sure the application content version on your firewalls is 8367-6513 or later; that is, the major version, which is identified by the first four digits, is 8367 or above (8368, 8369, 8370, and so on), starting from 8367-6513. These versions include healthcare-specific applications that allow IoT Security to discover medical equipment and provide utilization data. They also allow firewall Security policy rules to include healthcare-specific applications.
  • When integrating IoT Security with Prisma Access, Prisma Access must be running the Prisma Access 2.0-Innovation release or later with an IoT Security add-on. To learn about other requirements, see IoT Security Integration with Prisma Access.

Recommended For You