Onboard IoT Security

Create a URL for your IoT Security portal and activate IoT Security subscriptions for firewalls and third-party integration add-ons.
Follow the onboarding workflow to create a URL for your IoT Security portal and activate IoT Security subscriptions for your firewalls. Through the onboarding process, you can optionally activate a Cortex Data Lake instance to store data and a third-party integration add-on for IoT Security to expand its capabilities.
It is important to keep the IoT Security activation email you received from Palo Alto Networks. It not only contains confidential activation-related data, but if you still have unused IoT Security licenses after completing the onboarding process, you can click the Activate button in the email again to repeat the process and activate more firewalls later.
If you activate at least one IoT Security license and then lose the email, you can still start the activation process by logging in to your Customer Support Portal account, selecting Activate Products, and then clicking Activate Now for the IoT Security license you want to onboard.
The IoT Security onboarding workflow consists of the following steps:
(Enterprise License Agreement) When you have an Enterprise License Agreement (ELA), the activation process begins in the Customer Support Portal or the hub instead of through a link in an email.
  1. To onboard IoT Security, open your IoT Security activation email and click Activate.
    Because IoT Security requires network traffic data for analysis, you must enable firewalls to forward logs with that data to a cloud logging service that IoT Security can access. IoT Security subscriptions offer two options:
    • IoT Security Subscription: This subscription requires that you also have a Cortex Data Lake instance, which stores the data logs from firewalls. You can use an existing, already activated Cortex Data Lake instance or buy a new one to use.
    • IoT Security, Does Not Require Data Lake Subscription: This subscription sends data logs to a cloud logging service that streams them directly to IoT Security without storing them in a data lake.
      If an active Cortex Data Lake license is in your Customer Support Portal account, all your firewalls will forward logs to the data lake even if you activate them with IoT Security subscriptions that don't require a data lake. If you don’t want to store data from individual firewalls in the data lake, toggle Store Log Data off for them on the Firewalls page in the Cortex Data Lake app. Although the data lake won’t retain logs from these firewalls, IoT Security will continue to ingest the logs and analyze their data.
    In addition to the IoT Security subscription and possibly a Cortex Data Lake subscription, you might have also purchased an IoT Security Third-party Integrations Add-on. This allows IoT Security to exchange information about devices, security alerts, and device vulnerabilities with third-party products that provide services such as asset management, network management, wireless network control, security information and event management (SIEM), network access control (NAC), and vulnerability scanning.
    The number of Activate buttons in the email you received depends on what you purchased. Each Activate button launches the same onboarding workflow that lets you activate all your purchased products. Click any Activate button to begin.
    While the email message above has one Activate button, the following has two, either of which launches the same onboarding workflow.
    (Enterprise License Agreement) To activate your ELA for IoT Security, make sure your user account has ELA administrator, domain administrator, and super user permissions. Either log in to your account on the Customer Support Portal or the hub and start the activation process.
    Customer Support Portal: Click Assets > Enterprise Agreements and then click ELA-IoT Activation at the top of the page.
    or
    Hub: Click ELA Activations > IoT Security at the top of the page.
  2. Log in with your Palo Alto Networks Customer Support Portal account credentials, select the products to activate, and then Start Activation.
    If you have multiple items to activate, leave them all selected when you Start Activation.
  3. Select a Support account.
    If you have more than one Support account, select the one with firewalls to subscribe to IoT Security or the one with firewalls to which you’re adding a third-party integrations add-on and then click Next.
    (Enterprise License Agreement) This step is not included in the ELA activation process because you begin the process in the hub and, therefore, your Support account is already known.
  4. Complete the IoT Security setup.
    1. If you are activating a new IoT Security tenant, choose Activate New and then enter a subdomain name. This completes the URL for your IoT Security app. This will be the URL where you log in to the IoT Security portal.
      The subdomain is prepopulated with the domain name from your email address, but you can change it if you want.
      or
      If you have an existing IoT Security tenant, choose it from the drop-down list. The remaining fields in this step change to read-only and show previously defined settings for the chosen tenant.
      Because an IoT Security tenant can only have one IoT Security Third-party Integrations Add-on, if you are onboarding an IoT Security subscription with an integrations add-on, you cannot choose an existing tenant that already has one.
    2. If you are activating a new data lake subscription, choose Activate New for Data Lake and then choose one of these for Data Lake Region: United States - Americas, Netherlands - Europe, Germany, United Kingdom, Singapore, Japan, India, Australia, or Canada. After you make your choice, the IoT App Region automatically fills in to match.
      or
      If you have an existing data lake instance, choose it from the drop-down list. This choice determines which firewalls become available for selection in the next step: those that are already associated with the chosen data lake instance or are unassociated with any other. If you have multiple data lake instances, choose the one to which firewalls will forward logs with network traffic metadata. The data lake region changes to read-only and shows the previously defined region for the chosen data lake instance.
      If you have multiple IoT Security tenants, map each tenant to its own Cortex Data Lake instance. It's not possible for multiple IoT Security tenants to share a single data lake instance.
      or
      If you are activating an IoT Security license that doesn’t use Cortex Data Lake, choose the data ingestion region, which is the region where the cloud logging service is receiving data from firewalls. You have the following choices: United States - Americas, Netherlands - Europe, United Kingdom, Australia, Singapore, Canada, Japan, Germany, and India.
      The IoT App Region automatically changes to match the chosen ingestion region. The following table summarizes the relationship of different IoT app regions with data lake regions/ingestion regions:
      For example, if you choose India as the Ingestion Region, then the IoT App Region automatically becomes Singapore.
    3. If you are using Panorama to manage your firewalls, choose it from the list. Otherwise, select None and then click Next.
    (Enterprise License Agreement) Because IoT Security–ELA licenses do not require data lake subscriptions, you won’t see an option to choose a data lake on the IoT Setup page. Instead, choose a data ingestion region, just like the option for IoT Security, Does Not Require Data Lake Subscription.
  5. Select firewalls to subscribe to IoT Security and then click Next.
    There are two steps to the selection process. First, select a firewall model on the left and then select subscriptions for the serial numbers of individual devices belonging to that model on the right. As you do, you can see how many IoT subscriptions are assigned and still available for the selected model near the top of the page. You can also track the number of licenses each model will use and how many are still available in the middle of the page. You can activate a maximum of 200 firewalls in each activation session. To activate more than 200 firewalls, repeat the activation process.
    The following are the types of firewalls and the types of IoT Security licenses that each firewall type supports. The information in the following table applies equally to both an IoT Security subscription and an IoT Security - Doesn’t Require Data Lake subscription:
    Firewall type / IoT Security license type | Prod | Eval | Trial | Lab
    Prod (Production)                         | Yes  | No   | Yes   | No
    Eval (Evaluation)                         | No   | Yes  | No    | No
    Lab                                       | Yes  | No   | Yes   | Yes
    When you purchase IoT Security production subscriptions, the licenses are specific to firewall models. It’s not possible to use licenses created for one model with a different model. On the other hand, when evaluating IoT Security, Palo Alto Networks provides temporary eval and trial licenses that can be used on any firewall model.
    A firewall type—prod, eval, and lab—is defined by the firewall SKU. To see the SKU for a firewall, log in to your Customer Support Portal account, select Assets > Devices, and check the entry for the serial number of your firewall in the Model Name column. This is the SKU, which indicates the firewall type as follows:
    • A prod SKU ends with the firewall model name; for example, PAN-PA-200
    • An eval SKU ends with -E30, which stands for Eval + 30 days; for example, PAN-PA-200-E30
    • A lab SKU ends with -LAB; for example, PAN-PA-200-LAB
    (Enterprise License Agreement) There is one type of IoT Security–ELA license and it applies to all firewall models. Simply select the individual firewalls you want to subscribe to IoT Security services. For each activation session, you can activate a maximum of 200 firewalls. To activate more, repeat the activation process.
  6. Check what will be activated, read and agree to the terms and conditions, and then Activate Subscription.
    To check how many subscriptions will be used and how many remain, hover your cursor over the information icon next to Activate Subscriptions on <number> firewalls. A pop-up panel appears showing the total number of purchased IoT Security subscriptions you have, how many will be activated in this session, how many were previously activated, and how many have not yet been chosen for activation.
    Depending upon what you onboard, the activation process creates a URL for your IoT Security portal, enables the third-party integrations, and applies IoT Security licenses to the selected firewalls. This links them to your IoT Security account.
    The license for an IoT Security subscription is not applied immediately to a firewall. A firewall automatically pulls new and updated licenses on a daily basis. To install a license faster than that, manually fetch it by opening the web interface on the firewall, selecting Device > Licenses, and then clicking Retrieve license keys from license server.
    At this point, the IoT Security portal is activated. However, you must continue to install certificates on firewalls so they will connect securely with the logging service and IoT Security.
  7. On the Activating IoT Security Portal page, copy the pre-shared key (PSK) or one-time password (OTP) that’s displayed.
    Do this step if the PAN-OS version on your firewalls is 8.1–10.0 or if it’s 10.1 or later and you are using Panorama. If your firewalls are running 10.1 or later and you are not using Panorama, skip this step.
    You will use the PSK on firewalls and the OTP on Panorama to install the certificates necessary to secure connections with the logging service and IoT Security.
    If you’re activating IoT Security, Doesn’t Require Data Lake Subscription and previously chose a Panorama instance on the IoT Security Setup page (Step 5 above), both an OTP and PSK are displayed. If your Panorama selection was None, then only a PSK is displayed.
    If you’re activating IoT Security Subscription (which requires a data lake), then neither an OTP nor a PSK is displayed. In this case, you must generate them in the Cortex Data Lake app. Log in to the hub, open the Cortex Data Lake app, navigate to the Inventory page, and then click either Generate OTP or Generate PSK. Information about when to use an OTP or a PSK is provided below. For additional information, see Cortex Data Lake Getting Started.
    Finally, if you’re activating both subscription types together, then the OTP and PSK are displayed based on whether you selected a Panorama instance or None, as explained above for IoT Security Subscription - Doesn’t Require Data Lake.
    In PAN-OS 10.0, a firewall requires two separate certificates when it connects to logging services and IoT Security:
    • A logging service certificate to authenticate itself when connecting to the logging service
    • A device certificate to authenticate itself when connecting to IoT Security
    In PAN-OS version 10.1 or later, a firewall uses a single device certificate to authenticate itself when connecting to the logging service and IoT Security. If a firewall has a device certificate installed to connect to IoT Security, it also uses that same device certificate when connecting to the logging service. In this case, the firewall no longer uses a logging service certificate at all; it uses the device certificate for both connection types.
    Firewalls running PAN-OS 8.1–9.0.5 must be managed by Panorama to get a logging service certificate. Panorama does this through the cloud services plugin, which must be installed on Panorama. From PAN-OS 9.0.6, a firewall can either use a PSK to get a logging service certificate directly or use Panorama to get a certificate for it through the cloud service plugin.
    Here’s what to do depending on the use of Panorama and the PAN-OS version on the firewalls:
    • Panorama-managed firewalls running PAN-OS 8.1 or later: Copy the OTP and enter it when installing the Cloud Services plugin on Panorama as explained in the “Configure Panorama for Cortex Data Lake” topics in Get Started with Cortex Data Lake: 10.0 or Earlier or 10.1 or Later. See steps 7 and 8 in particular. When Panorama initially connects to the logging service, it submits the OTP to verify itself and register with its logging service instance. Later, when you push a configuration requiring logging services from Panorama to a firewall that doesn’t yet have a logging service certificate, it responds to Panorama by requesting the necessary certificate. Panorama then automatically obtains the logging service certificate and sends it to the firewall.
      After its generation, an OTP is valid for 15 minutes before expiring. However, if you don’t use it within this 15-minute time frame, you can generate another one in the Customer Support Portal.
      Panorama-managed firewalls running PAN-OS 10.0 or later require device certificates to authenticate themselves when accessing cloud services like IoT Security. From PAN-OS 10.1, they also need device certificates for accessing the logging service. For instructions on installing device certificates on your firewall through Panorama, see Install the Device Certificate for Managed Firewalls.
      If you use Panorama to manage firewalls running PAN-OS 10.2, it requires the 3.1 cloud services plugin, which is currently scheduled for release in April 2022.
    • PAN-OS 9.0.6–10.0 firewalls without Panorama management: Copy the PSK to securely connect firewalls to the Customer Support Portal and download a logging service certificate. PAN-OS 9.0.6–10.0 firewalls use this certificate to connect securely to the logging service when forwarding logs to it. For instructions on entering the PSK on a firewall, see Prepare Your Firewall for IoT Security.
      The PSK is valid for 24 hours and can be used on multiple firewalls. If you need to generate another one, click the Activate link in the activation email you received from Palo Alto Networks (see step 1 above) and navigate back to this page.
    • PAN-OS 10.1 firewalls or later without Panorama management: Do not copy either the OTP or PSK. Firewalls running PAN-OS 10.1 or later use a device certificate for logging services and IoT Security connectivity. For instructions on installing device certificates on your firewall, see Prepare Your Firewall for IoT Security.
      If you upgrade firewalls with active IoT Security subscriptions to PAN-OS 10.1 or later and reboot them, they automatically switch from a logging service certificate to a device certificate for logging service connectivity.
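The three bullets above, together with the certificate rules for PAN-OS 10.0 and 10.1, amount to a decision table keyed on PAN-OS version and Panorama management. The following script is an added example (not Palo Alto Networks code) that encodes that table so you can tell, for a given firewall, which credential to copy from the activation page (OTP, PSK, or nothing) and which certificates the firewall will end up holding. The `parse_version`, `Plan` and `onboarding_plan` names are constructed for this illustration; the version comparison treats a two-part release such as 10.1 as 10.1.0.

```python
"""Credential and certificate requirements by PAN-OS version (added example, not vendor code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '10.1' or '9.0.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


@dataclass(frozen=True)
class Plan:
    credential: Optional[str]        # "OTP" (Panorama), "PSK" (firewall) or None (nothing to copy)
    certificates: FrozenSet[str]     # "logging_service" and/or "device"
    panorama_required: bool = False  # True when this version cannot onboard without Panorama


def onboarding_plan(panos_version: str, panorama_managed: bool) -> Plan:
    """Apply the rules from the page to one firewall."""
    v = parse_version(panos_version)
    if v < (8, 1, 0):
        raise ValueError("PAN-OS releases before 8.1 are not covered by this workflow")
    if v >= (10, 1, 0):
        # One device certificate serves both the logging service and IoT Security;
        # only Panorama-managed firewalls still involve an OTP (entered on Panorama).
        return Plan("OTP" if panorama_managed else None, frozenset({"device"}))
    if v >= (10, 0, 0):
        # 10.0 keeps the logging service certificate and adds a device certificate.
        return Plan("OTP" if panorama_managed else "PSK",
                    frozenset({"logging_service", "device"}))
    # 8.1 - 9.x: logging service certificate only; device certificates are unsupported.
    if panorama_managed:
        return Plan("OTP", frozenset({"logging_service"}))
    if v >= (9, 0, 6):
        return Plan("PSK", frozenset({"logging_service"}))
    # 8.1 - 9.0.5 cannot fetch the logging service certificate without Panorama.
    return Plan(None, frozenset({"logging_service"}), panorama_required=True)


if __name__ == "__main__":
    # Constructed sample fleet: (version, managed by Panorama?)
    fleet = [("9.0.5", False), ("9.0.5", True), ("9.0.6", False),
             ("10.0.2", False), ("10.1", False), ("10.2", True)]
    for version, managed in fleet:
        plan = onboarding_plan(version, managed)
        print(f"PAN-OS {version:7} panorama={managed!s:5} -> credential={plan.credential}, "
              f"certs={sorted(plan.certificates)}, panorama_required={plan.panorama_required}")
```

The `panorama_required` flag is the case worth catching early: a standalone firewall on 8.1 through 9.0.5 has no way to obtain its logging service certificate, so it has to be brought under Panorama or upgraded before it can forward logs.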
  8. Check the activation status of the subscribed firewalls and their certificates.
    To check their status, click Details next to “Activate Subscriptions on <number> firewalls” or in the Logging service status and Device certificate sections. All occurrences of Details on this page open the Subscribed Firewalls page. (Note that some sections might not appear depending on what’s being activated and their status.)
    However, in addition to the installation of one or two certificates (depending on PAN-OS version) on each subscribed firewall, firewalls must also have logging services enabled and be configured to forward log events to the logging service where IoT Security can access them for analysis. Check the status of certificate installations and firewall configurations on the Subscribed Firewalls page.
    Logging Service Status
    During the firewall activation process, IoT Security begins monitoring the status of firewalls forwarding logs to the logging service. A firewall can be in one of several states.
    Red “Configuration Error” – This indicates that the firewall does not have the required certificate installed and is not forwarding any logs to the logging service. Hover your cursor over it to see a tooltip stating, “Certificate not set on firewall”. In this case, do the following:
    • Set up your logging service instance.
    • Check that the Logging Service license on the firewall is active and set a service route for Palo Alto Networks Services using either the mgt interface or a data interface.
    Red “Not receiving any logs” – This indicates that the firewall has the required certificate but is not yet configured to forward logs. In this case, do the following:
    • Configure the firewall to log traffic and forward the logs to the logging service.
    Yellow “Not receiving EAL logs” – This means that the logging service is receiving logs but not Enhanced Application logs (EALs). Make sure that log forwarding has EAL enabled and that a log forwarding profile is configured to include EALs.
    Yellow “Not receiving Traffic logs” – This means that the firewall is forwarding logs but not traffic logs. Make sure the log forwarding profile includes traffic logs.
    Yellow “Not receiving DHCP logs” – This means that none of the traffic logs include DHCP traffic. Make sure that the firewall is applying a policy rule to DHCP traffic and that it has log forwarding for traffic logs and EALs enabled.
    Green “Good” – This means that the firewall is configured and deployed properly to send the logging service all the logs that IoT Security requires to function.
    To be cautious, IoT Security waits a full hour before determining it's not receiving one or more log types. It then displays a red or yellow “Not receiving...” status. On the other hand, once it starts receiving all the required logs, it immediately displays the status as green “Good”.
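The status list above is effectively a precedence rule over three observations per firewall (certificate present, which log types the logging service has seen, and how long since activation), plus the one-hour grace period. The following script is an added example (not Palo Alto Networks code) that reproduces that decision for a set of firewall records and groups the results by status, pairing each with the remediation the page gives. Two details are assumptions, because the page does not state them: a gray “Waiting” placeholder for firewalls still inside the grace period, and EAL before Traffic before DHCP precedence when several log types are missing at once. The records and the `FirewallRecord`, `logging_service_status` and `triage` names are constructed for this illustration.

```python
"""Logging Service Status decision logic (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

REQUIRED_LOG_TYPES = frozenset({"eal", "traffic", "dhcp"})
GRACE_MINUTES = 60  # the page: IoT Security waits a full hour before a "Not receiving..." status

# Remediation hints, condensed from the status descriptions on this page.
HINTS = {
    "Configuration Error": "Set up the logging service instance; check the Logging Service "
                           "license and the service route for Palo Alto Networks Services.",
    "Not receiving any logs": "Configure the firewall to log traffic and forward logs to the logging service.",
    "Not receiving EAL logs": "Enable EAL in log forwarding and include EALs in the log forwarding profile.",
    "Not receiving Traffic logs": "Include traffic logs in the log forwarding profile.",
    "Not receiving DHCP logs": "Apply a policy rule to DHCP traffic with traffic-log and EAL forwarding enabled.",
    "Good": "No action needed.",
    "Waiting": "Inside the one-hour grace period; check again later.",
}


@dataclass(frozen=True)
class FirewallRecord:
    serial: str
    certificate_installed: bool
    log_types_seen: FrozenSet[str]   # subset of {"eal", "traffic", "dhcp"}, any case
    minutes_since_activation: int


def logging_service_status(r: FirewallRecord) -> Tuple[str, str]:
    """Return (color, label) as the Subscribed Firewalls page would show it."""
    if not r.certificate_installed:
        return ("red", "Configuration Error")
    seen = {t.lower() for t in r.log_types_seen}
    if REQUIRED_LOG_TYPES <= seen:
        return ("green", "Good")          # shown immediately once everything arrives
    if r.minutes_since_activation < GRACE_MINUTES:
        return ("gray", "Waiting")        # assumption: page gives no label for the grace period
    if not seen:
        return ("red", "Not receiving any logs")
    # Assumed precedence when several types are missing: EAL, then Traffic, then DHCP.
    if "eal" not in seen:
        return ("yellow", "Not receiving EAL logs")
    if "traffic" not in seen:
        return ("yellow", "Not receiving Traffic logs")
    return ("yellow", "Not receiving DHCP logs")


def triage(records: List[FirewallRecord]) -> Dict[str, List[str]]:
    """Group firewall serials by status label so each group gets one remediation."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        _, label = logging_service_status(r)
        groups.setdefault(label, []).append(r.serial)
    return groups


if __name__ == "__main__":
    # Constructed sample records; serials are placeholders.
    sample = [
        FirewallRecord("FW-01", False, frozenset(), 500),
        FirewallRecord("FW-02", True, frozenset(), 120),
        FirewallRecord("FW-03", True, frozenset({"traffic", "dhcp"}), 120),
        FirewallRecord("FW-04", True, frozenset({"eal", "traffic"}), 120),
        FirewallRecord("FW-05", True, frozenset({"EAL", "Traffic", "DHCP"}), 5),
        FirewallRecord("FW-06", True, frozenset({"eal"}), 30),
    ]
    for label, serials in triage(sample).items():
        print(f"{label}: {', '.join(serials)}\n    -> {HINTS[label]}")
```

Note the asymmetry the page describes: a missing certificate or a complete set of logs is reported at once, while any missing log type is only reported after the grace period has elapsed.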
    Device Certificate
    IoT Security also checks if each firewall has a device certificate installed. The Device Certificate column shows the status either as green “Installed” or gray “Absent”. When a firewall doesn’t have a device certificate, it is considered to be “absent” rather than “missing”. Because firewalls with a software version earlier than PAN-OS 10.0 do not support device certificates, not having one is normal and their status will always be gray “Absent”. However, if a firewall is running PAN-OS 10.0 or later and the status is gray “Absent”, do the following:
    Then check the Device Certificate status on the Subscribed Firewalls page again. It should now be green “Installed”.
  9. Activate more products if available.
    To close the Subscribed Firewalls page and return to the IoT Security Portal Activated page, click Dismiss. If you have unused IoT Security licenses that you want to activate, click Activate More Products. This allows you to repeat the onboarding steps to activate IoT Security licenses on additional firewalls.
    After the activation process completes, a button appears at the top of the page.
  10. Start using the IoT Security portal.
    To view the IoT Security portal, click Launch IoT Security. A welcome page appears displaying the status of the logging service and several links to useful learning resources.
    When activation completes—which can take up to 20 minutes—you will also be sent an email confirmation with a Launch IoT Security link. If you navigate away from this page during activation, you can also use the link in the email to reach the IoT Security portal.
    To access the rest of the web interface, use the navigation menu on the left.
    There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the IoT Security Cloud. On average, devices begin showing up in the IoT Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up.
    Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status of logs that the logging service is streaming to the IoT Security app. For more information, see IoT Security Integration Status with Firewalls.
    After the IoT Security portal has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), consider following the typical workflow of an IoT Security user:
    • Device visibility – Learn about the IoT devices on the network
    • Application visibility – Learn about the applications and protocols these devices use
    • Device vulnerabilities – Learn about IoT device vulnerabilities and take steps to mitigate them, first on the most critical devices and then on others
    • Security alerts – Respond to security alerts as they occur, prioritizing your response on the urgency of the alert and the importance of the targeted device or network segment
    • Security policy rule recommendations – Based on observed network behavior, the IoT Security app can generate recommended security policy rules that you can then sync with those on your next-generation firewall.