Onboard IoT Security

Create a URL for your IoT Security portal and activate IoT Security subscriptions for firewalls and third-party integration add-ons.
Follow the onboarding workflow to create a URL for your IoT Security portal and activate IoT Security subscriptions for your firewalls. Through the onboarding process, you can optionally activate a Strata Logging Service instance to store data and a third-party integration add-on for IoT Security to expand its capabilities.
It is important to keep the IoT Security activation email you received from Palo Alto Networks. It contains confidential activation-related data, and if you still have unused IoT Security licenses after completing the onboarding process, you can click the Activate button in the email again to repeat the process and activate more firewalls later.
(Enterprise License Agreement) When you have an Enterprise License Agreement (ELA), begin the activation process by entering the authorization code that Palo Alto Networks sends you in your Customer Support Portal account. For complete step-by-step instructions, see Activate an Add-on Enterprise License Agreement through Common Services.
When you have IoT Security subscriptions, the onboarding process consists of the following main steps.
  1. Click Activate in the IoT Security activation email from Palo Alto Networks.
  2. Log in to the Palo Alto Networks hub.
  3. Activate IoT Security.
  4. Add devices (firewalls) to the tenant service group (TSG) and associate IoT Security, and possibly other applications as well, with the firewalls.
  5. (Optional) Manage identity and access to IoT Security.
  6. Set up IoT Security and firewalls to work together.
    For instructions for these first six steps, see Common Services: Subscription & Tenant Management. Then return here to continue the setup.
  7. (FedRAMP solution) Submit a support request with the source IP addresses or source IP address blocks that you want to allow access to your FedRAMP IoT Security portal at https://<your-domain>.iot-gov.paloaltonetworks.com.
    1. Sign in to the Palo Alto Networks Customer Support Portal.
    2. Create a Case to open a support request and provide the IP addresses or IP address blocks to allow access to your FedRAMP IoT Security portal.
  8. Log in to the IoT Security portal.
    Click the IoT Security link on either the Tenant Management or Device Associations page.
    A welcome page appears displaying the status of the logging service and several links to useful learning resources.
  9. To access the rest of the web interface, use the navigation menu on the left.
    If you are a user with owner privileges and the portal doesn’t have a predetermined vertical theme, IoT Security will prompt you to select a theme when you attempt to navigate away from the welcome page: Enterprise IoT Security Plus, Industrial OT Security, or Medical IoT Security. If you don’t select a theme, you will use the Enterprise IoT Security Plus theme by default. IoT Security will continue to prompt you to select a theme every time you log in until you make a selection, or another user with owner privileges does.
    If you are a user without owner privileges and an owner hasn’t yet selected a vertical theme, you will see the Enterprise IoT Security Plus theme by default. Otherwise, if the portal theme was already determined by the IoT Security product purchased or if an owner already set a theme, then that is the one you see.
    There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the IoT Security Cloud. On average, devices begin showing up in the IoT Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up.
    Click Administration > Sites and Firewalls > Firewalls in the IoT Security portal to see the status of logs that the logging service is streaming to the IoT Security app. For more information, see IoT Security Integration Status with Firewalls.
    After the IoT Security portal has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), consider following the typical workflow of an IoT Security user:
    • Device visibility – Learn about the IoT devices on the network
    • Application visibility – Learn about the applications and protocols these devices use
    • Device vulnerabilities – Learn about IoT device vulnerabilities and take steps to mitigate them, first on the most critical devices and then on others
    • Security alerts – Respond to security alerts as they occur, prioritizing your response on the urgency of the alert and the importance of the targeted device or network segment
    • Security policy rule recommendations – Based on observed network behavior, the IoT Security app can generate recommended security policy rules that you can then sync with those on your next-generation firewall.
    Depending on the PAN-OS versions running on your firewalls, you must generate an OTP or PSK and install certificates on firewalls so they will connect securely with the logging service and with IoT Security. There are also firewall configurations necessary to enable logging and log forwarding to IoT Security. For Enterprise IoT Security Plus, Industrial OT Security, and Medical IoT Security, you must also configure IoT Security and PAN-OS to apply Device-ID to enforce Security policy rules. To continue, see Prepare Your Firewall for IoT Security.
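
A pre-submission check for the source addresses requested in the FedRAMP step above, as an added example that is not Palo Alto Networks code: it rejects malformed, internal and overly broad entries and collapses the rest into the smallest equivalent set of CIDR blocks. The function name, the prefix thresholds and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Ranges that cannot appear as a source address at a cloud-hosted portal.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]
# Assumed review threshold: prefixes shorter than these are flagged as too broad.
MIN_PREFIX = {4: 16, 6: 32}


def prepare_allowlist(entries):
    """Return (blocks, rejected): CIDR strings to submit, and (entry, reason) pairs."""
    accepted, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True refuses host bits in a block (198.51.100.7/24), a common typo.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append((text, "not a valid address or CIDR block"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((text, "block too broad for an allow list"))
        elif any(net.version == r.version and net.overlaps(r) for r in NON_ROUTABLE):
            rejected.append((text, "internal or non-routable range"))
        else:
            accepted.append(net)
    blocks = []
    for version in (4, 6):
        same = [n for n in accepted if n.version == version]
        # collapse_addresses merges duplicates, nested blocks and adjacent blocks.
        blocks += [str(n) for n in ipaddress.collapse_addresses(same)]
    return blocks, rejected


# Constructed sample input; documentation ranges stand in for real egress addresses.
SAMPLE = ["203.0.113.10", "203.0.113.11", "203.0.113.8/29", "198.51.100.0/25",
          "198.51.100.128/25", "10.20.0.5", "198.51.100.7/24", "0.0.0.0/0",
          "2001:db8:10::/48", "vpn-gateway"]

if __name__ == "__main__":
    blocks, rejected = prepare_allowlist(SAMPLE)
    print("\n".join(blocks))
    for entry, reason in rejected:
        print(f"REJECTED {entry}: {reason}")
```

Merging only combines blocks that cover exactly the same addresses, so the collapsed list never grants access to an address that was not in the input.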