Onboard IoT Security on VM-Series with Software NGFW Credits

1. Create one or more deployment profiles for VM-Series.

   Create a deployment profile for each type of VM-Series model you want to deploy.

   1. Log in to the Customer Support Portal (CSP), and—if you have multiple accounts—choose the account you want to use.
   2. Select ProductsSoftware NGFW Credits to view the Software NGFW Credits Dashboard.
   3. Locate your purchased NGFW Credits pool on the dashboard and Create Deployment Profile.

   4. Select VM Series and either Fixed vCPU models (Valid for all currently supported PAN-OS releases) or Flexible vCPUs (PAN-OS 10.0.4 and above) and then click Next.
   5. Assuming you selected Fixed vCPU models (Valid for all currently supported PAN-OS releases), configure the following and then Create Deployment Profile:
      Profile Name: Enter a name for the deployment profile.
      Number of Firewalls: Enter the maximum number of firewalls that can be associated with this deployment profile.
      Fixed vCPU model: Choose a VM-Series model from the list.
      Security Use Case: Choose Custom.
      Customize Subscriptions: Clear all preselected items and select IOT.
      IOT Subscription: Choose the type of IoT Security subscription to activate on the VM-Series. The different types are based on vertical themes with or without traffic log retention in Strata Logging Service.
      Use Credits to Enable VM Panorama: (clear all)
      After creating the deployment profile, it appears in the Current Deployment Profiles table on the AssetsSoftware NGFW Credits page.
   6. (Optional) After you click Create Deployment Profile, you can return to the configuration and click Calculate Estimated Cost to see an estimation of how many Flex credits will be deducted from your account and your remaining balance. If you hover your cursor over the question mark next to the estimate, you can see the credit breakdown for each component.
   7. If you have other types of firewall models to deploy, create additional deployment profiles, one for each type.
2. Activate IoT Security subscriptions based on the deployment profile in Common Services.

   1. Log in to the hub with your Palo Alto Networks Customer Support credentials.
      The hub fetches available deployment profiles for this account from the CSP.
   2. Select Common ServicesSubscriptions & Add-ons.
      The deployment profile you created appears in the Ready for Activation section at the top of the page.

   3. Click Activate Now.
      The Activate Subscriptions based on Deployment Profile(s) page appears.
   4. Configure the following IoT Security subscription activation settings:
      Customer Support Account: Choose your CSP account with the deployment profile.
      Recipient: Use an existing tenant or create a new one.
      To create a new tenant, hover your cursor over All Tenants at the top of the Select Tenant drop-down list and then click the Add icon ( + ) that appears on the right. Enter a unique name for the tenant service group (TSG) and choose a business vertical.
      Select Region: When activating an IoT Security subscription that doesn’t require a Strata Logging Service, select the region where the logging service will ingest network traffic logs that the VM-Series send it for IoT Security to access and analyze.
      When activating an IoT Security subscription that does require a Strata Logging Service, you must first already have an activated Strata Logging Service instance in the same tenant service group (TSG). IoT Security will then use this instance by default. The TSG might already have another product with an activated Strata Logging Service (PA+CDL or AIOps+CDL for example), or you might have migrated an activated standalone to the TSG before activating the IoT Security subscription. In either case, the region will be automatically populated based on the region of the existing data lake in the TSG.
      Select Deployment Profile(s): Select the deployment profile you previously created.
      There are two sections for deployment profiles: Available and Unavailable. Deployment profiles appear in the Unavailable section if a required component is missing. For example, if the IoT Security subscription in the deployment profile requires a Strata Logging Service but the tenant service group (TSG) doesn’t have one, the deployment profile will be in the Unavailable section. You will need to activate the required before attempting to activate IoT Security in such scenarios.
      When you create multiple deployment profiles, it's possible that they have different IoT Security subscriptions. When using them in the same IoT tenant, the IoT Security subscription type in the first deployment profile takes precedence over others added afterward.
      Configure Subscription URL(s): Enter a unique subdomain to complete the <subdomain>.iot.paloaltonetworks.com URL for your IoT Security application. This will be the URL where you log in to the IoT Security portal.

   5. Agree to the Terms and Conditions and then Activate.
      The hub displays the Tenant Management page where you can see the IoT Security initialization status for the TSG. The initialization generally takes a few minutes to complete.
3. Associate firewalls through the deployment profile with the IoT Security subscription in the TSG.

   1. Register a VM-Series using one of the two methods described in Register the and then Submit the registration.
      When registering a VM-Series that cannot access the CSP, you must enter a UUID, a CPU ID, the number of vCPUs on the firewall, and the amount memory allocated to the firewall. This information is in the General Information section on the Dashboard page of the web interface on your firewall. You can copy it from there and paste it in the Register Firewall form. You can also download this information from the firewall web interface to a text file by selecting DeviceLicensesActivate Feature using Auth CodeDownload Authorization File. Then on the Register Firewall page in the CSP, Upload a File for UUID & CPUID.
      After you submit the firewall registration, the CSP associates this firewall through the deployment profile with the TSG. It typically takes a few minutes for the registration and association to complete. When completed, you can see the firewall on the Common ServicesDevice Associations tab in the hub.
      During the firewall registration, the number of Software NGFW credits needed to fund the virtual firewall are automatically deducted from your pool of credits.
   2. Associate more firewalls to the TSG through the same deployment profile or, if they are different types of firewall models, through other deployment profiles you have created for them.
      It’s not currently possible to extend, renew, or offboard IoT Security licenses that have been activated on VM-Series funded by Software NGFW credits. In addition, Enterprise License Agreements (ELA) and IoT Security FedRAMP Moderate licenses are not supported.
4. Configure the VM-Series to provide network traffic logs with IoT Security.

   Now that you’ve onboarded IoT Security onto your VM-Series, follow the steps in Prepare Your Firewall for IoT Security to configure it to log network traffic and forward the traffic logs to the logging service, which then streams network traffic metadata to IoT Security for analysis.