Prepare Your Firewall for IoT Security

Configure your firewall to collect network traffic metadata, forward it to the logging service, and (for PAN-OS 10.0 or later) install a device certificate.
The following steps describe how to enable logging service on a next-generation firewall and configure it to obtain and log network traffic metadata. It then explains how to forward the collected metadata to the cloud-based logging service where IoT Security uses it to identify various IoT devices on the network.
The steps below assume you already completed the IoT Security onboarding process but still need to do the following:
  • (PAN-OS 10.0 or later) Install a device certificate on your firewalls.
  • Install a device license and a logging service license on your firewalls.
  • (PAN-OS 8.1–10.0) Install a logging service certificate on your firewalls.
  • Configure your firewalls to collect network traffic metadata.
  • Configure your firewalls to forward the collected metadata in logs to the logging service.
  • Enable Device-ID on zones with devices that you want to monitor and protect with Security policy rules.
  • (Optional) Create a service route and Security policy rule to permit firewalls to communicate with the logging service, IoT Security, and update server through a data interface.
For additional details about configuring a firewall for IoT Security, see Device-ID.
  1. (PAN-OS 10.0 or later) Generate and install a device certificate on your firewalls so they can authenticate themselves when they connect to IoT Security.
    Firewalls running PAN-OS 10.1 or later require a device certificate to authenticate themselves when connecting to the logging service and IoT Security. PAN-OS 10.0 firewalls require a device certificate only when connecting to IoT Security. (A device certificate is not required on firewalls running a version of PAN-OS earlier than 10.0.)
    See IoT Security Integration with Next-generation Firewalls for information about the sites that next-generation firewalls contact to authenticate certificates when communicating with IoT Security.
  2. (PAN-OS 9.0.6–10.0 firewalls without Panorama management) Copy the pre-shared key (PSK) that was created for your firewalls during the onboarding process.
    Entering the PSK on your firewalls enables them to connect securely with the customer support portal and download a logging service certificate. This certificate, in turn, allows the firewalls to connect securely with the Palo Alto Networks cloud-based logging service so they can forward logs to it. The key is valid for 24 hours and will be used later in this process.
    Firewalls running PAN-OS 8.1–9.0.5 must be managed by Panorama to get a logging service certificate. Panorama does this through the cloud services plugin, which must be installed on Panorama. For installation instructions, see the Activate Cortex Data Lake (Panorama-Managed) chapter in Get Started with Cortex Data Lake.
  3. Log in to each of your firewalls, click Device > Licenses, and then select Retrieve license keys from license server in the License Management section.
    This installs the licenses for IoT Security and the logging service on the firewall.
    When the time comes to renew IoT Security licenses, use this retrieval function on your firewalls so that they extend their license expiration dates.
  4. (PAN-OS 9.0.6–10.0 firewalls without Panorama management) Set up the logging service on your firewall.
    1. Select Device > Setup > Management and click Connect next to Onboard without Panorama in the Cortex Data Lake section.
      This opens the Onboard without Panorama dialog box.
    2. Paste the PSK you copied when onboarding IoT Security and then click Connect.
      The firewall first connects to the customer support portal, submits the PSK, and downloads a logging service certificate. It then uses the certificate to authenticate itself and connect securely to the logging service.
      This step is unnecessary in PAN-OS 10.1 or later because firewalls use a device certificate to authenticate to the logging service. If you do this step anyway, the firewall will still download a logging service certificate but it won’t be used once there’s a device certificate on the firewall (refer to step 1).
    3. When done, Close the window.
  5. Set up the logging service on your firewall and choose the log ingestion region.
    1. Click the Edit icon (gear) for Cortex Data Lake. If you have an IoT Security license, select Enable Cortex Data Lake and Enable Enhanced Application Logging.
      If you have an IoT Security-Doesn’t Require Data Lake license, select Enable Duplicate Logging (Cloud and On-Premises) and Enable Enhanced Application Logging.
    2. Choose the region where the logging service will ingest logs from your firewalls. Because the IoT Security app must be in the same region so it can access data from the ingested logs, the two choices are United States - Americas and Germany - Europe.
      For PA-7000 and PA-5200 models, enter the number of connections for sending logs from the firewall to the logging service. The range is 1-20 and the default is 5.
    3. When done, click OK.
  6. Make sure your firewall is set up to apply policy to DHCP traffic between DHCP clients and their DHCP server and to log their traffic.
    For detailed instructions about setting up firewalls to capture and log DHCP traffic, see Firewall Deployment for DHCP Visibility.
    (Not supported on the PA-3200, PA-5200, PA-5450, or PA-7000) If the firewall is running a PAN-OS 10.0 release or later with a DHCP server on one of its interfaces, enable DHCP Broadcast Session on Device > Setup > Session. (For more information, see Firewall Deployment Options for IoT Security.)
    In addition to detecting devices with dynamically assigned IP addresses, IoT Security also discovers and identifies devices with static IP addresses. To learn about the multiple methods IoT Security uses to do this and how you can assist, see Devices with Static IP Addresses.
  7. To forward logs to the logging service, click Objects > Log Forwarding and then click Add.
    Configure a log forwarding profile on the firewall to send enhanced application logs to the logging service so the IoT Security app can ingest network traffic data. Optionally, instead of adding a new profile, you can edit an existing one.
  8. In the Log Forwarding Profile, enter a name such as Log-Forwarding, click Enable enhanced application logging to Cortex Data Lake (including traffic and url logs), and then click OK.
    Enhanced application logging was introduced in PAN-OS 8.1.
    A list of enhanced application logs automatically populates the page and forwards all logs per type to the logging service. Selecting Enable enhanced application logging to Cortex Data Lake (including traffic and url logs) enables the firewall to capture packet payload data (EALs) in addition to session metadata (regular logs) for these different log types. When this log forwarding profile is attached to a Security policy rule to control traffic, the firewall forwards both types of data to the logging service. You cannot delete any of these logs from the profile or modify any of the filters in the Filter column, which all use the default "All Logs" filter.
    The following describes each log type, its purpose, and whether IoT Security uses it:
    • traffic – Traffic logs contain entries for the end of each network session and, optionally, the start of a network session. IoT Security uses traffic logs to identify devices, generate policy rule recommendations, assess risk, detect anomalous device behavior, correlate sessions, and raise security alerts.
    • threat – Threat logs contain entries for when network traffic matches one of the security profiles attached to a next-generation firewall Security policy rule. IoT Security uses threat logs to assess risks, detect vulnerabilities, raise security alerts, and generate policy rule recommendations.
    • wildfire – WildFire® logs contain entries for when WildFire security profiles are attached to a Security policy rule and files are traversing the network. IoT Security uses WildFire logs to detect IoT-specific file-based attacks, raise security alerts, and generate policy rule recommendations.
    • url – URL logs are written whenever network traffic matches a URL filtering profile attached to a Security policy rule. IoT Security does not currently use URL filtering logs.
    • data – Data logs can represent either a successful file data transfer or an attempted file transfer that was blocked by the firewall. IoT Security does not currently use data logs.
    • gtp (When GTP is enabled) – GTP logs are written whenever a firewall is processing GPRS Tunneling Protocol traffic. IoT Security does not currently use GTP logs.
    • sctp (When SCTP is enabled) – SCTP logs are written whenever a firewall is processing Stream Control Transmission Protocol traffic. IoT Security does not currently use SCTP logs.
    • tunnel – Tunnel logs are written whenever a firewall is processing Generic Routing Encapsulation (GRE) or null-encryption IPsec traffic. They contain metadata about the traffic inside these types of tunnels. IoT Security does not currently use tunnel logs.
    • auth – Auth logs contain information about authentication events seen by the firewall. These occur when users access network resources that are controlled by Authentication policy rules. IoT Security does not currently use auth logs.
    • decryption – Although IoT Security uses decrypted SSL data to improve device identification, risk assessment, and threat detection, it doesn’t use decryption logs, which are helpful when troubleshooting decryption issues.
    If you name the log forwarding profile “default” (all lowercase), the firewall will automatically apply it to new Security policy rules when they’re created—or when they’re imported from IoT Security. Doing this will save you time and effort when importing Security policy rule recommendations from IoT Security. Because imported rule recommendations don’t include a log forwarding profile, you have to add one manually to each rule after you import it. However, by naming the profile “default”, you can avoid this step. (Note that the “default” log forwarding profile will be applied when adding new Security policy rules, but it won’t be retroactively applied to existing rules.)
  9. Enable log forwarding on Security policy rules.
    On Security policy rules that apply to traffic whose data you want to collect, enable log forwarding and choose the log forwarding profile you just created to send enhanced application logs for this traffic to the logging service. For information, see Configure Policies for Log Forwarding.
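The two conditions steps 8 and 9 rely on (every rule that should feed IoT Security carries a log forwarding profile, and that profile has enhanced application logging enabled) can be audited on an exported rulebase. The following is an added Python example, not Palo Alto Networks code; the classes, field names and sample rules are constructed for the illustration, and `profile_for_new_rule` models only the documented "default" naming behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed minimal model of log forwarding profiles and Security policy rules
# for this example; the field names are assumptions, not PAN-OS object names.
@dataclass(frozen=True)
class LogForwardingProfile:
    name: str
    enhanced_app_logging: bool  # "Enable enhanced application logging to Cortex Data Lake"

@dataclass(frozen=True)
class SecurityRule:
    name: str
    action: str                    # "allow" or "deny"
    log_forwarding: Optional[str]  # attached profile name, or None

def audit_log_forwarding(rules, profiles):
    """Map rule name -> problem for allow rules whose traffic would not reach the
    logging service as enhanced application logs (EALs)."""
    by_name = {p.name: p for p in profiles}
    problems = {}
    for rule in rules:
        if rule.action != "allow":
            continue  # assumption for the example: only rules that pass traffic are audited
        if rule.log_forwarding is None:
            problems[rule.name] = "no log forwarding profile (imported recommendations have none)"
        elif rule.log_forwarding not in by_name:
            problems[rule.name] = f"profile {rule.log_forwarding!r} does not exist"
        elif not by_name[rule.log_forwarding].enhanced_app_logging:
            problems[rule.name] = f"profile {rule.log_forwarding!r} has EAL disabled"
    return problems

def profile_for_new_rule(profiles):
    """Documented behaviour: only a profile named exactly "default" (lowercase) is
    applied automatically to newly created or imported rules, never to existing ones."""
    return next((p.name for p in profiles if p.name == "default"), None)

# Constructed sample: one correct rule, one rule imported from IoT Security
# without a profile, one rule whose profile has EAL switched off.
PROFILES = [
    LogForwardingProfile("Log-Forwarding", True),
    LogForwardingProfile("Legacy-Syslog", False),
]
RULES = [
    SecurityRule("allow-iot-to-dns", "allow", "Log-Forwarding"),
    SecurityRule("iotsec-rec-cameras", "allow", None),
    SecurityRule("allow-printers", "allow", "Legacy-Syslog"),
    SecurityRule("deny-all", "deny", None),
]
```

Running `audit_log_forwarding(RULES, PROFILES)` flags the imported rule and the rule bound to the EAL-disabled profile; existing rules are never fixed up by adding a "default" profile, so re-run the audit after creating one.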
  10. Enable Device-ID in each zone where you want to use it to detect devices and enforce your Security policy rules.
    For detailed configuration instructions, see Configure Device-ID in the PAN-OS Administrator’s Guide.
  11. (Optional) Create a service route and Security policy rule.
    By default, a firewall uses its Management interface to send data logs to the logging service, get recommended policy rule sets and IP address-to-device mappings from IoT Security, and download device dictionary files from the update server. When a firewall uses its Management interface for all this, a service route and a Security policy rule are not needed.
    However, when a firewall accesses the logging service, IoT Security, and update server through a data interface, then you must add a service route identifying the source interface, source interface IP address, and service type (Data Services). In addition, you must add an interzone Security policy rule permitting Data Services from 127.168.0.0/16 to the destination zone where the logging service, IoT Security, and update server are.
    When a firewall generates traffic that it sends through a data interface, it uses an IP address in the 127.168.0.0/16 subnet as its internal source and then translates it to the IP address of the source interface. Because Security policy rules are applied to the original source IP address before NAT, the source IP address must be 127.168.0.0/16 instead of the IP address of the source interface.
    1. If necessary, configure the data interface you want to use as the source interface.
    2. Click Device > Setup > Services and, on the IPv4 tab, select Data Services and then click Set Selected Service Routes.
    3. Choose the Source Interface and the IP address of the interface as the Source Address.
    4. Click OK twice to save your configuration changes.
    5. Add a Security policy rule permitting Data Services from 127.168.0.0/16 to the destination zone with the logging service, IoT Security, and update server.
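Why the rule in sub-step 5 must name 127.168.0.0/16 rather than the data interface address is easy to get wrong, so here is an added Python example (not Palo Alto Networks code) that models top-down, first-match rule evaluation against the firewall's pre-NAT internal source. The `SecurityRule` fields, zone names and addresses are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of interzone Security policy rules, evaluated top-down with
# the first match winning. Field names are assumptions, not PAN-OS object names.
@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str  # "any" or a zone name
    to_zone: str
    source: str     # "any" or a CIDR
    action: str     # "allow" or "deny"

# Internal source the firewall uses for its own traffic through a data interface;
# policy is evaluated against this pre-NAT address, not the interface address.
FIREWALL_INTERNAL_SOURCE = ipaddress.ip_network("127.168.0.0/16")

def rule_matches(rule, from_zone, to_zone, src_net):
    """True if the rule covers every address in src_net for this zone pair."""
    if rule.from_zone not in ("any", from_zone) or rule.to_zone not in ("any", to_zone):
        return False
    return rule.source == "any" or src_net.subnet_of(ipaddress.ip_network(rule.source))

def first_match(rules, from_zone, to_zone, src_net):
    """First rule deciding the firewall's own Data Services traffic, or None
    (no match falls through to the interzone default, which denies)."""
    return next((r for r in rules if rule_matches(r, from_zone, to_zone, src_net)), None)

def data_services_permitted(rules, from_zone, to_zone):
    rule = first_match(rules, from_zone, to_zone, FIREWALL_INTERNAL_SOURCE)
    return rule is not None and rule.action == "allow"

# Constructed sample: source data interface 10.1.1.1 sits in zone "dmz"; the
# logging service, IoT Security and update server are reached through "untrust".
WRONG_RULES = [  # written for the post-NAT interface address, so it never matches
    SecurityRule("fw-to-cloud", "dmz", "untrust", "10.1.1.1/32", "allow"),
]
RIGHT_RULES = [
    SecurityRule("fw-to-cloud", "dmz", "untrust", "127.168.0.0/16", "allow"),
]
```

A rule that covers only part of 127.168.0.0/16, or a broader deny placed above the permit, also leaves the firewall unable to reach the logging service; both cases are checked the same way.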
  12. Commit your configuration changes.
    After the configuration is committed, the firewall begins generating logs and forwarding them to the logging service. You can use the Explore app in the hub to see the progress of log forwarding between the firewall and the logging service.