: Prepare Your Firewall for IoT Security
Focus
Focus

Prepare Your Firewall for IoT Security

Table of Contents

Prepare Your Firewall for
IoT Security

Configure your firewall to collect network traffic metadata, forward it to the logging service, and (for PAN-OS 10.0 or later) install a device certificate.
The following steps describe how to enable logging service on a next-generation firewall and configure it to obtain and log network traffic metadata. It then explains how to forward the collected metadata to the cloud-based logging service where
IoT Security
uses it to identify various IoT devices on the network.
The steps below assume you already completed the
IoT Security
onboarding process but still need to do the following:
  • Install a device license and a logging service license on your firewalls.
  • Install certificates on your firewalls (if they aren't installed already).
  • Configure your firewalls to collect network traffic metadata.
  • Configure your firewalls to forward the collected metadata in logs to the logging service.
  • Enable Device-ID on zones with devices that you want to monitor and protect with Security policy rules.
  • (
    Optional
    ) Create service routes and Security policy rules to permit firewalls to communicate with the logging service,
    IoT Security
    , and update server through a data interface.
For additional details about configuring a firewall for
IoT Security
, see Device-ID.
  1. Install licenses required for IoT Security to function.
    After onboarding , take one of the following actions to install the licenses your firewalls need to use IoT Security:
    Next-generation firewalls
    : Log in to each of your firewalls, select
    Device
    Licenses
    , and then select
    Retrieve license keys from license server
    in the License Management section.
    or
    Panorama
    : Log in to Panorama, select
    Panorama
    Device Deployment
    Licenses
    , and then
    Refresh
    . Select the devices onboarded with IoT Security and
    Refresh
    .
    This installs the licenses for
    IoT Security
    and the logging service on the firewall.
    When the time comes to renew
    IoT Security
    licenses, use this retrieval function on your firewalls so that they extend their license expiration dates.
  2. If necessary, generate a one-time password (OTP) and pre-shared key (PSK) to get device and logging service certificates.
    This step only applies to firewalls with an
    IoT Security
    , Doesn't Require Data Lake Subscription. If your firewalls have an
    IoT Security
    Subscription, which requires a
    Cortex Data Lake
    , see the
    Cortex Data Lake
    for details about generating certificates and installing them on your firewalls.
    • Firewalls with PAN-OS 10.1 or later
      Skip this step if your firewalls run PAN-OS 10.1 or later and already have a device certificate installed. Any firewalls on which you’ve previously installed a device certificate for another Palo Alto Networks product already have this certificate and don’t require a new one. You can check if your firewall has a valid certificate in the General Information section on the Dashboard page in the PAN-OS web user interface.
      Firewalls running PAN-OS 10.1 or later require a device certificate but not a logging service certificate.
      The following next-generation firewall models automatically install a device certificate when they first connect to the Customer Support Portal (CSP); therefore, you don’t have to install one manually on any of these firewalls running these PAN-OS versions:
      • PAN-OS 10.1
        : PA-410, PA-440, PA-450, PA-460, and PA-5450 firewalls
      • PAN-OS 10.2
        : PA-410, PA-440, PA-450, and PA-460 firewalls; PA-1400 Series and PA-3400 Series firewalls; and PA-5410, PA-5420, PA-5430, and PA-5450 firewalls
      • PAN-OS 11.0
        : PA-400 Series, PA-1400 Series, PA-3400 Series, PA-5400 Series, and PA-5450 firewalls
      Also any firewalls on which you’ve previously installed a device certificate for another Palo Alto Networks product already have a device certificate and don’t require a new one.
      Check the following questions and answers to determine when to generate and install a device certificate on a firewall.
      Do firewalls already have a device certificate?
      Do firewalls already have a logging service certificate?
      Are firewalls managed by Panorama?
      What to do?
      Yes
      N/A
      N/A
      Skip this step.
      No
      N/A
      Yes
      Enter the Panorama serial number, generate an OTP in the Customer Support Portal, and enter it in Panorama to generate a device certificate.
      No
      N/A
      No
      Generate an OTP in the Customer Support Portal and install a device certificate on the firewall.
    • Firewalls with PAN-OS 10.0
      Skip this step if your firewalls run PAN-OS 10.0 and already have device and logging service certificates installed. Any firewalls on which you’ve previously installed a device certificate and logging service certificate for another Palo Alto Networks product already have these certificates and don’t require new ones. You can check if your firewall has valid certificates in the General Information section on the Dashboard page in the PAN-OS web user interface.
      Check the following questions and answers to determine when to generate and install a device and logging service certificate on a firewall.
      Do firewalls already have a device certificate?
      Do firewalls already have a logging service certificate?
      Are firewalls managed by Panorama?
      What to do?
      Yes
      Yes
      N/A
      Skip this step.
      Yes
      No
      Yes
      Enter the Panorama serial number, copy the OTP, and enter it when installing the Cloud Services plugin on Panorama.
      Yes
      No
      No
      Copy the preshared key and paste it in a PAN-OS firewall to generate a logging service certificate.
      No
      Yes
      Yes
      Enter the Panorama serial number and use Panorama to generate and install a device certificate on one or more firewalls.
      No
      Yes
      No
      Generate an OTP in the Customer Support Portal and install a device certificate on the firewall.
      No
      No
      Yes
      Copy the OTP, and enter it when installing the Cloud Services plugin on Panorama. When Panorama pushes a configuration requiring logging services and
      IoT Security
      to a firewall that doesn’t have a logging service and device certificate, the firewall responds to Panorama by requesting the certificates.
      No
      No
      No
      Generate an OTP in the Customer Support Portal and install a device certificate on the firewall.
      Copy the preshared key and paste it in a PAN-OS firewall to generate a logging service certificate.
    • Panorama-managed Firewalls Running PAN-OS 8.1 – 9.1
      Skip this step if your firewalls are managed by Panorama, run PAN-OS 8.1-9.1, and already have a logging service certificate installed. Any firewalls on which you’ve previously installed a logging service certificate for another Palo Alto Networks product don’t require a new one. You can check if your firewall has a valid certificate in the General Information section on the Dashboard page in the PAN-OS web user interface.
      Check the following questions and answers to determine when to generate and install a logging service certificate on a firewall.
      Do firewalls already have a device certificate?
      Do firewalls already have a logging service certificate?
      Are firewalls managed by Panorama?
      What to do?
      N/A
      Yes
      Yes
      Skip this step.
      N/A
      Yes
      No
      Skip this step if the firewalls are running PAN-OS 9.0.3-9.1 with or without Panorama management.
      Panorama is required for firewalls running PAN-OS 8.1–9.0.2 to get a logging service certificate. If you aren’t using Panorama to manage firewalls with these PAN-OS versions, then your firewalls cannot send logs to the logging service to support
      IoT Security
      .
      N/A
      No
      Yes
      Copy the OTP, and enter it when installing the Cloud services plugin on Panorama. When Panorama pushes a configuration requiring logging services to a firewall that doesn’t have a logging service certificate, the firewall responds to Panorama by requesting it.
      N/A
      No
      No
      Firewalls running PAN-OS 8.1–9.0.2 require Panorama management to get a logging service certificate; they cannot support
      IoT Security
      without Panorama. For firewalls running PAN-OS 9.0.3-9.1 without Panorama management, copy the preshared key and paste it in a PAN-OS firewall to generate a logging service certificate.
    For information about the sites that next-generation firewalls contact to authenticate certificates when communicating with
    IoT Security
    , see IoT Security Integration with Next-generation Firewalls.
    1. Log in to the
      IoT Security
      portal as a user with owner privileges. To be able to generate OTPs and PSKs, your user account must have been created in the Customer Support Portal (CSP) and assigned a superuser role in the relevant tenant service group (TSG) in Identity & Access. A superuser role in the hub provides owner privileges in
      IoT Security
      .
    2. Select
      Administration
      Firewalls
      Certificate Generation
      .
    3. If you manage your firewalls with Panorama, choose
      Yes
      and enter its serial number. This will link your Panorama management server with the applications in this TSG. You can find the Panorama serial number in your Customer Service Portal account in
      Assets
      Devices
      . After you choose
      Yes
      and enter your Panorama serial number,
      IoT Security
      displays the materials you need to get the certificate or certificates that firewalls need to secure their connections with
      IoT Security
      and the logging service.
      To get a device certificate, click the link to the Customer Support Portal, log in to your account, and then follow the instructions below. To generate a logging service certificate, copy the OTP or PSK and follow the instructions below.
      If you don’t use Panorama, choose
      No
      . Because an OTP for a logging service certificate applies only to Panorama, it isn’t shown.
      Consider the following points when deciding which certificates you need and how to generate them:
      Device Certificate
      : From PAN-OS 10.0, firewalls require a device certificate to authenticate with
      IoT Security
      and, from PAN-OS 10.1, to also authenticate with the logging service. To generate and install a device certificate on firewalls directly and through Panorama:
      • Generate and install a device certificate on each firewall.
      • Use Panorama to generate and install a device certificate on one or more firewalls.
        When a device certificate is installed on a firewall so it can authenticate itself to the logging service and
        IoT Security
        , the firewall cannot decrypt encrypted traffic to inspect it and enforce policy rules on it. Therefore, don't try to use decryption policy rules on firewalls that have a device certificate installed on them.
      Logging Service Certificate – One-Time Password
      : An OTP is necessary for Panorama to verify itself with its logging service instance and obtain logging service certificates for Panorama-managed firewalls running PAN-OS 8.1-10.0. A logging service certificate authenticates firewalls with the logging service.
      1. Regenerate the OTP if necessary and copy it.
      2. Log in to the Panorama web interface as an admin user. and select
        Panorama
        Setup
        Management
        Device Certificate
        and
        Get certificate
        .
      3. Paste the OTP and then click
        OK
        .
      Logging Service Certificate – Pre-Shared Key
      : A PSK is necessary to generate a logging service certificate on firewalls without Panorama management running PAN-OS 9.0.3-10.0.x. A logging service certificate authenticates firewalls with the logging service. To generate a logging service certificate:
      1. Regenerate the PSK if necessary and copy it.
      2. Log in to your PAN-OS 9.0.3-10.0.x firewall and select
        Device
        Setup
        Management
        .
      3. In the
        Cortex Data Lake
        section, click
        Connect
        next to Onboard without Panorama.
        This opens the Onboard without Panorama dialog box.
      4. Paste the PSK and
        Connect
        .
        The firewall first connects to the Customer Support Portal, submits the PSK, and downloads a logging service certificate. It then uses the certificate to authenticate itself and connect securely to the logging service.
      5. Click the
        Edit
        icon (gear) for
        Cortex Data Lake
        . Select
        Enable
        Cortex Data Lake
        and
        Enable Enhanced Application Logging
        .
        or
        If you have an
        IoT Security
        –Doesn’t Require Data Lake license, select
        Enable Duplicate Logging (Cloud and On-Premises)
        and
        Enable Enhanced Application Logging
        .
      6. Choose the region where the logging service will ingest logs from your firewalls.
        For PA-7000 and PA-5200 models, enter the number of connections for sending logs from the firewall to the logging service. The range is 1-20 and the default is 5.
      7. When done, click
        OK
        .
        The term “
        Cortex Data Lake
        ” is a bit of a misnomer. The firewall forwards logs to the logging service, which only streams them to
        Cortex Data Lake
        if you’re using it for data retention. An
        IoT Security
        , Doesn’t Require Data Lake subscription doesn’t use
        Cortex Data Lake
        at all, but it still requires that this setting be enabled.
  3. Make sure your firewall is set up to apply policy to DHCP traffic between DHCP clients and their DHCP server and to log their traffic.
    For detailed instructions about setting up firewalls to capture and log DHCP traffic, see Firewall Deployment for Device Visibility.
    If the firewall is running a PAN-OS 10.0 release or later with a DHCP server on one of its interfaces, enable
    DHCP Broadcast Session
    on
    Device
    Setup
    Session
    . This setting is supported on all firewalls running PAN-OS 10.1.10 or later, PAN-OS 10.2.4 or later, and PAN-OS 11.0.1 or later. (For more information, see Firewall Deployment Options for IoT Security.)
    In addition to detecting devices with dynamically assigned IP addresses,
    IoT Security
    also discovers and identifies devices with static IP addresses. To learn about the multiple methods
    IoT Security
    uses to do this and how you can assist, see Devices with Static IP Addresses.
  4. To forward logs to the logging service, click
    Objects
    Log Forwarding
    and then click
    Add
    .
    Configure a log forwarding profile on the firewall to send enhanced application logs to the logging service so the
    IoT Security
    app can ingest network traffic data. Optionally, instead of adding a new profile, you can edit an existing one.
  5. In the Log Forwarding Profile, enter a name such as Log-Forwarding, click
    Enable enhanced application logging to
    Cortex Data Lake
    (including traffic and url logs)
    , and then click
    OK
    .
    Enhanced application logging was introduced in PAN-OS 8.1.
    A list of enhanced application Logs automatically populates the page and forwards all logs per type to the logging service. Selecting
    Enable enhanced application logging to
    Cortex Data Lake
    (including traffic and url logs)
    enables the firewall to capture packet payload data (EALs) in addition to session metadata (regular logs) for these different log types. When this log forwarding profile is attached to a Security policy rule to control traffic, the firewall forwards both types of data to the logging service. You cannot delete any of these logs from the profile nor modify any of the filters in the Filter column, which are the default "All Logs" filter.
    The following describes each log type, explains if
    IoT Security
    uses it, and what its purpose is:
    • traffic
      – Traffic logs contain entries for the end of each network session and, optionally, the start of a network session.
      IoT Security
      uses traffic logs to identify devices, generate policy rule recommendations, risk assessment, device behavior anomaly detection, correlate sessions, and raise security alerts.
    • threat
      – Threat logs contain entries for when network traffic matches one of the security profiles attached to a next-generation firewall Security policy rule.
      IoT Security
      uses threat logs to assess risks, detect vulnerabilities, raise security alerts, and generate policy rule recommendations.
    • wildfire
      – WildFire® logs contain entries for when WildFire security profiles are attached to a Security policy rule and files are traversing the network. IoT security uses WildFire logs to detect IoT-specific file-based attacks, raise security alerts, and generate policy rule recommendations.
    • url
      – URL logs are written whenever network traffic matches a URL filtering profile attached to a Security policy rule.
      IoT Security
      does not currently use URL filtering logs.
    • data
      – Data logs can represent either a successful file data transfer or an attempted file transfer that was blocked by the firewall.
      IoT Security
      does not currently use data logs.
    • gtp
      (
      When GTP is enabled
      ) – GTP logs are written whenever a firewall is processing traffic from 3G, 4G, and 5G cellular devices.
      IoT Security
      uses the metadata from this traffic to identify cellular devices and their network behaviors. If such traffic isn't on the network, firewalls don't generate GTP logs, and you can safely ignore the red icon that appears in the Status column for it on
      Administration
      Firewalls
      in the
      IoT Security
      portal.
    • sctp
      (
      When SCTP is enabled
      ) – SCTP logs are written whenever a firewall is processing Stream Control Transmission Protocol traffic.
      IoT Security
      does not currently use SCTP logs.
    • tunnel
      – Tunnel logs are written whenever a firewall is processing Generic Routing Encapsulation (GRE) or null encryption IPsec traffic. They contain metadata about the traffic inside these types of tunnels.
      IoT Security
      does not currently use tunnel logs.
    • auth
      – Auth logs contain information about authentication events seen by the firewall. These occur when users access network resources which are controlled by authentication policy rules.
      IoT Security
      does not currently use auth logs.
    • decryption
      – Although
      IoT Security
      uses decrypted SSL data to improve device identification, risk assessment, and threat detections, it doesn’t use decryption logs, which are helpful when troubleshooting issues with decryption.
    If you name the log forwarding profile “default” (all lowercase), the firewall will automatically apply it to new Security policy rules when they’re created—or when they’re imported from . Doing this will save you time and effort when importing Security policy rule recommendations from
    IoT Security
    . Because imported rule recommendations don’t include a log forwarding profile, you have to add one manually to each rule after you import it. However, by naming the profile “default”, you can avoid this step. (Note that the “default” log forwarding profile will be applied when adding new Security policy rules, but it won’t be retroactively applied to existing rules.)
  6. Enable log forwarding on Security policy rules.
    On Security policy rules that apply to traffic whose data you want to collect, enable log forwarding and choose the log forwarding profile you just created to send enhanced application logs for this traffic to the logging service. For information, see Configure Policies for Log Forwarding.
  7. Enable Device-ID in each zone where you want to use it to detect devices and enforce your Security policy rules.
    For detailed configuration instructions, see Configure Device-ID in the PAN-OS Administrator’s Guide.
  8. (
    Optional
    ) Create service routes.
    By default, firewall uses its Management interface to send data logs to the logging service, get recommended policy rule sets and IP address-to-device mappings from
    IoT Security
    , and download device dictionary files from the update server. When a firewall uses its Management interface for all this, a service route and a Security policy rule are not needed.
    However, when a firewall accesses the logging service,
    IoT Security
    , and update server through a data interface, then you must add a service route identifying the source data interface, source interface IP address, and service type. In addition, you must add an interzone Security policy rule permitting Data Services from 127.168.0.0/16 to the destination zone where the logging service,
    IoT Security
    , and update server are.
    When a firewall generates traffic that it sends through a data interface, it uses an IP address in the 127.168.0.0/16 subnet as its internal source and then translates it to the IP address of the source interface. Because Security policy rules are applied to the original source IP address before NAT, the source IP address must be 127.168.0.0/16 instead of the IP address of the source interface.
    1. If necessary, configure the data interface you want to use as the source interface for required
      IoT Security
      communications.
    2. Select
      Device
      Setup
      Services
      Service Route Configuration
      and then select
      Customize
      .
    3. On the IPv4 tab, select
      Data Services
      and then choose the data interface you want to use as the Source Interface.
      Its IP address autofills the Source Address field. This service route is for forwarding enhanced application logs (EALs) to the logging service.
      Device-ID and
      IoT Security
      do not support IPv6.
    4. Click
      OK
      .
    5. Click
      IoT
      , choose the same data interface as the Source Interface, and then click
      OK
      .
      This service route is for pulling IP address-to-device mappings and policy recommendations from
      IoT Security
      .
    6. Click
      Palo Alto Networks Services
      , choose the same data interface, and then click
      OK
      .
      This service route is for forwarding other logs besides EALs to the logging service and for pulling device dictionary files from the update server.
    7. Click
      OK
      to save your configuration changes.
  9. (
    Optional
    ) If you created service routes in the previous step, add Security policy rules permitting services required for the firewall to use
    IoT Security
    .
    1. Select
      Policies
      Security
      + Add
      .
    2. On the General tab, enter a name for the Security policy rule and choose
      interzone
      as the Rule Type.
    3. On the Source tab, select
      Any
      as the source zone and then
      Add 127.168.0.0/16
      as the source address.
    4. On the Destination tab,
      Add
      the destination zone with
      IoT Security
      , and
      Add
      the edge services FQDN for your region as the destination address.
    5. On the Application tab,
      Add paloalto-iot-security
      .
      The firewall uses this application to pull IP address-to-device mappings and policy recommendations from
      IoT Security
      .
    6. On the Actions tab, choose
      Allow
      and then click
      OK
      .
    7. If you have an intranet policy rule that allows all intranet traffic in the zone where the logging service and update server are, you can use that rule to allow the firewall to forward logs to the logging service and pull dictionary files from the update server.
      Otherwise, create an intranet policy rule that allows the firewall to send these three applications to the logging service and update server from the IP address of the firewall interface in the same zone:
      paloalto-shared-services
      to forward EALs and session logs to the logging service
      paloalto-logging-service
      to forward other logs besides EALs to the logging service
      paloalto-updates
      to pull device dictionary files from the update server
  10. Commit
    your configuration changes.
    After the configuration is committed, the firewall begins generating logs and forwarding them to the logging service. You can use the Explore app in the hub to see the progress of log forwarding between the firewall and the logging service.

Recommended For You