IoT Security Integration with Next-generation Firewalls

IoT Security integrates with the logging service and next-generation firewalls using Device-ID. The IoT Security solution involves the integration of three key architectural components to process network data:
  • Palo Alto Networks next-generation firewalls collect device data and send it to the logging service.
  • The logging service uses a cloud-based log-forwarding process to direct the logs from firewalls to destinations like IoT Security and Cortex Data Lake. Depending on the type of IoT Security subscription you have, the logging service either streams metadata to your IoT Security account and Cortex Data Lake instance or just to your IoT Security account.
  • IoT Security is an app that runs on a cloud-based platform in which machine learning, artificial intelligence, and threat intelligence are used to discover, classify, and secure the IoT devices on the network. The app ingests firewall logs with network traffic data and provides Security policy recommendations and IP address-to-device mappings to the firewall for use in Security policy rules. Administrators access the dynamically enriched IoT device inventory, detected device vulnerabilities, security alerts, and recommended policy sets through the IoT Security portal.
The IoT Security app integrates with next-generation firewalls through Device-ID, which is a construct that uses device identity as a means to apply policy. The integration uses three mechanisms.
  • Device dictionary – This is an XML file that IoT Security generates and makes available for Panorama and firewalls to import. The dictionary file provides the Panorama and firewall administrator with a list of device attributes for selection when importing recommended Security policy rules from IoT Security and when creating rules themselves. These attributes are profile, category, vendor, model, OS family, and OS version and are for both IoT and traditional IT devices. Although it’s not possible to download a device dictionary file, you can see the release notes summarizing the new content added to a file that your firewall has imported. To do this, log in to the PAN-OS web portal, select Device > Dynamic Updates, and then click Release Notes for the device dictionary file you want to learn about.
  • Policy rule recommendations – After an IoT Security administrator creates a set of Security policy rules based on traffic from IoT devices in the same device profile, a firewall administrator can import them as recommendations for use in its policy set.
  • IP address-to-device mappings – These mappings tell firewalls which attributes a device with a particular IP address has. When traffic to or from that IP address reaches a firewall, it checks if one of its attributes matches a policy and, if so, the firewall applies the policy. IoT Security sends IP address-to-device mappings to firewalls for both IoT and IT devices if the confidence score for device identities is high (90-100%) and they’ve sent or received traffic within the past hour.
The goal of Device-ID is to leverage the intelligence of IoT Security to enforce firewall policy on IoT devices.

Device-ID

PAN-OS 10.0 introduces a new concept for policy enforcement: Device-ID. Device-ID is a way to enforce policy rules based on device attributes. IoT Security provides the firewall with a device dictionary file containing a list of device attributes such as profiles, categories, vendors, and models. For each attribute in the dictionary file, it lists a set of entries. For example, three entries for the profile attribute might be Advidia Camera, BK Medical UltraSound Machine, and Carefusion Infusion Pump Base Station.
When configuring a Security policy rule, firewall administrators have the option to select device attributes from the device dictionary. If they select profile, they can choose one of the profile entries: Polycom IP Phone, for example. The policy rule then applies to all devices that match this profile. But how does the firewall know what the profile is for a device? It knows this from the IP address-to-device mappings that IoT Security also gives the firewall. These mappings identify attributes for each device. When traffic from an IP address that’s mapped to a device attribute specified in the policy rule reaches the firewall, the policy rule lookup will find a match with this rule and apply whatever action it enforces.
A firewall downloads a device dictionary file from the update server. The dictionary file populates entries in all the Device-ID attribute lists for profile, category, vendor, and so on. These attribute entries are then available for use as policy rule configuration elements. The firewall administrator next configures a firewall policy rule using the profile attribute “Polycom IP Phone”. After a Polycom Trio 8800 device joins the network and IoT Security identifies it, IoT Security provides the firewall with an IP address-to-device mapping for it. The two key elements in the mapping for this example are its device profile (Polycom IP Phone) and its IP address (10.1.2.3). When traffic from the Polycom Trio 8800 device at 10.1.2.3 reaches the firewall, it does a Device-ID policy rule lookup, finds that the profile for the device at this IP address matches one specified in a policy rule, and then applies the rule.
If a firewall becomes disconnected from IoT Security, the firewall retains its IP address-to-device mappings and continues enforcing Device-ID policy rules with them until the connection is re-established.
Every next-generation firewall model has the same maximum of 1000 unique Device-ID objects.
The maximum of 1000 Device-ID objects is not the same as that for IP address-to-device mappings. The maximum number of IP address-to-device mappings varies based on firewall model and is the same as the User-ID maximums listed in the + Show More sections for each firewall model on the Product Selection page.
More information about the Device-ID feature is in the PAN-OS Administrator’s Guide.
Device Dictionary
The device dictionary is an XML file for firewalls to use in Security policy rules. It contains entries for the following device attributes: profile, category, vendor, model, OS family, and OS version. These entries come from devices across all IoT Security tenants and are completely refreshed on a regular basis and posted as a new file on the update server. If there are any changes to a dictionary entry, a revised file will be posted on the update server so that Panorama and firewalls will automatically download and install it the next time they check the update server, which they do automatically every two hours.
IP Address-to-device Mappings
After IoT Security identifies a device, it bundles the following set of identifying characteristics about it:
  • IP address
  • MAC address
  • Hostname
  • Device type
  • Device category
  • Device profile
  • Vendor
  • Model
  • OS family
  • OS version
  • Risk score
  • Risk level
Firewalls poll IoT Security for these IP address-to-device mappings for use in policy enforcement. A firewall polls for new or modified mappings every second, and IoT Security returns mappings that it has identified with high confidence (a confidence score of 90-100%) for devices that were active within the last hour. For each IP address-to-device mapping that a firewall receives, the firewall generates an entry in its host information profile (HIP) Match log.
If IoT Security discovers duplicate IP address-to-device mappings—that is, there are two IP addresses mapped to the same device MAC address—it resolves it to the MAC address with the latest network activity.
There is no time limit for how long a firewall retains IP address-to-device mappings. It only begins deleting them when its cache fills up, starting with the oldest first.
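To make the mapping rules in this section and the Device-ID policy lookup described in the Device-ID section concrete, here is an added Python simulation (example code written for this page, not PAN-OS or IoT Security code): it applies the 90% confidence and one-hour activity filters, resolves two IP addresses for one MAC to the mapping with the latest activity, models the firewall-side cache that never ages entries out but evicts the oldest when full, and performs the profile-based rule lookup. The field names, sample devices, addresses, and rule action are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

CONFIDENCE_MIN = 90                 # page: only 90-100% confidence mappings are sent
ACTIVE_WINDOW = timedelta(hours=1)  # page: device must have been active within the past hour

def eligible_mappings(mappings, now):
    # Filter as IoT Security does before sending; two IPs for one MAC resolve to the latest activity.
    by_mac = {}
    for m in mappings:
        if m["confidence"] < CONFIDENCE_MIN or now - m["last_seen"] > ACTIVE_WINDOW:
            continue
        best = by_mac.get(m["mac"])
        if best is None or m["last_seen"] > best["last_seen"]:
            by_mac[m["mac"]] = m
    return {m["ip"]: m for m in by_mac.values()}

class MappingCache:
    """Firewall-side cache: entries never age out; when full, the oldest is evicted first."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, {}   # dict keeps insertion order (oldest first)
    def add(self, m):
        if m["ip"] in self.entries:
            del self.entries[m["ip"]]                   # modified mapping re-enters as newest
        elif len(self.entries) >= self.capacity:
            del self.entries[next(iter(self.entries))]  # cache full: evict the oldest entry
        self.entries[m["ip"]] = m

def device_id_lookup(cache, rules, ip):
    # Action of the first rule whose device attribute matches the device mapped to ip, else None.
    dev = cache.entries.get(ip, {})
    return next((r["action"] for r in rules if dev.get(r["attribute"]) == r["value"]), None)

def demo():
    now = datetime(2023, 8, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    def m(ip, mac, profile, conf, age):  # constructed sample mappings, not real IoT Security output
        return {"ip": ip, "mac": mac, "profile": profile, "confidence": conf, "last_seen": now - age}
    raw = [
        m("10.1.2.3", "00:11:22:33:44:55", "Polycom IP Phone", 97, timedelta(minutes=5)),
        m("10.1.2.9", "00:11:22:33:44:55", "Polycom IP Phone", 97, timedelta(minutes=40)),  # older duplicate of same MAC
        m("10.1.2.50", "aa:bb:cc:dd:ee:ff", "Advidia Camera", 72, timedelta(minutes=1)),    # confidence below 90
        m("10.1.2.60", "aa:bb:cc:dd:ee:01", "Advidia Camera", 95, timedelta(hours=3)),      # inactive for over an hour
        m("10.1.2.70", "aa:bb:cc:dd:ee:02", "Advidia Camera", 99, timedelta(minutes=2)),
    ]
    cache = MappingCache(capacity=2)
    for entry in eligible_mappings(raw, now).values():
        cache.add(entry)
    rules = [{"attribute": "profile", "value": "Polycom IP Phone", "action": "allow-voip"}]  # hypothetical rule
    return sorted(cache.entries), device_id_lookup(cache, rules, "10.1.2.3"), device_id_lookup(cache, rules, "10.1.2.70")
```

Only the two mappings that pass both filters reach the cache; the camera at 10.1.2.70 is cached but matches no rule, so the lookup returns None and the firewall would fall through to rules without Device-ID criteria.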
Policy Rule Recommendations
You can generate Security policy rule recommendations based on the normal, acceptable network behaviors of the IoT devices in the same device profile and manually import them into firewalls for enforcement. PAN-OS 8.1 and later supports the importing of IoT Security policy rule recommendations.
For Panorama-managed firewalls that have an IoT Security subscription requiring Cortex Data Lake – Panorama can only import policy rule recommendations if it was used to onboard its managed firewalls to Cortex Data Lake.
Firewall and Panorama Communications Related to IoT Security
IoT Security communications from firewalls without Panorama management:
  • Firewalls download device dictionary files from the update server at updates.paloaltonetworks.com on TCP port 443.
  • Firewalls forward logs to the logging service on TCP ports 443 (for Enhanced Application logs) and 3978 (for all other firewall logs).
    For details about the ports and FQDNs required for next-generation firewalls to communicate with the logging service, see Cortex Data Lake.
  • Firewalls retrieve IP address-to-device mappings and policy recommendations from IoT Security on TCP port 443. Depending on their region, they use one of the following edge services URLs:
    • United States: iot.services-edge.paloaltonetworks.com
    • Canada: ca.iot.services-edge.paloaltonetworks.com
    • EU: eu.iot.services-edge.paloaltonetworks.com
    • Switzerland: ch.iot.services-edge.paloaltonetworks.com
    • United Kingdom: uk.iot.services-edge.paloaltonetworks.com
    • APAC: apac.iot.services-edge.paloaltonetworks.com
    • Japan: jp.iot.services-edge.paloaltonetworks.com
    • Australia: au.iot.services-edge.paloaltonetworks.com
    The following table summarizes the relationship of different data lake regions/ingestion regions with IoT Security application regions:

    Data Lake Region/Ingestion Region    IoT Security Application Region
    Americas
      Canada                             Canada, United States*
      United States                      United States
      FedRAMP                            FedRAMP
    European Union
      France                             Germany
      Germany                            Germany
      Italy                              Germany
      Netherlands                        Germany
      Poland                             Germany
      Spain                              Germany
      Switzerland                        Switzerland, Germany*
      United Kingdom                     United Kingdom, Germany*
    Asia-Pacific
      Australia                          Australia, Singapore*
      India                              Singapore
      Indonesia                          Singapore
      Japan                              Japan
      Singapore                          Singapore

    *Switzerland and the United Kingdom were added as IoT Security application regions on 7/31/2023. When onboarding IoT Security after this date to existing firewall deployments established before it, the firewalls continue to use Germany as the IoT Security application region. When onboarding IoT Security to new deployments in Switzerland or the United Kingdom established after 7/31/2023, the firewalls will use the local IoT Security application region for each country.
    A similar situation exists in Canada, which continues to use United States – Americas as the IoT Security application region for deployments existing before 1/25/2023 and Canada for new deployments after this date. Likewise, deployments existing before 10/25/2022 in Australia still use the IoT Security application in Singapore while new deployments after this date use Australia.
  • During the certificate exchange between a firewall and the edge server in front of the IoT Security cloud, they verify each other’s certificates. The firewall validates the certificate it receives by checking these sites:
    • o.lencr.org
    • c.lencr.org
    Communications to these sites occur over HTTP on TCP port 80.
IoT Security communications from Panorama:
  • A Panorama management server imports policy recommendations from IoT Security through the same URLs listed above that firewalls use. When validating the certificate the edge server presents, Panorama checks the same sites listed above that firewalls check.
    Firewalls under Panorama management still contact IoT Security through regional edge services URLs for IP address-to-device mappings, they still download device dictionaries from the update server, and they still forward logs to the logging service.
  • A Panorama management server sends queries for logs to the logging service on TCP port 444.