Device Security Solution Setup

Set up the multiple components that constitute the Device Security solution.
Where Can I Use This?
  • From email activation link
  • NGFW (Managed by PAN-OS or Panorama)
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
The following is an overview of the main steps involved in setting up the Device Security solution with particular focus on the following three components:
  • Palo Alto Networks Next-Generation Firewalls with or without Panorama management
  • Logging service with or without a Strata Logging Service instance
  • Device Security application
The solution also makes use of the update server for device dictionary file updates and the Customer Support Portal and hub for Device Security user management. Optionally, Device Security integrates with Prisma Access and SD-WAN and, through XSOAR, with third-party products.
Learn about the main steps involved in the Device Security solution setup:

1 - Check Firewall Support and Prerequisites

Most current Palo Alto Networks firewall models support Device Security with a few exceptions.
Although Device Security is a cloud application and is always running its latest software version, make sure the firewall models and PAN-OS versions on them support the level of functionality you want.
In addition, there are several prerequisites. For example, each firewall that integrates with Device Security must have a Device Security subscription, or be associated with a tenant that has an active Device Security X subscription license. Not all firewalls on your network must subscribe to Device Security; only those that collect network traffic and forward logs to it, and those that receive policy rule recommendations and IP address-to-device mappings from it, need a subscription.
Detailed Instructions

2 - Onboard Device Security

Device Security onboarding starts from an Activate link in an email from Palo Alto Networks. (If you have an Enterprise License Agreement, it starts either in the Customer Support Portal or in the hub.) During onboarding, do the following, depending on what you’re activating:
  • Create a Device Security tenant
  • (Device Security Subscription) Activate a new Strata Logging Service instance or associate an existing one with your Device Security tenant
    or
    (Device Security Subscription - Doesn’t Require Data Lake) Specify the data ingestion region
  • Subscribe firewalls to Device Security services
  • Optionally activate a third-party integrations add-on
Detailed Instructions

3 - Prepare Firewalls

For Device Security to discover network-connected devices and assess their network behavior patterns, it needs quality network metadata from next-generation firewalls. Therefore, it’s essential that firewalls are placed on the network and configured to collect metadata from traffic and forward it for Device Security to access. In particular, DHCP traffic is important because it links dynamically assigned IP addresses to device MAC addresses, making them trackable over time.
Firewalls must also provide Device Security with metadata for other types of traffic that devices generate. They do this by enforcing policy rules on network traffic, creating logs, and then forwarding them to Strata Logging Service, which then streams the metadata to Device Security.
Detailed Instructions

4 - Install Certificates and Licenses

Strata Logging Service and device licenses permit next-generation firewalls to connect to Strata Logging Service and Device Security. Strata Logging Service and device certificates authenticate these connections. Firewalls need these licenses and certificates to integrate with Device Security.
Firewalls use a device certificate to secure connections to both Strata Logging Service and Device Security. The firewall needs to secure communications with Strata Logging Service so it can forward various logs to it. The firewall also needs to secure communications with Device Security to get IP address-to-device mappings and recommended policy rules. (Note: Panorama-managed firewalls can get recommended policy rules either directly from Device Security or indirectly through Panorama.) Panorama also uses a device certificate to secure communications with Device Security.
Detailed Instructions

5 - Configure Logging

Configure Security policy rules on firewalls to log traffic and forward the logs to Strata Logging Service, where Device Security accesses them. The more network traffic metadata Device Security has for analysis, the more quickly and confidently it identifies devices and establishes a baseline of their normal network behaviors. This results in broader application of Security policy rules based on Device-ID (Device Security sends firewalls IP address-to-device mappings only when it has high confidence in the device identities and the devices have sent or received traffic within the past hour), and in broader and deeper insight into device risk and into real and potential security threats.
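Steps 3 and 5 both depend on the same property of the firewall configuration: every Security rule that carries device traffic, and especially any rule that permits DHCP, must log at session end and name a log forwarding profile, otherwise Device Security never sees that traffic. The following audit script is an added example, not Palo Alto Networks code or documentation. It assumes the PAN-OS running-config XML layout for Security rules (rulebase/security/rules/entry with log-start, log-end, log-setting and application/member children); the sample configuration and the profile name to-strata-logging-service are constructed for the example, and a missing log-end element is flagged as unverified rather than assumed to take the platform default.

```python
"""Audit PAN-OS Security rules for logging gaps that would blind Device Security.

Added example (not Palo Alto Networks code). Assumes the PAN-OS running-config
XML layout for Security rules; the sample config below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three rules, only one of which is fully configured for
# log forwarding. The profile name is a placeholder, not a real profile.
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="allow-dhcp">
    <application><member>dhcp</member></application>
    <action>allow</action>
    <log-end>no</log-end>
   </entry>
   <entry name="allow-web">
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
    <log-end>yes</log-end>
    <log-setting>to-strata-logging-service</log-setting>
   </entry>
   <entry name="allow-dns">
    <application><member>dns</member></application>
    <action>allow</action>
    <log-end>yes</log-end>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""


def audit_logging(config_xml: str, critical_apps=("dhcp",)) -> dict:
    """Return rule names grouped by logging gap.

    no_log_end:            log-end is missing or not 'yes' (session-end logging off
                           or unverified; the default is deliberately not assumed)
    no_log_setting:        no log forwarding profile, so nothing reaches
                           Strata Logging Service even if the rule logs
    critical_app_unlogged: rule permits an app Device Security relies on
                           (DHCP by default) and has either gap above
    """
    root = ET.fromstring(config_xml)
    findings = {"no_log_end": [], "no_log_setting": [], "critical_app_unlogged": []}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        log_end = (rule.findtext("log-end") or "").strip().lower() == "yes"
        log_setting = (rule.findtext("log-setting") or "").strip()
        apps = {m.text.strip().lower() for m in rule.iterfind("application/member") if m.text}

        if not log_end:
            findings["no_log_end"].append(name)
        if not log_setting:
            findings["no_log_setting"].append(name)
        if apps & set(critical_apps) and (not log_end or not log_setting):
            findings["critical_app_unlogged"].append(name)
    return findings


if __name__ == "__main__":
    for gap, rules in audit_logging(SAMPLE_CONFIG).items():
        print(f"{gap}: {', '.join(rules) or 'none'}")
```

Run it against an exported running configuration instead of the embedded sample to list the rules whose traffic Device Security cannot analyze; the critical_app_unlogged list is the one to fix first, since without DHCP metadata the IP address-to-MAC linkage described in step 3 is lost.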
Detailed Instructions