Advanced Device-ID Overview
Learn about Advanced Device-ID and how it helps manage your network security.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
Advanced Device-ID introduces a powerful new capability for Device Security device management and Security policy enforcement in Palo Alto Networks Next-Generation Firewall. With Advanced Device-ID, you can create flexible, customizable device identification rules that provide more granular control without the limitations of legacy Device-ID objects. To enable Advanced Device-ID, you need an active Device Security subscription on a firewall running PAN-OS 12.1.
The Advanced Device-ID feature addresses several key use cases that are challenging to implement with legacy Device-ID.
  • Grouping multiple device categories under a single identifier, particularly within medical or Industrial OT settings.
  • Creating policy rules based on complex criteria, such as all end-of-life operating systems.
This feature enhances policy recommendation workflows, generating behaviors for both system default and custom Advanced Device-ID objects. It also improves visibility by adding Advanced Device-ID information to asset inventory views and Traffic logs.
Advanced Device-ID configurations are centrally managed in Device Security, providing a unified location for defining complex device matching criteria. Users can create Advanced Device-ID objects using a combination of over 20 device attributes, including legacy Device-ID attributes, such as category, profile, vendor, model, and OS version. The matching rules support nested conditional logic, enabling precise device identification based on multiple criteria.
Once created, an Advanced Device-ID synchronizes to PAN-OS firewalls through the PAN-OS Edge Service. The firewall receives a list of Advanced Device-ID definitions, including UUIDs, names, and descriptions. Additionally, the Device Security IoT Device Context, also known as the IoT verdict, now includes the Advanced Device-ID attributes for each device, enabling more granular policy enforcement.
PAN-OS provides flexible enforcement options, letting administrators choose to use legacy Device-ID objects, Advanced Device-ID objects, or a hybrid mode supporting both. This flexibility ensures backward compatibility while enabling the adoption of the new Advanced Device-ID capabilities.
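The flow described above (a nested matching rule over device attributes, the device verdict enriched with the UUIDs of every matching object, and the firewall using those UUIDs in a policy decision) as an added Python model. This is illustrative code, not Palo Alto Networks' rule format, Edge Service protocol or verdict schema; the attribute names, operators, categories and end-of-life OS list are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
import uuid

# Assumed rule grammar (not the product's own format): a leaf is
# (attribute, operator, value); a node is {"all": [...]} for AND or
# {"any": [...]} for OR, and nodes nest to any depth.
EOL_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}  # constructed list

@dataclass
class AdvancedDeviceId:
    """What the firewall receives per object: UUID, name, description."""
    name: str
    description: str
    rule: object
    object_uuid: str = field(default_factory=lambda: str(uuid.uuid4()))

def evaluate(rule, device):
    """Recursively evaluate a nested rule against one device's attributes."""
    if isinstance(rule, dict):
        if "all" in rule:
            return all(evaluate(r, device) for r in rule["all"])
        if "any" in rule:
            return any(evaluate(r, device) for r in rule["any"])
        raise ValueError(f"unknown node: {rule}")
    attr, op, value = rule
    actual = device.get(attr)  # a missing attribute never matches
    if op == "eq":
        return actual == value
    if op == "in":
        return actual in value
    raise ValueError(f"unknown operator: {op}")

# Two constructed objects mirroring the use cases listed earlier.
MEDICAL_IMAGING = AdvancedDeviceId(
    "Medical Imaging", "Several imaging categories under one identifier",
    {"any": [("category", "eq", "X-Ray Machine"),
             ("category", "eq", "Ultrasound"),
             ("category", "eq", "MRI")]})
EOL_WINDOWS = AdvancedDeviceId(
    "EOL Windows", "Windows devices running an end-of-life OS",
    {"all": [("os_family", "eq", "Windows"),
             ("os_version", "in", EOL_OS)]})

def enrich_verdict(device, objects):
    """Model the IoT verdict: attach the UUIDs of every matching object."""
    matched = [o.object_uuid for o in objects if evaluate(o.rule, device)]
    return {**device, "advanced_device_ids": matched}

def policy_action(verdict, deny_ids):
    """Firewall side: deny when any matched UUID is referenced by a deny rule."""
    return "deny" if set(verdict["advanced_device_ids"]) & deny_ids else "allow"
```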
By implementing Advanced Device-ID, you can create more precise and efficient Security policy rules, reduce administrative overhead for monitoring network traffic, and improve your overall security posture for assets on your networks. The centralized management and flexible matching criteria enable security teams to adapt quickly to new assets and evolving requirements in modern, complex network environments.