Advanced Device-ID Overview
Learn about Advanced Device-ID and how it helps manage your network security.
Advanced Device-ID introduces a powerful new capability for Device Security
device management and Security policy enforcement in Palo Alto Networks
Next-Generation Firewall. With Advanced Device-ID, you can create flexible,
customizable device identification rules that provide more granular control without the
limitations of legacy Device-ID objects. To enable Advanced Device-ID,
you need an active Device Security subscription on a firewall running
PAN-OS 12.1.
The Advanced Device-ID feature addresses several key use cases that are
challenging to implement with legacy Device-ID:
- Grouping multiple device categories under a single identifier, particularly
  within medical or Industrial OT settings.
- Creating policy rules based on complex criteria, such as all end-of-life
  operating systems.
This feature enhances policy recommendation workflows, generating behaviors for both
system default and custom Advanced Device-ID objects. It also improves visibility
by adding Advanced Device-ID information to asset inventory views and Traffic logs.
Advanced Device-ID configurations are centrally managed in Device Security,
providing a unified location for defining complex device matching criteria. Users can
create Advanced Device-ID objects using a combination of over 20 device attributes,
including legacy Device-ID attributes, such as category, profile, vendor,
model, and OS version. The matching rules support nested conditional logic, enabling
precise device identification based on multiple criteria.
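To make the nested matching concrete, here is an added illustration (not Palo Alto Networks code, and not the actual Device Security rule format) of how an evaluator for rules like the two use cases above can be structured. The rule schema, attribute names, UUID placeholders and device records are all constructed assumptions.

```python
# Added example, not Palo Alto Networks code: a minimal evaluator for nested
# all/any/not match rules over device attributes. Rule schema, attribute names
# and sample records are assumptions for illustration only.
from typing import Any

# Constructed device context records (the page calls these IoT verdicts).
DEVICES = [
    {"id": "dev-1", "category": "Infusion Pump", "profile": "Medical",
     "vendor": "ExampleMed", "model": "IP-200", "os": "Windows", "os_version": "7"},
    {"id": "dev-2", "category": "PLC", "profile": "Industrial OT",
     "vendor": "ExampleOT", "model": "P-10", "os": "VxWorks", "os_version": "6.9"},
    {"id": "dev-3", "category": "Laptop", "profile": "IT",
     "vendor": "ExampleCorp", "model": "L1", "os": "Windows", "os_version": "11"},
]

# Assumed rule schema: {"all": [...]}, {"any": [...]}, {"not": rule},
# or a leaf {"attr": <name>, "op": "eq" | "in", "value": ...}.
def matches(rule: dict[str, Any], device: dict[str, Any]) -> bool:
    if "all" in rule:
        return all(matches(r, device) for r in rule["all"])
    if "any" in rule:
        return any(matches(r, device) for r in rule["any"])
    if "not" in rule:
        return not matches(rule["not"], device)
    actual = device.get(rule["attr"])
    if actual is None:  # attribute missing from the verdict: fail closed, no match
        return False
    op, value = rule["op"], rule["value"]
    if op == "eq":
        return actual == value
    if op == "in":
        return actual in value
    raise ValueError(f"unsupported operator: {op}")

# Constructed Advanced Device-ID objects: placeholder UUID, name and rule.
ADV_DEVICE_IDS = [
    {"uuid": "00000000-0000-0000-0000-000000000001", "name": "clinical-and-ot",
     "rule": {"any": [{"attr": "profile", "op": "eq", "value": "Medical"},
                      {"attr": "profile", "op": "eq", "value": "Industrial OT"}]}},
    {"uuid": "00000000-0000-0000-0000-000000000002", "name": "eol-windows",
     "rule": {"all": [{"attr": "os", "op": "eq", "value": "Windows"},
                      {"attr": "os_version", "op": "in", "value": ["XP", "7", "8", "8.1"]}]}},
]

def classify(device: dict[str, Any]) -> list[str]:
    """Return the names of every Advanced Device-ID object whose rule matches."""
    return [obj["name"] for obj in ADV_DEVICE_IDS if matches(obj["rule"], device)]
```

A device can match several objects at once, so a policy that references Advanced Device-ID objects should be reviewed for overlap just as overlapping legacy Device-ID objects would be.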
Once created, an Advanced Device-ID synchronizes to PAN-OS firewalls
through the PAN-OS Edge Service. The firewall receives a list of
Advanced Device-ID definitions, including UUIDs, names, and descriptions.
Additionally, the Device Security IoT Device Context, also known as IoT verdicts, now
includes Advanced Device-ID attributes for each device, enabling more
granular policy enforcement.
PAN-OS provides flexible enforcement options, letting administrators
choose to use legacy Device-ID objects, Advanced Device-ID objects, or a
hybrid mode supporting both. This flexibility ensures backward compatibility while
enabling the adoption of the new Advanced Device-ID capabilities.
By implementing Advanced Device-ID, you can create more precise and efficient
Security policy rules, reduce administrative overhead for monitoring network traffic,
and improve your overall security posture for assets on your networks. The
centralized management and flexible matching criteria enable security teams to adapt
quickly to new assets and evolving requirements in modern, complex network environments.