>
    Strata Copilot
    Deploy Advanced Device-ID
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Advanced Device-ID Overview
    5. Deploy Advanced Device-ID
    Download PDF
    Network Security

    Deploy Advanced Device-ID

    Table of Contents

    Deploy Advanced Device-ID

    Deploy Advanced Device-ID on your NGFW and use Advanced Device-ID in Security policy rules and policy rule recommendations.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    • (Legacy) IoT Security (Standalone portal)
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    You can define Security policy rules in PAN-OS using the Advanced Device-ID objects that you created. PAN-OS uses Advanced Device-ID to match traffic on the firewall and apply Security policy rules based on your security posture. Create Advanced Device-ID objects in Device Security, and create the Security policy rules in PAN-OS. Apply Advanced Device-ID in the Security policy rules in PAN-OS.
    Before creating Security policy rules that use Advanced Device-ID, make sure you’re familiar with what is a Security Policy, the Components of a Security Policy Rule, and how to Create a Security Policy Rule.

    Add an Advanced Device-ID Object to the Firewall

    Only PAN-OS can create a local object of an Advanced Device-ID on the firewall as part of Security policy rule configuration. You can't add local Advanced Device-ID objects to the firewall manually.
    When you create an Advanced Device-ID object in Device Security, associated firewalls automatically sync information from Device Security. All new Advanced Device-ID objects appear in PAN-OS under DevicesObjects with Locally Exists set to “No." This means that the Advanced Device-ID exists, but no Security policy rule currently uses it.
    When you create or edit a Security policy rule to apply the Advanced Device-ID, PAN-OS automatically creates a local copy of the Advanced Device-ID object. You can verify this by navigating to DevicesObjects and checking that the Locally Exists field is “Yes."

    Add an Advanced Device-ID to a Security Policy Rule

    Add an Advanced Device-ID to a Security policy rule to enforce the policy on traffic coming from devices that match the Advanced Device-ID criteria.
    1. Open the Security policy rules page.
      For PAN-OS managed by firewall, navigate to PoliciesSecurity.
      For PAN-OS managed by Panorama, navigate to PoliciesSecurityPre Rules.
    2. Select an existing policy that you want to modify, or follow the steps to Create a Security Policy Rule.
    3. Configure the following additional options under the Source tab and the Destination tab.
      When using Advanced Device-ID as part of a Security policy rule, either one or both the Source Device and the Destination Device can be an Advanced Device-ID object.
      1. Select the Source tab and Add an Advanced Device-ID under Source Device.
      2. Select the Destination tab and Add an Advanced Device-ID under Destination Device.
    4. Click OK to create the Security policy rule.
      Creating the Security policy rule also creates a local object for any Advanced Device-ID that you used in the Security policy rule. You can verify this by going to ObjectsDevices and checking that the Locally Exists field displays “Yes” for the Advanced Device-ID objects used.
    5. Commit your changes.

    Import a Policy Rule Recommendation Based on Advanced Device-ID

    Device Security provides policy rule recommendations based on outbound traffic behavior. You can view the policy rule recommendations by Advanced Device-ID and choose which recommendations to import to your rulebase.
    1. On your next-generation firewall or Panorama, select Device or PanoramaPolicy RecommendationIoTCreate Policy
    2. In the Select Device-ID drop-down, choose the Advanced Device-ID that you want to view policy rule recommendations for, and review the list of recommendations.
    3. Select the policy rule recommendations you want, and Import Policy Rule to bring up the Customize Policy pop-up.
    4. Optional In the Customize Policy pop-up, click on any policy rule recommendations for which you want to configure the destination information.
      This brings up the Customize Destination pop-up, where you can change the destination devices and destination device information. By default, the destination is set to any. When you're done, click OK to return to the Customize Policy pop-up.
    5. Import the customized policy rules to bring up the Import Policy Rule pop-up, enter the following, and click OK:
      Firewall
      Name: Enter a name to identify the new Security policy. The default name appends the Advanced Device-ID name with the timestamp.
      Optional After Rule: Choose a rule after which you want to add the imported rule or rules. The default, No Rule Selection, means the firewall imports the selected rules to the top.
      Optional Description: Add a description to help explain what this Security policy enforces.
      Panorama
      Location: Choose one or more device groups where you want to import the policy rules. You can import policy rule recommendations into firewall rulebases in multiple device groups.
      Suggested Location: If Device Security learns about zones and device groups in the logs it receives from the NGFW, it suggests device groups for various policy rules accordingly. You can choose these suggested device groups among those available in the Location list or any other device groups if you prefer.
      Name: Enter a name to identify the new Security policy. The default name appends the Advanced Device-ID name with the timestamp.
      Destination Type: Select either Pre-Rulebase to add the recommended policy rules before rules defined locally on a firewall or Post-Rulebase to add them after rules defined locally.
      Optional After Rule: Choose a rule after which you want to add the imported rule or rules. The default, No Rule Selection, means the firewall imports the selected rules to the top.
      Optional Description: Add a description to help explain what this Security policy enforces.
    6. Click OK to bring up the Confirm Change pop-up, and then click Yes to confirm importing the policy rule recommendations to the firewall, or to multiple firewalls if configuring on Panorama.
    7. When the Status pop-up appears, click OK to acknowledge that the policy was added to the rulebase.
    8. Verify that the firewall successfully imported the policy rule recommendation by navigating to PoliciesSecurityon the firewall, or to PoliciesSecurityPre Rules on Panorama. You should see the policy rule recommendation that you imported on the list.
    9. Commit your changes.

    Remove an Advanced Device-ID from a Security Policy Rule

    When you want to delete an Advanced Device-ID object from the firewall and Device Security, you need to remove the Advanced Device-ID from any Security policy rule that uses it. If you don't remove an Advanced Device-ID from a Security policy rule first, there can be undesirable behavior in terms of configuration management or policy enforcement.
    1. Open the Security policy rules page.
      For PAN-OS managed by firewall, navigate to PoliciesSecurity.
      For PAN-OS managed by Panorama, navigate to PoliciesSecurityPre Rules.
    2. Select an existing policy that you want to modify, and remove the Advanced Device-ID from the Source or the Destination.
      1. Navigate to SourceSource Device, select the Advanced Device-ID that you want to remove, and Delete the Advanced Device-ID.
      2. Navigate to DestinationDestination Device, select the Advanced Device-ID that you want to remove, and Delete the Advanced Device-ID.
    3. Click OK to save the changes to your Security policy rule.
    4. Commit your changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.