Configure Device-ID
Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from Device Security to your firewall or Panorama.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  1. Activate your Device Security license on the hub.
    1. Follow the instructions that you received in your email to activate your Device Security license.
    2. Initialize your Device Security application. For more information, refer to Get Started with IoT Security.
  2. Import policy rule recommendations to the Security policy rulebase on a next-generation firewall or, through Panorama, to rulebases on multiple firewalls.
    1. Log in to a next-generation firewall or Panorama and select Device > Policy Recommendation > IoT (on Panorama, Panorama > Policy Recommendation > IoT).
    2. Choose a device profile.
      When you choose a profile, the firewall or Panorama communicates with Device Security to obtain the latest policy rule recommendations and displays them. Device Security automatically generates policy rule names by concatenating the device profile name with the name of the application in each rule. Policy rule recommendations are not cached on the firewall or Panorama.
    3. Select one or more policy rule recommendations to import into the Security policy rulebase.
    4. Click Import Policy Rule, enter the following, and then click OK:
      (Firewall)
      After Rule: Choose the name of a rule in the rulebase after which you want PAN-OS to place the imported rules. If you choose No Rule Selection, the firewall imports the selected rules to the top.
      (Panorama)
      Location: Choose one or more device groups where you want to import the policy rules. You can import policy rule recommendations into firewall rulebases in multiple device groups.
      Suggested Location: If Device Security learns about zones and device groups in the logs it receives from next-generation firewalls, it suggests device groups for various policy rules accordingly. You can choose these suggested device groups among those available in the Location list or any other device groups if you prefer.
      Destination Type: Select either Pre-Rulebase to add the recommended policy rules before rules defined locally on a firewall or Post-Rulebase to add them after rules defined locally.
      After Rule: (Optional) Choose a rule after which you want to add the imported rule or rules. If you choose No Rule Selection or leave this setting empty, the imported rules are added to the top of the rulebase.
      Device-ID rules must precede any existing rules that apply to the same devices in the rulebase. Because Device Security creates the policy rule recommendation using the trusted behaviors for the device, the default action for each rule is allow.
    5. Repeat this process to import more rules to allow devices in the selected profiles to communicate with destinations using the specified applications.
    6. Commit your changes.
  3. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy rules.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce Device-ID Security policy rules. Only enable Device-ID for internal zones.
    1. Select Network > Zones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification, and then click OK.
    4. Repeat this as necessary for other zones for which you want to enforce Device-ID Security policy rules.
  4. Commit your changes.
  5. Verify your Security policy rules are correct.
    1. Select Policies and then select one of the rules you imported.
      Device Security assigns a Description that names the source device object, and Tags that identify the source device object and mark the rule as a Device Security recommendation.
    2. Select the Source tab, then verify the source device profile.
    3. Select the Application tab and verify the application.
    4. Select the Actions tab and verify the action (default is Allow).
    5. Use Explore to verify that the Strata Logging Service receives your logs, and review which logs it gets.
  6. Create custom device objects for any devices that don’t have Device Security policy rule recommendations.
    All device object names must be unique.
    For example, you can’t secure traditional IT devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy rules. For more information on custom device objects, see Manage Device-ID.
  7. Use the device objects to enforce policy rules and monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source device objects and destination device objects in Security, Authentication, QoS, and decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC to track new devices and device behavior.
    • Use device objects to create a custom report (for example, for incident reports or audits).
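The two checks in the procedure that are easy to get wrong are the zone step (Device-ID must be enabled in the source zone of every imported rule) and the ordering requirement (a Device-ID rule must precede any existing rule for the same devices). The following audit script is an added example, not part of this page or of PAN-OS; it runs over a constructed, PAN-OS-style XML fragment, and the rule-level source-device element and the recommendation tag name are assumptions rather than the documented schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real PAN-OS export. The zone element
# enable-device-identification mirrors the firewall setting; the
# source-device element and the IoT-Security-Recommended tag are assumed.
SAMPLE_CONFIG = """<config>
  <zone>
    <entry name="iot-internal"><enable-device-identification>yes</enable-device-identification></entry>
    <entry name="users-internal"><enable-device-identification>no</enable-device-identification></entry>
    <entry name="untrust"><enable-device-identification>no</enable-device-identification></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="allow-camera-general"><from><member>iot-internal</member></from>
      <source-device><member>camera-profile</member></source-device>
      <application><member>any</member></application><action>allow</action>
      <tag><member>legacy</member></tag></entry>
    <entry name="camera-profile-rtsp"><from><member>iot-internal</member></from>
      <source-device><member>camera-profile</member></source-device>
      <application><member>rtsp</member></application><action>allow</action>
      <tag><member>IoT-Security-Recommended</member></tag></entry>
    <entry name="printer-profile-ipp"><from><member>users-internal</member></from>
      <source-device><member>printer-profile</member></source-device>
      <application><member>ipp</member></application><action>allow</action>
      <tag><member>IoT-Security-Recommended</member></tag></entry>
  </rules></security></rulebase>
</config>"""

RECOMMENDATION_TAG = "IoT-Security-Recommended"  # assumed tag name

def audit(config_xml: str, rec_tag: str = RECOMMENDATION_TAG) -> list[str]:
    """Return findings for recommended rules whose source zone lacks Device-ID
    or that sit below an earlier non-recommended rule for the same device object.
    Only explicit device-object matches are compared; rules that match the same
    devices by IP or by 'any' are not detected and still need manual review."""
    root = ET.fromstring(config_xml)
    findings = []
    enabled = {z.get("name") for z in root.findall("./zone/entry")
               if z.findtext("enable-device-identification") == "yes"}
    seen = {}  # device object -> first non-recommended rule that used it
    for rule in root.findall("./rulebase/security/rules/entry"):
        name = rule.get("name")
        tags = {t.text for t in rule.findall("./tag/member")}
        devices = {d.text for d in rule.findall("./source-device/member")} - {"any"}
        zones = {z.text for z in rule.findall("./from/member")}
        if rec_tag in tags:
            for z in sorted(zones - enabled):
                findings.append(f"{name}: source zone {z} does not have Device-ID enabled")
            for d in sorted(devices & set(seen)):
                findings.append(f"{name}: placed after non-Device-ID rule {seen[d]} for device {d}")
        else:
            for d in devices:
                seen.setdefault(d, name)
    return findings
```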