Focus

PAN-OS ® New Features Guide

Device-ID

Table of Contents

Device-ID

Learn about how you can use Device-ID to create device-based policy.

Whether or not your environment supports a “Bring Your Own Device” (BYOD) policy, you likely already have a large number of devices in your network; maybe even more than you realize. Combined with the need for scalability as the number of users and their accompanying devices on your network increases, not to mention the growing infrastructure of the Internet of Things (IoT), this presents a constantly growing area of risk with many possibilities for exploitation by malicious users. Additionally, once you identify these devices, how do you secure them from vulnerabilities such as outdated operating software? Using Device-ID™ on your firewall or to push policy from Panorama, you can get device context for events on your network, obtain policy rule recommendations for those devices, write policies based on devices, and enforce Security policy based on the recommendations.

Similar to how User-ID provides user-based policy and App-ID provides app-based policy, Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or location. By providing traceability for devices and associating network events with specific devices, Device-ID allows you to gain context for how events relate to devices and write policies that are associated with devices, instead of users, locations, or IP addresses, which can change over time. You can use Device-ID in Security, Decryption, Quality of Service (QoS) and Authentication policies.

Device-ID requires an IoT Security license and a Cortex Data Lake (CDL) license.

If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0 or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for network events, use IoT Security to obtain policy rule recommendations for these devices and gain visibility for devices in reports and the ACC.

To identify and classify devices, the IoT Security app uses metadata from logs, network protocols, and sessions on the firewall. This does not include private or sensitive information or data that is not relevant for device identification. Metadata also forms the basis of the expected behavior for the device, which then establishes the criteria for the policy rule recommendation that defines what traffic and protocols to allow for that device.

To obtain policy rule recommendations for devices in your network, the firewall observes traffic to generate Enhanced Application logs (EALs). The firewall then forwards the EALs to the Cortex Data Lake (CDL) for processing. The IoT Security app on the hub receives logs from CDL for analysis, provides IP address-to-device mappings, and generates the latest policy rule recommendations for your devices. Using the IoT Security app, you can review these policy rule recommendations and create a Security policy for these devices. After you activate the policy rules in the IoT Security app, import them to the firewall or Panorama and commit your Security policy.

The firewall must be able to observe DHCP broadcast and unicast traffic on your network to identify devices. The more traffic the firewall can observe, the more accurate the policy rule recommendations are for the device and the more rapid and accurate the IP address-to-device mappings are for the device. When a device sends DHCP traffic to obtain an IP address, the firewall observes this type of request, it generates EALs to send to the Cortex Data Lake for processing and then analysis by IoT Security.

To observe traffic on an L2 interface, you must configure a VLAN for that interface. By allowing the firewall to treat the interface as an L3 interface for a DHCP relay, it can observe the DHCP broadcast traffic without impacting traffic or performance.

Each application has an individual recommendation that you import to the firewall or Panorama as a rule. When you import the recommendation, the firewall or Panorama creates at least two objects to define the device behavior from the recommendation:

A source device object that identifies the device where the traffic originates

One or more destination objects that identify the permitted destinations for the traffic, which can be a device, IP address, or Fully Qualified Domain Name (FQDN)

If any of the device objects already exist on the firewall or Panorama appliance, the firewall or Panorama updates the device object instead of creating a new device object. You can use these device objects in Security, authentication, decryption, and Quality of Service (QoS) policies.

Additionally, the firewall assigns two tags to each rule:

One that identifies the source device, including the category (such as

NetworkDevice - TrendNet

One that indicates that the rule is an IoT policy rule recommendation (

IoTSecurityRecommended

Because the tags that the firewall assigns to the rule are the only way to restore your mappings if they become out of sync, do not edit or remove the tags.

For optimal deployment and operation of Device-ID, we recommend the following:

Deploy Device-ID on firewalls that are centrally located in your network. For example, if you have a large environment, deploy Device-ID on a firewall that is upstream from the IP address management (IPAM) device. If you have a small environment, deploy Device-ID on a firewall that is acting as a DHCP server.

During initial deployment, allow Device-ID to collect metadata from your network for at least fourteen days. If devices are not active daily, the identification process may take longer.

Write device-based policy in order of your most critical devices to least critical. Prioritize by:

Class (secure networked devices first)

Critical devices (such as servers or MRI machines)

Environment-specific devices (such as fire alarms and badge readers)

Consumer-facing IoT devices (such as a smart watch or smart speaker)

Enable Device-ID on a per-zone basis for internal zones only.

To deploy Device-ID, complete the following procedures:

Device-ID Predeployment Tasks

Device-ID Deployment Tasks

Device-ID Post-Deployment Tasks

Device-ID Predeployment Tasks

To prepare your network for Device-ID deployment, complete the following predeployment tasks to enable your firewall to generate and send EALs to the Cortex Data Lake for processing and analysis by IoT Security for policy rule recommendation generation.

If you have not already done so, install the device certificate on your firewall or Panorama.

Activate your Cortex Data Lake (CDL) instance and connect your firewall to the instance.

Activate a Cortex Data Lake instance.

Connect your firewall to Cortex Data Lake.

(L2 interfaces only) Create a VLAN interface for each L2 interface so the firewall can observe the DHCP broadcast traffic.

(Optional) Configure a service route to allow the necessary traffic for Device-ID.

Select

Device

Setup

Services

then select

Service Route Configuration

Customize

a service route.

Select the

IPv4

protocol.

Device-ID and IoT Security do not support IPv6.

Select

Data Services

in the Service column.

Select a

Source Interface

and

Source Address

Click

twice.

Use App-IDs to allow the necessary traffic for Device-ID and IoT Security.

Use the

paloalto-iot-security

App-ID to allow traffic between the IoT Security and your firewall or Panorama.

This App-ID is not needed if the firewall sends traffic from the management interface through a data interface in the same zone as the CDL and IoT Security, only if the traffic traverses more than one security zone.

Use the

paloalto-logging-service

App-ID to allow traffic for all EALs and all session logs.

Use the

paloalto-updates

App-ID to allow retrieval of IoT Security dynamic updates and updates for the Device Dictionary.

Use the

paloalto-iot-security

App-ID to allow retrieval of policy rule recommendations.

If you have a non-Palo Alto Networks firewall between the firewall using Device-ID and the internet, verify that the non-Palo Alto Networks firewall can access iot.services-edge.paloaltonetworks.com:443.

Configure your firewall to observe and generate logs for DHCP traffic then forward the logs for processing and analysis by IoT Security.

If the firewall is a DHCP server:

Enable Enhanced Application logging.

Create a log forwarding profile to forward the logs to the CDL for processing.

Enable the

DHCP Broadcast Session

option (

Device

Setup

Session

Session Settings

Create a Security policy rule to allow

dhcp

as the

Application

type.

If the firewall is not a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EALs for the DHCP traffic it receives from clients.

If your DHCP server is on the same network segment as the interface your firewall, deploy a virtual wire interface in front of the DHCP server to ensure the firewall generates EALs for all packets in the initial DHCP exchange with minimal performance impact.

Configure a virtual wire interface with corresponding zones and enable the

Multicast Firewalling

option (

Network

Virtual Wires

Add

Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The policy must allow all existing traffic that the server currently observes and use the same log forwarding profile as the rest of your rules.

To allow the DHCP servers to check if an IP address is active before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.

Configure a rule to allow all other traffic to and from the DHCP server that does not forward logs for traffic matches.

Configure the DHCP server host to use the first virtual wire interface and the network switch to use the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.

If you want to use a tap interface to gain visibility into DHCP traffic that the firewall doesn’t usually observe due to the current configuration or topology of the network, use the following configuration to minimize performance impact.

Configure a tap interface and corresponding zone.

Configure a rule to match DHCP traffic that uses the same log forwarding profile as the rest of your rules.

To minimize the session load on the firewall, configure a rule to drop all other traffic.

Connect the tap interface to the port mirror on the network switch.

Add session log types to the log forwarding profile.

If there are no existing entries in the log forwarding profile, selecting the

Enable enhanced application logging to Cortex Data Lake (including traffic and url logs)

option adds all logs types.

Add

a new profile and enter a name.

Select

traffic

as the

Log type

Select

All logs

as the

Filter

Select the

Cortex Data Lake

option.

Click

Repeat substeps 1-5 for the

threat

and, if you have a subscription,

wildfire

log types.

Device-ID Deployment Tasks

Complete the following tasks to import the policy rule recommendations and IP address-to-device mappings to your firewall or Panorama.

Activate your IoT Security license on the hub.

Follow the instructions you received in your email to activate your IoT Security license.

Initialize your IoT Security app, making sure to follow the IoT Security Best Practices. For more information, refer to the IoT Security app documentation and Get Started with IoT Security.

Apply the license to the firewalls you want to use to enforce the IoT Security policy.

Refresh your license on the firewall or Panorama.

Define your IoT Security policy on the IoT Security app.

On the IoT Security app, select the source device object.

Create

a new set of policy rules for the source device object.

For more information about creating security policies with the IoT Security app, please refer to Recommend Security Policies.

Activate

the policy rules to confirm your changes.

Import the policy rule recommendation and IP address-to-device mappings to the firewall or Panorama.

Import the policy rule recommendation and mappings.

On the firewall, select

Device

Policy Recommendation

For Panorama, select

Panorama

Policy Recommendation

When you select Policy Recommendation, the firewall or Panorama communicates with the IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama.

Because IoT Security creates the policy rule recommendation using the trusted behavior for the device, the default action for the rule is allow.

Select the

Source Device Profile

Verify that the

Destination Device Profile

and permitted

Applications

are correct.

Select

Import Policy Rules

to import the policy rules.

(Panorama only) Select the

Location

of the device group where you want to import the policy rules.

Enter a

Name

for the policy rules.

(Panorama only) Select the

Destination Type

(

Pre-Rulebase

Post-Rulebase

Select

After Rule

to define the placement of the rule in the rulebase.

No Rule Selection

—Places the rule at the top of the rulebase.

Default One

—Places the rule after the listed rule.

In your Security policy, Device-ID rules must precede any existing rules that apply to the devices.

Repeat this process for each policy rule recommendation to create rules to allow access for each device object to the necessary destination(s).

Click

and

Commit

your changes.

Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy.

By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the

Include List

and

Exclude List

As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. You should only enable Device-ID for internal zones.

Select

Network

Zones

Select the zone where you want to enable Device-ID.

Enable Device Identification

then click

Commit

your changes.

Create custom device objects for any devices that do not have IoT Security policy rule recommendations.

For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Device-ID Post-Deployment Tasks.

Use the device objects in policy and to monitor and identify potential issues.

The following list includes some example use cases for device objects.

Use source and destination device objects for Security, Authentication, QoS, & decryption policies.

Use the decryption log to identify failures and which assets are the most critical to decrypt.

View device object activity in ACC.

Use device objects to create a custom report (for example, for incident reports or audits).

Device-ID Post-Deployment Tasks

Perform the following tasks as needed to ensure your policy rule recommendations and device objects are current or to restore policy rule recommendation mappings.

Verify your Security policy is correct.

Select

Policies

then select the rule you created from the policy rule recommendation.

IoT Security assigns a

Description

that contains the source device object and

PAN-OS ® New Features Guide

Device-ID

Device-ID

Device-ID Predeployment Tasks

Device-ID Deployment Tasks

Device-ID Post-Deployment Tasks

Recommended For You