Learn about how you can use Device-ID to create device-based policy.
Whether or not your environment supports a “Bring Your Own Device” (BYOD) policy, you likely already have a large number of devices in your network, maybe even more than you realize. Combined with the need for scalability as the number of users and their accompanying devices grows, not to mention the expanding Internet of Things (IoT), this presents a constantly growing area of risk with many possibilities for exploitation by malicious users. Additionally, once you identify these devices, how do you secure them from weaknesses such as outdated operating system software? Using Device-ID™ on your firewall, or on Panorama to push policy to your firewalls, you can get device context for events on your network, obtain policy rule recommendations for those devices, write policies based on devices, and enforce Security policy based on the recommendations.
Similar to how User-ID provides user-based policy and App-ID provides app-based policy, Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or location. By providing traceability for devices and associating network events with specific devices, Device-ID allows you to gain context for how events relate to devices and write policies that are associated with devices, instead of users, locations, or IP addresses, which can change over time. You can use Device-ID in Security, Decryption, Quality of Service (QoS) and Authentication policies.
If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0 or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for network events, use IoT Security to obtain policy rule recommendations for these devices and gain visibility for devices in reports and the ACC.
To identify and classify devices, the IoT Security app uses metadata from logs, network protocols, and sessions on the firewall. This does not include private or sensitive information or data that is not relevant for device identification. Metadata also forms the basis of the expected behavior for the device, which then establishes the criteria for the policy rule recommendation that defines what traffic and protocols to allow for that device.
To obtain policy rule recommendations for devices in your network, the firewall observes traffic to generate Enhanced Application logs (EALs). The firewall then forwards the EALs to the Cortex Data Lake (CDL) for processing. The IoT Security app on the hub receives logs from CDL for analysis, provides IP address-to-device mappings, and generates the latest policy rule recommendations for your devices. Using the IoT Security app, you can review these policy rule recommendations and create a Security policy for these devices. After you activate the policy rules in the IoT Security app, import them to the firewall or Panorama and commit your Security policy.
The firewall must be able to observe DHCP broadcast and unicast traffic on your network to identify devices. The more traffic the firewall can observe, the more accurate the policy rule recommendations for a device are and the more rapid and accurate its IP address-to-device mappings. When a device sends a DHCP request to obtain an IP address, the firewall observes the request and generates EALs, which it sends to the Cortex Data Lake for processing and then to IoT Security for analysis.
To observe DHCP traffic on a Layer 2 interface, configure a VLAN interface for that interface. The VLAN interface lets the firewall handle the traffic as it would on a Layer 3 interface acting as a DHCP relay, so it can observe the DHCP broadcasts without affecting forwarding or performance.
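The paragraphs above say that the DHCP exchange is the primary source of the metadata used to identify a device. The following added example (not Palo Alto Networks code, and not how the firewall or IoT Security is implemented) shows which fields of a DHCPDISCOVER a fingerprinting engine can key on: the client MAC, hostname (option 12), vendor class (option 60), the ordered parameter request list (option 55) and the relay address (giaddr), which tells you whether a relay forwarded the packet. It also rejects truncated packets rather than reading past the end. The packet bytes, the hostname and the fingerprint format are constructed for this example; the `OPT_*` names are its own.

```python
"""Pull the DHCP metadata that device identification keys on out of raw packets.

Added example, not Palo Alto Networks code. The sample packet is constructed
here; option codes follow RFC 2132, the fingerprint format is this example's own.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_REQ_LIST = 0, 12, 53, 55
OPT_VENDOR_CLASS, OPT_CLIENT_ID, OPT_END = 60, 61, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option list (RFC 2131/2132)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    giaddr = packet[24:28]            # non-zero when a relay agent forwarded the packet
    chaddr = packet[28:28 + hlen]     # client hardware address
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:      # option body runs past the end of the packet
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    mt = options.get(OPT_MSG_TYPE)
    msg_type = mt[0] if mt else 0
    return {
        "op": "request" if op == 1 else "reply",
        "xid": xid,
        "hops": hops,
        "relayed": giaddr != b"\x00\x00\x00\x00",
        "relay_ip": ".".join(str(b) for b in giaddr),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MSG_TYPES.get(msg_type, f"type-{msg_type}"),
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "param_request_list": list(options.get(OPT_REQ_LIST, b"")),
    }


def fingerprint(info: dict) -> str:
    """Vendor class plus the ordered option request list: stable per DHCP client stack."""
    return info["vendor_class"] + "|" + ",".join(str(o) for o in info["param_request_list"])


def build_discover(mac: bytes, hostname: str, vendor_class: str, prl: bytes,
                   giaddr: bytes = b"\x00" * 4, hops: int = 0) -> bytes:
    """Assemble a DHCPDISCOVER so the parser can be exercised offline (constructed input)."""
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), hops, 0x3903F326, 0, 0x8000)
    header += b"\x00" * 12 + giaddr                                    # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128    # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, 1])
    options += bytes([OPT_CLIENT_ID, len(mac) + 1, 1]) + mac
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
    options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode("ascii")
    options += bytes([OPT_REQ_LIST, len(prl)]) + prl
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


# Constructed sample: an embedded-Linux camera reaching the server through a relay at 10.20.0.1.
SAMPLE_PACKET = build_discover(
    mac=bytes.fromhex("021122334455"),
    hostname="ipcam-01",
    vendor_class="udhcp 1.30.1",
    prl=bytes([1, 3, 6, 12, 15, 28, 42]),
    giaddr=bytes([10, 20, 0, 1]),
    hops=1,
)

if __name__ == "__main__":
    info = parse_dhcp(SAMPLE_PACKET)
    print(info["mac"], info["message_type"], info["hostname"],
          "via relay " + info["relay_ip"] if info["relayed"] else "direct")
    print("fingerprint:", fingerprint(info))
```

The relay fields matter for the deployment choices below: when the firewall is the relay or sits in front of the DHCP server, giaddr and hops show the path a request took, and a firewall that only sees unicast renewals never sees the DISCOVER that carries most of this metadata.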
Each application has an individual recommendation that you import to the firewall or Panorama as a rule. When you import the recommendation, the firewall or Panorama creates at least two objects to define the device behavior from the recommendation:
- A source device object that identifies the device where the traffic originates
- One or more destination objects that identify the permitted destinations for the traffic, which can be a device, IP address, or Fully Qualified Domain Name (FQDN)
If any of the device objects already exist on the firewall or Panorama appliance, the firewall or Panorama updates the device object instead of creating a new device object. You can use these device objects in Security, authentication, decryption, and Quality of Service (QoS) policies.
Additionally, the firewall assigns two tags to each rule:
- One that identifies the source device, including the category (such as NetworkDevice - TrendNet).
- One that indicates that the rule is an IoT policy rule recommendation (IoTSecurityRecommended).
Because the tags that the firewall assigns to the rule are the only way to restore your mappings if they become out of sync, do not edit or remove the tags.
For optimal deployment and operation of Device-ID, we recommend the following:
- Deploy Device-ID on firewalls that are centrally located in your network. For example, if you have a large environment, deploy Device-ID on a firewall that is upstream from the IP address management (IPAM) device. If you have a small environment, deploy Device-ID on a firewall that is acting as a DHCP server.
- During initial deployment, allow Device-ID to collect metadata from your network for at least fourteen days. If devices are not active daily, the identification process may take longer.
- Write device-based policy in order of your most critical devices to least critical. Prioritize by:
- Class (secure networked devices first)
- Critical devices (such as servers or MRI machines)
- Environment-specific devices (such as fire alarms and badge readers)
- Consumer-facing IoT devices (such as a smart watch or smart speaker)
- Enable Device-ID on a per-zone basis for internal zones only.
To deploy Device-ID, complete the following procedures:
Device-ID Predeployment Tasks
To prepare your network for Device-ID deployment, complete the following predeployment tasks to enable your firewall to generate and send EALs to the Cortex Data Lake for processing and analysis by IoT Security for policy rule recommendation generation.
- (L2 interfaces only) Create a VLAN interface for each L2 interface so the firewall can observe the DHCP broadcast traffic.
- (Optional) Configure a service route to allow the necessary traffic for Device-ID.
- Select Device > Setup > Services > Service Route Configuration.
- Customize a service route.
- Select the IPv4 protocol. Device-ID and IoT Security do not support IPv6.
- Select Data Services in the Service column.
- Select a Source Interface and Source Address.
- Use App-IDs to allow the necessary traffic for Device-ID and IoT Security.
If you have a non-Palo Alto Networks firewall between the firewall using Device-ID and the internet, verify that the non-Palo Alto Networks firewall can access iot.services-edge.paloaltonetworks.com:443.
- Use the paloalto-iot-security App-ID to allow traffic between IoT Security and your firewall or Panorama. This App-ID is needed only if the traffic traverses more than one security zone; it is not needed if the firewall sends traffic from the management interface through a data interface in the same zone as CDL and IoT Security.
- Use the paloalto-logging-service App-ID to allow traffic for all EALs and all session logs.
- Use the paloalto-updates App-ID to allow retrieval of IoT Security dynamic updates and updates for the Device Dictionary.
- Use the paloalto-iot-security App-ID to allow retrieval of policy rule recommendations.
- Configure your firewall to observe and generate logs for DHCP traffic then forward the logs for processing and analysis by IoT Security.
- If the firewall is not a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EALs for the DHCP traffic it receives from clients.
- If your DHCP server is on the same network segment as a firewall interface, deploy a virtual wire interface in front of the DHCP server to ensure the firewall generates EALs for all packets in the initial DHCP exchange with minimal performance impact.
- Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The policy must allow all existing traffic that the server currently observes and use the same log forwarding profile as the rest of your rules.
- To allow the DHCP servers to check if an IP address is active before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.
- Configure a rule to allow all other traffic to and from the DHCP server that does not forward logs for traffic matches.
- Configure the DHCP server host to use the first virtual wire interface and the network switch to use the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.
- If you want to use a tap interface to gain visibility into DHCP traffic that the firewall doesn’t usually observe due to the current configuration or topology of the network, use the following configuration to minimize performance impact.
- Configure a rule to match DHCP traffic that uses the same log forwarding profile as the rest of your rules.
- To minimize the session load on the firewall, configure a rule to drop all other traffic.
- Connect the tap interface to the port mirror on the network switch.
- Add session log types to the log forwarding profile. If there are no existing entries in the log forwarding profile, selecting the Enable enhanced application logging to Cortex Data Lake (including traffic and url logs) option adds all log types.
- Add a new profile and enter a name.
- Select traffic as the Log type.
- Select All logs as the Filter.
- Select the Cortex Data Lake option.
- Repeat substeps 1-5 for the threat and, if you have a subscription, wildfire log types.
Device-ID Deployment Tasks
Complete the following tasks to import the policy rule recommendations and IP address-to-device mappings to your firewall or Panorama.
- Activate your IoT Security license on the hub.
- Log in to the hub.
- Follow the instructions you received in your email to activate your IoT Security license.
- Apply the license to the firewalls you want to use to enforce the IoT Security policy.
- Refresh your license on the firewall or Panorama.
- Define your IoT Security policy on the IoT Security app.
- On the IoT Security app, select the source device object.
- Create a new set of policy rules for the source device object. For more information about creating security policies with the IoT Security app, refer to Recommend Security Policies.
- Activate the policy rules to confirm your changes.
- Import the policy rule recommendation and IP address-to-device mappings to the firewall or Panorama.
- Import the policy rule recommendation and mappings.
When you select Policy Recommendation, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama. Because IoT Security creates the policy rule recommendation from the trusted behavior for the device, the default action for the rule is allow.
- On the firewall, select Device > Policy Recommendation.
- For Panorama, select Panorama > Policy Recommendation.
- Select the Source Device Profile.
- Verify that the Destination Device Profile and permitted Applications are correct.
- Select Import Policy Rules to import the policy rules.
- (Panorama only) Select the Location of the device group where you want to import the policy rules.
- Enter a Name for the policy rules.
- (Panorama only) Select the Destination Type (Pre-Rulebase or Post-Rulebase).
- Select After Rule to define the placement of the rule in the rulebase.
In your Security policy, Device-ID rules must precede any existing rules that apply to the devices.
- No Rule Selection—Places the rule at the top of the rulebase.
- Default One—Places the rule after the listed rule.
- Repeat this process for each policy rule recommendation to create rules to allow access for each device object to the necessary destination(s).
- Click OK and Commit your changes.
- Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy. By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List. As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. You should only enable Device-ID for internal zones.
- Select the zone where you want to enable Device-ID.
- Enable Device Identification then click OK.
- Commit your changes.
- Create custom device objects for any devices that do not have IoT Security policy rule recommendations.For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Device-ID Post-Deployment Tasks.
- Use the device objects in policy and to monitor and identify potential issues. The following list includes some example use cases for device objects.
- Use source and destination device objects in Security, Authentication, QoS, and Decryption policies.
- Use the decryption log to identify failures and which assets are the most critical to decrypt.
- View device object activity in ACC.
- Use device objects to create a custom report (for example, for incident reports or audits).
Device-ID Post-Deployment Tasks
Perform the following tasks as needed to ensure your policy rule recommendations and device objects are current or to restore policy rule recommendation mappings.
- Verify your Security policy is correct.
- Select Policies, then select the rule you created from the policy rule recommendation. IoT Security assigns a Description that contains the source device object, and Tags that identify the source device object and mark the rule as a recommendation from IoT Security. Device object names must be unique.
- Select the Source tab and verify the Source Device Profile.
- Select the Destination tab and verify the Destination Device Profile.
- Select the Application tab and verify the Applications.
- Select the Actions tab and verify the Action (default is Allow).
- Use Explore to verify CDL receives your logs and review which logs CDL receives.
- Update your policy rule recommendation whenever the New Updates Available column displays Yes for that recommendation. As devices gain new capabilities, IoT Security updates the policy rule recommendations to advise what additional traffic or protocols the firewall or Panorama should allow. Check IoT Security daily for updates and update your policy rule recommendations as soon as possible.
- On the IoT Security app, Edit the policy rules then click Next.
- Select the new recommendation then click Next.
- Save your changes.
- On the firewall or Panorama, click Import Policy Rules then click Yes to confirm that you want to overwrite the current rule. This action overwrites the recommendation for the rule, not the rule itself.
- (Panorama only) Repeat the previous step for all device groups.
- Commit your changes.
- Review, update, and maintain the device objects in the Device Dictionary.
- Add a device object.
- Browse the list or Search using keywords. The search results can include multiple types of metadata (for example, both Category and Profile).
- To add a custom device object, enter a Name and optionally a Description for the device object. Always use a unique name for each device object. Do not change the description for device objects from policy rule recommendations.
- (Panorama only) Select the Shared option to make this device object available to other device groups.
- Select the metadata for the device object (Category, OS, Profile, OS Family, Model, and Vendor).
- Click OK to confirm your changes.
- In some cases (for example, if you restore a previous configuration), the mappings may become out of sync. To restore the mappings:
The firewall or Panorama scans all of the rules in the rulebase to check the tag that identifies the rule as an IoT Security policy rule recommendation, obtains the source device object information, and repopulates the local policy rule recommendation database.
- On the firewall, select Device > Policy Recommendation > Sync Policy Rules.
- For Panorama, select Panorama > Policy Recommendation > Sync Policy Rules.
- Delete any policy rule recommendations that are no longer needed.If a policy rule recommendation no longer applies, you can remove the policy rule recommendation. You must also remove the rule for the policy rule recommendation to update your Security policy.
- On the IoT Security app, select Delete.
- Click Mark as Removed to select this recommendation for removal.
- Remove the mapping.
- On the firewall, select Device > Policy Recommendation > Remove Policy Mapping.
- For Panorama, select Panorama > Policy Recommendation > Remove Policy Mapping, then select the Location from which you want to remove the mapping.
- Click Yes to confirm the mapping removal.
- Select Policies > Security. For Panorama, select Policies > Security > Pre-Rules/Post-Rules.
- Select the rule for the policy rule recommendation you want to remove, then select Delete.
- Commit your changes.
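Two conditions from this page are worth checking mechanically after every import and before a Sync Policy Rules: each imported rule must still carry both tags (the IoTSecurityRecommended tag and the source-device tag are what the sync uses to rebuild the recommendation database), and each imported rule must precede any existing rule that applies to the same device. The following added script (not Palo Alto Networks code, and not a PAN-OS feature) audits a rulebase export for both conditions and for the expected allow action, so it can serve the "Verify your Security policy is correct" step above. The XML is constructed for this example and only approximates a security rulebase export; the element names `tag`, `source-device`, `destination-device`, `application` and `action` are assumed, and the "Category - Vendor" tag form is taken from the page's one example (NetworkDevice - TrendNet). Adjust the paths to match your own export.

```python
"""Audit imported IoT Security recommendation rules in an exported rulebase.

Added example, not Palo Alto Networks code. SAMPLE_RULEBASE is constructed and
only approximates a PAN-OS security rulebase export; element names are assumed.
"""
import xml.etree.ElementTree as ET

RECOMMENDED_TAG = "IoTSecurityRecommended"

SAMPLE_RULEBASE = """<rulebase><security><rules>
  <entry name="Allow-Cameras-Any">
    <source-device><member>NetworkDevice - TrendNet</member></source-device>
    <destination-device><member>any</member></destination-device>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
  <entry name="IoT-TrendNet-Cameras">
    <tag><member>IoTSecurityRecommended</member><member>NetworkDevice - TrendNet</member></tag>
    <source-device><member>NetworkDevice - TrendNet</member></source-device>
    <destination-device><member>Server - NVR</member></destination-device>
    <application><member>rtsp</member><member>ntp</member></application>
    <action>allow</action>
  </entry>
  <entry name="IoT-Badge-Readers">
    <tag><member>IoTSecurityRecommended</member></tag>
    <source-device><member>Security - HID</member></source-device>
    <destination-device><member>Server - AccessControl</member></destination-device>
    <application><member>ssl</member></application>
    <action>allow</action>
  </entry>
  <entry name="Allow-Web">
    <source-device><member>any</member></source-device>
    <application><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>"""


def members(entry, path: str) -> list:
    """Text of every <member> under the given child element of a rule entry."""
    return [m.text or "" for m in entry.findall(f"{path}/member")]


def is_recommendation(rule) -> bool:
    return RECOMMENDED_TAG in members(rule, "tag")


def audit_rulebase(xml_text: str) -> list:
    """Return (rule_name, finding) pairs for every imported recommendation rule that fails a check."""
    findings = []
    rules = ET.fromstring(xml_text).findall("./security/rules/entry")
    for pos, rule in enumerate(rules):
        if not is_recommendation(rule):
            continue
        name = rule.get("name", "")
        devices = [d for d in members(rule, "source-device") if d != "any"]
        device_tags = [t for t in members(rule, "tag") if t != RECOMMENDED_TAG]
        # Check 1: both tags present and the device tag names the rule's source device object.
        if len(device_tags) != 1:
            findings.append((name, f"expected one source-device tag beside {RECOMMENDED_TAG}, found {device_tags}"))
        elif device_tags[0] not in devices:
            findings.append((name, f"tag {device_tags[0]!r} does not match source device {devices}"))
        # Check 2: recommendations import as allow; anything else was edited by hand.
        action = (rule.findtext("action") or "").strip()
        if action != "allow":
            findings.append((name, f"action is {action!r}, recommendations import as allow"))
        # Check 3: no earlier non-recommendation rule may already match the same source device.
        for earlier in rules[:pos]:
            if is_recommendation(earlier):
                continue
            shadow = set(members(earlier, "source-device")) & set(devices)
            if shadow:
                findings.append((name, f"rule {earlier.get('name')!r} precedes it and matches {sorted(shadow)}"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rulebase(SAMPLE_RULEBASE):
        print(f"{rule_name}: {finding}")
```

On the constructed sample the script reports the TrendNet rule as shadowed by the hand-written Allow-Cameras-Any rule above it, and the badge-reader rule as missing its device tag. The precedence check is deliberately conservative: an earlier rule whose source device is any (and whose other match conditions cover the device's traffic) also prevents the recommendation from taking effect, and that case has to be reviewed by hand.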