Device-ID

Learn about how you can use Device-ID to create device-based policy.
Whether or not your environment supports a “Bring Your Own Device” (BYOD) policy, you likely already have a large number of devices on your network, possibly more than you realize. As the number of users and their devices grows, and as the Internet of Things (IoT) expands your infrastructure further, this is a constantly growing attack surface with many opportunities for exploitation by malicious users. And once you identify these devices, how do you protect them against weaknesses such as outdated operating software? With Device-ID™ on your firewall, or with policy pushed from Panorama, you can get device context for events on your network, obtain policy rule recommendations for those devices, write policy based on devices, and enforce Security policy based on the recommendations.
Similar to how User-ID provides user-based policy and App-ID provides app-based policy, Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or location. By providing traceability for devices and associating network events with specific devices, Device-ID allows you to gain context for how events relate to devices and write policies that are associated with devices, instead of users, locations, or IP addresses, which can change over time. You can use Device-ID in Security, Decryption, Quality of Service (QoS) and Authentication policies.
Device-ID requires an IoT Security license and a Cortex Data Lake (CDL) license.
If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0 or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for network events, use IoT Security to obtain policy rule recommendations for these devices and gain visibility for devices in reports and the ACC.
To identify and classify devices, the IoT Security app uses metadata from logs, network protocols, and sessions on the firewall. This does not include private or sensitive information or data that is not relevant for device identification. Metadata also forms the basis of the expected behavior for the device, which then establishes the criteria for the policy rule recommendation that defines what traffic and protocols to allow for that device.
To obtain policy rule recommendations for devices in your network, the firewall observes traffic to generate Enhanced Application Logs (EAL logs). The firewall then forwards the EAL logs to the Cortex Data Lake (CDL) for processing. The IoT Security app on the hub receives logs from CDL for analysis, provides IP address-to-device mappings, and generates the latest policy rule recommendations for your devices. Using the IoT Security app, you can review these policy rule recommendations and create a Security policy for these devices. After you activate the policy rules in the IoT Security app, import them to the firewall or Panorama and commit your Security policy.
The firewall must be able to observe DHCP broadcast and unicast traffic on your network to identify devices. The more traffic the firewall can observe, the more accurate the policy rule recommendations for a device are, and the faster and more accurate its IP address-to-device mapping is. When a device sends a DHCP request to obtain an IP address and the firewall observes that request, the firewall generates an EAL log and sends it to Cortex Data Lake for processing and then analysis by IoT Security.
To observe DHCP traffic on an L2 interface, you must configure a VLAN interface for it. Treating the interface as an L3 interface that acts as a DHCP relay lets the firewall observe the DHCP broadcast traffic without impacting traffic or performance.
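The DHCP dependency above (the firewall must see the client's Discover or Request to build an IP address-to-device mapping) is easier to reason about when you look at what a single request carries. The decoder below is an added example, not code from this page or from Palo Alto Networks: it parses the BOOTP header and the DHCP options of a constructed sample packet and pulls out the fields a firewall in the DHCP path can read (hardware address, hostname, vendor class, client identifier, parameter request list, relay agent address). The page does not say which of these fields IoT Security uses; the selection here is the example author's.

```python
"""
Decode the client identification metadata carried in a DHCP request.

Added example, not from the PAN-OS documentation or Palo Alto Networks.
Which of these fields IoT Security actually uses is not stated on the page.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpClientInfo:
    msg_type: str
    mac: str                              # chaddr (Ethernet)
    broadcast: bool                       # client asked for an L2 broadcast reply
    relay_ip: Optional[str]               # giaddr: non-empty when a relay agent forwarded it
    hostname: Optional[str]               # option 12
    vendor_class: Optional[str]           # option 60
    client_id: Optional[str]              # option 61
    requested_ip: Optional[str]           # option 50 (Request only)
    param_request_list: Tuple[int, ...]   # option 55; the usual basis of DHCP fingerprinting


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the option area after the magic cookie; repeated codes are concatenated (RFC 3396)."""
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                   # End
            return opts
        if code == 0:                     # Pad
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    raise ValueError("option area has no End (255) marker")


def parse_dhcp(pkt: bytes) -> DhcpClientInfo:
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, htype, hlen = pkt[0], pkt[1], pkt[2]
    if op != 1:
        raise ValueError("only client requests (BOOTREQUEST) are decoded here")
    if htype != 1 or hlen != 6:
        raise ValueError("expected an Ethernet hardware address")
    flags = struct.unpack("!H", pkt[10:12])[0]
    giaddr = pkt[24:28]
    opts = parse_options(pkt)
    if 53 not in opts or len(opts[53]) != 1:
        raise ValueError("missing DHCP message type (option 53)")

    def text(code: int) -> Optional[str]:  # escape rather than drop non-ASCII bytes
        return opts[code].decode("ascii", "backslashreplace") if code in opts else None

    return DhcpClientInfo(
        msg_type=MSG_TYPES.get(opts[53][0], f"type-{opts[53][0]}"),
        mac=pkt[28:34].hex(":"),
        broadcast=bool(flags & 0x8000),
        relay_ip=".".join(map(str, giaddr)) if giaddr != b"\0\0\0\0" else None,
        hostname=text(12),
        vendor_class=text(60),
        client_id=opts[61].hex(":") if 61 in opts else None,
        requested_ip=".".join(map(str, opts[50])) if len(opts.get(50, b"")) == 4 else None,
        param_request_list=tuple(opts.get(55, b"")),
    )


def build_request(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes,
                  requested_ip: bytes = b"", relay: bytes = b"\0\0\0\0") -> bytes:
    """Assemble a minimal Discover (or Request when requested_ip is given) for testing."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 1 if relay != b"\0\0\0\0" else 0,   # op, htype, hlen, hops
                      0x3903F326, 0, 0x8000,                      # xid, secs, flags=broadcast
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, relay,     # ciaddr, yiaddr, siaddr, giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)

    def opt(code: int, data: bytes) -> bytes:
        return bytes([code, len(data)]) + data

    body = (opt(53, b"\x03" if requested_ip else b"\x01") + opt(61, b"\x01" + mac)
            + opt(12, hostname) + opt(60, vendor_class) + opt(55, prl)
            + (opt(50, requested_ip) if requested_ip else b"") + b"\xff")
    return hdr + MAGIC_COOKIE + body


# Constructed sample (not a capture): a Linux-based IP camera announcing itself.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE = build_request(SAMPLE_MAC, b"lobby-cam-01", b"udhcp 1.30.1", bytes([1, 3, 6, 12, 15, 28, 42]))

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE))
```

A broadcast Discover with an empty giaddr is exactly the packet a firewall only sees if it is the DHCP server, a relay, or sits in-line (virtual wire) or on a tap, which is why the predeployment tasks on this page spend so long on placement; once a relay has forwarded the request, giaddr carries the relay's address and the packet is unicast to the server.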
Each application has an individual recommendation that you import to the firewall or Panorama as a rule. When you import the recommendation, the firewall or Panorama creates at least two objects to define the device behavior from the recommendation:
  • A source device object that identifies the device where the traffic originates
  • One or more destination objects that identify the permitted destinations for the traffic, which can be a device, IP address, or Fully Qualified Domain Name (FQDN)
If any of the device objects already exist on the firewall or Panorama, the firewall or Panorama updates the existing device object instead of creating a new one. You can use these device objects in Security, Authentication, Decryption, and Quality of Service (QoS) policies.
The firewall also attaches tags that identify the source device and mark the rule as an IoT Security policy rule recommendation.
Because the tags associated with the rule are the only way to restore your mappings if they become out of sync, do not edit or remove the tags.
For optimal deployment and operation of Device-ID, we recommend the following:
  • Deploy Device-ID on firewalls that are centrally located in your network. For example, if you have a large environment, deploy Device-ID on a firewall that is upstream from the IP address management (IPAM) device. If you have a small environment, deploy Device-ID on a firewall that is acting as a DHCP server.
  • During initial deployment, allow Device-ID to collect metadata from your network for at least fourteen days. If devices are not active daily, the identification process may take longer.
  • Write device-based policy in order of your most critical devices to least critical. Prioritize by:
    1. Class (secure networked devices first)
    2. Critical devices (such as servers or MRI machines)
    3. Environment-specific devices (such as fire alarms and badge readers)
    4. Consumer-facing IoT devices (such as a smart watch or smart speaker)
  • Enable Device-ID on a per-zone basis for internal zones only.
To deploy Device-ID, complete the following procedures:

Device-ID Predeployment Tasks

To prepare your network for Device-ID, complete the following predeployment tasks so that your firewall can generate EAL logs and send them to Cortex Data Lake, where IoT Security processes and analyzes them to generate policy rule recommendations.
  1. If you have not already done so, install the device certificate on your firewall or Panorama.
  2. Activate your Cortex Data Lake (CDL) instance and connect your firewall to the instance.
    1. Activate a Cortex Data Lake instance.
    2. Connect your firewall to Cortex Data Lake.
  3. (L2 interfaces only) Create a VLAN interface for each L2 interface so the firewall can observe the DHCP broadcast traffic.
  4. (Optional) Configure a service route to allow the necessary traffic for Device-ID.
    1. Select Device > Setup > Services, then select Service Route Configuration.
    2. Customize a service route.
    3. Select the IPv4 protocol. Device-ID and IoT Security do not support IPv6.
    4. Select Data Services in the Service column.
    5. Select a Source Interface and Source Address.
    6. Click OK twice.
  5. Use App-IDs to allow the necessary traffic for Device-ID and IoT Security.
    • Use the paloalto-iot-security App-ID to allow traffic between IoT Security and your firewall or Panorama, including retrieval of policy rule recommendations. This App-ID is needed only if the traffic traverses more than one security zone; it is not needed if the firewall sends the traffic from the management interface through a data interface in the same zone as CDL and IoT Security.
    • Use the paloalto-logging-service App-ID to allow traffic for all EAL logs and all session logs.
    • Use the paloalto-updates App-ID to allow retrieval of IoT Security dynamic updates and updates for the Device Dictionary.
  6. Configure your firewall to observe and generate logs for DHCP traffic, then forward the logs for processing and analysis by IoT Security.
    • If the firewall is a DHCP server:
      1. Enable EAL logs.
      2. Create a log forwarding profile to forward the logs to CDL for processing.
      3. Enable the DHCP Broadcast Session option (Device > Setup > Session > Session Settings).
      4. Create a Security policy rule to allow dhcp as the Application type.
    • If the firewall is not a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EAL logs for the DHCP traffic it receives from clients.
    • If your DHCP server is on the same network segment as an interface on your firewall, deploy a virtual wire in front of the DHCP server to ensure the firewall generates EAL logs for all packets in the initial DHCP exchange with minimal performance impact.
      1. Configure a virtual wire interface with corresponding zones and enable the Multicast Firewalling option (Network > Virtual Wires > Add).
      2. Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The rule must allow all existing traffic that the server currently observes and use the same log forwarding profile as the rest of your rules.
      3. To allow the DHCP server to check whether an IP address is already in use before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.
      4. Configure a rule, without log forwarding, to allow all other traffic to and from the DHCP server.
      5. Connect the DHCP server host to the first virtual wire interface and the network switch to the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.
    • If you want to use a tap interface to gain visibility into DHCP traffic that the firewall does not otherwise observe because of the current configuration or topology of the network, use the following configuration to minimize performance impact.
      1. Configure a tap interface and corresponding zone.
      2. Configure a rule to match DHCP traffic that uses the same log forwarding profile as the rest of your rules.
      3. To minimize the session load on the firewall, configure a rule to drop all other traffic.
      4. Connect the tap interface to the port mirror on the network switch.
  7. Add session log types to the log forwarding profile.
    If there are no existing entries in the log forwarding profile, selecting the Enable enhanced application logging to Cortex Data Lake (including traffic and url logs) option adds all log types.
    1. Add a new profile and enter a name.
    2. Select traffic as the Log type.
    3. Select All logs as the Filter.
    4. Select the Cortex Data Lake option.
    5. Click OK.
    6. Within the same profile, repeat substeps 2-5 for the threat and, if you have a subscription, wildfire log types.

Device-ID Deployment Tasks

Complete the following tasks to import the policy rule recommendations and IP address-to-device mappings to your firewall or Panorama.
  1. Activate your IoT Security license on the hub.
    1. Log in to the hub.
    2. Follow the instructions you received in your email to activate your IoT Security license.
    3. Initialize your IoT Security app. For more information, refer to the IoT Security app documentation and Get Started with IoT Security.
    4. Apply the license to the firewalls you want to use to enforce the IoT Security policy.
    5. Refresh your license on the firewall or Panorama.
  2. Define your IoT Security policy on the IoT Security app.
    1. On the IoT Security app, select the source device object.
    2. Create a new set of policy rules for the source device object. For more information on IoT Security, refer to the IoT Security app documentation and Get Started with IoT Security.
    3. Activate the policy rules to confirm your changes.
  3. Import the policy rule recommendations and IP address-to-device mappings to the firewall or Panorama.
    1. Import the policy rule recommendations and mappings.
      • On the firewall, select Device > Policy Recommendation.
      • For Panorama, select Panorama > Policy Recommendation.
      When you select Policy Recommendation, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama.
      Because IoT Security creates the policy rule recommendation from the trusted behavior of the device, the default action for the rule is allow.
    2. Select the Source Device Profile.
    3. Verify that the Destination Device Profile and permitted Applications are correct.
    4. Select Import Policy Rules to import the policy rules.
    5. (Panorama only) Select the Location of the device group where you want to import the policy rules.
    6. Enter a Name for the policy rules.
    7. (Panorama only) Select the Destination Type (Pre-Rulebase or Post-Rulebase).
    8. Select After Rule to define the placement of the rule in the rulebase.
      • No Rule Selection—Places the rule at the top of the rulebase.
      • Default One—Places the rule after the listed rule.
      In your Security policy, Device-ID rules must precede any existing rules that apply to the devices; otherwise an earlier, broader rule matches the traffic first and the recommendation never takes effect.
    9. Repeat this process for each policy rule recommendation to create rules that allow access for each device object to the necessary destination(s).
    10. Click OK and Commit your changes.
  4. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. Enable Device-ID only for internal zones.
    1. Select Network > Zones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification, then click OK.
  5. Commit your changes.
  6. Create custom device objects for any devices that do not have IoT Security policy rule recommendations.
    For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Device-ID Post-Deployment Tasks.
  7. Use the device objects in policy and to monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source and destination device objects in Security, Authentication, QoS, and Decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC.
    • Use device objects to create a custom report (for example, for incident reports or audits).
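Several of the requirements in the procedures above are easy to get wrong silently: Device-ID enabled on an external zone, a recommendation rule imported below a broad allow rule that matches the same devices first, or a rule that uses device objects but whose log forwarding profile never delivers traffic and threat EAL logs to Cortex Data Lake. The script below is an added example, not Palo Alto Networks code; it audits a configuration export offline for those three conditions. The XML element names it relies on (enable-device-identification, source-device, log-setting, enhanced-application-logging, send-to-panorama) and the recommendation tag text are assumptions based on the PAN-OS XML schema as the example author understands it; the sample configuration is constructed, not a real export.

```python
"""
Offline audit of a PAN-OS configuration export for the Device-ID deployment
checks on this page. Added example, not Palo Alto Networks code. Element and
tag names are assumptions: confirm them against your own export first.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

REC_TAG = "IoT Security Recommended"   # assumed tag text; use whatever the import created

# Constructed sample (not a real export): Device-ID enabled on an external zone,
# and a broad allow rule that sits above the imported recommendation.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
 <entry name="trust"><enable-device-identification>yes</enable-device-identification></entry>
 <entry name="untrust"><enable-device-identification>yes</enable-device-identification></entry>
</zone>
<log-settings><profiles>
 <entry name="CDL-EAL"><enhanced-application-logging>yes</enhanced-application-logging><match-list>
  <entry name="traffic-all"><log-type>traffic</log-type><filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
  <entry name="threat-all"><log-type>threat</log-type><filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
 </match-list></entry>
 <entry name="local-only"><match-list>
  <entry name="traffic-all"><log-type>traffic</log-type><filter>All Logs</filter><send-to-panorama>no</send-to-panorama></entry>
 </match-list></entry>
</profiles></log-settings>
<rulebase><security><rules>
 <entry name="Allow-Internal-Out"><from><member>trust</member></from><to><member>untrust</member></to>
  <source-device><member>any</member></source-device><action>allow</action><log-setting>local-only</log-setting></entry>
 <entry name="IoT-Camera-NTP"><tag><member>IoT Security Recommended</member><member>IP-Camera</member></tag>
  <from><member>trust</member></from><to><member>untrust</member></to>
  <source-device><member>IP-Camera</member></source-device><destination-device><member>any</member></destination-device>
  <application><member>ntp</member></application><action>allow</action><log-setting>CDL-EAL</log-setting></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def members(entry: ET.Element, path: str) -> Set[str]:
    """Member list under `path`; an absent or empty list behaves like 'any'."""
    return {m.text or "" for m in entry.findall(f"{path}/member")} or {"any"}


def tags(entry: ET.Element) -> Set[str]:
    return {m.text or "" for m in entry.findall("tag/member")}


def cdl_profiles(vsys: ET.Element) -> Set[str]:
    """Log forwarding profiles that send traffic and threat logs to CDL with EAL enabled."""
    ok: Set[str] = set()
    for p in vsys.findall("log-settings/profiles/entry"):
        to_cdl = {m.findtext("log-type") for m in p.findall("match-list/entry")
                  if m.findtext("send-to-panorama") == "yes"}
        if p.findtext("enhanced-application-logging") == "yes" and {"traffic", "threat"} <= to_cdl:
            ok.add(p.get("name"))
    return ok


def audit(config_xml: str, internal_zones: Set[str], rec_tag: str = REC_TAG) -> List[str]:
    vsys = ET.fromstring(config_xml).find(".//vsys/entry")
    if vsys is None:
        raise ValueError("no vsys found in configuration")
    findings: List[str] = []
    # Device-ID is meant to be enabled on internal zones only.
    for z in vsys.findall("zone/entry"):
        if z.findtext("enable-device-identification") == "yes" and z.get("name") not in internal_zones:
            findings.append(f"zone {z.get('name')}: Device-ID enabled on a non-internal zone")
    good_profiles = cdl_profiles(vsys)
    rules = vsys.findall("rulebase/security/rules/entry")
    for idx, rule in enumerate(rules):
        name, src, is_rec = rule.get("name"), members(rule, "source-device"), rec_tag in tags(rule)
        if src == {"any"} and not is_rec:
            continue                          # no device objects involved
        if is_rec and src == {"any"}:
            findings.append(f"rule {name}: tagged as a recommendation but has no source device object")
        if rule.findtext("log-setting") not in good_profiles:
            findings.append(f"rule {name}: log-setting does not forward traffic/threat EAL logs to Cortex Data Lake")
        if not is_rec:
            continue
        # A recommendation must sit above any existing rule that can match the same devices first.
        for earlier in rules[:idx]:
            if rec_tag in tags(earlier):
                continue
            e_src, e_from = members(earlier, "source-device"), members(earlier, "from")
            if ("any" in e_src or e_src & src) and ("any" in e_from or e_from & members(rule, "from")):
                findings.append(f"rule {name}: placed after '{earlier.get('name')}', which can match "
                                "the same devices first; move the recommendation above it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, internal_zones={"trust"}):
        print(finding)
```

The shadowing check is deliberately coarse: it treats any earlier rule whose source zones and source device objects overlap as a potential match and leaves the application and service comparison to you, because a false positive here costs a minute of review while a missed shadow leaves the recommendation inert after commit.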

Device-ID Post-Deployment Tasks

Perform the following tasks as needed to ensure your policy rule recommendations and device objects are current or to restore policy rule recommendation mappings.
  1. Verify that your Security policy is correct.
    1. Select Policies, then select the rule you created from the policy rule recommendation.
      IoT Security assigns a Description that contains the source device object and Tags that identify the source device object and mark this rule as a recommendation from IoT Security. Device object names must be unique.
    2. Select the Source tab, then verify the Source Device Profile.
    3. Select the Destination tab and verify the Destination Device Profile.
    4. Select the Application tab and verify the Applications.
    5. Select the Actions tab and verify the Action (default is Allow).
    6. Use Explore to verify that CDL receives your logs and to review which logs CDL receives.
  2. Update your policy rule recommendation whenever the New Updates Available column displays Yes for that recommendation.
    As devices gain new capabilities, IoT Security updates the policy rule recommendations to advise what additional traffic or protocols the firewall or Panorama should allow. Check IoT Security daily for updates and update your policy rule recommendations as soon as possible.
    1. On the IoT Security app, Edit the policy rules, then click Next.
    2. Select the new recommendation, then click Next.
    3. Save your changes.
    4. On the firewall or Panorama, click Import Policy Rules, then click Yes to confirm that you want to overwrite the current rule. This action overwrites the recommendation for the rule, not the rule itself.
    5. (Panorama only) Repeat the previous step for all device groups.
    6. Commit your changes.
  3. Review, update, and maintain the device objects in the Device Dictionary.
    1. Select Objects > Devices.
    2. Add a device object.
    3. Browse the list or Search using keywords. The search results can include multiple types of metadata (for example, both Category and Profile).
    4. To add a custom device object, enter a Name and optionally a Description for the device object. Always use a unique name for each device object. Do not change the description of device objects created from policy rule recommendations.
    5. (Panorama only) Select the Shared option to make this device object available to other device groups.
    6. Select the metadata for the device object (Category, OS, Profile, OS Family, Model, and Vendor).
    7. Click OK to confirm your changes.
  4. In some cases (for example, if you restore a previous configuration), the mappings may become out of sync. To restore the mappings:
    • On the firewall, select Device > Policy Recommendation > Sync Policy Rules.
    • For Panorama, select Panorama > Policy Recommendation > Sync Policy Rules.
    The firewall or Panorama scans all of the rules in the rulebase for the tag that identifies a rule as an IoT Security policy rule recommendation, obtains the source device object information from it, and repopulates the local policy rule recommendation database. This is why the tags on those rules must not be edited or removed.
  5. Delete any policy rule recommendations that are no longer needed.
    If a policy rule recommendation no longer applies, you can remove it. You must also remove the rule that was created from the recommendation to update your Security policy.
    1. On the IoT Security app, select Delete.
    2. Click Mark as Removed to select this recommendation for removal.
    3. Remove the mapping.
      • On the firewall, select Device > Policy Recommendation > Remove Policy Mapping.
      • For Panorama, select Panorama > Policy Recommendation > Remove Policy Mapping, then select the Location from which you want to remove the mapping.
    4. Click Yes to confirm the mapping removal.
    5. Select Policies > Security. For Panorama, select Policies > Security > Pre-Rules/Post-Rules.
    6. Select the rule for the policy rule recommendation you want to remove, then select Delete.
    7. Commit your changes.
