Configure Device-ID
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Device-ID
Complete the following tasks to import the IP address-to-device
mappings and policy rule recommendations from IoT Security to your
firewall or Panorama.
Complete the following tasks to import the
IP address-to-device mappings and policy rule recommendations from
IoT Security to your firewall or Panorama.
If you use
Panorama to manage multiple firewalls, Palo Alto Networks strongly
recommends upgrading all firewalls in your Device-ID deployment
to PAN-OS 10.0 or a later version. If you create a rule that uses Device as
a match criteria and Panorama pushes the rule to a firewall that
uses PAN-OS 9.1 or an earlier version, the firewall omits the Device match
criteria because it is not supported, which may cause issues with
policy rule traffic matching.
- Activate your IoT Security license on the hub.
- Follow the instructions that you received in your email to activate your IoT Security license.Initialize your IoT Security app. For more information, refer to Get Started with IoT Security and the IoT Security Best Practices.Apply the license to the firewalls you want to use to enforce the IoT Security policy.Refresh your license on the firewall or Panorama.Define your IoT Security policy on the IoT Security app.
- On the IoT Security app, select the source device object.Create a new set of policy rules for the source device object.For more information about creating security policies with the IoT Security app, refer to Recommend Security Policies.Activate the policy rules to confirm your changes.Import the IP address-to-device mappings and policy rule recommendations to the firewall or Panorama.
- Import the policy rule recommendation.
- On the firewall, select DevicePolicy RecommendationIoT.
- For Panorama, select PanoramaPolicy RecommendationIoT then
push the policy rules to the firewalls that Panorama manages.After you push the policy to the firewalls, you must Sync Policy Rules on the firewalls to create the policy rule recommendation-to-policy rule mapping.
When you select Policy Recommendation, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama.Because IoT Security creates the policy rule recommendation using the trusted behavior for the device, the default action for the rule is allow.Select the Source Device Profile.Verify that the Destination Device Profile and permitted Applications are correct.Select Import Policy Rules to import the policy rules.(Panorama only) Select the Location of the device group where you want to import the policy rules.Enter a Name for the policy rules.(Panorama only) Select the Destination Type (Pre-Rulebase or Post-Rulebase).Select After Rule to define the placement of the rule in the rulebase.- No Rule Selection—Places the rule at the top of the rulebase.
- Default One—Places the rule after the listed rule.
In your Security policy, Device-ID rules must precede any existing rules that apply to the devices.Repeat this process for each policy rule recommendation to create rules to allow access for each device object to the necessary destination(s).Click OK and Commit your changes.Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy.By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. Only enable Device-ID for internal zones.- Select NetworkZones.Select the zone where you want to enable Device-ID.Enable Device Identification then click OK.Commit your changes.Verify your Security policy is correct.
- Select Policies then select the rule you created from the policy rule recommendation.IoT Security assigns a Description that contains the source device object and Tags to identify the source device object and that this rule is a recommendation from IoT Security.Device object names must be unique.Select the Source tab, then verify the Source Device Profile.Select the Destination tab and verify the Destination Device Profile.Select the Application tab and verify the Applications.Select the Actions tab and verify the Action (default is Allow).Use Explore to verify Strata Logging Service receives your logs and review which logs Strata Logging Service receives.Create custom device objects for any devices that do not have IoT Security policy rule recommendations.For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Manage Device-ID.Use the device objects to enforce policy rules and to monitor and identify potential issues.The following list includes some example use cases for device objects.
- Use source device objects and destination device objects in Security, Authentication, QoS, & decryption policies.
- Use the decryption log to identify failures and which assets are the most critical to decrypt.
- View device object activity in ACC to track new devices and device behavior.
- Use device objects to create a custom report (for example, for incident reports or audits).