Configure Device-ID

Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
If you use Panorama to manage multiple firewalls, Palo Alto Networks strongly recommends upgrading all firewalls in your Device-ID deployment to PAN-OS 10.0 or a later version. If you create a rule that uses Device as a match criterion and Panorama pushes the rule to a firewall that uses PAN-OS 9.1 or an earlier version, the firewall omits the Device match criterion because it is not supported, which may cause issues with policy rule traffic matching.
  1. Activate your IoT Security license on the hub.
    1. Follow the instructions that you received in your email to activate your IoT Security license.
    2. Initialize your IoT Security app. For more information, refer to Get Started with IoT Security and IoT Security Best Practices.
  2. Define your Security policy rules set in IoT Security.
    1. Create a new set of policy rules for the source device object.
      For information about creating security policy rule recommendations in IoT Security, refer to Recommend Security Policies.
    2. Activate the Security policy rules set.
      When you activate a policy rules set, IoT Security automatically generates policy rule names by concatenating the policy rules set name with the name of the application in each rule. It then automatically pushes the set of rules to Panorama and all next-generation firewalls subscribed to the IoT Security service.
  3. Import the policy rule recommendations to the Security policy rulebase on the firewall or in Panorama.
    1. Open or refresh the Policy Recommendation > IoT page.
      When you select Policy Recommendation > IoT, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama. If you are already on this page when a new policy rule set is activated or modified in IoT Security, refreshing the page retrieves the new or updated recommendations from IoT Security.
      (Firewall) Select Device > Policy Recommendation > IoT.
      (Panorama) Select Panorama > Policy Recommendation > IoT.
    2. Select policy rule recommendations to import into the Security policy rulebase.
      Verify that the destination and permitted applications are correct in each rule you want to import. Then select up to ten policy rule recommendations to import into the rulebase. For Panorama you can import policy rule recommendations into multiple firewall rulebases in multiple device groups.
    3. Select Import Policy Rule(s), enter the following, and then click OK:
      (Firewall) Choose the name of a rule in the rulebase after which you want PAN-OS to place the imported rules. If you choose No Rule Selection, the firewall imports the selected rules to the top.
      (Panorama)
      Location: Choose one or more device groups where you want to import the policy rules.
      Suggested Location: IoT Security learns about zones and device groups from the logs it receives from next-generation firewalls and suggests device groups for the policy rules accordingly. You can choose these suggested device groups from the Location list, or any other device groups if you prefer.
      Destination Type: Select either Pre-Rulebase to add the recommended policy rules before rules defined locally on a firewall, or Post-Rulebase to add them after rules defined locally.
      After Rule: (Optional) Choose a rule after which you want to add the imported rule or rules. If you choose No Rule Selection, or don't choose a rule at all, the imported rules are added to the top of the rulebase.
      Device-ID rules must precede any existing rules that apply to the same devices in the rulebase. Because IoT Security creates each policy rule recommendation from the trusted behaviors of the device, the default action for each rule is allow.
    4. Repeat this process to import more rules to allow devices to communicate with the specified destinations with the specified applications.
    5. Click OK and Commit your changes.
  4. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy rules.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce Device-ID Security policy rules. Only enable Device-ID for internal zones.
    1. Select Network > Zones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification, then click OK.
    4. Repeat this as necessary for other zones for which you want to enforce Device-ID Security policy rules.
  5. Commit your changes.
  6. Verify your Security policy rules are correct.
    1. Select Policies and then select one of the rules you created from the policy rule recommendations.
      IoT Security assigns a Description that contains the source device object, and Tags that identify the source device object and indicate that the rule is a recommendation from IoT Security.
    2. Select the Source tab, then verify the source device profile.
    3. Select the Destination tab and verify the destination.
    4. Select the Application tab and verify the application.
    5. Select the Actions tab and verify the action (default is Allow).
    6. Use Explore to verify that the logging service receives your logs and review which logs it gets.
  7. Create custom device objects for any devices that do not have IoT Security policy rule recommendations.
    For example, you cannot secure traditional IT devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy rules. For more information on custom device objects, see Manage Device-ID.
  8. Use the device objects to enforce policy rules and monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source device objects and destination device objects in Security, Authentication, QoS, and decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC to track new devices and device behavior.
    • Use device objects to create a custom report (for example, for incident reports or audits).
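The checks in steps 3 and 6 above (imported Device-ID rules must precede existing rules that apply to the same devices, their default action is allow, and each carries a description and tags naming the source device object) and the PAN-OS version caveat at the top of the page lend themselves to a scripted pre-commit review. The following is an added example, not Palo Alto Networks code or a PAN-OS API: it models a rulebase as a plain list of Rule objects, so the tag name IOT_TAG, the zone and device object names, the rule-shadowing model, and the sample rulebase and firewall versions are all constructed placeholders.

```python
"""
Sanity checks for Security policy rules imported from IoT Security.

Added example, not Palo Alto Networks code. A rulebase is modelled as an
ordered list of Rule objects; the checks mirror what this page tells you to
verify after importing policy rule recommendations. The tag name IOT_TAG,
the zone and device object names, and the sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed placeholder for the tag IoT Security attaches to recommended rules.
IOT_TAG = "IoT-Security-Recommendation"


@dataclass
class Rule:
    name: str
    from_zones: Set[str]          # source zones, or {"any"}
    source_device: str            # source device object name, or "any"
    action: str                   # "allow" or "deny"
    tags: Set[str] = field(default_factory=set)
    description: str = ""


def is_iot_rule(rule: Rule) -> bool:
    """A rule imported from IoT Security carries the recommendation tag."""
    return IOT_TAG in rule.tags


def zones_overlap(a: Set[str], b: Set[str]) -> bool:
    return "any" in a or "any" in b or bool(a & b)


def applies_to_same_devices(rule: Rule, iot_rule: Rule) -> bool:
    """Simplified shadowing model (an assumption of this example): an earlier rule
    applies to the same devices if it names the same source device object, or
    matches any device ("any") in an overlapping source zone."""
    if rule.source_device == iot_rule.source_device:
        return zones_overlap(rule.from_zones, iot_rule.from_zones)
    return rule.source_device == "any" and zones_overlap(rule.from_zones, iot_rule.from_zones)


def check_rulebase(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the imported rules look right."""
    findings = []
    for idx, rule in enumerate(rules):
        if not is_iot_rule(rule):
            continue
        # Recommendations are built from trusted device behaviour: the action should be allow.
        if rule.action != "allow":
            findings.append(f"{rule.name}: action is '{rule.action}', expected 'allow'")
        # The description and tags should identify the source device object.
        if rule.source_device not in rule.description:
            findings.append(f"{rule.name}: description does not name source device object '{rule.source_device}'")
        if rule.source_device not in rule.tags:
            findings.append(f"{rule.name}: missing tag for source device object '{rule.source_device}'")
        # Device-ID rules must precede existing rules that apply to the same devices.
        for earlier in rules[:idx]:
            if not is_iot_rule(earlier) and applies_to_same_devices(earlier, rule):
                findings.append(f"{rule.name}: shadowed by earlier rule '{earlier.name}' that applies to the same devices")
    return findings


def firewalls_lacking_device_id_support(versions: Dict[str, str]) -> List[str]:
    """Names of firewalls running PAN-OS earlier than 10.0, which drop the Device
    match criterion from rules pushed by Panorama. Version strings are compared on
    their numeric dotted prefix (a hotfix suffix such as '-h1' is ignored)."""
    unsupported = []
    for name, version in versions.items():
        parts = tuple(int(p) for p in version.split("-")[0].split("."))
        if parts < (10, 0):
            unsupported.append(name)
    return unsupported


# Constructed sample rulebase: a broad allow rule was left above the imported rules,
# and one imported rule had its action changed by hand.
SAMPLE_RULEBASE = [
    Rule("allow-iot-zone-any", {"iot"}, "any", "allow"),
    Rule("CameraPolicy-web-browsing", {"iot"}, "IP-Camera", "allow",
         {IOT_TAG, "IP-Camera"}, "IoT Security recommendation for IP-Camera"),
    Rule("CameraPolicy-dns", {"iot"}, "IP-Camera", "deny",
         {IOT_TAG, "IP-Camera"}, "IoT Security recommendation for IP-Camera"),
    Rule("deny-all", {"any"}, "any", "deny"),
]

# Constructed sample of PAN-OS versions on Panorama-managed firewalls.
SAMPLE_VERSIONS = {"fw-branch-1": "9.1.11", "fw-dc-1": "10.0.3-h1", "fw-dc-2": "10.1.2"}

if __name__ == "__main__":
    for finding in check_rulebase(SAMPLE_RULEBASE):
        print("FINDING:", finding)
    print("Firewalls to upgrade before Device rules are pushed:",
          firewalls_lacking_device_id_support(SAMPLE_VERSIONS))
```

Run against the constructed sample, the checker reports three findings: both imported rules are shadowed by the broad allow rule above them, and the manually edited rule no longer has the allow action. Moving the imported rules above the broad rule clears the shadowing findings, which is the ordering this page requires. To use it on a real deployment, populate the Rule list from the rulebase you exported and replace IOT_TAG with the tag you observe on the imported rules.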