Configure Device-ID
Focus
Focus

Configure Device-ID

Table of Contents
End-of-Life (EoL)

Configure Device-ID

Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
If you use Panorama to manage multiple firewalls, Palo Alto Networks strongly recommends upgrading all firewalls in your Device-ID deployment to PAN-OS 10.0 or a later version. If you create a rule that uses Device as a match criteria and Panorama pushes the rule to a firewall that uses PAN-OS 9.1 or an earlier version, the firewall omits the Device match criteria because it is not supported, which may cause issues with policy rule traffic matching.
  1. Activate your IoT Security license on the hub.
    1. Follow the instructions that you received in your email to activate your IoT Security license.
    2. Initialize your IoT Security app. For more information, refer to Get Started with IoT Security and IoT Security Best Practices.
  2. Define your Security policy rules set in IoT Security.
    1. Create a new set of policy rules for the source device object.
      For information about creating security policy rule recommendations in IoT Security, refer to Recommend Security Policies.
    2. Activate the Security policy rules set.
      When you activate a policy rules set, IoT Security automatically generates policy rule names by concatenating the policy rules set name with the name of the application in each rule. It then automatically pushes the set of rules to Panorama and all next-generation firewalls subscribed to the IoT Security service.
  3. Import the policy rule recommendations to the Security policy rulebase on the firewall or in Panorama.
    1. Open or refresh the Policy RecommendationIoT page.
      When you select Policy RecommendationIoT, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama. If you are already on this page when a new policy rule set was activated or modified in IoT Security, refreshing the page retrieves the new or updated recommendations from IoT Security.
      (Firewall) Select DevicePolicy RecommendationIoT.
      (Panorama) Select PanoramaPolicy RecommendationIoT.
    2. Select policy rule recommendations to import into the Security policy rulebase.
      Verify that the destination and permitted applications are correct in each rule you want to import. Then select up to ten policy rule recommendations to import into the rulebase. For Panorama you can import policy rule recommendations into multiple firewall rulebases in multiple device groups.
    3. Select Import Policy Rule(s), enter the following, and then click OK:
      (Firewall)
      Choose the name of a rule in the rulebase after which you want PAN-OS to place the imported rules. If you choose No Rule Selection, the firewall imports the selected rules to the top.
      (Panorama)
      Location: Choose one or more device groups where you want to import the policy rules.
      Suggested Location: IoT Security learns about zones and device groups in the logs it receives from next-generation firewalls and suggests device groups for various policy rules accordingly. You can choose these suggested device groups among those available in the Location list or any other device groups if you prefer.
      Destination Type: Select either Pre-Rulebase to add the recommended policy rules before rules defined locally on a firewall or Post-Rulebase to add them after rules defined locally.
      After Rule: Choose a rule after which you want to add the imported rule or rules. If you choose No Rule Selection, the firewall imports the selected rules to the top. This is an optional setting. If you don’t choose a rule, the imported rules are added to the top of the rulebase.
      Device-ID rules must precede any existing rules that apply to the same devices in the rulebase. Because IoT Security creates the policy rule recommendation using the trusted behaviors for the device, the default action for each rule is allow.
    4. Repeat this process to import more rules to allow devices to communicate with the specified destinations with the specified applications.
    5. Click OK and Commit your changes.
  4. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy rules.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce Device-ID Security policy rules. Only enable Device-ID for internal zones.
    1. Select NetworkZones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification then click OK.
    4. Repeat this as necessary for other zones for which you want to enforce Device-ID Security policy rules.
  5. Commit your changes.
  6. Verify your Security policy rules are correct.
    1. Select Policies and then select one of the rules you created from the policy rule recommendations.
      IoT Security assigns a Description that contains the source device object and Tags to identify the source device object and that this rule is a recommendation from IoT Security.
    2. Select the Source tab, then verify the source device pforile.
    3. Select the Destination tab and verify the destintation.
    4. Select the Application tab and verify the application.
    5. Select the Actions tab and verify the action (default is Allow).
    6. Use Explore to verify that the logging service receives your logs and review which logs it gets.
  7. Create custom device objects for any devices that do not have IoT Security policy rule recommendations.
    For example, you cannot secure traditional IT devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy rules. For more information on custom device objects, see Manage Device-ID.
  8. Use the device objects to enforce policy rules and monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source device objects and destination device objects in Security, Authentication, QoS, and decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC to track new devices and device behavior.
    • Use device objects to create a custom report (for example, for incident reports or audits).