Getting Started
  • Getting Started
  • IoT Security Documentation
  • All Documentation
>
Configure Service Routes for IoT Security
Focus
Download PDF
Focus
  1. Home
  2. IoT Security
  3. Prepare Your Firewall for IoT Security
  4. Configure Service Routes for IoT Security
Download PDF
IoT Security

Configure Service Routes for IoT Security

Table of Contents

Configure Service Routes for IoT Security

Configure service routes for your firewall to access IoT Security and Strata Logging Service through a data interface.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
  • IoT Security (Managed by IoT Security)
  • IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
When you configure your next-generation firewall to obtain and log network traffic metadata, you can use a data interface to access Strata Logging Service and IoT Security. To use a data interface, you need to configure service routes and Security policy rules, and commit your configuration changes once you are done.
By default, the firewall uses its management interface to send data logs to the logging service, get recommended policy rule sets and IP address-to-device mappings from IoT Security, and download device dictionary files from the update server. When a firewall uses its management interface for all this, a service route and a Security policy rule are not needed.
However, when a firewall accesses the logging service, IoT Security, and update server through a data interface, then you must add a service route identifying the source data interface, source interface IP address, and service type. In addition, you must add an interzone Security policy rule permitting Data Services from 127.168.0.0/16 to the destination zone where the logging service, IoT Security, and update server are.
When a firewall generates traffic that it sends through a data interface, it uses an IP address in the 127.168.0.0/16 subnet as its internal source and then translates it to the IP address of the source interface. Because Security policy rules are applied to the original source IP address before NAT, the source IP address must be 127.168.0.0/16 instead of the IP address of the source interface.

Configure Service Routes

  1. If necessary, configure the data interface you want to use as the source interface for required IoT Security communications.
  2. Select DeviceSetupServicesService Route Configuration and then select Customize.
  3. On the IPv4 tab, select Data Services, choose the data interface you want to use as the Source Interface, and then click OK.
    Its IP address autofills the Source Address field. This service route is for forwarding Enhanced Application logs (EALs) to the logging service.
    Device-ID and IoT Security don’t support IPv6.
  4. Click IoT, choose the same data interface as the Source Interface, and then click OK.
    This service route is for pulling IP address-to-device mappings and policy rule recommendations from IoT Security.
  5. Click Palo Alto Networks Services, choose the same data interface, and then click OK.
    This service route is for forwarding other logs besides EALs to the logging service and for pulling device dictionary files from the update server.
  6. Click OK to save your configuration changes.

Add Security Policy Rules

When you create services routes, you need to add Security policy rules permitting services required for the firewall to use IoT Security.
  1. Select PoliciesSecurity+ Add.
  2. On the General tab, enter a name for the Security policy rule and choose interzone as the Rule Type.
  3. On the Source tab, select Any as the source zone and then Add 127.168.0.0/16 as the source address.
  4. On the Destination tab, Add the destination zone with IoT Security, and Add the edge services FQDN for your region as the destination address.
  5. On the Application tab, Add paloalto-iot-security.
    The firewall uses this application to pull IP address-to-device mappings and policy rule recommendations from IoT Security.
  6. On the Actions tab, choose Allow and then click OK.
  7. Create or select an intrapent policy rule that allows all intranet traffic in the zone where Strata Logging Service and the update server are.
    If you have an intranet policy rule that allows all intranet traffi in the zone where the logging service and update server are, you can use that rule to allow the firewall to forward logs to Strata Logging Service and pull dictionary files from the update server.
    Otherwise, create an intranet policy rule that allows the firewall to send these three applications to Strata Logging Service and update server from the IP address of the firewall interface in the same zone:
    • paloalto-shared-services to forward EALs and session logs to the logging service
    • paloalto-logging-service to forward other logs besides EALs to the logging service
    • paloalto-updates to pull device dictionary files from the update server

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.