IoT Security Integration with Next-generation Firewalls
IoT Security integrates with the logging service and next-generation firewalls using Device-ID.
The IoT Security solution involves the integration of three key architectural components to process network data:
  • Palo Alto Networks next-generation firewalls collect device data and send it to the logging service.
  • The logging service uses a cloud-based log-forwarding process to direct the logs from firewalls to destinations like IoT Security and Strata Logging Service. Depending on the type of IoT Security subscription you have, the logging service either streams metadata to your IoT Security account and Strata Logging Service instance or just to your IoT Security account.
  • IoT Security is an app that runs on a cloud-based platform in which machine learning, artificial intelligence, and threat intelligence are used to discover, classify, and secure the IoT devices on the network. The app ingests firewall logs with network traffic data and provides Security policy recommendations and IP address-to-device mappings to the firewall for use in Security policy rules. Administrators access the dynamically enriched IoT device inventory, detected device vulnerabilities, security alerts, and recommended policy sets through the IoT security portal.
The IoT Security app integrates with next-generation firewalls through Device-ID, which is a construct that uses device identity as a means to apply policy. The integration uses three mechanisms.
  • Device dictionary – This is an XML file that IoT Security generates and makes available for Panorama and firewalls to import. The dictionary file provides the Panorama and firewall administrator with a list of device attributes for selection when importing recommended Security policy rules from IoT Security and when creating rules themselves. These attributes are profile, category, vendor, model, OS family, and OS version and are for both IoT and traditional IT devices. Although it’s not possible to download a device dictionary file, you can see the release notes summarizing the new content added to a file that your firewall has imported. To do this, log in to the PAN-OS web portal, select Device > Dynamic Updates and then click Release Notes for the device dictionary file you want to learn about.
  • Policy rule recommendations – After an IoT Security administrator creates a set of Security policy rules based on traffic from IoT devices in the same device profile, a firewall administrator can import them as recommendations for use in its policy set.
  • IP address-to-device mappings – These mappings tell firewalls which attributes a device with a particular IP address has. When traffic to or from that IP address reaches a firewall, it checks if one of its attributes matches a policy and, if so, the firewall applies the policy. IoT Security sends IP address-to-device mappings to firewalls for both IoT and IT devices if the confidence score for device identities is high (90-100%) and they’ve sent or received traffic within the past hour.
The goal of Device-ID is to leverage the intelligence of IoT Security to enforce firewall policy on IoT devices.

Device-ID

PAN-OS 10.0 introduces a new concept for policy enforcement: Device-ID. Device-ID is a way to enforce policy rules based on device attributes. IoT Security provides the firewall with a device dictionary file containing a list of device attributes such as profiles, categories, vendors, and models. For various attributes in the dictionary file, it lists a set of entries. For example, three entries for the profile attribute might be Advidia Camera, BK Medical UltraSound Machine, and Carefusion Infusion Pump Base Station.
Currently, Device-ID is not supported on multi-vsys firewalls.
When configuring a Security policy rule, firewall administrators have the option to select device attributes from the device dictionary. If they select profile, they can choose one of the profile entries: Polycom IP Phone, for example. The policy rule then applies to all devices that match this profile. But how does the firewall know what the profile is for a device? It knows this from the IP address-to-device mappings that IoT Security also gives the firewall. These mappings identify attributes for each device. When traffic from an IP address that's mapped to a device attribute specified in the policy rule reaches the firewall, the policy rule lookup will find a match with this rule and apply whatever action it enforces.
A firewall downloads a device dictionary file from the update server. The dictionary file populates entries in all the Device-ID attribute lists for profile, category, vendor, and so on. These attribute entries are then available for use as policy rule configuration elements. The firewall administrator next configures a firewall policy rule using the profile attribute “Polycom IP Phone”. After a Polycom Trio 8800 device joins the network and IoT Security identifies it, IoT Security provides the firewall with an IP address-to-device mapping for it. The two key elements in the mapping for this example are its device profile (Polycom IP Phone) and its IP address (10.1.2.3). When traffic from the Polycom Trio 8800 device at 10.1.2.3 reaches the firewall, it does a Device-ID policy rule lookup, finds that the profile for the device at this IP address matches one specified in a policy rule, and then applies the rule.
If a firewall becomes disconnected from IoT Security, the firewall retains its IP address-to-device mappings and continues enforcing Device-ID policy rules with them until the connection is re-established.
Every next-generation firewall model has the same maximum of 1000 unique Device-ID objects.
The maximum of 1000 Device-ID objects is not the same as that for IP address-to-device mappings. The maximum number of IP address-to-device mappings varies based on firewall model and is the same as the User-ID maximums listed in the + Show More sections for each firewall model on the Product Selection page.
More information about the Device-ID feature is in the PAN-OS Administrator’s Guide.
Device Dictionary
The device dictionary is an XML file for firewalls to use in Security policy rules. It contains entries for the following device attributes: profile, category, vendor, model, OS family, and OS version. These entries come from devices across all IoT Security tenants and are completely refreshed on a regular basis and posted as a new file on the update server. If there are any changes to a dictionary entry, a revised file will be posted on the update server so that Panorama and firewalls will automatically download and install it the next time they check the update server, which they do automatically every two hours.
IP Address-to-device Mappings
After IoT Security identifies a device, it bundles the following set of identifying characteristics about it:
  • IP address
  • MAC address
  • Hostname
  • Device type
  • Device category
  • Device profile
  • Vendor
  • Model
  • OS family
  • OS version
  • Risk score
  • Risk level
Firewalls poll IoT Security for these IP address-to-device mappings for use in policy enforcement. A firewall polls for new or modified mappings every second, and IoT Security returns mappings that it has identified with high confidence (a confidence score of 90-100%) for devices that were active within the last hour. For each IP address-to-device mapping that a firewall receives, the firewall generates an entry in its host information profile (HIP) Match log.
If IoT Security discovers duplicate IP address-to-device mappings—that is, there are two IP addresses mapped to the same device MAC address—it resolves it to the MAC address with the latest network activity.
There is no time limit for how long a firewall retains IP address-to-device mappings. It only begins deleting them when its cache fills up, starting with the oldest first.
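The mapping lifecycle described in this section and the policy lookup described under Device-ID can be simulated end to end. The following is an added example, not Palo Alto Networks code: it filters mappings by confidence score and last activity, resolves two IP addresses that map to the same MAC address to the one with the latest activity, evicts the oldest entry when the firewall-side cache is full, and then matches traffic from an IP address against a rule keyed on the profile attribute. The field names, the Rule shape, the cache capacity and all sample mappings are constructed assumptions.

```python
"""Added example, not Palo Alto Networks code: simulate how a firewall consumes
IoT Security IP address-to-device mappings and resolves a Device-ID policy lookup.
Field names, the Rule shape and all sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

CONFIDENCE_MIN = 90                 # mappings are sent only at 90-100% confidence
ACTIVE_WINDOW = timedelta(hours=1)  # and only for devices active within the last hour


@dataclass(frozen=True)
class Mapping:
    """One IP address-to-device mapping (a subset of the attributes IoT Security bundles)."""
    ip: str
    mac: str
    profile: str
    category: str
    confidence: int        # 0-100
    last_seen: datetime    # most recent network activity


@dataclass(frozen=True)
class Rule:
    """A Security policy rule keyed on one Device-ID attribute (constructed shape)."""
    name: str
    attribute: str   # a Mapping field, e.g. "profile"
    value: str       # a device dictionary entry, e.g. "Polycom IP Phone"
    action: str


def eligible(m: Mapping, now: datetime) -> bool:
    """IoT Security only returns high-confidence mappings for recently active devices."""
    return m.confidence >= CONFIDENCE_MIN and now - m.last_seen <= ACTIVE_WINDOW


def dedupe_by_mac(mappings: Iterable[Mapping]) -> List[Mapping]:
    """Two IPs mapped to the same MAC: keep the mapping with the latest activity."""
    best: Dict[str, Mapping] = {}
    for m in mappings:
        cur = best.get(m.mac)
        if cur is None or m.last_seen > cur.last_seen:
            best[m.mac] = m
    return list(best.values())


class MappingCache:
    """Firewall-side cache: entries never expire; when full, the oldest is evicted first."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._by_ip: Dict[str, Mapping] = {}   # dict keeps insertion order: oldest first

    def insert(self, m: Mapping) -> None:
        if m.ip in self._by_ip:
            del self._by_ip[m.ip]              # a refreshed mapping becomes the newest entry
        elif len(self._by_ip) >= self.capacity:
            del self._by_ip[next(iter(self._by_ip))]
        self._by_ip[m.ip] = m

    def lookup(self, ip: str) -> Optional[Mapping]:
        return self._by_ip.get(ip)


def policy_lookup(cache: MappingCache, src_ip: str, rules: List[Rule]) -> Optional[Rule]:
    """First rule whose Device-ID attribute matches the mapping for src_ip, if any."""
    m = cache.lookup(src_ip)
    if m is None:
        return None            # unmapped IP: no Device-ID rule can match it
    for r in rules:
        if getattr(m, r.attribute, None) == r.value:
            return r
    return None


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE = [   # constructed mappings; the last two share a MAC address (duplicate IPs)
    Mapping("10.1.2.3", "00:11:22:33:44:01", "Polycom IP Phone", "IP Phone", 97, NOW - timedelta(minutes=5)),
    Mapping("10.1.2.4", "00:11:22:33:44:02", "Advidia Camera", "IP Camera", 72, NOW - timedelta(minutes=1)),
    Mapping("10.1.2.5", "00:11:22:33:44:03", "Polycom IP Phone", "IP Phone", 95, NOW - timedelta(hours=3)),
    Mapping("10.1.2.6", "00:11:22:33:44:04", "Advidia Camera", "IP Camera", 93, NOW - timedelta(minutes=30)),
    Mapping("10.1.2.7", "00:11:22:33:44:04", "Advidia Camera", "IP Camera", 93, NOW - timedelta(minutes=2)),
]
RULES = [
    Rule("allow-phones", "profile", "Polycom IP Phone", "allow"),
    Rule("deny-cameras", "profile", "Advidia Camera", "deny"),
]


def build_cache(capacity: int = 1000) -> MappingCache:
    """What the firewall holds after one poll of the sample set."""
    cache = MappingCache(capacity)
    for mapping in dedupe_by_mac(x for x in SAMPLE if eligible(x, NOW)):
        cache.insert(mapping)
    return cache


def decide(src_ip: str) -> Optional[str]:
    """Action applied to traffic from src_ip, or None if no Device-ID rule matches."""
    rule = policy_lookup(build_cache(), src_ip, RULES)
    return rule.action if rule else None


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.5", "10.1.2.6", "10.1.2.7"):
        print(ip, decide(ip))
```

Running it shows the cases the text describes: 10.1.2.3 matches the phone rule, 10.1.2.4 (confidence 72) and 10.1.2.5 (last active three hours ago) never reach the firewall, and of the two IPs sharing one MAC only 10.1.2.7, the one with the latest activity, is kept and matches the camera rule. Because the cache evicts oldest-first rather than by age, a long-idle mapping can still drive policy, which is worth remembering when a device is re-addressed.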
Policy Rule Recommendations
You can generate Security policy rule recommendations based on the normal, acceptable network behaviors of the IoT devices in the same device profile and manually import them into firewalls for enforcement. PAN-OS 8.1 and later supports importing policy rule recommendations from IoT Security.
For Panorama-managed firewalls that have an IoT Security subscription requiring Strata Logging Service – Panorama can only import policy rule recommendations if it was used to onboard its managed firewalls to .
Firewall and Panorama Communications Related to IoT Security
IoT Security communications from firewalls without Panorama management:
  • Firewalls download device dictionary files from the update server at updates.paloaltonetworks.com on TCP port 443.
  • Firewalls forward logs to the logging service on TCP ports 443 (for Enhanced Application logs) and 3978 (for all other firewall logs).
    For details about the ports and FQDNs required for next-generation firewalls to communicate with the logging service, see Strata Logging Service.
  • Firewalls retrieve IP address-to-device mappings and policy recommendations from IoT Security on TCP port 443. Depending on their region, they use one of the following edge services URLs:
    • United States: iot.services-edge.paloaltonetworks.com
    • Canada: ca.iot.services-edge.paloaltonetworks.com
    • EU: eu.iot.services-edge.paloaltonetworks.com
    • Switzerland: ch.iot.services-edge.paloaltonetworks.com
    • United Kingdom: uk.iot.services-edge.paloaltonetworks.com
    • APAC: apac.iot.services-edge.paloaltonetworks.com
    • Japan: jp.iot.services-edge.paloaltonetworks.com
    • Australia: au.iot.services-edge.paloaltonetworks.com
    The following table summarizes the relationship of different data lake regions/ingestion regions with IoT Security application regions:
    Data Lake Region/Ingestion Region    IoT Security Application Region
    Americas
      Canada                             Canada, United States*
      United States                      United States
      FedRAMP                            FedRAMP
    European Union
      France                             Germany
      Germany                            Germany
      Italy                              Germany
      Netherlands                        Germany
      Poland                             Germany
      Spain                              Germany
      Switzerland                        Switzerland, Germany*
      United Kingdom                     United Kingdom, Germany*
    Asia-Pacific
      Australia                          Australia, Singapore*
      India                              Singapore
      Indonesia                          Singapore
      Japan                              Japan
      Singapore                          Singapore
    *Switzerland and the United Kingdom were added as IoT Security application regions on 7/31/2023. When onboarding IoT Security after this date to existing firewall deployments established before it, the firewalls continue to use Germany as the IoT Security application region. When onboarding IoT Security to new deployments in Switzerland or the United Kingdom established after 7/31/2023, the firewalls will use the local IoT Security application region for each country.
    A similar situation exists in Canada, which continues to use United States – Americas as the IoT Security application region for deployments existing before 1/25/2023 and Canada for new deployments after this date. Likewise, deployments existing before 10/25/2022 in Australia still use the IoT Security application in Singapore while new deployments after this date use Australia.
  • During the certificate exchange between a firewall and the edge server in front of the IoT Security cloud, they verify each other’s certificates. The firewall validates the certificate it receives by checking these sites:
    • *.o.lencr.org
    • x1.c.lencr.org
    Communications to these sites occur over HTTP on TCP port 80.
IoT Security communications from Panorama:
  • A Panorama management server imports policy recommendations from IoT Security through the same URLs listed above that firewalls use. When validating the certificate the edge server presents, Panorama checks the same sites listed above that firewalls check.
    Firewalls under Panorama management still contact IoT Security through regional edge services URLs for IP address-to-device mappings, they still download device dictionaries from the update server, and they still forward logs to the logging service.
  • A Panorama management server sends queries for logs to the logging service on TCP port 444.
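The region table with its date-based footnotes and the communications lists above are what an administrator needs when building outbound allowlists for firewalls and Panorama. The following is an added example, not Palo Alto Networks code: it resolves the IoT Security application region from the ingestion region and the date the deployment was established, then lists the outbound TCP connections to permit. The region names used as dictionary keys, the Endpoint type, the function names and the treatment of a deployment established exactly on a cutover date (counted as new) are assumptions; the logging service FQDN is not on the page and is left as a placeholder, and application regions for which the page lists no edge services URL (Germany, Singapore, FedRAMP) are reported as unresolved rather than guessed.

```python
"""Added example, not Palo Alto Networks code: derive the IoT Security application
region and the outbound allowlist a firewall or Panorama needs, from the region
table, its footnotes and the communications lists. Keys, names and the
cutover-date tie-break are assumptions; the logging service FQDN is a placeholder."""
from dataclasses import dataclass
from datetime import date
from typing import List

# Data lake/ingestion region -> application region used by new deployments (from the table).
CURRENT_APP_REGION = {
    "Canada": "Canada", "United States": "United States", "FedRAMP": "FedRAMP",
    "France": "Germany", "Germany": "Germany", "Italy": "Germany", "Netherlands": "Germany",
    "Poland": "Germany", "Spain": "Germany", "Switzerland": "Switzerland",
    "United Kingdom": "United Kingdom",
    "Australia": "Australia", "India": "Singapore", "Indonesia": "Singapore",
    "Japan": "Japan", "Singapore": "Singapore",
}

# Regions added later: (date the region was added, region used by deployments established before it).
LEGACY_CUTOVER = {
    "Switzerland": (date(2023, 7, 31), "Germany"),
    "United Kingdom": (date(2023, 7, 31), "Germany"),
    "Canada": (date(2023, 1, 25), "United States"),
    "Australia": (date(2022, 10, 25), "Singapore"),
}

# Regional edge services URLs as listed on the page; other application regions have no listed URL.
EDGE_URL = {
    "United States": "iot.services-edge.paloaltonetworks.com",
    "Canada": "ca.iot.services-edge.paloaltonetworks.com",
    "Switzerland": "ch.iot.services-edge.paloaltonetworks.com",
    "United Kingdom": "uk.iot.services-edge.paloaltonetworks.com",
    "Japan": "jp.iot.services-edge.paloaltonetworks.com",
    "Australia": "au.iot.services-edge.paloaltonetworks.com",
}

UPDATE_SERVER = "updates.paloaltonetworks.com"
CERT_CHECK_SITES = ("*.o.lencr.org", "x1.c.lencr.org")   # checked over HTTP on TCP 80
LOGGING_SERVICE = "<logging-service-fqdn>"               # placeholder; not given on the page


@dataclass(frozen=True)
class Endpoint:
    fqdn: str
    port: int
    purpose: str


def app_region(ingestion_region: str, established: date) -> str:
    """Application region, honouring the legacy region for deployments that predate a cutover.
    Assumption: a deployment established on the cutover date itself counts as new."""
    if ingestion_region not in CURRENT_APP_REGION:
        raise ValueError(f"unknown ingestion region: {ingestion_region}")
    cutover = LEGACY_CUTOVER.get(ingestion_region)
    if cutover and established < cutover[0]:
        return cutover[1]
    return CURRENT_APP_REGION[ingestion_region]


def required_egress(ingestion_region: str, established: date, panorama: bool = False) -> List[Endpoint]:
    """Outbound TCP connections to permit for a firewall (default) or a Panorama server."""
    region = app_region(ingestion_region, established)
    edge = EDGE_URL.get(region)
    if edge is None:
        raise ValueError(f"no edge services URL listed for application region {region}")
    out = [Endpoint(edge, 443, "IP address-to-device mappings and policy recommendations")]
    out += [Endpoint(site, 80, "certificate validation") for site in CERT_CHECK_SITES]
    out.append(Endpoint(UPDATE_SERVER, 443, "device dictionary download"))
    if panorama:
        out.append(Endpoint(LOGGING_SERVICE, 444, "log queries"))
    else:
        out.append(Endpoint(LOGGING_SERVICE, 443, "Enhanced Application logs"))
        out.append(Endpoint(LOGGING_SERVICE, 3978, "all other firewall logs"))
    return out


if __name__ == "__main__":
    for e in required_egress("Canada", date(2022, 6, 1)):
        print(f"{e.fqdn}:{e.port}  {e.purpose}")
```

The Canada example in the usage block is the footnote case: a deployment established in June 2022 predates the 1/25/2023 cutover, so the script resolves it to the United States edge URL rather than the Canadian one. Regions that resolve to Germany, Singapore or FedRAMP raise an error instead of producing a partial allowlist, since the page does not say which edge URL those application regions use.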