Device-ID
10.0 (EoL)
Learn about how you can use Device-ID to create device-based policy.
Whether or not your environment supports a
“Bring Your Own Device” (BYOD) policy, you likely already have a
large number of devices in your network; maybe even more than you
realize. Combined with the need for scalability as the number of
users and their accompanying devices on your network increases,
not to mention the growing infrastructure of the Internet of Things
(IoT), this presents a constantly growing area of risk with many
possibilities for exploitation by malicious users. Additionally,
once you identify these devices, how do you secure them from vulnerabilities
such as outdated operating software? Using Device-ID™ on your firewall
or to push policy from Panorama, you can get device context for
events on your network, obtain policy rule recommendations for those
devices, write policies based on devices, and enforce Security policy
based on the recommendations.
Similar to how User-ID provides
user-based policy and App-ID provides app-based policy, Device-ID provides policy
rules that are based on a device, regardless of changes to its IP
address or location. By providing traceability for devices and associating
network events with specific devices, Device-ID allows you to gain
context for how events relate to devices and write policies that
are associated with devices, instead of users, locations, or IP
addresses, which can change over time. You can use Device-ID in
Security, Decryption, Quality of Service (QoS) and Authentication
policies.
Device-ID requires an IoT Security license and a Cortex Data Lake (CDL) license.
If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0 or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for network events, use IoT Security to obtain policy rule recommendations for these devices, and gain visibility for devices in reports and the ACC.
To identify and classify devices, the IoT Security app uses metadata from logs, network protocols, and sessions on the firewall. This does not include private or sensitive information or data that is not relevant for device identification. Metadata also forms the basis of the expected behavior for the device, which then establishes the criteria for the policy rule recommendation that defines what traffic and protocols to allow for that device.
To obtain policy rule recommendations
for devices in your network, the firewall observes traffic to generate
Enhanced Application logs (EALs). The firewall then forwards the
EALs to the Cortex Data Lake (CDL) for processing. The IoT Security
app on the hub receives logs from CDL for
analysis, provides IP address-to-device mappings, and generates
the latest policy rule recommendations for your devices. Using the
IoT Security app, you can review these policy rule recommendations
and create a Security policy for these devices. After you activate
the policy rules in the IoT Security app, import them to the firewall
or Panorama and commit your Security policy.
The firewall must be able to observe DHCP broadcast and unicast traffic on your network to identify devices. The more traffic the firewall can observe, the more accurate the policy rule recommendations are for the device and the more rapid and accurate the IP address-to-device mappings are for the device. When a device sends DHCP traffic to obtain an IP address, the firewall observes the request and generates EALs, which it sends to the Cortex Data Lake for processing and then analysis by IoT Security.
To observe traffic on an L2 interface,
you must configure a VLAN for that interface. By allowing the firewall
to treat the interface as an L3 interface for a DHCP relay, it can
observe the DHCP broadcast traffic without impacting traffic or
performance.
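To illustrate why DHCP visibility matters for the IP address-to-device mappings, the following Python script (an added example, not Palo Alto Networks code) parses a constructed DHCP DISCOVER/ACK exchange, extracts the identification metadata a client reveals (MAC address, hostname, vendor class, parameter request list), and ties the assigned IP address to that metadata. The packet layout follows RFC 2131; the camera hostname, MAC and addresses are made-up sample values.

```python
import struct
from typing import Dict, List, Tuple

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
COOKIE = b"\x63\x82\x53\x63"  # magic cookie that precedes the option field

def build_dhcp(op: int, mac: bytes, yiaddr: str, opts: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal BOOTP/DHCP packet. Constructed test input, not captured traffic."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(mac), 0, 0x3903F326, 0, 0x8000)
    hdr += bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128) + COOKIE       # chaddr, sname, file, cookie
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return hdr + body + b"\xff"                                           # 255 = end option

def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Pull out the fields device identification relies on; reject malformed packets."""
    if len(pkt) < 240 or pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    info: Dict[str, object] = {"mac": pkt[28:28 + hlen].hex(":"), "yiaddr": ".".join(str(b) for b in pkt[16:20])}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        code = pkt[i]
        if code == 0:                       # pad option carries no length byte
            i += 1
            continue
        ln = pkt[i + 1] if i + 1 < len(pkt) else len(pkt)   # missing length -> bounds check fails
        val = pkt[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated DHCP option")
        if code == 53:
            info["msg_type"] = MSG_TYPES.get(val[0], str(val[0]))
        elif code == 12:
            info["hostname"] = val.decode("ascii", "replace")
        elif code == 60:
            info["vendor_class"] = val.decode("ascii", "replace")
        elif code == 55:
            info["param_list"] = list(val)  # requested-option order is a useful client fingerprint
        i += 2 + ln
    return info

def map_devices(packets: List[bytes]) -> Dict[str, Dict[str, object]]:
    """Correlate client DISCOVER/REQUEST metadata with the server ACK, keyed by assigned IP."""
    by_mac: Dict[str, Dict[str, object]] = {}
    mapping: Dict[str, Dict[str, object]] = {}
    for pkt in packets:
        p = parse_dhcp(pkt)
        entry = by_mac.setdefault(str(p["mac"]), {})
        if p.get("msg_type") in ("DISCOVER", "REQUEST"):
            entry.update({k: p[k] for k in ("hostname", "vendor_class", "param_list") if k in p})
        elif p.get("msg_type") == "ACK" and p["yiaddr"] != "0.0.0.0":
            mapping[str(p["yiaddr"])] = dict(entry, mac=p["mac"])
    return mapping

# Constructed exchange: a hypothetical IP camera requests a lease and is assigned 10.1.20.57.
CAM_MAC = bytes.fromhex("001122aabbcc")
SAMPLE = [build_dhcp(1, CAM_MAC, "0.0.0.0", [(53, b"\x01"), (12, b"ipcam-lobby"),
                                              (60, b"udhcp 1.30"), (55, bytes([1, 3, 6, 15]))]),
          build_dhcp(2, CAM_MAC, "10.1.20.57", [(53, b"\x05")])]
```

If the firewall only sees the unicast ACK but not the client's DISCOVER (for example on an L2 interface without a VLAN interface), the mapping still gets the address but loses the hostname and vendor metadata, which is the gap the predeployment tasks below are meant to close.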
Each application has an individual recommendation
that you import to the firewall or Panorama as a rule. When you
import the recommendation, the firewall or Panorama creates at least
two objects to define the device behavior from the recommendation:
- A source device object that identifies the device where the traffic originates
- One or more destination objects that identify the permitted destinations for the traffic, which can be a device, IP address, or Fully Qualified Domain Name (FQDN)
If any of the device objects already exist on the firewall or Panorama appliance, the firewall or Panorama updates the device object instead of creating a new device object. You can use these device objects in Security, authentication, decryption, and Quality of Service (QoS) policies.
Additionally, the firewall assigns two tags to each rule:
- One that identifies the source device, including the category (such as NetworkDevice - TrendNet).
- One that indicates that the rule is an IoT policy rule recommendation (IoTSecurityRecommended).
Because the tags that the firewall assigns to the rule are the only way to restore your mappings if they become out of sync, do not edit or remove the tags.
For optimal deployment and operation of Device-ID, we recommend the following:
- Deploy Device-ID on firewalls that are centrally located in your network. For example, if you have a large environment, deploy Device-ID on a firewall that is upstream from the IP address management (IPAM) device. If you have a small environment, deploy Device-ID on a firewall that is acting as a DHCP server.
- During initial deployment, allow Device-ID to collect metadata from your network for at least fourteen days. If devices are not active daily, the identification process may take longer.
- Write device-based policy in order of your most critical devices
to least critical. Prioritize by:
- Class (secure networked devices first)
- Critical devices (such as servers or MRI machines)
- Environment-specific devices (such as fire alarms and badge readers)
- Consumer-facing IoT devices (such as a smart watch or smart speaker)
- Enable Device-ID on a per-zone basis for internal zones only.
To deploy Device-ID, complete the following procedures:
Device-ID Predeployment Tasks
To prepare your network for Device-ID deployment,
complete the following predeployment tasks to enable your firewall
to generate and send EALs to the Cortex Data Lake for processing
and analysis by IoT Security for policy rule recommendation generation.
- If you have not already done so, install the device certificate on your firewall or Panorama.
- Activate your Cortex Data Lake (CDL) instance and connect your firewall to the instance.
- (L2 interfaces only) Create a VLAN interface for each L2 interface so the firewall can observe the DHCP broadcast traffic.
- (Optional) Configure a service route to allow
the necessary traffic for Device-ID.
- Select Device > Setup > Services, then select Service Route Configuration.
- Customize a service route.
- Select the IPv4 protocol. Device-ID and IoT Security do not support IPv6.
- Select Data Services in the Service column.
- Select a Source Interface and Source Address.
- Click OK twice.
- Use App-IDs to allow the necessary traffic for Device-ID
and IoT Security.
- Use the paloalto-iot-security App-ID to allow traffic between IoT Security and your firewall or Panorama. This App-ID is not needed if the firewall sends traffic from the management interface through a data interface in the same zone as the CDL and IoT Security, only if the traffic traverses more than one security zone.
- Use the paloalto-logging-service App-ID to allow traffic for all EALs and all session logs.
- Use the paloalto-updates App-ID to allow retrieval of IoT Security dynamic updates and updates for the Device Dictionary.
- Use the paloalto-iot-security App-ID to allow retrieval of policy rule recommendations.
If you have a non-Palo Alto Networks firewall between the firewall using Device-ID and the internet, verify that the non-Palo Alto Networks firewall can access iot.services-edge.paloaltonetworks.com:443.
- Configure your firewall to observe and generate logs
for DHCP traffic then forward the logs for processing and analysis
by IoT Security.
- If the firewall is a DHCP server:
- Enable Enhanced Application logging.
- Create a log forwarding profile to forward the logs to the CDL for processing.
- Enable the DHCP Broadcast Session option (Device > Setup > Session > Session Settings).
- If the firewall is not a DHCP server, configure an interface as a DHCP relay agent so that the firewall can generate EALs for the DHCP traffic it receives from clients.
- If your DHCP server is on the same network segment as your firewall's interface, deploy a virtual wire interface in front of the DHCP server to ensure the firewall generates EALs for all packets in the initial DHCP exchange with minimal performance impact.
- Configure a virtual wire interface with corresponding zones and enable the Multicast Firewalling option (Network > Virtual Wires > Add).
- Configure a rule to allow DHCP traffic to and from the DHCP server between the virtual wire zones. The policy must allow all existing traffic that the server currently observes and use the same log forwarding profile as the rest of your rules.
- To allow the DHCP servers to check if an IP address is active before assigning it as a lease to a new request, configure a rule to allow pings from the DHCP server to the rest of the subnet.
- Configure a rule to allow all other traffic to and from the DHCP server that does not forward logs for traffic matches.
- Configure the DHCP server host to use the first virtual wire interface and the network switch to use the second virtual wire interface. To minimize cabling, you can use an isolated VLAN in the switching infrastructure instead of connecting the DHCP server host directly to the firewall.
- If you want to use a tap interface to gain visibility into DHCP
traffic that the firewall doesn’t usually observe due to the current
configuration or topology of the network, use the following configuration
to minimize performance impact.
- Configure a tap interface and corresponding zone.
- Configure a rule to match DHCP traffic that uses the same log forwarding profile as the rest of your rules.
- To minimize the session load on the firewall, configure a rule to drop all other traffic.
- Connect the tap interface to the port mirror on the network switch.
- If the firewall is a DHCP server:
- Add session log types to the log forwarding profile. If there are no existing entries in the log forwarding profile, selecting the Enable enhanced application logging to Cortex Data Lake (including traffic and url logs) option adds all logs types.
- Add a new profile and enter a name.
- Select traffic as the Log type.
- Select All logs as the Filter.
- Select the Cortex Data Lake option.
- Click OK.
- Repeat substeps 1-5 for the threat and, if you have a subscription, wildfire log types.
Device-ID Deployment Tasks
Complete the following tasks to import the
policy rule recommendations and IP address-to-device mappings to
your firewall or Panorama.
- Activate your IoT Security license on the hub.
- Log in to the hub.
- Follow the instructions you received in your email to activate your IoT Security license.
- Initialize your IoT Security app, making sure to follow the IoT Security Best Practices. For more information, refer to the IoT Security app documentation and Get Started with IoT Security.
- Apply the license to the firewalls you want to use to enforce the IoT Security policy.
- Refresh your license on the firewall or Panorama.
- Define your IoT Security policy on the IoT Security app.
- On the IoT Security app, select the source device object.
- Create a new set of policy
rules for the source device object. For more information about creating security policies with the IoT Security app, please refer to Recommend Security Policies.
- Activate the policy rules to confirm your changes.
- Import the policy rule recommendation and IP address-to-device
mappings to the firewall or Panorama.
- Import the policy rule recommendation and
mappings.
- On the firewall, select Device > Policy Recommendation.
- For Panorama, select Panorama > Policy Recommendation.
When you select Policy Recommendation, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations. The policy rule recommendations are not cached on the firewall or Panorama. Because IoT Security creates the policy rule recommendation using the trusted behavior for the device, the default action for the rule is allow.
- Select the Source Device Profile.
- Verify that the Destination Device Profile and permitted Applications are correct.
- Select Import Policy Rules to import the policy rules.
- (Panorama only) Select the Location of the device group where you want to import the policy rules.
- Enter a Name for the policy rules.
- (Panorama only) Select the Destination Type (Pre-Rulebase or Post-Rulebase).
- Select After Rule to define
the placement of the rule in the rulebase.
- No Rule Selection—Places the rule at the top of the rulebase.
- Default One—Places the rule after the listed rule.
In your Security policy, Device-ID rules must precede any existing rules that apply to the devices.
- Repeat this process for each policy rule recommendation to create rules to allow access for each device object to the necessary destination(s).
- Click OK and Commit your changes.
- Enable Device-ID in each zone where you want to use Device-ID
to detect devices and enforce your Security policy. By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List. As a best practice, enable Device-ID in the source zone to detect devices and enforce security policy. You should only enable Device-ID for internal zones.
- Select Network > Zones.
- Select the zone where you want to enable Device-ID.
- Enable Device Identification then click OK.
- Commit your changes.
- Create custom device objects for any devices that do
not have IoT Security policy rule recommendations. For example, you cannot secure devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy. For more information on custom device objects, see Device-ID Post-Deployment Tasks.
- Use the device objects in policy and to monitor and identify
potential issues. The following list includes some example use cases for device objects.
- Use source and destination device objects for Security, Authentication, QoS, and Decryption policies.
- Use the decryption log to identify failures and which assets are the most critical to decrypt.
- View device object activity in ACC.
- Use device objects to create a custom report (for example, for incident reports or audits).
Device-ID Post-Deployment Tasks
Perform the following tasks as needed to ensure
your policy rule recommendations and device objects are current
or to restore policy rule recommendation mappings.
- Verify your Security policy is correct.
- Select Policies, then select the rule you created from the policy rule recommendation. IoT Security assigns a Description that contains the source device object and Tags to identify the source device object and that this rule is a recommendation from IoT Security. Device object names must be unique.
- Select the Source tab, then verify the Source Device Profile policy profile.
- Select the Destination tab and verify the Destination Device Profile.
- Select the Application tab and verify the Applications.
- Select the Actions tab and verify the Action (default is Allow).
- Use Explore to verify CDL receives your logs and review which logs CDL receives.
- Update your policy rule recommendation whenever the New Updates Available column displays Yes for that recommendation. As devices gain new capabilities, IoT Security updates the policy rule recommendations to advise what additional traffic or protocols the firewall or Panorama should allow. Check IoT Security daily for updates and update your policy rule recommendations as soon as possible.
- On the IoT Security app, Edit the policy rules then click Next.
- Select the new recommendation then click Next.
- Save your changes.
- On the firewall or Panorama, click Import
Policy Rules then click Yes to
confirm that you want to overwrite the current rule. This action overwrites the recommendation for the rule, not the rule itself.
- (Panorama only) Repeat the previous step for all device groups.
- Commit your changes.
- Review, update, and maintain the device objects in the
Device Dictionary.
- Select Objects > Devices.
- Add a device object.
- Browse the list or Search using
keywords. The search results can include multiple types of metadata (for example, both Category and Profile).
- To add a custom device object, enter a Name and
optionally a Description for the device object. Always use a unique name for each device object. Do not change the description for device objects from policy rule recommendations.
- (Panorama only) Select the Shared option to make this device object available to other device groups.
- Select the metadata for the device object (Category, OS, Profile, Osfamily, Model, and Vendor).
- Click OK to confirm your changes.
- In some cases (for example, if you restore a previous
configuration), the mappings may become out of sync. To restore
the mappings:
- On the firewall, select Device > Policy Recommendation > Sync Policy Rules.
- For Panorama, select Panorama > Policy Recommendation > Sync Policy Rules.
The firewall or Panorama scans all of the rules in the rulebase to check the tag that identifies the rule as an IoT Security policy rule recommendation, obtains the source device object information, and repopulates the local policy rule recommendation database.
- Delete any policy rule recommendations that are no longer
needed. If a policy rule recommendation no longer applies, you can remove the policy rule recommendation. You must also remove the rule for the policy rule recommendation to update your Security policy.
- On the IoT Security app, select Delete.
- Click Mark as Removed to select this recommendation for removal.
- Remove the mapping.
- On the firewall, select Device > Policy Recommendation > Remove Policy Mapping.
- For Panorama, select Device > Policy Recommendation > Remove Policy Mapping, then select the Location from which you want to remove the mapping.
- Click Yes to confirm the mapping removal.
- Select Policies > Security. For Panorama, select Policies > Security > Pre-Rules/Post-Rules.
- Select the rule for the policy rule recommendation you want to remove then select Delete.
- Commit your changes.
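As an added example (not PAN-OS or Palo Alto Networks code) covering the tag paragraph in the overview, the rule-placement requirement in the deployment tasks, and the Sync Policy Rules step above: the Python script below walks a constructed rulebase in an assumed simplified XML layout (`entry`, `tag/member`, `source-device/member`), rebuilds the recommendation-to-device mapping from the IoTSecurityRecommended and device tags the way Sync Policy Rules does, and flags rules whose device tag was removed or that sit behind an earlier rule matching the same source device. Rule and device names are made-up sample values.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RECOMMENDED_TAG = "IoTSecurityRecommended"
# Constructed rulebase in an assumed simplified layout; not an export from a real firewall.
SAMPLE_RULEBASE = """<rules>
  <entry name="legacy-allow-cameras">
    <source-device><member>Camera - Axis</member></source-device>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
  <entry name="Camera - Axis - rtsp">
    <tag><member>Camera - Axis</member><member>IoTSecurityRecommended</member></tag>
    <source-device><member>Camera - Axis</member></source-device>
    <application><member>rtsp</member></application>
    <action>allow</action>
  </entry>
  <entry name="Printer - HP - ipp">
    <tag><member>IoTSecurityRecommended</member></tag>
    <source-device><member>Printer - HP</member></source-device>
    <application><member>ipp</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

def members(entry: ET.Element, path: str) -> List[str]:
    return [m.text or "" for m in entry.findall(f"{path}/member")]

def rebuild_mappings(xml_text: str) -> Dict[str, Optional[str]]:
    """Model of Sync Policy Rules: keep only rules carrying the IoTSecurityRecommended
    tag and read the source device from the rule's other tag (None if it was removed)."""
    mapping: Dict[str, Optional[str]] = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        tags = members(entry, "tag")
        if RECOMMENDED_TAG not in tags:
            continue
        device_tags = [t for t in tags if t != RECOMMENDED_TAG]
        mapping[entry.get("name", "")] = device_tags[0] if device_tags else None
    return mapping

def audit(xml_text: str) -> List[str]:
    """Flag recommendation rules whose mapping cannot be restored (device tag edited
    away) and recommendation rules placed after an ordinary rule for the same device."""
    findings: List[str] = []
    seen_devices: set = set()   # source devices already matched by earlier ordinary rules
    for entry in ET.fromstring(xml_text).findall("entry"):
        name, tags = entry.get("name", ""), members(entry, "tag")
        devices = members(entry, "source-device")
        if RECOMMENDED_TAG not in tags:
            seen_devices.update(devices)
            continue
        if len(tags) < 2:
            findings.append(f"{name}: source device tag missing; Sync Policy Rules cannot restore it")
        for d in devices:
            if d in seen_devices:
                findings.append(f"{name}: shadowed by an earlier rule that already matches {d}")
    return findings
```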