Configure Third-Party Device-ID in Prisma Access (Panorama)

Allow third-party IoT device vendors to retrieve their device IDs using the Cloud Identity Engine and Prisma Access.
To configure third-party Device-ID, complete the following tasks.
  1. Activate Third-Party Device-ID in the Cloud Identity Engine.
    This procedure includes uploading a signed certificate, which is then used with an API to communicate with the third-party IoT vendor and download Device-ID information from it.
  2. Activate Third-Party Device-ID in Prisma Access by going to Panorama > Cloud Services > Configuration > Remote Networks > Settings, clicking the gear to edit the Settings, and selecting Enable Device Identification.
  3. Configure a device object and enter device attributes.
    1. Go to Objects > Devices and Add a device object that matches all the Device ID attributes.
      Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
    2. Add a device object that matches attributes for the third-party objects.
      The Cloud Identity Engine Mappings area displays the attributes of the third-party devices; you can use any attributes retrieved from there.
  4. Go to Policies > Security > Pre Rules and Add a security policy, adding the device objects you created in the Devices area as the Source Device.
    Be sure that you are in the Remote_Network_Device_Group or the Shared device group.
  5. Commit and push your changes, making sure that Remote Networks is selected in the Push Scope.
    1. Click Commit > Commit and Push.
    2. Edit Selections and, in the Prisma Access tab, make sure that Remote Networks is selected in the Push Scope, then click OK.
    3. Click Commit and Push.
  6. Verify that Prisma Access is receiving the Device-ID logs by going to Monitor > Logs and searching the Traffic logs for traffic under the rule you created by entering rule_matched = rulename, where rulename is the security policy rule you created for the third-party IoT devices.
    The Device-ID to IP address mappings display in the logs.
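The verification in step 6 can also be done offline against an exported Traffic log. The following script is an added example, not part of the original page or Palo Alto Networks' own tooling: it filters exported rows by the rule name (the same check as the rule_matched filter above) and builds the Device-ID to source IP mapping, reporting separately any source IP that matched the rule but carried no device attributes, which is the symptom of a mapping gap. The CSV column names and the log rows are constructed assumptions modelled on Device-ID log fields; adjust the column names to match your export.

```python
import csv
from io import StringIO

# Constructed sample of an exported Traffic log (not taken from the page).
# Column names are assumptions; real exports may name these fields differently.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,rule,src_category,src_profile,src_vendor,src_model,src_osfamily,src_mac
2024/01/10 09:00:01,10.10.1.21,10.0.0.5,Allow-IoT-Cameras,IP Camera,Vendor Camera,ExampleCam,C100,Linux,00:11:22:33:44:55
2024/01/10 09:00:02,10.10.1.22,10.0.0.5,Allow-IoT-Cameras,IP Camera,Vendor Camera,ExampleCam,C100,Linux,00:11:22:33:44:56
2024/01/10 09:00:03,10.10.2.7,10.0.0.9,Allow-Printers,Printer,Vendor Printer,ExamplePrint,P20,Embedded,aa:bb:cc:dd:ee:ff
2024/01/10 09:00:04,10.10.1.21,10.0.0.5,Allow-IoT-Cameras,IP Camera,Vendor Camera,ExampleCam,C100,Linux,00:11:22:33:44:55
2024/01/10 09:00:05,10.10.3.4,10.0.0.5,Allow-IoT-Cameras,,,,,,
"""

# Device-ID attribute columns to collect per source IP (assumed names).
DEVICE_FIELDS = ("src_category", "src_profile", "src_vendor",
                 "src_model", "src_osfamily", "src_mac")


def device_id_mappings(csv_text, rule_name):
    """Return (mappings, unidentified) for sessions matched by rule_name.

    mappings:     {source IP: {attribute column: value}} for rows carrying
                  at least one Device-ID attribute.
    unidentified: sorted source IPs that hit the rule but had no Device-ID
                  attributes at all, i.e. the third-party mapping is missing.
    """
    mappings = {}
    unidentified = set()
    for row in csv.DictReader(StringIO(csv_text)):
        if row.get("rule") != rule_name:
            continue  # only traffic under the rule created for the IoT devices
        attrs = {f: row[f] for f in DEVICE_FIELDS if row.get(f)}
        if not attrs:
            unidentified.add(row["src"])
            continue
        mappings[row["src"]] = attrs
    return mappings, sorted(unidentified)


if __name__ == "__main__":
    found, missing = device_id_mappings(SAMPLE_TRAFFIC_LOG, "Allow-IoT-Cameras")
    for ip, attrs in sorted(found.items()):
        print(ip, attrs["src_vendor"], attrs["src_model"], attrs["src_category"])
    print("no Device-ID attributes:", missing)
```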