Onboard Enterprise IoT Security
Follow the onboarding workflow to create a URL for your Enterprise IoT Security portal and activate Enterprise IoT Security subscriptions for your firewalls.
It is important to keep the Enterprise IoT Security activation email you received from Palo Alto Networks. It not only contains confidential activation-related data, but if you still have unused Enterprise IoT Security licenses after completing the onboarding process, you can click the Activate button in the email again to repeat the process and activate more firewalls later.
If you activate at least one IoT Security license and then lose the email, you can still start the activation process by logging in to your Customer Support Portal account and selecting Activate Products and then clicking Activate Now for the IoT Security license you want to use for onboarding.
(Enterprise License Agreement) When you have an Enterprise License Agreement (ELA), begin the activation process by entering the authorization code that Palo Alto Networks sends you in your Customer Support Portal account. For complete step-by-step instructions, see Activate an Add-on Enterprise License Agreement through Common Services.
When you have Enterprise IoT Security subscriptions, the onboarding process consists of the following main steps.
  1. Click Activate in the Enterprise IoT Security activation email from Palo Alto Networks.
  2. Log in to the Palo Alto Networks hub.
  3. Activate Enterprise IoT Security.
  4. Add firewalls to the tenant service group (TSG) and associate IoT Security, and possibly other applications as well, with the firewalls.
  5. (Optional) Manage identity and access to Enterprise IoT Security.
  6. Set up Enterprise IoT Security and firewalls to work together.
    For instructions for these first six steps, see Common Services: Subscription & Tenant Management. Then return here to continue the setup.
  7. Log in to the Enterprise IoT Security portal and generate a one-time password (OTP) and pre-shared key (PSK) to get device and logging service certificates.
    For information about the sites that next-generation firewalls contact to authenticate certificates when communicating with Enterprise IoT Security, see IoT Security.
    1. As a user with owner privileges, click the Enterprise IoT Security link on either the Tenant Management or Device Associations page and log in to the Enterprise IoT Security portal.
      To be able to generate OTPs and PSKs, your user account must have been created in the Customer Support Portal (CSP) and assigned a superuser role in the relevant tenant service group (TSG) in Identity & Access. A superuser role in the hub provides owner privileges in Enterprise IoT Security.
    2. Select Administration > Firewalls > OTP/PSK Generation.
    3. If you manage your firewalls with Panorama, choose Yes and enter its serial number. This links your Panorama management server with the applications in this TSG. You can find the Panorama serial number in your Customer Support Portal account under Assets > Devices. After you choose Yes and enter your Panorama serial number, Enterprise IoT Security displays the materials you need to get the certificate or certificates that firewalls need to secure their connections with Enterprise IoT Security and the logging service.
      To get a device certificate, follow the link to the Customer Support Portal and log in to your account. To generate an OTP or PSK to get a logging service certificate, click the Generate icon next to each field.
      If you don’t use Panorama, choose No. Because an OTP for a logging service certificate applies only to Panorama, it isn’t shown.
      Consider the following points when deciding which certificates you need and how to generate them:
      Device Certificate: From PAN-OS 10.0, firewalls require a device certificate to authenticate with Enterprise IoT Security and, from PAN-OS 10.1, to also authenticate with the logging service. To generate and install a device certificate on firewalls directly and through Panorama:
      Logging Service Certificate – One-Time Password: An OTP is necessary for Panorama to verify itself with its logging service instance and obtain logging service certificates for Panorama-managed firewalls running PAN-OS 8.1-10.0. A logging service certificate authenticates firewalls with the logging service.
      1. Select Assets > Device Certificates and Generate OTP.
      2. For the Device Type, select Generate OTP for Panorama and Generate OTP.
      3. Select the Panorama Device serial number.
      4. Generate OTP and then copy the OTP.
      5. Log in to the Panorama Web Interface as an admin user and select Panorama > Setup > Management > Device Certificate and Get certificate.
      6. Paste the OTP and then click OK.
      Logging Service Certificate – Pre-Shared Key: A PSK is necessary to generate a logging service certificate on firewalls without Panorama management running PAN-OS 9.0.6-10.0.x. A logging service certificate authenticates firewalls with the logging service. To generate a logging service certificate:
      1. Regenerate the PSK if necessary and copy it.
      2. Log in to your PAN-OS 9.0.6-10.0.x firewall and select Device > Setup > Management.
      3. In the Strata Logging Service section, click Connect next to Onboard without Panorama.
        This opens the Onboard without Panorama dialog box.
      4. Paste the PSK and Connect.
        The firewall first connects to the Customer Support Portal, submits the PSK, and downloads a logging service certificate. It then uses the certificate to authenticate itself and connect securely to the logging service.
      5. Click the Edit icon (gear) for Strata Logging Service. Select Enable Duplicate Logging (Cloud and On-Premises) and Enable Enhanced Application Logging.
      6. Choose the region where the logging service will ingest logs from your firewalls.
        For PA-7000 and PA-5200 models, enter the number of connections for sending logs from the firewall to the logging service. The range is 1-20 and the default is 5.
      7. When done, click OK.
        The term “Strata Logging Service” is a bit of a misnomer. The firewall forwards logs to the logging service, which only streams them to Enterprise IoT Security. Enterprise IoT Security doesn’t use Strata Logging Service at all, but it still requires that this setting be enabled to do logging.
  8. Prepare the firewall for Enterprise IoT Security.
    • While logged in to your firewall, prepare it for IoT Security. Enable Device-ID in each zone where you want to use it to enforce Security policy rules. Select Network > Zones, select a zone, Enable Device Identification, and then click OK. Repeat this for other zones and then Commit your changes.
    • Ensure that logging is enabled on Security policy rules, which it is by default.
    • Create and apply a Log Forwarding profile to policy rules.
    • (Optional) If the firewall is using a data interface for Enterprise IoT Security communications, set the necessary service routes.
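    The three firewall-side requirements above (Device-ID enabled on the relevant zones, logging enabled on Security policy rules, and a Log Forwarding profile applied) can be audited from an exported PAN-OS configuration before you commit. The following script is an added example written for this page; it is not Palo Alto Networks code, and the XML element names it reads (zone/entry, enable-device-identification, rulebase/security/rules/entry, log-end, log-setting) and the sample configuration are assumptions constructed to illustrate the check, not an export from a real firewall.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample excerpt of a PAN-OS configuration (assumption: this mirrors the
# running-config XML layout; it was written for this example, not exported from a device).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="iot-floor1">
        <network><layer3><member>ethernet1/3</member></layer3></network>
        <enable-device-identification>yes</enable-device-identification>
      </entry>
      <entry name="iot-floor2">
        <network><layer3><member>ethernet1/4</member></layer3></network>
      </entry>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-device-identification>no</enable-device-identification>
      </entry>
    </zone>
    <rulebase><security><rules>
      <entry name="iot-to-internet">
        <from><member>iot-floor1</member></from>
        <to><member>untrust</member></to>
        <log-end>yes</log-end>
        <log-setting>fwd-to-logging-service</log-setting>
      </entry>
      <entry name="iot-floor2-out">
        <from><member>iot-floor2</member></from>
        <to><member>untrust</member></to>
        <log-end>yes</log-end>
      </entry>
      <entry name="quiet-rule">
        <from><member>iot-floor1</member></from>
        <to><member>untrust</member></to>
        <log-end>no</log-end>
        <log-setting>fwd-to-logging-service</log-setting>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Path from <config> to each vsys entry (assumed layout).
VSYS_XPATH = "./devices/entry/vsys/entry"


def zones_without_device_id(config_xml: str) -> list[str]:
    """Return the names of zones where Device-ID is not enabled.

    A missing <enable-device-identification> element is treated as 'no'.
    Zones such as an Internet-facing 'untrust' zone may legitimately appear
    here; the list is a review aid, not a verdict.
    """
    root = ET.fromstring(config_xml)
    missing: list[str] = []
    for vsys in root.findall(VSYS_XPATH):
        for zone in vsys.findall("./zone/entry"):
            flag = zone.findtext("enable-device-identification", default="no")
            if flag.strip().lower() != "yes":
                missing.append(zone.get("name", "?"))
    return missing


def rules_with_logging_gaps(config_xml: str) -> dict[str, list[str]]:
    """Map each Security rule name to the logging problems found on it.

    Problems reported: 'log-end disabled' (session-end logging turned off) and
    'no log forwarding profile' (no <log-setting>, so nothing reaches the logging
    service). An absent <log-end> is treated as the default 'yes', matching the
    page's statement that logging is enabled on rules by default (assumption).
    """
    root = ET.fromstring(config_xml)
    findings: dict[str, list[str]] = {}
    for vsys in root.findall(VSYS_XPATH):
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            problems: list[str] = []
            if rule.findtext("log-end", default="yes").strip().lower() != "yes":
                problems.append("log-end disabled")
            if not (rule.findtext("log-setting") or "").strip():
                problems.append("no log forwarding profile")
            if problems:
                findings[rule.get("name", "?")] = problems
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point the functions at your own export instead.
    print("Zones without Device-ID:", zones_without_device_id(SAMPLE_CONFIG))
    for rule, problems in rules_with_logging_gaps(SAMPLE_CONFIG).items():
        print(f"Rule {rule!r}: {', '.join(problems)}")
```

On the sample, the script reports iot-floor2 and untrust as zones without Device-ID, flags iot-floor2-out for lacking a Log Forwarding profile, and flags quiet-rule for having session-end logging turned off. Either gap means traffic from those devices never reaches the logging service, so the devices will not appear in the Enterprise IoT Security portal.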
  9. Use the Enterprise IoT Security portal.
    To access the rest of the web interface, use the navigation menu on the left. For an overview of the Enterprise IoT Security portal, see the previous chapter, What Enterprise IoT Security Does.
    There might not be any data in the portal when you first log in. Firewalls create network traffic data logs and forward them to the logging service, which streams them to the IoT Security Cloud. On average, devices begin showing up in the Enterprise IoT Security portal within the first 30 minutes. Depending on the size of the network and the amount of activity of the devices on it, it can take several days for all the data to show up.
    To see the status of logs that the logging service is streaming to the Enterprise IoT Security application, go to Networks > Networks and Sites > Sites and to Administration > Firewalls in the Enterprise IoT Security portal.
    After Enterprise IoT Security has had time to use its machine-learning algorithms to analyze the network behavior of your IoT devices (1-2 days), you can begin examining the types and number of devices on your network and consider how to use this information when monitoring and securing your network and the devices in it. Some common ways to use Enterprise IoT Security are described in the next chapter.