The Palo Alto Networks IoT Security app uses machine learning to classify IoT devices based on the network traffic for which these devices are either a source or destination. To accomplish this, it relies on Enhanced Application logs (EALs) generated by the Palo Alto Networks next-generation firewall.

DHCP traffic is of particular importance to the IoT security solution. DHCP provides a way to create an IP address-to-device mapping (that is, an IP address-to-MAC address mapping) that is required for classification to take place. However, a firewall typically only generates an EAL entry when it receives a unicast DHCP message; for example, when there is centralized Internet Protocol address management (IPAM) and either the firewall or another local device acts as a DHCP relay agent. Below is an example architecture that illustrates a common case where the firewall generates EALs for unicast DHCP traffic.

The firewall generates an EAL entry for broadcast DHCP traffic when the packet is seen on a virtual wire (vWire) interface with multicast firewalling enabled, as shown below.