Offboard IoT Security Subscriptions
Table of Contents
Expand all | Collapse all
-
- Firewall and PAN-OS Support of IoT Security
- IoT Security Prerequisites
- Onboard IoT Security
- Onboard IoT Security on VM-Series with Software NGFW Credits
-
- DHCP Data Collection by Traffic Type
- Firewall Deployment Options for IoT Security
- Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
- Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
- Use a Tap Interface for DHCP Visibility
- Use a Virtual Wire Interface for DHCP Visibility
- Use SNMP Network Discovery to Learn about Devices from Switches
- Use Network Discovery Polling to Discover Devices
- Use ERSPAN to Send Mirrored Traffic through GRE Tunnels
- Use DHCP Server Logs to Increase Device Visibility
- Plan for Scaling when Your Firewall Serves DHCP
- Prepare Your Firewall for IoT Security
- Configure Policies for Log Forwarding
- Control Allowed Traffic for Onboarding Devices
- Support Isolated Network Segments
- IoT Security Integration with Prisma Access
- IoT Security Licenses
- Offboard IoT Security Subscriptions
-
- Introduction to IoT Security
- IoT Security Integration with Next-generation Firewalls
- IoT Security Portal
- Vertical-themed Portals
- Device-to-Site Mapping
- Sites and Site Groups
- Networks
- Network Segments Configuration
- Reports
- IoT Security Integration Status with Firewalls
- IoT Security Integration Status with Prisma Access
- Data Quality Diagnostics
- Authorize On-demand PCAP
- IoT Security Integrations with Third-party Products
- IoT Security and FedRAMP
Offboard IoT Security Subscriptions
Deactivate IoT Security licenses, transfer IoT Security
subscriptions, or let them expire.
There are three ways to offboard IoT Security
services from a firewall:
- Deactivate the IoT Security license on a firewall and optionally transfer it to another firewall
- Transfer a firewall from one customer support portal (CSP) account to another
- Let the subscription expire
Deactivate Firewalls and Transfer Licenses
If you want to remove an IoT Security license
from a firewall—and perhaps then use the license on another firewall—you
can do so on the Customer Support Portal.
- Log in to your Customer Support Portal account.Disassociate IoT Security licenses from one or more firewalls.
- Select License ManagementActivated Licenses, select the license-to-firewall associations that you want to sever based on firewall serial numbers, and then Deactivate Licenses.
- Confirm the deactivation.If you want to apply the deactivated licenses to other firewalls and you have multiple IoT Security license purchase orders, note the number of available licenses in the orders on the Activate Products page before confirming the deactivation. Then when you return to this page after deactivating licenses, you can tell which order they were returned to because the license number will have increased.This dissociates the selected IoT Security licenses from the firewall serial numbers and returns them to the pool of available licenses in the original order on the Activate Products page.
Associate licenses with other firewalls or reassociate them with the same firewalls.- Select Activate ProductsReady for Activation and then click Activate Now for the order with licenses to activate.
- Follow the workflow described in Onboard IoT Security.When you reach the point in the onboarding workflow when you select firewalls to subscribe to IoT Security, you can see the length of time remaining for each license in the Purchased Term drop-down list. If you want to apply the same license that you just deactivated to another firewall, you’ll notice that its remaining length of unused time will be shorter than other licenses that haven’t yet been put in service. For example, if the original order contains licenses valid for three years and you used a license for one year before deactivating it, you can easily spot it because its remaining validity period will be the only one listed as just two years.
Transfer Firewalls between CSP Accounts
If you have two CSP accounts or are an MSSP managing multiple accounts, you can transfer a firewall from one account to another, perhaps because you’re moving it to a different location managed by a different team with their own account. When you transfer the firewall, all its licenses are transferred along with it. To do this, log in to the CSP and click Devices. Find the device you want to transfer, click its serial number to open a device details pane for it, and then click Transfer Ownership. In the Device Transfer dialog box that appears, enter the destination email address of the owner of the account to which you’re transferring the firewall.Let the IoT Security Subscription Expire
When a firewall no longer has an IoT Security subscription because it expired (and there is no pending license renewal), IoT Security services for that firewall stop and the connection between IoT Security and the firewall is terminated. IoT Security unsubscribes from the firewall log feed. As a result, it stops receiving and processing logs from that firewall. The firewall stops receiving new policy recommendations and IP address-to-device mappings, and it clears its cached mappings after 200 minutes (about three hours). At that point, none of the device-based policy rules using Device-ID will work and should be removed from your policy set. An efficient way to remove them is to check the Source Device and Destination Device columns on the PoliciesSecurity page and remove all rules that have entries in either of these two columns.