IoT Security onboarding is a six-step process that starts from an Activate link in an email from Palo Alto Networks. (If you have an Enterprise License Agreement, it starts either in the Customer Support Portal or in the hub). During the IoT Security onboarding process, do the following depending on what you’re activating:

For IoT Security to discover network-connected devices and assess their network behavior patterns, it needs quality network metadata from next-generation firewalls. Therefore, it’s essential that firewalls are placed on the network and configured to collect metadata from traffic and forward it for IoT Security to access. In particular, DHCP traffic is important because it links dynamically assigned IP addresses to device MAC addresses, making them trackable over time.

Firewalls must also provide IoT Security with metadata for other types of traffic that devices generate. They do this by enforcing policy on network traffic, creating logs, and then forwarding them to the logging service, which then streams the metadata to IoT Security.

Logging service and device licenses permit next-generation firewalls to connect to the logging service and IoT Security. Logging service and device certificates authenticate these connections. Firewalls need these licenses and certificates to integrate with IoT Security.

Firewalls running PAN-OS 8.1–10.0 use logging service certificates to secure communications with the logging service so they can forward various logs to it. From PAN-OS 10.0, when Device-ID was introduced, firewalls use device certificates to secure communications with IoT Security to get IP address-to-device mappings and recommended policy rules. (Note: Panorama-managed firewalls can get recommended policy rules either directly from IoT Security or indirectly from IoT Security through Panorama.) From PAN-OS 10.1, firewalls use just one device certificate to secure connections to both the logging service and IoT Security. Panorama also uses a device certificate to secure communications with IoT Security.

Configure Security policy rules on firewalls to log traffic and forward logs to the logging service where IoT Security accesses it. The more network traffic metadata IoT Security has for analysis, the more quickly and confidently it identifies devices and establishes a baseline of their normal network behaviors. This results in a broader application of Security policy rules based on Device-ID (IoT Security sends firewalls IP address-to-device mappings only when it has a high confidence in their identities and the devices have sent or received traffic within the past hour) and broader and deeper insight into device risk and real and potential security threats.