IoT Security Solution Setup
Table of Contents
Expand all | Collapse all
-
- Firewall and PAN-OS Support of IoT Security
- IoT Security Prerequisites
- Onboard IoT Security
- Onboard IoT Security on VM-Series with Software NGFW Credits
-
- DHCP Data Collection by Traffic Type
- Firewall Deployment Options for IoT Security
- Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
- Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
- Use a Tap Interface for DHCP Visibility
- Use a Virtual Wire Interface for DHCP Visibility
- Use SNMP Network Discovery to Learn about Devices from Switches
- Use Network Discovery Polling to Discover Devices
- Use ERSPAN to Send Mirrored Traffic through GRE Tunnels
- Use DHCP Server Logs to Increase Device Visibility
- Plan for Scaling when Your Firewall Serves DHCP
- Prepare Your Firewall for IoT Security
- Configure Policies for Log Forwarding
- Control Allowed Traffic for Onboarding Devices
- Support Isolated Network Segments
- IoT Security Integration with Prisma Access
- IoT Security Licenses
- Offboard IoT Security Subscriptions
-
- Introduction to IoT Security
- IoT Security Integration with Next-generation Firewalls
- IoT Security Portal
- Vertical-themed Portals
- Device-to-Site Mapping
- Sites and Site Groups
- Networks
- Network Segments Configuration
- Reports
- IoT Security Integration Status with Firewalls
- IoT Security Integration Status with Prisma Access
- Data Quality Diagnostics
- Authorize On-demand PCAP
- IoT Security Integrations with Third-party Products
- IoT Security and FedRAMP
IoT Security Solution Setup
Set up the multiple components that constitute the IoT Security solution.
The following is an overview of the main steps involved
in setting up the IoT Security solution with particular focus on
the following three components:
- Palo Alto Networks Next-Generation Firewalls with or without Panorama management
- Logging service with or without a Strata Logging Service instance
- IoT Security application
The solution also makes use of the update server for device dictionary file updates and
the Customer Support Portal and hub for IoT Security user management. Optionally, IoT Security integrates with Prisma Access and SD-WAN and, through XSOAR,
with third-party products.
Learn about the main steps involved in the IoT Security solution
setup:
1 - Check Firewall Support and Prerequisites
Most current Palo Alto Networks firewall models support
IoT Security with a few exceptions and
with different degrees of functionality depending on the PAN-OS
release:
- PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1: Device visibility and manually configured Security policy enforcement
- PAN-OS 10.0 or later: Device visibility and automated Security policy enforcement through Device-ID
Although IoT Security is a cloud application and is always running its latest software version,
make sure the firewall models and PAN-OS versions on them support the level of
functionality you want.
In addition, there are several prerequisites. For example,
each firewall that integrates with IoT Security must have an IoT Security
subscription. Not all firewalls on your network must subscribe to IoT Security; only
those that collect network traffic and forward logs to it and those after PAN-OS
10.0 that receive policy rule recommendations and IP address-to-device mappings from
it.
Detailed Instructions
2 - Onboard IoT Security
IoT Security onboarding is a six-step process that starts
from an Activate link in an email from Palo
Alto Networks. (If you have an Enterprise License Agreement, it
starts either in the Customer Support Portal or in the hub). During
the IoT Security onboarding process, do the following depending
on what you’re activating:
- Create an IoT Security tenant
- (IoT Security Subscription) Activate a new Strata Logging Service instance or associate an existing one with your IoT Security tenantor(IoT Security Subscription - Doesn’t Require Data Lake) Specify the data ingestion region
- Subscribe firewalls to IoT Security services
- Optionally activate a third-party integrations add-on
Detailed Instructions
3 - Prepare Firewalls
For IoT Security to discover network-connected devices
and assess their network behavior patterns, it needs quality network
metadata from next-generation firewalls. Therefore, it’s essential
that firewalls are placed on the network and configured to collect
metadata from traffic and forward it for IoT Security to access.
In particular, DHCP traffic is important because it links dynamically
assigned IP addresses to device MAC addresses, making them trackable
over time.
Firewalls must also provide IoT Security with metadata for other
types of traffic that devices generate. They do this by enforcing
policy on network traffic, creating logs, and then forwarding them
to the logging service, which then streams the metadata to IoT Security.
Detailed Instructions
4 - Install Certificates and Licenses
Logging service and device licenses permit next-generation
firewalls to connect to the logging service and IoT Security. Logging
service and device certificates authenticate these connections.
Firewalls need these licenses and certificates to integrate with
IoT Security.
Firewalls running PAN-OS 8.1–10.0 use logging service certificates
to secure communications with the logging service so they can forward various logs to
it. From PAN-OS 10.0, when Device-ID was
introduced, firewalls use device certificates to secure communications
with IoT Security to get IP address-to-device mappings and recommended
policy rules. (Note: Panorama-managed firewalls can get recommended
policy rules either directly from IoT Security or indirectly from
IoT Security through Panorama.) From PAN-OS 10.1, firewalls use
just one device certificate to secure connections to both the logging
service and IoT Security. Panorama also uses a device certificate
to secure communications with IoT Security.
Detailed Instructions
5 - Configure Logging
Configure Security policy rules on firewalls to log traffic and forward logs to the logging
service where IoT Security accesses it. The more network traffic metadata IoT Security has for analysis, the more quickly and confidently it identifies devices
and establishes a baseline of their normal network behaviors. This results in a
broader application of Security policy rules based on Device-ID (IoT Security sends
firewalls IP address-to-device mappings only when it has a high confidence in their
identities and the devices have sent or received traffic within the past hour) and
broader and deeper insight into device risk and real and potential security
threats.
Detailed Instructions