Configure Device-ID
Focus
Focus

Configure Device-ID

Table of Contents

Configure Device-ID

Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
Complete the following tasks to import the IP address-to-device mappings and policy rule recommendations from IoT Security to your firewall or Panorama.
If you use Panorama to manage multiple firewalls, Palo Alto Networks strongly recommends upgrading all firewalls in your Device-ID deployment to PAN-OS 10.0 or a later version. If you create a rule that uses Device as a match criteria and Panorama pushes the rule to a firewall that uses PAN-OS 9.1 or an earlier version, the firewall omits the Device match criteria because it is not supported, which may cause issues with policy rule traffic matching.
  1. Activate your IoT Security license on the hub.
    1. Follow the instructions that you received in your email to activate your IoT Security license.
    2. Initialize your IoT Security application. For more information, refer to Get Started with IoT Security.
  2. Import policy rule recommendations to the Security policy rulebase on a next-generation firewall or, through Panorama, to rulebases on multiple firewalls.
    1. Log in to a next-generation firewall or Panorama and select Device or PanoramaPolicy RecommendationIoT.
    2. Choose a device profile.
      When you choose a profile, the firewall or Panorama communicates with IoT Security to obtain the latest policy rule recommendations and displays them. IoT Security automatically generates policy rule names by concatenating the device profile name with the name of the application in each rule. Policy rule recommendations are not cached on the firewall or Panorama.
    3. Select one or more policy rule recommendations to import into the Security policy rulebase.
    4. Import Policy Rule, enter the following, and then click OK:
      (Firewall)
      Choose the name of a rule in the rulebase after which you want PAN-OS to place the imported rules. If you choose No Rule Selection, the firewall imports the selected rules to the top.
      (Panorama)
      Location: Choose one or more device groups where you want to import the policy rules. You can import policy rule recommendations into firewall rulebases in multiple device groups.
      Suggested Location: If IoT Security learns about zones and device groups in the logs it receives from next-generation firewalls, it suggests device groups for various policy rules accordingly. You can choose these suggested device groups among those available in the Location list or any other device groups if you prefer.
      Destination Type: Select either Pre-Rulebase to add the recommended policy rules before rules defined locally on a firewall or Post-Rulebase to add them after rules defined locally.
      After Rule: Choose a rule after which you want to add the imported rule or rules. If you choose No Rule Selection, the firewall imports the selected rules to the top. This is an optional setting. If you don’t choose a rule, the imported rules are added to the top of the rulebase.
      Device-ID rules must precede any existing rules that apply to the same devices in the rulebase. Because IoT Security creates the policy rule recommendation using the trusted behaviors for the device, the default action for each rule is allow.
    5. Repeat this process to import more rules to allow devices in the selected profiles to communicate with destinations using the specified applications.
    6. Commit your changes.
  3. Enable Device-ID in each zone where you want to use Device-ID to detect devices and enforce your Security policy rules.
    By default, Device-ID maps all subnetworks in the zones where you enable it. You can modify which subnetworks Device-ID maps in the Include List and Exclude List.
    As a best practice, enable Device-ID in the source zone to detect devices and enforce Device-ID Security policy rules. Only enable Device-ID for internal zones.
    1. Select NetworkZones.
    2. Select the zone where you want to enable Device-ID.
    3. Enable Device Identification then click OK.
    4. Repeat this as necessary for other zones for which you want to enforce Device-ID Security policy rules.
  4. Commit your changes.
  5. Verify your Security policy rules are correct.
    1. Select Policies and then select one of the rules you imported.
      IoT Security assigns a Description that contains the source device object and Tags to identify the source device object and that this rule is a recommendation from IoT Security.
    2. Select the Source tab, then verify the source device profile.
    3. Select the Application tab and verify the application.
    4. Select the Actions tab and verify the action (default is Allow).
    5. Use Explore to verify that the logging service receives your logs and review which logs it gets.
  6. Create custom device objects for any devices that do not have IoT Security policy rule recommendations.
    All device object names must be unique.
    For example, you cannot secure traditional IT devices such as laptops and smartphones using policy rule recommendations, so you must manually create device objects for these types of devices to use in your Security policy rules. For more information on custom device objects, see Manage Device-ID.
  7. Use the device objects to enforce policy rules and monitor and identify potential issues.
    The following list includes some example use cases for device objects.
    • Use source device objects and destination device objects in Security, Authentication, QoS, and decryption policies.
    • Use the decryption log to identify failures and which assets are the most critical to decrypt.
    • View device object activity in ACC to track new devices and device behavior.
    • Use device objects to create a custom report (for example, for incident reports or audits).