Device-ID Overview

According to cybersecurity research, a significant percentage (e.g., 30%) of network-connected devices in typical enterprises are Internet of Things (IoT) devices. This presents a growing attack surface. Device-ID on Palo Alto Networks firewalls helps address this risk by providing device context for network events, enabling device-based policy rules, offering policy recommendations, and enforcing security based on those recommendations.

Similar to how User-ID enables user-based policies and App-ID enables application-based policies, Device-ID enables policies based on the device itself, regardless of IP address or location changes. This traceability provides valuable context for network events and allows for more precise security controls.

Device-ID can be used in Security, Decryption, Quality of Service (QoS), and Authentication policy rules.

Device-ID Concept Flowchart

graph TD A[IoT Security License Subscription or DRDL] --> B{Firewall PAN-OS 10.0+}; B -- Sends Enhanced App Logs EALs --> C[Logging Service CDL]; C -- Streams Logs --> D[IoT Security Cloud Service Analyzes Logs]; D -- Determines --> E{Device Attributes Category Profile Model OS Vendor}; D -- Generates --> F{Policy Recommendations Allowed Apps Destinations}; B -- Receives & Caches --> E; G[Panorama Firewall Admin Action] -- Imports --> F; G -- Uses Attributes --> E; E --> H[Device-ID Feature IP-to-Device Mapping]; H --> I[Security Policy Rules Match on Source Dest Device]; F -- Becomes Basis For --> I; style B fill:#f9f,stroke:#333,stroke-width:2px style D fill:#ccf,stroke:#333,stroke-width:2px style H fill:#cfc,stroke:#333,stroke-width:2px style I fill:#cfc,stroke:#333,stroke-width:2px

This diagram shows how the IoT Security subscription enables the Device-ID feature by analyzing logs to identify devices and recommend policies, which are then used by the firewall/Panorama.

Requirements and Licensing

To use Device-ID features on a firewall, you must purchase an IoT Security subscription and select the firewall during the IoT Security onboarding process. Two subscription types exist:

IoT Security Subscription: Sends logs via the logging service to IoT Security for analysis AND to a Cortex Data Lake instance for storage.
IoT Security Doesnt Require Data Lake (DRDL) Subscription: Sends logs via the logging service to IoT Security for analysis but does NOT require or send logs to Cortex Data Lake for storage.

Both subscriptions provide the same core IoT Security analysis and Device-ID functionality. Additionally:

A device certificate is required on the firewall/Panorama to authenticate to the logging service and IoT Security.
A logging service license might be required depending on the setup (often bundled or implied with IoT Security).
Device-ID for policy enforcement requires PAN-OS 10.0 or later . Earlier versions (8.1-9.1) with an IoT license provide classification and analysis but not device-based policy enforcement via Device-ID.
All firewall platforms supporting PAN-OS 10.0 support Device-ID, except VM-50, VM-100, VM-200, and CN-Series firewalls.

When importing policy recommendations or mappings, the firewall/Panorama validates the IoT Security edge server certificate via OCSP checks (HTTP, TCP port 80) to *.o.lencr.org and x1.c.lencr.org .

Device Classification Levels

IoT Security classifies devices using metadata from logs, network protocols, and sessions. It assigns up to six attributes:

Attribute	Example
Category	Printer
Profile	Sharp Printer
Model	MX-6070N
OS Version	ThreadX 5
OS Family	ThreadX RTOS
Vendor	SHARP Corporation

Device-ID Workflow (Policy Recommendations)

The firewall observes traffic and generates Enhanced Application Logs (EALs).
EALs are forwarded to the logging service.
IoT Security receives logs from the logging service for analysis.
IoT Security identifies devices, determines IP-to-device mappings, learns behavior, and generates policy rule recommendations.
An administrator reviews policy recommendations in the IoT Security portal.
The administrator activates desired policy rule sets in IoT Security.
Activated rules (definitions and device objects) are automatically pushed/made available to subscribed firewalls/Panorama.
An administrator imports the recommended rules into the Security policy rulebase on the firewall or Panorama.
Device-ID is enabled on relevant zones on the firewall.
The firewall enforces the imported Security policy rules using the IP-to-device mappings provided by IoT Security.

DHCP traffic visibility (via DHCP server logs, DHCP relay config, VLAN/L3 on L2 interface, SPAN/ERSPAN, or virtual wire) is crucial for accurately mapping dynamic IP addresses to devices.

Imported rules are tagged (e.g., NetworkDevice - TrendNet , IoTSecurityRecommended ). Do not remove these tags, as they are used for mapping synchronization.

Deployment Best Practices

Deploy firewalls acting as Device-ID sensors centrally where they can see relevant traffic (e.g., upstream of IPAM or on a DHCP server firewall).
Allow at least 14 days initially for device discovery and behavior learning.
Prioritize creating device-based policies: secure networked devices > critical devices > environment-specific devices > consumer IoT.
Enable Device-ID per-zone, focusing on internal zones only.

Prepare to Deploy Device-ID

Before configuring Device-ID, ensure the following prerequisites are met:

Install a device certificate on the firewall or Panorama.
Install/retrieve necessary licenses (IoT Security, potentially logging service) on the firewalls. ( Device > Licenses > Retrieve license keys from license server ).
(If using L2 interfaces for device segments) Configure a VLAN interface for each L2 interface to allow DHCP visibility.
(Optional) Configure Service Routes ( Device > Setup > Services > Service Route Configuration ) to use specific data interfaces for:
- Data Services: For forwarding EALs to the logging service.
- IoT: For pulling mappings/recommendations from IoT Security.
- Palo Alto Networks Services: For other logs and device dictionary updates.
(Optional, if using Service Routes) Create Security policy rules allowing necessary traffic from the service route source interface/IP:
- Allow App-ID paloalto-iot-security to the appropriate regional IoT edge service FQDN (see tables below).
- Allow App-IDs paloalto-shared-services , paloalto-logging-service , and paloalto-updates to the logging service and update server FQDNs (or use an existing trusted outbound rule).
Ensure any upstream third-party firewalls allow the required traffic (see tables below).
Configure DHCP visibility mechanisms (DHCP server logging, DHCP relay, virtual wire, tap interface, ERSPAN) as needed for your environment.
Apply a Log Forwarding profile (forwarding required log types to the logging service) to relevant Security policy rules.

Required FQDNs/Ports (Ensure firewalls/Panorama can reach these)

Note: PAN-OS 10.0.3+ typically discovers the correct regional FQDN automatically. Manual configuration might be needed for 10.0.0-10.0.2 if not in the US region.

Purpose	Address/FQDN	TCP Port
Regional FQDN Discovery (PAN-OS 10.0.3+)	`enforcer.iot.services-edge.paloaltonetworks.com`	443
Receive Policy Recommendations & Mappings (Regional Endpoints)	`iot.services-edge.paloaltonetworks.com` (US) `ca.iot.services-edge.paloaltonetworks.com` (Canada) `eu.iot.services-edge.paloaltonetworks.com` (EU) `apac.iot.services-edge.paloaltonetworks.com` (APAC) `jp.iot.services-edge.paloaltonetworks.com` (Japan) `au.iot.services-edge.paloaltonetworks.com` (Australia)	443
Download Device Dictionary Files	`updates.paloaltonetworks.com`	443
Forward Logs to Logging Service / Cortex Data Lake	Refer to Cortex Data Lake documentation for required FQDNs/ports based on region.
OCSP Check for Server Cert Validation	`*.o.lencr.org` `x1.c.lencr.org`	80 (HTTP)

Configure Device-ID

After preparation, configure Device-ID by importing recommendations:

Activate your IoT Security license and initialize the IoT Security app via the hub.
Define and activate your desired Security policy rule sets within the IoT Security portal.
Import the policy rule recommendations into Panorama or the firewall:
1. Navigate to Policy Recommendation > IoT (under Device or Panorama tab). Refresh the page if needed.
2. Select the desired recommendations (up to 10 at a time).
3. Click Import Policy Rule(s) .
4. (Panorama) Select target Device Group(s) and Pre/Post Rulebase location.
5. Choose an existing rule to insert after (optional; defaults to top).
6. Click OK . Repeat import process as needed.
7. Commit changes on Panorama/firewall.
Enable Device-ID on relevant internal zones:
1. Navigate to Network > Zones .
2. Select the zone.
3. Check Enable Device Identification .
4. (Optional) Refine subnet scope using Include/Exclude lists.
5. Click OK . Repeat for other zones.
Commit changes.
Verify imported Security policy rules ( Policies > Security ) - check source device, destination, application, action, description, and tags.
Create custom device objects ( Objects > Devices > Add ) for devices not covered by IoT recommendations (e.g., laptops, servers). Define by Category, Profile, Model, OS, Vendor as needed.
Use imported and custom device objects in Security, Decryption, QoS, and Authentication policies. Monitor activity via ACC and logs.

Manage Device-ID

Maintain your Device-ID deployment:

Update Recommendations: As IoT Security learns and updates, check for new recommendations daily.
- With Panorama: Edit/save policy set in IoT Security. In Panorama, go to Policy Recommendation > IoT, select rules, click Import, choose DGs, confirm overwrite. Commit.
- Without Panorama: Edit/save policy set in IoT Security. In firewall GUI, go to Policy Recommendation > IoT, note rules with "New Updates Available". Edit corresponding rules under Policies > Security. Return to Policy Recommendation > IoT and click "Sync Policy Rules". Commit.
Manage Custom Objects: Review and update custom device objects under Objects > Devices as needed.
Remove Unneeded Rules:
1. Delete recommendations from the policy set in IoT Security.
2. Remove policy mapping in Panorama/firewall ( Policy Recommendation > IoT > Remove Policy Mapping ).
3. Delete the corresponding rule from the Security policy rulebase ( Policies > Security ).
4. Commit changes.
Troubleshoot: Use CLI commands if issues arise.

CLI Commands for Device-ID

Use these CLI commands on the firewall to view information for troubleshooting:

Note: Commands with eal generally show outgoing data counters (to Logging Service/CDL), while commands with icd show incoming data counters (from IoT Security).

Command	Description
`show iot eal all`	View overall Enhanced Application Logging (EAL) counters.
`show iot eal conn`	View connection details between firewall and Logging Service/CDL.
`show iot eal dpi-eal`	View EAL counters summary by plane (DP/MP).
`show iot eal dpi-stats all`	View EAL counters by plane and protocol.
`show iot eal dpi-stats subtype`	View EAL counters for a specific protocol.
`show iot eal hipreport-eal`	View HIP Match report EAL counters summary.
`show iot eal response-time`	View EAL log response time counters.
`show iot icd statistics all`	View overall IoT Cloud Daemon (ICD) stats (connection health, mappings, recommendations).
`show iot icd statistics conn`	View ICD connection counters to the IoT edge service.
`show iot icd statistics verdict`	View ICD IP-to-device mapping counters.
`show iot ip-device-mapping-mp all`	View all IP-to-device mappings on the management plane.
`show iot ip-device-mapping-mp ip`	View mapping for a specific IP on the management plane.
`show iot ip-device-mapping all`	View IP-to-device mappings on the data plane.
`debug iot clear-all type device`	Clear IP-to-device mappings on the management plane.
`clear user-cache all`	Clear user/device mappings on the data plane (use with caution).

?? Device-ID Interactive Quiz

1. What core Palo Alto Networks feature is enabled by purchasing and configuring the IoT Security subscription?

User-ID App-ID Device-ID Content-ID

2. Which PAN-OS version introduced the ability to use Device-ID for policy enforcement?

PAN-OS 8.1 PAN-OS 9.0 PAN-OS 9.1 PAN-OS 10.0

3. What type of logs does the firewall primarily send to the logging service for IoT Security analysis?

Traffic Logs Threat Logs Enhanced Application Logs (EALs) System Logs

4. Which device attribute is NOT one of the six standard classification levels provided by Device-ID/IoT Security?

Category Model MAC Address Vendor

5. What action must an administrator take in the IoT Security portal before policy recommendations can be imported into Panorama/Firewall?

Manually create device objects for all devices. Activate the desired policy rule set(s). Configure service routes for IoT traffic. Download the device dictionary.

6. In which type of policy rules can Device-ID objects be used?

Security policies only NAT policies only Security, Decryption, QoS, and Authentication policies PBF policies only

7. What protocol's traffic visibility is crucial for accurately mapping dynamic IP addresses to devices for Device-ID?

DNS SNMP DHCP NTP

8. What is the recommended best practice regarding enabling Device-ID on zones?

Enable it on all zones, including external/untrust. Enable it only on the zone containing the DHCP server. Enable it on internal zones only. Enable it only if using Panorama.

9. What are the two tags automatically assigned to Security policy rules imported from IoT Security recommendations?

'DeviceID' and 'AutoGenerated' 'SourceDevice - [Profile]' and 'IoTSecurityRecommended' 'IoT' and '[DeviceCategory]' 'ManagedByPanorama' and 'CloudDelivered'

10. Which CLI command would you use to see the IP-to-Device mappings currently held on the firewall's management plane?


        show iot icd statistics verdict


        show iot ip-device-mapping all


        show iot ip-device-mapping-mp all


        show arp all

Table of Contents