Device Security Dynamic Policies
paloalto panorama device-security iot
Context
- Environment: PAN-OS 11.1.10 (majority), policy enforcement managed in Panorama / PAN-OS
- Strata Cloud Manager (SCM): used for Device Security visibility and for defining/activating policy recommendations / IoT policy rule sets (not for enforcing rulebase directly)
- Enforcement only occurs after Panorama import + commit + push to firewalls
High-level model
-
Device Security (SCM app)
- Builds inventory, device profiles, behavior baselines
- Produces policy rule recommendations and Device-ID context (IP-to-device mappings, device attributes)
- You “activate”/manage recommendation sets here
-
Panorama / PAN-OS
- Imports the active recommendations into a device group rulebase (Pre/Post)
- You commit and push for enforcement
Deployment steps (Panorama-managed)
| Step | Where | Action | Notes |
|---|---|---|---|
| 1 | Firewalls + Panorama | Ensure the logging pipeline exists | Device Security recommendations are built from metadata the firewalls collect and forward. |
| 2 | Firewalls | Enable Enhanced Application Logging (EAL) and forward to Strata Logging Service | EAL is enabled globally and is typically enabled per Security rule via a Log Forwarding Profile where required. |
| 3 | SCM (Device Security) | Verify inventory + device profiles are populating | Confirms data flow and that Device Security can generate usable recommendations. |
| 4 | SCM (Device Security) | Activate the policy rule set / recommendations you intend to use | Panorama will only see what’s active/available to import. |
| 5 | Panorama | Open Policy Recommendation → IoT (UI label may still say IoT), refresh, review | Panorama fetches the latest active recommendations when you open/refresh the page. |
| 6 | Panorama | Import policy into the target device group / rulebase location | Choose Pre/Post rulebase placement and insertion point. |
| 7 | Panorama | Commit + push | Commit to Panorama, then push to device group(s). This is where enforcement becomes real. |
| 8 | Firewalls | Enforcement with Device-ID context | Device-ID mappings are used so rules can match the right devices even as IPs change. |
| 9 | Ongoing | Monitor and refine | Iterate: adjust what’s active in Device Security, re-import/adjust placement in Panorama, validate rule hits and behavior drift. |
“Green user” clarifications (important)
- SCM does not enforce traffic policy. It provides visibility + recommendations. Enforcement happens only in firewall policy after Panorama commit/push.
- UI wording may still say “IoT” in Panorama. That’s normal during the transition to “Device Security” branding.
PAN-OS 11.1.10 note (recommendation coverage)
- Treat policy recommendations as primarily aligned to the established behavior-based model.
- If you’re expecting “newer” recommendation capabilities introduced in later 11.1.x releases, you may need to upgrade beyond 11.1.10.
Common gotchas (check early)
| Gotcha | Symptom | Fix / check |
|---|---|---|
| EAL not enabled where it matters | Inventory weak; missing app behaviors; recommendations look too generic | Confirm EAL globally; confirm your traffic of interest is logging with the right profiles. |
| Activated set not visible in Panorama | Policy Recommendation page looks stale | Refresh the page; confirm the set is active in Device Security. |
| Multi-vsys constraints | Recommendations can’t be imported cleanly | Validate platform constraints; plan for more manual rule work if needed. |
Suggested next checks for your environment
- Confirm single-vsys vs multi-vsys
- Confirm where logs are landing (Strata Logging Service) and that the correct log types are flowing
- Decide your import strategy:
- Pre-rulebase vs Post-rulebase
- Insertion point relative to existing segmentation rules
- Pick 1–2 “starter” device profiles (medical imaging, nurse station PCs, cameras, etc.) and pilot:
- Activate recommendations in Device Security
- Import into a test device group in Panorama
- Commit/push
- Validate rule hits and any unintended blocks