Device Security Dynamic Policies

paloalto panorama device-security iot


Context

  • Environment: PAN-OS 11.1.10 (majority), policy enforcement managed in Panorama / PAN-OS
  • Strata Cloud Manager (SCM): used for Device Security visibility and for defining/activating policy recommendations / IoT policy rule sets (not for enforcing rulebase directly)
  • Enforcement only occurs after Panorama import + commit + push to firewalls

High-level model

  • Device Security (SCM app)

    • Builds inventory, device profiles, behavior baselines
    • Produces policy rule recommendations and Device-ID context (IP-to-device mappings, device attributes)
    • You “activate”/manage recommendation sets here
  • Panorama / PAN-OS

    • Imports the active recommendations into a device group rulebase (Pre/Post)
    • You commit and push for enforcement

Deployment steps (Panorama-managed)

StepWhereActionNotes
1Firewalls + PanoramaEnsure the logging pipeline existsDevice Security recommendations are built from metadata the firewalls collect and forward.
2FirewallsEnable Enhanced Application Logging (EAL) and forward to Strata Logging ServiceEAL is enabled globally and is typically enabled per Security rule via a Log Forwarding Profile where required.
3SCM (Device Security)Verify inventory + device profiles are populatingConfirms data flow and that Device Security can generate usable recommendations.
4SCM (Device Security)Activate the policy rule set / recommendations you intend to usePanorama will only see what’s active/available to import.
5PanoramaOpen Policy Recommendation → IoT (UI label may still say IoT), refresh, reviewPanorama fetches the latest active recommendations when you open/refresh the page.
6PanoramaImport policy into the target device group / rulebase locationChoose Pre/Post rulebase placement and insertion point.
7PanoramaCommit + pushCommit to Panorama, then push to device group(s). This is where enforcement becomes real.
8FirewallsEnforcement with Device-ID contextDevice-ID mappings are used so rules can match the right devices even as IPs change.
9OngoingMonitor and refineIterate: adjust what’s active in Device Security, re-import/adjust placement in Panorama, validate rule hits and behavior drift.

“Green user” clarifications (important)

  1. SCM does not enforce traffic policy. It provides visibility + recommendations. Enforcement happens only in firewall policy after Panorama commit/push.
  2. UI wording may still say “IoT” in Panorama. That’s normal during the transition to “Device Security” branding.

PAN-OS 11.1.10 note (recommendation coverage)

  • Treat policy recommendations as primarily aligned to the established behavior-based model.
  • If you’re expecting “newer” recommendation capabilities introduced in later 11.1.x releases, you may need to upgrade beyond 11.1.10.

Common gotchas (check early)

GotchaSymptomFix / check
EAL not enabled where it mattersInventory weak; missing app behaviors; recommendations look too genericConfirm EAL globally; confirm your traffic of interest is logging with the right profiles.
Activated set not visible in PanoramaPolicy Recommendation page looks staleRefresh the page; confirm the set is active in Device Security.
Multi-vsys constraintsRecommendations can’t be imported cleanlyValidate platform constraints; plan for more manual rule work if needed.

Suggested next checks for your environment

  • Confirm single-vsys vs multi-vsys
  • Confirm where logs are landing (Strata Logging Service) and that the correct log types are flowing
  • Decide your import strategy:
    • Pre-rulebase vs Post-rulebase
    • Insertion point relative to existing segmentation rules
  • Pick 1–2 “starter” device profiles (medical imaging, nurse station PCs, cameras, etc.) and pilot:
    • Activate recommendations in Device Security
    • Import into a test device group in Panorama
    • Commit/push
    • Validate rule hits and any unintended blocks