Device Security Policy Flow

paloalto device-security iot scm panorama


Overview

This document illustrates how Device Security (formerly IoT Security) generates policy recommendations and how those recommendations become enforced rules on the firewall. The key insight: traffic is only affected after rules are installed and pushed.

See also: PAN - Device Security - Dynamic Policies for deployment steps and configuration details.


Policy Recommendation Flow

flowchart TD
    subgraph R["Recommendation Stage - no traffic impact"]
        B[IoT Security Cloud]
        C[Strata Cloud Manager - SCM]
        D{Classify endpoint<br/>as internal?}
        E[Internal = Yes]
        F[Internal = No]
        G1[Recommendation Set A<br/>e.g. Camera to DHCP or NVR]
        G2[Recommendation Set B<br/>e.g. Camera to Vendor or NVR]
        H[SCM - Select or approve<br/>recommendations]
        I[Generate policy sets]
        J[Panorama or PAN-OS policy<br/>recommendation database]
        K[Firewall internal<br/>recommendation database]
    end

    subgraph P["Enforcement Stage - traffic changes only here"]
        L[Add to rulebase -<br/>Panorama or PAN-OS]
        M[Commit and push]
        N[NGFW dataplane<br/>enforcement]
    end

    A[IoT Devices<br/>such as cameras] -->|Observed traffic<br/>and metadata| B
    B -->|Device profiling<br/>and behavior models| C
    C --> D
    D -->|Yes| E
    D -->|No| F
    E --> G1
    F --> G2
    G1 --> H
    G2 --> H
    H --> I
    I --> J
    J -.->|Sync Policy Rules| K
    K --> L
    L --> M
    M --> N

    A ==>|Camera to DHCP/NVR<br/>in RFC1918 range| N
    A ==>|Camera to Internal-No endpoint<br/>that is actually inside| N

Flow Explanation

Stage 1: Data Collection

StepComponentDescription
1IoT DevicesCameras, medical devices, building systems, etc. generate network traffic
2IoT Security CloudCollects observed traffic patterns and device metadata from firewalls
3SCMReceives device profiles and behavior models for classification

Stage 2: Classification and Recommendations

StepComponentDescription
4Internal ClassificationSCM determines if endpoint should be classified as internal
5aInternal = YesDevice gets Recommendation Set A (internal destinations like DHCP, NVR)
5bInternal = NoDevice gets Recommendation Set B (external/vendor destinations)
6Approve RecommendationsAdmin reviews and selects which recommendations to activate

Note: The Internal flag only affects which recommendations are generated - it does not directly control enforcement.

Stage 3: Policy Generation

StepComponentDescription
7Generate Policy SetsSelected recommendations converted to policy rule format
8Panorama/PAN-OS DatabasePolicy recommendations stored, ready for import
9Firewall DatabaseRules synced to firewall’s internal recommendation storage

Stage 4: Enforcement (Traffic Impact Begins Here)

StepComponentDescription
10Add to RulebaseRules imported into Pre/Post rulebase in Panorama or PAN-OS
11Commit and PushCommit to Panorama, push to device groups
12NGFW EnforcementDataplane applies rules - this is where traffic is allowed/denied

Key Points

What Happens at Each Stage

Recommendation Stage          Enforcement Stage
       │                            │
       │  No traffic impact         │  Traffic allowed/denied
       │  Safe to experiment        │  Production impact
       │  Review and adjust         │  Test before production push
       ▼                            ▼

The “Internal” Flag

The internal classification determines which recommendations Device Security generates:

ClassificationRecommendation ScopeExample Rules
Internal = YesRFC1918 destinations, internal servicesCamera → DHCP Server (10.x.x.x)
Internal = NoVendor cloud, external servicesCamera → Vendor Update Server

Important: Internal classification does NOT control whether traffic is allowed or blocked. It only influences which policy recommendations are created.

Direct Traffic Paths

The thick arrows in the diagram represent traffic that flows regardless of recommendations:

  • Camera to DHCP or NVR in RFC1918 range
  • Camera to “Internal-No” endpoint that is actually inside the network

These represent traffic that will occur based on device behavior. The recommendation system observes this traffic and suggests appropriate policies.


Common Scenarios

Scenario 1: New Camera Deployment

  1. Camera connected to network, obtains DHCP lease
  2. Traffic observed: Camera → NVR (10.1.2.50), Camera → DHCP (10.1.1.1)
  3. Device Security classifies camera, marks as Internal
  4. Generates recommendations: Allow Camera → NVR (TCP/554), Allow Camera → DHCP
  5. Admin approves in SCM
  6. Import to Panorama, commit, push
  7. Rules now enforced on firewall

Scenario 2: Camera Reaching External Vendor

  1. Camera attempts to reach vendor.example.com for firmware updates
  2. Traffic observed but currently allowed by broader rule
  3. Device Security generates recommendation: Allow Camera → vendor.example.com (HTTPS)
  4. Admin reviews - decides this is expected behavior
  5. Approves, imports, commits, pushes
  6. Specific allow rule now in place, can tighten broader rules

Troubleshooting

SymptomLikely CauseResolution
No recommendations appearingEAL not enabled or logs not flowingVerify Enhanced Application Logging and Strata Logging Service
Recommendations seem genericInsufficient traffic observedAllow more time for behavior profiling
Rules not taking effectNot committed/pushedCheck Panorama commit status, verify push to device group
Wrong recommendation setIncorrect internal classificationReview endpoint classification in SCM, adjust if needed