Device Security Policy Flow
paloalto device-security iot scm panorama
Overview
This document illustrates how Device Security (formerly IoT Security) generates policy recommendations and how those recommendations become enforced rules on the firewall. The key insight: traffic is only affected after rules are installed and pushed.
See also: PAN - Device Security - Dynamic Policies for deployment steps and configuration details.
Policy Recommendation Flow
flowchart TD subgraph R["Recommendation Stage - no traffic impact"] B[IoT Security Cloud] C[Strata Cloud Manager - SCM] D{Classify endpoint<br/>as internal?} E[Internal = Yes] F[Internal = No] G1[Recommendation Set A<br/>e.g. Camera to DHCP or NVR] G2[Recommendation Set B<br/>e.g. Camera to Vendor or NVR] H[SCM - Select or approve<br/>recommendations] I[Generate policy sets] J[Panorama or PAN-OS policy<br/>recommendation database] K[Firewall internal<br/>recommendation database] end subgraph P["Enforcement Stage - traffic changes only here"] L[Add to rulebase -<br/>Panorama or PAN-OS] M[Commit and push] N[NGFW dataplane<br/>enforcement] end A[IoT Devices<br/>such as cameras] -->|Observed traffic<br/>and metadata| B B -->|Device profiling<br/>and behavior models| C C --> D D -->|Yes| E D -->|No| F E --> G1 F --> G2 G1 --> H G2 --> H H --> I I --> J J -.->|Sync Policy Rules| K K --> L L --> M M --> N A ==>|Camera to DHCP/NVR<br/>in RFC1918 range| N A ==>|Camera to Internal-No endpoint<br/>that is actually inside| N
Flow Explanation
Stage 1: Data Collection
| Step | Component | Description |
|---|---|---|
| 1 | IoT Devices | Cameras, medical devices, building systems, etc. generate network traffic |
| 2 | IoT Security Cloud | Collects observed traffic patterns and device metadata from firewalls |
| 3 | SCM | Receives device profiles and behavior models for classification |
Stage 2: Classification and Recommendations
| Step | Component | Description |
|---|---|---|
| 4 | Internal Classification | SCM determines if endpoint should be classified as internal |
| 5a | Internal = Yes | Device gets Recommendation Set A (internal destinations like DHCP, NVR) |
| 5b | Internal = No | Device gets Recommendation Set B (external/vendor destinations) |
| 6 | Approve Recommendations | Admin reviews and selects which recommendations to activate |
Note: The Internal flag only affects which recommendations are generated - it does not directly control enforcement.
Stage 3: Policy Generation
| Step | Component | Description |
|---|---|---|
| 7 | Generate Policy Sets | Selected recommendations converted to policy rule format |
| 8 | Panorama/PAN-OS Database | Policy recommendations stored, ready for import |
| 9 | Firewall Database | Rules synced to firewall’s internal recommendation storage |
Stage 4: Enforcement (Traffic Impact Begins Here)
| Step | Component | Description |
|---|---|---|
| 10 | Add to Rulebase | Rules imported into Pre/Post rulebase in Panorama or PAN-OS |
| 11 | Commit and Push | Commit to Panorama, push to device groups |
| 12 | NGFW Enforcement | Dataplane applies rules - this is where traffic is allowed/denied |
Key Points
What Happens at Each Stage
Recommendation Stage Enforcement Stage
│ │
│ No traffic impact │ Traffic allowed/denied
│ Safe to experiment │ Production impact
│ Review and adjust │ Test before production push
▼ ▼
The “Internal” Flag
The internal classification determines which recommendations Device Security generates:
| Classification | Recommendation Scope | Example Rules |
|---|---|---|
| Internal = Yes | RFC1918 destinations, internal services | Camera → DHCP Server (10.x.x.x) |
| Internal = No | Vendor cloud, external services | Camera → Vendor Update Server |
Important: Internal classification does NOT control whether traffic is allowed or blocked. It only influences which policy recommendations are created.
Direct Traffic Paths
The thick arrows in the diagram represent traffic that flows regardless of recommendations:
- Camera to DHCP or NVR in RFC1918 range
- Camera to “Internal-No” endpoint that is actually inside the network
These represent traffic that will occur based on device behavior. The recommendation system observes this traffic and suggests appropriate policies.
Common Scenarios
Scenario 1: New Camera Deployment
- Camera connected to network, obtains DHCP lease
- Traffic observed: Camera → NVR (10.1.2.50), Camera → DHCP (10.1.1.1)
- Device Security classifies camera, marks as Internal
- Generates recommendations: Allow Camera → NVR (TCP/554), Allow Camera → DHCP
- Admin approves in SCM
- Import to Panorama, commit, push
- Rules now enforced on firewall
Scenario 2: Camera Reaching External Vendor
- Camera attempts to reach vendor.example.com for firmware updates
- Traffic observed but currently allowed by broader rule
- Device Security generates recommendation: Allow Camera → vendor.example.com (HTTPS)
- Admin reviews - decides this is expected behavior
- Approves, imports, commits, pushes
- Specific allow rule now in place, can tighten broader rules
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| No recommendations appearing | EAL not enabled or logs not flowing | Verify Enhanced Application Logging and Strata Logging Service |
| Recommendations seem generic | Insufficient traffic observed | Allow more time for behavior profiling |
| Rules not taking effect | Not committed/pushed | Check Panorama commit status, verify push to device group |
| Wrong recommendation set | Incorrect internal classification | Review endpoint classification in SCM, adjust if needed |
Related Documentation
- PAN - Device Security - Dynamic Policies - Deployment configuration and steps
- PAN DG Rule Processing - (Parent - Child) - Device group rule hierarchy
- PAN CLI - Validate Interfaces - Interface verification commands