Palo Alto Device Security


Device Security works with NGFW to dynamically discover and maintain a real-time inventory of the IoT devices on your network.

Because Device Security requires network traffic data for analysis, you must enable firewalls to forward logs with that data to a cloud logging service that Device Security can access. Depending on the subscription license type that you have, you can activate or associate Strata Logging Service when activating Device Security.

License subscriptions:

  1. Enterprise Device Security, Medical, or OT Subscription License: licensed on a per-firewall basis
  2. Device Security X Subscription License: licensed on a per-device basis


License type

  • Enterprise, Medical, or OT Device Security Doesn't Require Data Lake (DRDL) - for when you don't need to store the streaming logs in a data lake
  • Enterprise, Medical, or OT Device Security (with Data Lake) - for when you have Strata Logging Service and want to store the streaming logs



What Actually Happens with DRDL

The firewall sends Enhanced Application Logs (EALs) — not standard traffic/threat logs — to Strata Logging Service, which acts as a streaming conduit to Device Security, without storing them in a data lake.


"The term 'Strata Logging Service' is a bit of a misnomer. The firewall forwards logs to Strata Logging Service, which only saves them to Strata Logging Service if you're using it for data retention. A Device Security, Doesn't Require Data Lake subscription still uses Strata Logging Service to receive EAL logs from the firewall."

"With the second subscription [DRDL], firewalls send data logs to Strata Logging Service, which streams them to Device Security for analysis but not to a Strata Logging Service instance for storage."


The firewall generates and forwards Enhanced Application Logs (EALs) via the preconfigured log forwarding profile named "Device Security Default Profile" (also listed as "IoT Security Default Profile", from the product's earlier IoT Security name).

How This Works Without an SLS License

  1. Cloud Logging is still enabled on the firewall — you must enable it even with DRDL
  2. The firewall forwards EALs to the Strata Logging Service ingestion endpoint
  3. Strata Logging Service streams these logs directly to Device Security for real-time analysis
  4. No storage occurs in Strata Logging Service — logs pass through but are not retained
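
Because EALs only reach Device Security if the security rules that see IoT traffic actually reference a log forwarding profile with enhanced application logging turned on, a quick configuration audit is worth having. The script below is an added example (not Palo Alto Networks code and not from the original notes). It parses a constructed running-config fragment and reports which security rules forward via an EAL-enabled profile, which use a profile without EAL, and which have no log forwarding profile at all. The XML element names (`log-settings/profiles/entry`, `enhanced-application-logging`, `rulebase/security/rules/entry`, `log-setting`) follow the PAN-OS XML config layout as I understand it; treat them as assumptions and check them against your own exported configuration before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config fragment (not a real export).
# Element names are an assumption about the PAN-OS XML layout; verify against
# "show config running" on your own firewall.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <log-settings><profiles>
      <entry name="Device Security Default Profile">
        <enhanced-application-logging>yes</enhanced-application-logging>
      </entry>
      <entry name="legacy-profile">
        <enhanced-application-logging>no</enhanced-application-logging>
      </entry>
    </profiles></log-settings>
    <rulebase><security><rules>
      <entry name="allow-iot-outbound">
        <log-setting>Device Security Default Profile</log-setting>
      </entry>
      <entry name="allow-printers">
        <log-setting>legacy-profile</log-setting>
      </entry>
      <entry name="allow-cameras"/>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""


def eal_profiles(config_xml):
    """Map each log forwarding profile name to True if it has
    enhanced-application-logging set to 'yes', else False."""
    root = ET.fromstring(config_xml)
    result = {}
    for prof in root.iterfind(".//log-settings/profiles/entry"):
        eal = prof.findtext("enhanced-application-logging", default="no")
        result[prof.get("name")] = eal.strip().lower() == "yes"
    return result


def audit_rules(config_xml):
    """Classify every security rule by how it forwards logs.

    Returns a dict with three lists of rule names:
      'ok'         - rule uses a profile with EAL enabled (Device Security gets data)
      'no_eal'     - rule uses a profile, but EAL is off
      'no_profile' - rule has no log forwarding profile at all
    """
    root = ET.fromstring(config_xml)
    profiles = eal_profiles(config_xml)
    report = {"ok": [], "no_eal": [], "no_profile": []}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        profile = rule.findtext("log-setting")
        if profile is None:
            report["no_profile"].append(name)
        elif profiles.get(profile, False):
            report["ok"].append(name)
        else:
            # Profile referenced but either unknown or EAL disabled.
            report["no_eal"].append(name)
    return report


if __name__ == "__main__":
    for bucket, rules in audit_rules(SAMPLE_CONFIG).items():
        print(f"{bucket}: {rules}")
```

Rules that land in `no_eal` or `no_profile` are the ones whose traffic never reaches Device Security even though Cloud Logging is enabled, which is the usual reason a DRDL deployment shows far fewer devices than expected.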
==============

Here's a breakdown of the Palo Alto Networks IoT/Device Security subscription types, based on current documentation:


Palo Alto Networks Device Security (IoT) — Subscription Types

1. Device Security Subscription (per-firewall)

Comes in three vertical flavors — all licensed per firewall:

  • Enterprise Device Security — for general enterprise IoT devices (office IoT, wearables, printers, etc.)
  • Medical Device Security (IoMT) — for healthcare environments (imaging devices, infusion pumps, patient monitors, diagnostic equipment)
  • OT Device Security — for operational technology / industrial environments (ICS, SCADA, manufacturing)

Each of these comes in two data lake variants:

Variant                            Data Lake Required?
Standard (with Data Lake)          Yes — requires Strata Logging Service
Doesn't Require Data Lake (DRDL)   No — no Strata Logging Service needed

These per-firewall licenses are supported with next-generation firewalls, VM-Series, CN-Series, and Prisma Access.


2. Device Security X Subscription (per-device)

This subscription provides individual licenses for each device learned by Device Security, regardless of how many firewalls or VM-Series VMCs stream logs to it. It's suited for organizations where device count is more predictable than firewall count.

Device Security X is supported with next-generation firewalls, VM-Series, and CN-Series, as well as VM-Series bootstrapped in virtual metadata collector (VMC) mode.


Key Notes

  • Using Strata Logging Service requires a Premium Support license or better.
  • Trial/eval licenses are available for 60 days, extendable in 30-day increments through a Palo Alto sales rep.
  • You cannot convert between a per-firewall and per-device (X) license type.
  • Device Security requires firewalls to forward logs with network traffic data to a cloud logging service for analysis.

In summary, the main decision points are:

  1. Vertical — Enterprise, Medical, or OT
  2. Data lake — with Strata Logging Service or DRDL
  3. Licensing model — per-firewall (standard) or per-device (X)




Summary

Without an SLS license, you cannot forward standard traffic/threat logs to a data lake. However, Device Security with DRDL uses a separate mechanism: the firewall enables Cloud Logging and forwards Enhanced Application Logs through the Strata Logging Service ingestion pipeline purely as a transport layer, with no data lake storage. The "Strata Logging Service" name is misleading here — it's functioning as a streaming service, not a storage service.
Device Security then retains only its analyzed output (device identity, alerts, risks, vulnerabilities) for 1 month (traffic behavior) to 1 year (identity/alerts), not the raw logs.




Simplified IoT Security Onboarding

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/iot-security-features/simplified-iot-security-onboarding
