IoT Automated Solution

scotchoaf · ‎09-11-2020

Brief Description

Simplify and validate the firewall configuration for the Cortex IoT security service. The skillets also include the Cortex Data Lake skillets due to Data Lake and IoT service integration.

Below is a quick summary of the solution, a how-to guide for setting up the solution, and an explanation of the solution workflow menu options.

Target Audience

PAN-OS Cortex IoT validations and configuration to ensure NGFW readiness. Also an IoT traffic generator for Linux endpoints.

Prerequisites

Active Cortex Data Lake license
Preshared key for on-boarding firewalls to Cortex Data Lake
panHandler version 4.0 or later
import of panos-logging-skillets
Linux hosts (tested with Ubuntu 18.04)

Skillet Details

Documentation: https://github.com/PaloAltoNetworks/iot-automated-solution/blob/master/README.md

Github Location: https://github.com/PaloAltoNetworks/iot-automated-solution.git

Github Branches: master

PAN-OS Versions Supported: 9.x, 10.0

Type of Skillet: panos

Collections:

CDL
IoT

Full Description

The suite of skillets are design to assist with and validate the Cortex Data Lake install and then implement required configuration elements for DHCP and traffic logging specific to the IoT security service.

IoT configuration assist is based on the Get Started with IoT Security documentation.

Workflow

Various selection options based on software version and deployment type for IoT. The workflow steps through the needed skillets required by the user.

Validation

The validation skillet checks required elements for a successful Cortex Data Lake (CDL) and Cortex IoT install. Key items include firewall licensing, global CDL configuration, fetch CDL certificates, and CDL/EAL enablement in log forwarding profiles.

Cortex Data Lake Playbook

Cortex Data Lake inline validation checks and configuration using an Ansible playbook.

Cortex Data Lake Optional Configurations

CDL specific configurations needed for select IoT deployments including:

update of existing log forwarding profiles with EAL/CDL enabled
add a log forwarding profile that is EAL/CDL ready
update security policies to include a selected log forwarding profile

IoT Configuration Elements

Based on the deployment scenario and software version, the firewall configuration may required additions or modifications:

10.0 firewall DHCP server: enable DHCP broadcast session
Virtual Wire deployments: enable multicast firewalling
Tap mode configuration with alert-all security profiles and policy
Pre-10.0 local DHCP: convert to a logical interface DHCP server + enable DHCP relay
Add a security policy specific to the DHCP application for traffic visibility

IoT Traffic Generator

Python script running on a Linux host to emulate multiple IoT endoints and mqtt traffic sessions. Requires an IoT broker host (eg. mosquitto) to receive and respond to mqtt session requests.

The key element of the generator is emulating DHCP sessions that create log events in the firewall and passed to Cortex Data Lake and Cortex IoT.

HomeSkillet POC Add-on Configurations

Using HomeSkillet as a quick-install base configuration, provide additional configuration elements for the IoT broker interface, zones, and security policy.