Device-ID provides visibility into the devices connected to the network by collecting and correlating device attributes such as device type, OS version, vendor, and model. This information creates a unique device identity. This identity can then be used as a match criterion within Security policy rules, enabling administrators to enforce granular, device-aware access control. This aligns with Zero Trust principles by ensuring that only known and compliant devices are granted access to specific resources, thereby enhancing the overall security posture. It adds device context to the existing policy criteria (user, application, content, etc.).

A. Device-ID augments and enhances traditional security rules by adding device context; it does not replace them. Policies still rely on source/destination IP, user, and application.

C. While certificates from sources like GlobalProtect can be used for identification, Device-ID gathers information from multiple sources, including DHCP, SNMP, and telemetry, not just pre-installed certificates.

D. Device-ID provides the visibility to identify unmanaged devices, but it does not block them by default. An administrator must explicitly configure a security policy to take that action.

---

1. Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide, Version 11.0. "Device-ID Overview".

This document states, "Device-ID enables you to create device-based security policies to allow or deny access to network resources based on the device type, operating system, or other device attributes." This directly supports the correct answer by explaining that Device-ID identifies devices by their characteristics to enforce policies.

2. Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide, Version 11.0. "Device-ID Concepts" > "Sources for Device Information".

This section lists the various sources for device identification: "GlobalProtect, Captive Portal, DHCP, SNMP, log forwarding from other firewalls, and telemetry information collected from the dataplane." This refutes option C, which incorrectly limits the source to certificates.

3. Palo Alto Networks. (2023). Prisma Access Administrator’s Guide. "Device-ID for Prisma Access".

The guide explains, "Device-ID allows you to enforce security policies based on device characteristics... This allows you to create a consistent security policy for devices regardless of their location." This confirms the function of Device-ID in SASE products and supports the core mechanism described in option B.