: How to Use Enterprise IoT Security
Focus
Focus

How to Use Enterprise IoT Security

Table of Contents

How to Use Enterprise IoT Security

Use Enterprise IoT Security to discover and manage the devices on your network.
After onboarding Enterprise IoT Security and setting up the firewall to gather network traffic and forward traffic logs to the logging service, allow one or two days for the firewall to gather enough network traffic for Enterprise IoT Security to analyze the traffic metadata and confidently identify devices.

Discover Devices and IP Endpoints

When Enterprise IoT Security receives sufficient network traffic metadata, it uses AI and machine learning to identify the devices generating the traffic. It displays these on the AssetsDevices page. However, there are times when it doesn’t receive enough information to identify devices uniquely. When Enterprise IoT Security is aware of an IP address that is the source and destination of traffic but it doesn’t know its MAC address and the network behavior isn’t stable enough to deduce that it’s a statically assigned IP address, Enterprise IoT Security categorizes it as an IP endpoint and displays it on the AssetsIP Endpoints page.
To check the coverage that Enterprise IoT Security is providing and increase it if necessary, view discovered devices and IP endpoints on the AssetsDevices and AssetsIP Endpoints pages. If IP endpoints constitute most of the devices on your network, that’s an indication that Enterprise IoT Security is not receiving enough quality information to identify the majority of devices definitively. In this case, you might want to make some adjustments. You might relocate the firewall to a different part of the network or add Enterprise IoT Security to more next-generation firewalls to gather more network traffic metadata. (For deployment recommendations, see the IoT Security Deployment Design Guide.)
Other ways to expand coverage without moving or adding firewalls are to integrate firewalls with network switches and DHCP servers and leverage their data. Network switches can mirror the traffic on them to a firewall, which then forwards traffic metadata in logs to the logging service for IoT Security to access. Similarly, you can also configure DHCP servers to send DHCP server logs to the firewall to forward through the logging service to IoT Security.

Add User-defined Static IP Devices

Devices with static IP address assignments—as opposed to those assigned dynamically through DHCP—can sometimes be difficult to link to a unique MAC address. If a static IP device is in the same Layer 2 broadcast domain as a firewall, the firewall receives its ARP traffic and learns the IP-to-MAC address mapping that way. However, if a static IP device is in a different broadcast domain, the firewall will never see its MAC address. In many cases, Enterprise IoT Security can apply AI and machine learning to network activity and deduce that a device at a particular IP address is not changing and must have a statically assigned IP address. In other cases, Enterprise IoT Security might not observe enough traffic to determine that a device has a static IP address. When this happens, Enterprise categorizes it as an IP endpoint.
If you know which devices have static IP addresses or which parts of the network address space is reserved for static IP addresses, you can add or import a file with this information into Enterprise IoT Security on AssetsUser-defined Static IP DevicesAdd and on NetworksNetworks and SitesNetworksAdd.

Check Data Quality

You can also learn about network coverage on the AdministrationData Quality page. This page shows the number of IP endpoints and low-confidence devices on the network and the percent of devices that fall into these two categories in relation to the overall number of devices on the network. You can infer the quality of device data that IoT Security is receiving from these numbers, which are taken from all devices over the last 30 days.
IP endpoints are devices without a unique identifier, making them untrackable over time. Low-confidence devices are devices that Enterprise IoT Security can identify with a confidence level below 70. When identifying network-connected devices and assigning device profiles to them, Enterprise IoT Security considers a host of factors and creates a confidence score for each identification. The score is a number between 0-100, with 100 being the most confident. There are three confidence levels based on calculated confidence scores: high (90-100), medium (70-89), and low (0-69). The confidence level is important because IoT Security only sends a firewall an IP address-to-device mapping if the confidence score for a device identity is high (90-100), and if it has sent or received traffic within the past hour. If there are more IP endpoints and low-confidence devices than you would like on your network, consider the recommendations offered on the Data Quality page and follow those you think will reduce these numbers.
If there are missing device attributes and you happen to know what they are, you can edit devices manually. Although it would be impractical to edit everything manually, you might want to edit important or business-critical devices if necessary. On the AssetsDevices page, select the check box of one or more devices and then click Edit. Set or change the device type, category, profile, vendor, model, OS family, and OS version for the selected devices, enter or change the description, and then Save and Confirm your edits. After you make your edits, Enterprise IoT Security automatically resets the confidence level to high and the confidence score to 100. The device confidence level and score are similarly reset as high and 100 if you select the check box of one or more devices and Confirm Device Identity.
It’s good practice to check Data Quality Diagnostics weekly for the first few months after deployment to make sure IoT Security is getting the data it needs to identify devices and, if not, make adjustments as needed. After you’re satisfied, return periodically for spot checks and as follow-up whenever there are changes to the network.

View and Organize Information

AssetsProfiles: As Enterprise IoT Security determines the identity of a device, it first determines its category (examples: Audio Streaming, Energy Management, Point-of-Sale System). It then constructs a device profile consisting of its vendor, make, and model (such as Profusion Media Player, Mood Media, and Mood Profusion iO). Finally, it identifies a device as a specific instance with behaviors and properties unique to itself. On the Profiles page, you can see which device profiles apply to most devices to help you prioritize the Device-ID policy rules that you create.
NetworksNetworks and SitesNetworks: As Enterprise IoT Security gathers network information, it organizes it hierarchically and displays the subnets and blocks on the Networks page. Blocks are logical partitions of IP address space that serve as an organizational tool for managing addresses. Large “parent” blocks can contain smaller “child” blocks and subnets, where devices are found. Use this information to check network coverage and see where IoT Security is and is not discovering devices and IP endpoints.
NetworksNetworks and SitesSites – Similar to the Networks page, you can see the number of devices per site and the subnets there, but this also helps you organize your inventory. Enterprise IoT Security supports a hierarchical structure of sites and site groups. Once you create the site hierarchy, you can use sites and site groups when controlling administrative access, setting device inventory filters, and defining the scope of summary reports and filtered inventory reports.
Logs & ReportsReports — Enterprise IoT Security supports the following scheduled reports:
  • Summary Report. This provides a summary of the device inventory. This can be scheduled to run weekly or monthly.
  • New Device Report. This reports all the new devices detected on your network since the last report. Enterprise IoT Security can generate reports on a daily, weekly, or monthly basis.
  • Filtered Inventory Report. This prepares a device inventory report using a previously defined filter of your choice from the Devices page. This can be scheduled to run daily, weekly, or monthly.
You can create, view, edit, and download reports on the Reports page. Also, although reports are scheduled to run on a recurring basis, you can generate a report on demand by clicking the Action icon ( ... ) > EditGenerate Now.
AdministrationFirewalls – View the status of logs that firewalls send and statistics about the type and amount of data that IoT Security is receiving in the logs. This information is helpful with monitoring and debugging data collection and firewall-to-IoT Security connections.
AdministrationSystem Events – Use system alerts to investigate any events of concern; for example, if Enterprise IoT Security stops receiving certain log types.
Logs & ReportsAudit Log – Use the audit log to check user logins and logouts, and feature modifications.

Create Security Policy Rules in PAN-OS

Although Enterprise IoT Security does not automatically generate Security policy rule recommendations, you can manually create rules based on Device-ID in next-generation firewalls or in Panorama. To do this, you’d first view the activity for a given group of devices, such as those in a device profile, in a category, or from a vendor. Then with this information, you’d choose appropriate Device-ID objects, which firewalls and Panorama learn through device dictionary updates, to use as the source or destination or both in the Security policy rules you create.
When specifying the source in a Security policy rule (PoliciesAddSource), click AddNew Device in the Source Device section, and then choose a Device-ID attribute in the Category, Vendor, OS Version, Profile, Model, or OS Family list. This defines when to apply the rule based on the chosen device attribute. All the attributes in these lists come from the Device Dictionary file that the firewall loads from the update server.
Specifying a Device-ID attribute as the destination in a Security policy rule is similar except the device object is chosen as the destination.

Create a Trial IoT Security Tenant

If you have a production license for Enterprise IoT Security, and want to see what Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security is like, you can create a one-time trial tenant and assign up to five of your firewalls to it. The trial is valid for 30 days. During that time, both the production and trial tenants consume log data that firewalls assigned to the trial tenant send to the logging service. When the trial period ends and the trial tenant is automatically deleted, the production IoT Security tenant alone continues consuming the log data from the firewalls.
  1. To initiate a trial, log in to a production Enterprise IoT Security portal with a user account that has Owner privileges.
  2. Select AdministrationAboutLicense and then click Request next to IoT Security in the Trial section.
  3. Choose up to five firewalls that you want to use for the trial and then Save.
    A message appears explaining that a trial tenant is being created, the chosen firewalls will be associated with it, and that the entire process typically takes about ten minutes.
    When the process is complete, another message appears stating that the trial tenant has been created and the chosen firewalls have been associated with it. This message also includes the URL for accessing the IoT Security portal for the trial tenant.
    The trial tenant creation and firewall assignments are also recorded in AdministrationAudit Logs.
  4. On the AdministrationAboutLicense page, the button next to IoT Security in the Trial section changes from Request to Enter. To access the trial tenant portal, click Enter.
    A login prompt appears for the trial tenant in a new browser window.
  5. Log in with the same credentials you used to log in to the production Enterprise IoT Security tenant.
    The Enterprise IoT Security Plus portal opens to the Resource Center and is ready for use as a trial tenant. During the 30-day trial, both the IoT Security tenant and the Enterprise IoT Security trial tenant will consume logs from the firewalls assigned to the trial tenant. You can log in to both tenants and compare the functionality of each.
  6. The IoT Security portal has different vertical themes: Enterprise Plus, Industrial, and Medical. If you want to see a different vertical theme, select AdministrationAboutLicense, click Switch next to Enterprise Plus in the Trial section.
  7. Select one of the other vertical themes and then Confirm your choice.
    You can switch between vertical themes as often and as many times as you like.
  8. To exit the trial tenant and return to the production tenant, navigate to AdministrationAboutLicense and then click Enter next to Enterprise IoT Security in the Production section.
    The trial tenant browser window remains open while the production tenant opens in a new browser window.
After the trial ends, the trial tenant is automatically deleted while the production tenant continues consuming log data from the firewalls.
If you have a trial license for Enterprise IoT Security and want to try out the IoT Security product, log in to the Enterprise IoT Security portal with a user account that has Owner privileges, select AdministrationAboutLicense, and then click Manage Trial. Select Enterprise Plus and then Confirm your decision. After changing to Enterprise Plus, you can switch to the Industrial or Medical IoT Security theme if you like. To do that, return to the License page, click Switch, select one of the vertical themes, and then Confirm. To go back to the Enterprise IoT Security product, return to the License page, click Manage Trial, select Enterprise, and Confirm.

Learn More

Here are resources where you can find more information about using Enterprise IoT Security: