Device Profile Policy

View policy rule sets and ACL rule sets generated from IoT Security recommendations.
From PAN-OS 11.1, there's a different process for recommending Security policy rules to next-generation firewalls from that described here. The following workflow remains applicable to firewalls running PAN-OS versions prior to PAN-OS 11.1.
To access the Policy page of a device profile, select Profiles > profile_name > Policy.
This page lists all the policy sets that were created for the device profile, when they were last updated, whether they were activated, and if so, when. When there are no policy sets for a device profile, the Policy page is empty.
If you create a policy set for a device profile and save it without activating it, it’s added to the Policy page. In this case, there’s a dash in the Last Set as Active column.
After you activate a policy set, it’s marked with an Active label and IoT Security adds a timestamp in the Last Set as Active column.
If you later deactivate the policy set, the Active label is removed. However, the timestamp in the Last Set as Active column remains, indicating that the policy set was once active and when.
New behaviors are behaviors discovered on the network after the active policy set was activated or last updated. Unexpected behaviors are behaviors that were explicitly not permitted when the policy set was activated or last updated but have since appeared on the network, which means the enforcement implemented in a next-generation firewall is missing them. If IoT Security detects new or unexpected behaviors on the network after some time has passed since the policy set was first activated, it lists them on the Assets > Profiles > profile_name > Policy page and presents you with an opportunity to modify the active policy set to account for these behaviors.
When integrating IoT Security with Cisco ISE, you can send ISE automatically generated ACL rule sets for IoT devices. For information about providing ISE with access control lists for IoT devices, see Apply Access Control Lists through Cisco ISE.