Policy Rule Recommendations
Table of Contents
Policy Rule Recommendations
IoT Security uses machine learning to recommend policy rule sets and ACL rule sets
based on the observed network behaviors of IoT devices.
IoT Security uses machine learning to automatically
generate Security policy rule recommendations based on the normal,
acceptable network behaviors of IoT devices in the same device profile.
It then provides these recommendations for next-generation firewalls
to control IoT device traffic.
IoT Security derives its recommendations from the network behaviors
it observes in traffic generated by IoT devices in the same profile
across multiple IoT Security tenants. It classifies the applications
in the observed behaviors into three groups:
- Common applications not locally observed – Applications commonly used by devices in the device profile in multiple IoT Security tenant environments but not observed in yours
- Common applications locally observed – Applications commonly used by devices in the device profile in multiple IoT Security tenant environments including yours
- Unique applications – Applications that are not typically used by devices in this device profile and were observed in use by devices in your environment only
Currently, policy rule recommendations are not supported in multi-vsys firewalls.
They must be manually created.
From PAN-OS 11.1, there's a different process
for recommending Security policy rules to next-generation firewalls from that described
here. The following workflow remains applicable to firewalls running PAN-OS versions
prior to PAN-OS 11.1.
IoT Security then formulates a set of policy rule recommendations.
These rules allow devices in this device profile to continue network
behaviors that are common among multiple tenant environments and
those that are unique to yours. The premise is that these behaviors
are necessary for devices belonging to this device profile to function.
You can accept all these recommendations or disable or modify individual
rules to meet the security requirements of your network. When you’re
satisfied with a policy set, save and activate it. Once activated,
it becomes available for firewalls to import—either through Panorama
or directly—and then add to their rule set.
When a Panorama or firewall administrator imports a set of Security
policy rules from IoT Security, the import operation automatically
creates device objects from source and destination profiles in the
recommended rules and uses those objects in the Security policy
rules it constructs. For the firewall to identify which IoT devices
to apply its policy rules to, it uses IP address-to-device mappings
that IoT Security provides through Device-ID. The firewall learns
the device profile of an IoT device from the mapping and applies
rules with matching device objects as the source.
The IoT Security app makes policy rule recommendations only for IoT devices that it has
identified with a high degree of confidence (a confidence score of 90-100%). It does
not consider the network behaviors of low- and medium-confidence IoT devices (0-69%
and 70-89% scores). In addition, IoT Security does not provide policy rule
recommendations, alert and vulnerability detection, and network behavior analysis
for IT devices, which are devices that aren’t built for a specific task, such as
personal computers, smart phones, and tablets for example. For IT devices, the IoT
Security app provides device identification only.
After allowing sufficient time for IoT Security to collect the
full behaviors of IoT devices in a profile, you’re ready to create
policy rule recommendations for it.
To begin, log in to the IoT Security portal, navigate to , and then click a profile name.
IoT Security displays three profile details pages:
- Overview – View a summary about the high-confidence IoT devices in this profile and their related risk factors for the past day, week, or month. See Device Profile Overview.
- Behaviors – View the behaviors of high-confidence IoT devices belonging to this profile in your local network environment and in other IoT Security tenants’ environments. Also create Security policy rule sets based on these observed behaviors for next-generation firewalls. See Device Profile Behaviors.
- Policy – View previously created Security policy rule sets for next-generation firewalls and ACL rule sets for integration with Cisco ISE. IoT Security generates both types of rule sets from the observed network behaviors of high-confidence IoT devices in this profile in your local network environment and in other IoT Security tenants’ environments. See Device Profile Policy.