Learn how to ensure your policy rule recommendations
and device objects are current or how to restore policy rule recommendation
mappings.
Perform the following tasks as needed to ensure
your policy rule recommendations and device objects are current
or to restore policy rule recommendation mappings.
Update your policy rule recommendations as necessary.
As IoT devices gain new capabilities, IoT Security updates
its policy rule recommendations to advise what additional traffic
or protocols firewalls should allow. Check IoT Security daily for
changes and update your policy rule recommendations as soon as possible.
The update procedure differs depending on whether you’re using Panorama
to manage your firewalls.
When using firewalls with Panorama
management:
(IoT Security) Edit the policy rules in an activated policy rules set and then click Next.
Select any new recommendations, click Next, and then Save your changes.
(Panorama) Select Policy Recommendation > IoT and then Import Policy Rules.
Choose one or more device groups and then click Yes to confirm that you want to overwrite current rule recommendations and previously imported rules in the rulebase.
Commit your changes.
When using firewalls without Panorama management:
(IoT Security) Edit the policy rules in an activated policy rules set and then click Next.
Select any new recommendations, click Next, and then Save your changes.
(PAN-OS UI) Select Policy Recommendation > IoT, note details of any policy rule recommendations with Yes in the New Updates Available column, and then edit and save the corresponding imported policy rule on the Policies page.
Select Policy Recommendation > IoT and then Sync Policy Rules to refresh the mapping between the edited rules and the rule recommendations.
When the corresponding rules on the Policies page and Policy Recommendation > IoT page match, the New Updates Available column changes from Yes to No.
Commit your changes.
Review, update, and maintain the device objects in the
Device Dictionary.
You must create device objects for any devices that
do not have an IoT Security policy rule recommendation. For example,
you cannot secure traditional IT devices such as laptops and smartphones
using IoT Security policy rule recommendations, so you must create
device objects for these types of devices and use them in your Security policy
to secure these devices.
Select Objects > Devices.
Add a device object.
Browse the list or Search using keywords.
The search results can include multiple types of device object attributes (for example, both Category and Profile).
To add a custom device object, enter a Name and optionally a Description for the device object.
Always use a unique name for each device object. Do not change the tags in the description for device objects from policy rule recommendations.
(Panorama only) Select the Shared option to make this device object available to other device groups.
Select the attributes for the device object (Category, OS, Profile, Osfamily, Model, and Vendor).
Click OK to confirm your changes.
Delete any policy rule recommendations that are no longer
needed.
If policy rule recommendations no longer apply, you can
remove the recommendations and the rules mapped to the recommendations.
In IoT Security, delete one or more policy
rule recommendations from a policy rule set.
Edit the policy set, clear the policy rules you want to remove, and then Save the policy set.
Remove the mapping between rule recommendations and
the related rules in the rulebase.
(Firewall) Select Device > Policy Recommendation > IoT, select up to ten policy rule recommendations to remove, and then Remove Policy Mapping.
(Panorama) Select Device > Policy Recommendation > IoT, select up to ten policy rule recommendations to remove, Remove Policy Mapping, and then select the Location from which you want to remove the mapping.
Click Yes to confirm the mapping removal.
Select Policies > Security. For Panorama, select Policies > Security > Pre-Rules/Post-Rules.
Select the rules you want to remove from the rulebase and then Delete them.
Commit your changes.
Use CLI commands to
troubleshoot any issues between the firewall and IoT Security.