: SNMP Network Discovery for IoT Security
Focus
Focus

SNMP Network Discovery for IoT Security

Table of Contents

SNMP Network Discovery for IoT Security

Extend IoT Security coverage deeper into the network by using SNMP to collect device data from network switches.
To identify devices on the network, IoT Security requires network traffic metadata for analysis. Palo Alto Networks firewalls extract and log this metadata when they apply Security policy rules that have logging enabled. The firewalls send the logs to the logging service. The logging service then streams the metadata to IoT Security, which uses AI and machine learning to automatically discover and identify network-connected devices, dynamically construct an asset inventory, detect device vulnerabilities, and determine a baseline of acceptable network behaviors that IoT Security recommends next-generation firewalls allow in Device-ID policy rules.
However, depending on where the firewalls are placed, they might not have visibility into all network traffic, resulting in device discovery gaps and lower efficacy in identifying devices, monitoring behaviors, and enforcing Device-ID rules. When firewalls don’t receive traffic from all devices, they can still gather IP address-to-MAC address bindings and additional network data by using SNMP to query switches and other forwarding devices throughout the network.
When using SNMP to query network switches, firewalls first develop a network topography by requesting the Link Layer Discovery Protocol (LLDP) neighbors and Cisco Discovery Protocol (CDP) neighbors of one switch (the entry point switch) and then repeating the request with neighboring switches and child switches one by one throughout the network. After obtaining a list of switches throughout the network, or within a limited area of the network, the firewalls next query each one for its ARP table as well as other information. The ARP table contains the IP address-to-MAC address binding information for the devices connected through the switch to the network. Other device details for which firewalls query include the physical interfaces or ports on the switch to which devices connect, their VLANs and subnets, and DHCP and DNS server IP addresses. After the firewalls receive this information, they create logs and send them through the logging service to IoT Security for analysis. By using SNMP to collect more data from switches and forwarding devices in parts of the network that firewalls don’t have visibility into, you enable IoT Security to form a greater view of the devices on the network and expand its services to even more devices.