How to Use Enterprise IoT Security
Use Enterprise IoT Security to discover and manage the
devices on your network.
After onboarding Enterprise IoT Security and setting
up the firewall to gather network traffic and forward traffic logs
to the logging service, allow one or two days for the firewall to
gather enough network traffic for Enterprise IoT Security to analyze
the traffic metadata and confidently identify devices.
Discover Devices and IP Endpoints
When Enterprise IoT Security receives sufficient network traffic metadata, it uses AI and machine
learning to identify the devices generating the traffic. It displays these on the Assets > Devices page. However, there are times when it doesn’t receive enough
information to identify devices uniquely. When Enterprise IoT Security is aware of
an IP address that is the source and destination of traffic but it doesn’t know its
MAC address and the network behavior isn’t stable enough to deduce that it’s a
statically assigned IP address, Enterprise IoT Security categorizes it as an IP
endpoint and displays it on the Assets > IP Endpoints page.
To check the coverage that Enterprise IoT Security is providing and increase it if necessary,
view discovered devices and IP endpoints on the Assets > Devices and Assets > IP Endpoints pages. If IP endpoints constitute most of the devices on your
network, that’s an indication that Enterprise IoT Security is not receiving enough
quality information to identify the majority of devices definitively. In this case,
you might want to make some adjustments. You might relocate the firewall to a
different part of the network or add Enterprise IoT Security to more next-generation
firewalls to gather more network traffic metadata. (For deployment recommendations,
see the IoT Security Deployment Design Guide.)
Other ways to expand coverage without moving or adding firewalls
are to integrate firewalls with network switches and DHCP servers
and leverage their data. Network switches can mirror the traffic
on them to a firewall, which then forwards traffic metadata in logs
to the logging service for IoT Security to access. Similarly, you
can also configure DHCP servers to send DHCP server logs to the
firewall to forward through the logging service to IoT Security.
Add User-defined Static IP Devices
Devices with static IP address assignments—as opposed
to those assigned dynamically through DHCP—can sometimes be difficult
to link to a unique MAC address. If a static IP device is in the
same Layer 2 broadcast domain as a firewall, the firewall receives
its ARP traffic and learns the IP-to-MAC address mapping that way.
However, if a static IP device is in a different broadcast domain,
the firewall will never see its MAC address. In many cases, Enterprise
IoT Security can apply AI and machine learning to network activity
and deduce that a device at a particular IP address is not changing
and must have a statically assigned IP address. In other cases,
Enterprise IoT Security might not observe enough traffic to determine
that a device has a static IP address. When this happens, Enterprise
IoT Security categorizes it as an IP endpoint.
If you know which devices have static IP addresses or which parts of the network address space are
reserved for static IP addresses, you can add or import a file with this information
into Enterprise IoT Security on Assets > User-defined Static IP Devices > Add and on Networks > Networks and Sites > Networks > Add.
Check Data Quality
You can also learn about network coverage on the Administration > Data Quality page. This page shows the number of IP endpoints and low-confidence
devices on the network and the percent of devices that fall into these two
categories in relation to the overall number of devices on the network. You can
infer the quality of device data that IoT Security is receiving from these numbers,
which are taken from all devices over the last 30 days.
IP endpoints are devices without a unique identifier, making
them untrackable over time. Low-confidence devices are devices that
Enterprise IoT Security can identify with a confidence level below
70. When identifying network-connected devices and assigning device
profiles to them, Enterprise IoT Security considers a host of factors
and creates a confidence score for each identification. The score
is a number between 0 and 100, with 100 being the most confident. There
are three confidence levels based on calculated confidence scores:
high (90-100), medium (70-89), and low (0-69). The confidence level
is important because IoT Security only sends a firewall an IP address-to-device
mapping if the confidence score for a device identity is high (90-100),
and if it has sent or received traffic within the past hour. If
there are more IP endpoints and low-confidence devices than you
would like on your network, consider the recommendations offered
on the Data Quality page and follow those you think will reduce
these numbers.
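The confidence thresholds and Data Quality percentages described above, modelled in an added Python example on a constructed inventory (this is not Enterprise IoT Security code). The field names, the rule that IP endpoints never receive a firewall mapping, and treating exactly one hour as still within the window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HIGH_MIN, MEDIUM_MIN = 90, 70              # levels: high 90-100, medium 70-89, low 0-69
MAPPING_WINDOW = timedelta(hours=1)        # mapping requires traffic within the past hour

@dataclass
class Asset:
    ip: str
    mac: Optional[str]      # None: no unique identifier, so it is an IP endpoint
    confidence: int         # 0-100 identification confidence score
    last_seen: datetime     # time of the most recent traffic sent or received

def confidence_level(score: int) -> str:
    """Map a confidence score to the high/medium/low level the page defines."""
    if not 0 <= score <= 100:
        raise ValueError("confidence score must be within 0-100")
    if score >= HIGH_MIN:
        return "high"
    return "medium" if score >= MEDIUM_MIN else "low"

def eligible_for_firewall_mapping(asset: Asset, now: datetime) -> bool:
    """IP-to-device mapping is sent only for high confidence plus recent traffic.
    Assumptions: IP endpoints are never mapped, and exactly one hour still counts."""
    return (asset.mac is not None
            and confidence_level(asset.confidence) == "high"
            and now - asset.last_seen <= MAPPING_WINDOW)

def data_quality(assets: List[Asset]) -> dict:
    """Counts and percentages of IP endpoints and low-confidence devices."""
    total = len(assets)
    ip_endpoints = sum(1 for a in assets if a.mac is None)
    low = sum(1 for a in assets
              if a.mac is not None and confidence_level(a.confidence) == "low")
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"total": total, "ip_endpoints": ip_endpoints, "low_confidence": low,
            "ip_endpoint_pct": pct(ip_endpoints), "low_confidence_pct": pct(low)}

# Constructed sample inventory (not real data) covering the threshold boundaries.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Asset("10.0.1.10", "00:11:22:33:44:01", 95, NOW - timedelta(minutes=5)),   # mapped
    Asset("10.0.1.11", "00:11:22:33:44:02", 90, NOW - timedelta(hours=1)),     # mapped (boundary)
    Asset("10.0.1.12", "00:11:22:33:44:03", 89, NOW - timedelta(minutes=1)),   # medium: not mapped
    Asset("10.0.1.13", "00:11:22:33:44:04", 69, NOW - timedelta(days=2)),      # low-confidence device
    Asset("10.0.1.14", None, 0, NOW - timedelta(minutes=30)),                  # IP endpoint
]
```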
If there are missing device attributes and you happen to know what they are, you can edit devices
manually. Although it would be impractical to edit everything manually, you might
want to edit important or business-critical devices if necessary. On the Assets > Devices page, select the check box of one or more devices and then click
Edit. Set or change the device type, category, profile,
vendor, model, OS family, and OS version for the selected devices, enter or change
the description, and then Save and
Confirm your edits. After you make your edits, Enterprise
IoT Security automatically resets the confidence level to high and the confidence
score to 100. The device confidence level and score are similarly reset as high and
100 if you select the check box of one or more devices and Confirm Device
Identity.
It’s good practice to check Data Quality Diagnostics weekly for
the first few months after deployment to make sure IoT Security
is getting the data it needs to identify devices and, if not, make
adjustments as needed. After you’re satisfied, return periodically
for spot checks and as follow-up whenever there are changes to the
network.
View and Organize Information
Assets > Profiles: As Enterprise IoT Security determines the identity of a device, it
first determines its category (examples: Audio Streaming, Energy Management,
Point-of-Sale System). It then constructs a device profile consisting of its vendor,
make, and model (such as Profusion Media Player, Mood Media, and Mood Profusion iO).
Finally, it identifies a device as a specific instance with behaviors and properties
unique to itself. On the Profiles page, you can see which device profiles apply to
most devices to help you prioritize the Device-ID policy rules that you create.
Networks > Networks and Sites > Networks: As Enterprise IoT Security gathers network information, it organizes
it hierarchically and displays the subnets and blocks on the Networks page. Blocks
are logical partitions of IP address space that serve as an organizational tool for
managing addresses. Large “parent” blocks can contain smaller “child” blocks and
subnets, where devices are found. Use this information to check network coverage and
see where IoT Security is and is not discovering devices and IP endpoints.
Networks > Networks and Sites > Sites: Similar to the Networks page, you can see the number of devices per
site and the subnets there, but this also helps you organize your inventory.
Enterprise IoT Security supports a hierarchical structure of sites and site groups.
Once you create the site hierarchy, you can use sites and site groups when
controlling administrative access, setting device inventory filters, and defining
the scope of summary reports and filtered inventory reports.
Logs & Reports > Reports: Enterprise IoT Security supports the following scheduled
reports:
- Summary Report. This provides a summary of the device inventory. This can be scheduled to run weekly or monthly.
- New Device Report. This reports all the new devices detected on your network since the last report. Enterprise IoT Security can generate reports on a daily, weekly, or monthly basis.
- Filtered Inventory Report. This prepares a device inventory report using a previously defined filter of your choice from the Devices page. This can be scheduled to run daily, weekly, or monthly.
You can create, view, edit, and download reports on the Reports page. Also, although reports are
scheduled to run on a recurring basis, you can generate a report on demand by
clicking the Action icon ( ... ) > Edit > Generate Now.
Administration > Firewalls: View the status of logs that firewalls send and statistics about
the type and amount of data that IoT Security is receiving in the logs. This
information is helpful with monitoring and debugging data collection and
firewall-to-IoT Security connections.
Administration > System Events: Use system alerts to investigate any events of concern; for
example, if Enterprise IoT Security stops receiving certain log types.
Logs & Reports > Audit Log: Use the audit log to check user logins and logouts, and feature
modifications.
Create Security Policy Rules in PAN-OS
Although Enterprise IoT Security does not automatically
generate Security policy rule recommendations, you can manually
create rules based on Device-ID in next-generation firewalls or
in Panorama. To do this, you’d first view the activity for a given
group of devices, such as those in a device profile, in a category,
or from a vendor. Then with this information, you’d choose appropriate Device-ID
objects, which firewalls and Panorama learn through device dictionary updates,
to use as the source or destination or both in the Security policy
rules you create.
When specifying the source in a Security policy rule (Policies > Add > Source),
click Add > New Device in
the Source Device section, and then choose a Device-ID attribute
in the Category, Vendor, OS Version, Profile, Model, or OS Family list.
This defines when to apply the rule based on the chosen device attribute.
All the attributes in these lists come from the Device Dictionary
file that the firewall loads from the update server.
Specifying a Device-ID attribute as the destination in a Security
policy rule is similar except the device object is chosen as the
destination.
Create a Trial IoT Security Tenant
If you have a production license for Enterprise IoT Security, and want to see what
Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security is
like, you can create a one-time trial tenant and assign up to five of your firewalls
to it. The trial is valid for 30 days. During that time, both the production and
trial tenants consume log data that firewalls assigned to the trial tenant send to
the logging service. When the trial period ends and the trial tenant is
automatically deleted, the production IoT Security tenant alone continues consuming
the log data from the firewalls.
- To initiate a trial, log in to a production Enterprise IoT Security portal with a user account that has Owner privileges.
- Select Administration > About > License and then click Request next to IoT Security in the Trial section.
- Choose up to five firewalls that you want to use for the trial and then Save. A message appears explaining that a trial tenant is being created, that the chosen firewalls will be associated with it, and that the entire process typically takes about ten minutes. When the process is complete, another message appears stating that the trial tenant has been created and the chosen firewalls have been associated with it. This message also includes the URL for accessing the IoT Security portal for the trial tenant. The trial tenant creation and firewall assignments are also recorded in Administration > Audit Logs.
- On the Administration > About > License page, the button next to IoT Security in the Trial section changes from Request to Enter. To access the trial tenant portal, click Enter. A login prompt appears for the trial tenant in a new browser window.
- Log in with the same credentials you used to log in to the production Enterprise IoT Security tenant. The Enterprise IoT Security Plus portal opens to the Resource Center and is ready for use as a trial tenant. During the 30-day trial, both the production Enterprise IoT Security tenant and the trial tenant consume logs from the firewalls assigned to the trial tenant. You can log in to both tenants and compare the functionality of each.
- The IoT Security portal has different vertical themes: Enterprise Plus, Industrial, and Medical. If you want to see a different vertical theme, select Administration > About > License and click Switch next to Enterprise Plus in the Trial section.
- Select one of the other vertical themes and then Confirm your choice. You can switch between vertical themes as often as you like.
- To exit the trial tenant and return to the production tenant, navigate to Administration > About > License and then click Enter next to Enterprise IoT Security in the Production section. The trial tenant browser window remains open while the production tenant opens in a new browser window.
After the trial ends, the trial tenant is automatically deleted while the production
tenant continues consuming log data from the firewalls.
If you have a trial license for Enterprise IoT Security and want to try out the
IoT Security product, log in to the Enterprise IoT Security portal with a user
account that has Owner privileges, select Administration > About > License, and then click Manage Trial. Select
Enterprise Plus and then
Confirm your decision. After changing to Enterprise
Plus, you can switch to the Industrial or Medical IoT Security theme if you
like. To do that, return to the License page, click
Switch, select one of the vertical themes, and then
Confirm. To go back to the Enterprise IoT Security
product, return to the License page, click Manage Trial,
select Enterprise, and
Confirm.
Learn More
Here are resources where you can find more information
about using Enterprise IoT Security: