Device Profile Policy
Table of Contents
Expand all | Collapse all
-
- Firewall and PAN-OS Support of IoT Security
- IoT Security Prerequisites
- Onboard IoT Security
- Onboard IoT Security on VM-Series with Software NGFW Credits
-
- DHCP Data Collection by Traffic Type
- Firewall Deployment Options for IoT Security
- Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
- Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
- Use a Tap Interface for DHCP Visibility
- Use a Virtual Wire Interface for DHCP Visibility
- Use SNMP Network Discovery to Learn about Devices from Switches
- Use Network Discovery Polling to Discover Devices
- Use ERSPAN to Send Mirrored Traffic through GRE Tunnels
- Use DHCP Server Logs to Increase Device Visibility
- Plan for Scaling when Your Firewall Serves DHCP
- Prepare Your Firewall for IoT Security
- Configure Policies for Log Forwarding
- Control Allowed Traffic for Onboarding Devices
- Support Isolated Network Segments
- IoT Security Integration with Prisma Access
- IoT Security Licenses
- Offboard IoT Security Subscriptions
-
- Introduction to IoT Security
- IoT Security Integration with Next-generation Firewalls
- IoT Security Portal
- Vertical-themed Portals
- Device-to-Site Mapping
- Sites and Site Groups
- Networks
- Network Segments Configuration
- Reports
- IoT Security Integration Status with Firewalls
- IoT Security Integration Status with Prisma Access
- Data Quality Diagnostics
- Authorize On-demand PCAP
- IoT Security Integrations with Third-party Products
- IoT Security and FedRAMP
Device Profile Policy
View policy rule sets and ACL rule sets generated from
IoT Security recommendations.
From PAN-OS 11.1, there's a different process for recommending
Security policy rules to next-generation firewalls from that described here. The
following workflow remains applicable to firewalls running PAN-OS versions prior to
PAN-OS 11.1.
To access the Policy page of a device profile, select Profiles
> profile_name > Policy.
This page lists all the policy sets that were created for the
device profile, when they were last updated, whether they were activated,
and if so, when. When there are no policy sets for a device profile,
the Policy page is empty.
If you create a policy set for a device profile and save it without
activating it, it’s added to the Policy page. In this case, there’s
a dash in the Last Set as Active column.
After you activate a policy set, it’s marked with an Active label
and IoT Security adds a timestamp in the Last Set as Active column.
If you later deactivate the policy set, the Active label is removed.
However, the timestamp in the Last Set as Active column remains
indicating that it once was active and when.
New behaviors are behaviors discovered on the network after the active policy set was activated
or last updated. Unexpected behaviors are behaviors that were explicitly not permitted
when the policy set was activated or last updated but have since appeared on the
network, which means the enforcement implemented in a next-generation firewall is
missing them. If IoT Security detects new or unexpected behaviors on the network
after some time has passed since the policy set was first activated, it lists them on
the AssetsProfiles > profile_name > Policy page and presents
you with an opportunity to modify the active policy set to account for these
behaviors.
When integrating IoT Security with Cisco ISE, you can send ISE
automatically generated ACL rule sets for IoT devices. For information
about providing ISE with access control lists for IoT devices, see Apply Access Control Lists through
Cisco ISE.