Manage Device-ID

Learn how to ensure your policy rule recommendations and device objects are current or how to restore policy rule recommendation mappings.
Perform the following tasks as needed to ensure your policy rule recommendations and device objects are current or to restore policy rule recommendation mappings.
  1. Update your policy rule recommendation whenever the New Updates Available column displays Yes for that recommendation.
    As devices gain new capabilities, IoT Security updates the policy rule recommendations to advise what additional traffic or protocols the firewall or Panorama should allow. Check IoT Security daily for updates and update your policy rule recommendations as soon as possible.
    1. On the IoT Security app, Edit the policy rules then click Next.
    2. Select the new recommendation then click Next.
    3. Save your changes.
    4. On the firewall or Panorama, click Import Policy Rules then click Yes to confirm that you want to overwrite the current rule.
      This action overwrites the recommendation for the rule, not the rule itself.
    5. (Panorama only) Repeat the previous step for all device groups.
    6. Commit your changes.
  2. Review, update, and maintain the device objects in the Device Dictionary.
    You must create device objects for any devices that do not have an IoT Security policy rule recommendation. For example, you cannot secure devices such as laptops and smartphones using IoT Security policy rule recommendations, so you must create device objects for these types of devices and use them in your Security policy to secure these devices.
    1. Select Objects > Devices.
    2. Add a device object.
    3. Browse the list or Search using keywords.
      The search results can include multiple types of device object attributes (for example, both Category and Profile).
    4. To add a custom device object, enter a Name and optionally a Description for the device object.
      Always use a unique name for each device object. Do not change the tags in the description for device objects from policy rule recommendations.
    5. (Panorama only) Select the Shared option to make this device object available to other device groups.
    6. Select the attributes for the device object (Category, OS, Profile, Osfamily, Model, and Vendor).
    7. Click OK to confirm your changes.
  3. In some cases (for example, if you restore a previous configuration), the policy rule recommendation-to-policy rule mappings may become out of sync. You must also sync the mappings on each firewall after you push the policy rules from Panorama to the firewalls that Panorama manages. To sync the mappings:
    • On the firewall, select Device > Policy Recommendation > IoT > Sync Policy Rules.
    • For Panorama, select Panorama > Policy Recommendation > IoT > Sync Policy Rules.
    The firewall or Panorama scans all of the rules in the rulebase to check for tags that identify a rule as an IoT Security policy rule recommendation, obtains the source device object information, and repopulates the local policy rule recommendation database.
  4. Delete any policy rule recommendations that are no longer needed.
    If a policy rule recommendation no longer applies, you can remove the policy rule recommendation. You must also remove the rule for the policy rule recommendation to enforce the updated Security policy.
    1. On the IoT Security app, select Delete.
    2. Click Mark as Removed to select this recommendation for removal.
    3. Remove the mapping.
      • On the firewall, select Device > Policy Recommendation > IoT > Remove Policy Mapping.
      • For Panorama, select Device > Policy Recommendation > IoT > Remove Policy Mapping, then select the Location from which you want to remove the mapping.
    4. Click Yes to confirm the mapping removal.
    5. Select Policies > Security. For Panorama, select Policies > Security > Pre-Rules/Post-Rules.
    6. Select the rule for the policy rule recommendation you want to remove then select Delete.
    7. Commit your changes.
  5. Use CLI commands to troubleshoot any issues between the firewall and IoT Security.