Device > Policy Recommendation > IoT

Configure and view the Policy Recommendation settings on your firewall.
View information about policy rule recommendations from IoT Security. IoT Security uses metadata that the firewall collects from traffic on your network to determine what behavior to allow for devices and then generates recommendations for Security policy rules to apply.
Button/Field and Description

Policy Import Details
View detailed information about the policy rule recommendation, such as device group Location, rule name, the user who imported the policy, whether the policy rule recommendation Is Updated, when the policy rule recommendation was imported, and when the policy rule recommendation was last updated.

Imported to
For next-generation firewalls, this shows the virtual system into which a policy rule recommendation was imported. For Panorama, this shows the device groups into which a policy rule recommendation was imported.

Policy Rule Name
The name of a policy rule, which by default is a concatenation of the IoT Security policy set name and the application name.

Suggested Device Group
The device group that IoT Security suggested for a policy rule after learning about zones and device groups in the logs it received from next-generation firewalls.

Source Device Profile
The device profile from which the policy rule recommendation allows traffic.

Source Zones
The source zones from which the policy rule recommendation allows traffic. Source zones can be added manually in IoT Security.

Source User
The source user for the policy rule recommendation. This is unused and always empty.

Source Device
The source device for the policy rule recommendation. This is unused and always empty.

Source Address
The source address for the policy rule recommendation. This is unused and always empty.

Destination Device Profile
The destination device profiles to which the policy rule recommendation allows traffic.

Destination Device IP
The IP address of devices to which the policy rule recommendation allows traffic.

Destination FQDN
The fully qualified domain names (FQDN) to which the policy rule recommendation allows traffic.

Destination Zones
The destination zones to which the policy rule recommendation allows traffic. Destination zones can be added manually in IoT Security.

Destination Security Profiles
The security profiles that the policy rule recommendation allows.

Destination Services
The services (for example, ssl) that the policy rule recommendation allows.

Destination URL Category
The URL filtering categories to which the policy rule recommendation allows traffic.

Destination Applications
The applications that the policy rule recommendation allows.

Destination Tags
The tags that identify the policy rule for the policy rule recommendation. Do not change the tags of the policy rule; if you change the tags, the firewall cannot rebuild the policy mappings.

Description
The description from IoT Security for the policy set to which a rule belongs.

Internal Device
Identifies whether the destination is in a zone that is internal to your network (Yes) or in an external internet-facing zone (No).

Action
Identifies the action for this policy rule recommendation, which is always allow.

New Updates Available
Yes identifies that there is an update to a policy rule recommendation that's available for a corresponding rule in the rulebase.
(Panorama) Importing policy rules from Panorama overwrites current rule recommendations and their corresponding, previously imported rules in the rulebase. After you do this, the New Updates Available field no longer indicates there is a pending update and will change from Yes to No. If you have more than one device group, the value remains Yes until you import policy rules to all of them.
(PAN-OS UI) Note details of any policy rule recommendations with Yes in the New Updates Available column, and then edit and save the corresponding imported policy rule on the Policies page to match the updated policy rule recommendation. Then Sync Policy Rules to refresh the mapping between the edited rules and the rule recommendations. The value in the New Updates Available column then changes from Yes to No.

View only this firewall
IoT Security automatically pushes rules in all activated policy sets to Panorama and all next-generation firewalls. As a result, a firewall might have some rules that don't apply to it. To display only those rules that apply to the local firewall, View only this firewall.

Import Policy Rule(s)
After IoT Security pushes policy rule recommendations to Panorama or firewalls and they are in the policy recommendations database, you can select one or more (up to ten) that you want to import into the policy rulebase and then click Import Policy Rule. In the Import Policy Rule dialog box that appears, either choose the name of a policy rule in the rulebase to import the selected policy rules after, or leave it empty to import the selected rules to the top. If a policy rule recommendation is imported into the rulebase and then it's later modified in IoT Security, you can use Panorama to re-import it. Because the PAN-OS UI doesn't allow you to re-import rules, you can either use Panorama or edit the rule in the PAN-OS rulebase to match the modified recommendation and then Sync Policy Rules.

Remove Policy Mapping
If you no longer need one or more policy rule recommendations, you can select up to ten recommendations at a time and then Remove Policy Mapping for them. You can then manually delete the corresponding rules from the rulebase.

Sync Policy Rules
If the mappings become out of sync (for example, if you restore a previous configuration), you can Sync Policy Rules to restore the mapping between policy rules in the rulebase and policy rule recommendations.
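The relationships the table describes (Destination Tags key the mapping between an imported rule and its recommendation, so an edited tag leaves the rule orphaned; New Updates Available turns Yes when IoT Security changes a recommendation after import; editing the imported rule to match and then syncing returns it to No) can be checked offline before touching the rulebase. The following Python model is an added example and is not Palo Alto Networks code. The rule, tag, zone and device profile names are constructed sample data, and comparing the recommendation and the imported rule field by field over the columns listed above is an assumption; the page does not describe how PAN-OS itself detects a pending update.

```python
"""Offline model of IoT Security policy rule recommendations and their imported
copies in a PAN-OS rulebase (added example, not Palo Alto Networks code)."""
from dataclasses import dataclass, replace

# Set-valued columns from the Policy Recommendation table.
SET_FIELDS = ("src_zones", "dst_profiles", "dst_ips", "dst_fqdns",
              "dst_zones", "services", "applications")
# Columns compared to decide whether an imported rule still matches its
# recommendation (assumption: the page does not document the exact check).
COMPARED_FIELDS = ("src_profile",) + SET_FIELDS + ("action",)


@dataclass(frozen=True)
class PolicyRule:
    """One rule: either a recommendation or its imported copy in the rulebase."""
    name: str
    tags: frozenset          # Destination Tags: the key that maps rule <-> recommendation
    src_profile: str
    src_zones: frozenset
    dst_profiles: frozenset
    dst_ips: frozenset
    dst_fqdns: frozenset
    dst_zones: frozenset
    services: frozenset
    applications: frozenset
    action: str = "allow"    # recommendations are always allow


def make_rule(name, tags, **overrides):
    """Build a rule with empty defaults; list/set values become frozensets."""
    attrs = {f: frozenset() for f in SET_FIELDS}
    attrs["src_profile"] = ""
    for key, value in overrides.items():
        attrs[key] = frozenset(value) if key in SET_FIELDS else value
    return PolicyRule(name=name, tags=frozenset(tags), **attrs)


def map_rules(recommendations, rulebase):
    """Rebuild the mapping by tags, as the page says the firewall does.
    Returns (mapping rec name -> imported rule, recommendations with no matching
    rule, imported rules whose tags no longer match any recommendation).
    Assumption: each imported rule carries a unique tag set."""
    by_tags = {rule.tags: rule for rule in rulebase}
    mapping, unmapped = {}, []
    for rec in recommendations:
        rule = by_tags.pop(rec.tags, None)
        if rule is None:
            unmapped.append(rec.name)
        else:
            mapping[rec.name] = rule
    orphaned = [rule.name for rule in by_tags.values()]
    return mapping, unmapped, orphaned


def pending_updates(recommendations, mapping):
    """Columns on which each mapped rule differs from its recommendation."""
    pending = {}
    for rec in recommendations:
        rule = mapping.get(rec.name)
        if rule is None:
            continue
        diff = [f for f in COMPARED_FIELDS if getattr(rec, f) != getattr(rule, f)]
        if diff:
            pending[rec.name] = diff
    return pending


def new_updates_available(recommendations, rulebase):
    """Model the New Updates Available column for every mapped recommendation."""
    mapping, _, _ = map_rules(recommendations, rulebase)
    pending = pending_updates(recommendations, mapping)
    return {name: ("Yes" if name in pending else "No") for name in mapping}


def apply_recommendation(rule, rec):
    """The PAN-OS UI path: edit the imported rule to match the recommendation,
    keeping its tags so that Sync Policy Rules can rebuild the mapping."""
    return replace(rule, **{f: getattr(rec, f) for f in COMPARED_FIELDS})


# Constructed sample data; tag strings are placeholders, not IoT Security's format.
RECOMMENDATIONS = [
    make_rule("Infusion Pump-ssl", ["iot-rec-0001"], src_profile="Infusion Pump",
              src_zones={"medical"}, dst_zones={"internet"},
              dst_fqdns={"updates.example.net"}, services={"ssl"}, applications={"ssl"}),
    # Updated in IoT Security after import: a second DNS server was added.
    make_rule("Infusion Pump-dns", ["iot-rec-0002"], src_profile="Infusion Pump",
              src_zones={"medical"}, dst_zones={"dmz"},
              dst_ips={"10.0.0.53", "10.0.0.54"}, services={"dns"}, applications={"dns"}),
    make_rule("IP Camera-ntp", ["iot-rec-0003"], src_profile="IP Camera",
              src_zones={"cameras"}, dst_zones={"dmz"},
              dst_ips={"10.0.0.123"}, services={"ntp"}, applications={"ntp"}),
]
RULEBASE = [
    RECOMMENDATIONS[0],                                   # imported, unchanged
    replace(RECOMMENDATIONS[1], dst_ips=frozenset({"10.0.0.53"})),  # imported before the update
    replace(RECOMMENDATIONS[2], tags=frozenset({"cameras"})),       # an admin changed the tags
]

if __name__ == "__main__":
    mapping, unmapped, orphaned = map_rules(RECOMMENDATIONS, RULEBASE)
    print("New Updates Available:", new_updates_available(RECOMMENDATIONS, RULEBASE))
    print("Recommendations without a mapped rule:", unmapped)
    print("Rules whose tags were changed (mapping cannot be rebuilt):", orphaned)
```

Run as a script, the model reports the second rule as Yes, the third recommendation as unmapped, and the retagged rule as orphaned. Applying `apply_recommendation` to the second rule and re-running the check models the edit-then-Sync Policy Rules path and clears the Yes.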