Device > Policy Recommendation > IoT
11.0 (EoL)
Configure and view the Policy Recommendation settings on your firewall.

View information about policy rule recommendations from IoT Security. IoT Security uses metadata that the firewall collects from traffic on your network to determine what behavior to allow for devices, and then generates recommendations for Security policy rules to apply.
| Button/Field | Description |
|---|---|
| Policy Import Details | View detailed information about the policy rule recommendation, such as the device group Location, the rule name, the user who imported the policy, whether the policy rule recommendation Is Updated, when the policy rule recommendation was imported, and when it was last updated. |
| Imported to | For next-generation firewalls, the virtual system into which a policy rule recommendation was imported. For Panorama, the device groups into which a policy rule recommendation was imported. |
| Policy Rule Name | The name of a policy rule, which by default is a concatenation of the IoT Security policy set name and the application name. |
| Suggested Device Group | The device group that IoT Security suggested for a policy rule after learning about zones and device groups from the logs it received from next-generation firewalls. |
| Source Device Profile | The device profile from which the policy rule recommendation allows traffic. |
| Source Zones | The source zones from which the policy rule recommendation allows traffic. Source zones can be added manually in IoT Security. |
| Source User | The source user for the policy rule recommendation. This is unused and always empty. |
| Source Device | The source device for the policy rule recommendation. This is unused and always empty. |
| Source Address | The source address for the policy rule recommendation. This is unused and always empty. |
| Destination Device Profile | The destination device profiles to which the policy rule recommendation allows traffic. |
| Destination Device IP | The IP addresses of devices to which the policy rule recommendation allows traffic. |
| Destination FQDN | The fully qualified domain names (FQDNs) to which the policy rule recommendation allows traffic. |
| Destination Zones | The destination zones to which the policy rule recommendation allows traffic. Destination zones can be added manually in IoT Security. |
| Destination Security Profiles | The security profiles that the policy rule recommendation applies to the allowed traffic. |
| Destination Services | The services (for example, ssl) that the policy rule recommendation allows. |
| Destination URL Category | The URL filtering categories to which the policy rule recommendation allows traffic. |
| Destination Applications | The applications that the policy rule recommendation allows. |
| Destination Tags | The tags that identify the policy rule for the policy rule recommendation. Do not change the tags of the policy rule; if you change the tags, the firewall cannot rebuild the policy mappings. |
| Description | The description from IoT Security for the policy set to which a rule belongs. |
| Internal Device | Identifies whether the destination is in a zone that is internal to your network (Yes) or in an external, internet-facing zone (No). |
| Action | The action for this policy rule recommendation, which is always allow. |
| New Updates Available | Yes indicates that an update to a policy rule recommendation is available for a corresponding rule in the rulebase. (Panorama) Importing policy rules from Panorama overwrites the current rule recommendations and their corresponding, previously imported rules in the rulebase. After you do this, the New Updates Available field no longer indicates a pending update and changes from Yes to No. If you have more than one device group, the value remains Yes until you import the policy rules to all of them. (PAN-OS UI) Note the details of any policy rule recommendations with Yes in the New Updates Available column, and then edit and save the corresponding imported policy rule on the Policies page to match the updated policy rule recommendation. Then Sync Policy Rules to refresh the mapping between the edited rules and the rule recommendations. The value in the New Updates Available column then changes from Yes to No. |
| View only this firewall | IoT Security automatically pushes the rules in all activated policy sets to Panorama and to all next-generation firewalls. As a result, a firewall might have some rules that don’t apply to it. To display only the rules that apply to the local firewall, select View only this firewall. |
| Import Policy Rule(s) | After IoT Security pushes policy rule recommendations to Panorama or to firewalls and they are in the policy recommendations database, you can select one or more (up to ten) that you want to import into the policy rulebase and then click Import Policy Rule. In the Import Policy Rule dialog box that appears, either choose the name of a policy rule in the rulebase after which to import the selected policy rules, or leave it empty to import the selected rules at the top. If a policy rule recommendation is imported into the rulebase and is later modified in IoT Security, you can use Panorama to re-import it. Because the PAN-OS UI doesn’t allow you to re-import rules, you can either use Panorama or edit the rule in the PAN-OS rulebase to match the modified recommendation and then Sync Policy Rules. |
| Remove Policy Mapping | If you no longer need one or more policy rule recommendations, you can select up to ten recommendations at a time and then Remove Policy Mapping for them. You can then manually delete the corresponding rules from the rulebase. |
| Sync Policy Rules | If the mappings become out of sync (for example, if you restore a previous configuration), you can Sync Policy Rules to restore the mapping between policy rules in the rulebase and policy rule recommendations. |
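As an added example (not code from the PAN-OS documentation or the product), the following Python script models the mapping check that the table describes: it parses a constructed security rulebase fragment in the layout of an exported PAN-OS config, matches each recommendation to its default-named rule, and reports rules whose tags were altered (so the mapping cannot be rebuilt) or whose applications or services no longer match a recommendation flagged with a new update. The recommendation record fields, the service name `service-dns-tcp` and the tag values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed PAN-OS-style security rulebase fragment (sample data, not a real export).
RULEBASE_XML = """<rulebase><security><rules>
<entry name="Cameras-ssl"><application><member>ssl</member></application>
  <service><member>application-default</member></service>
  <tag><member>IoT-policy-set-Cameras</member></tag></entry>
<entry name="Cameras-ntp"><application><member>ntp</member></application>
  <service><member>application-default</member></service>
  <tag><member>edited-by-admin</member></tag></entry>
<entry name="Cameras-dns"><application><member>dns</member></application>
  <service><member>application-default</member></service>
  <tag><member>IoT-policy-set-Cameras</member></tag></entry>
</rules></security></rulebase>"""

# Constructed recommendation records; the field names are an assumption, not an IoT Security schema.
RECOMMENDATIONS = [
    {"policy_set": "Cameras", "application": "ssl", "tag": "IoT-policy-set-Cameras",
     "applications": {"ssl"}, "services": {"application-default"}, "new_update": False},
    {"policy_set": "Cameras", "application": "ntp", "tag": "IoT-policy-set-Cameras",
     "applications": {"ntp"}, "services": {"application-default"}, "new_update": False},
    {"policy_set": "Cameras", "application": "dns", "tag": "IoT-policy-set-Cameras",
     "applications": {"dns"}, "services": {"service-dns-tcp"}, "new_update": True},
]

def rule_name(rec):
    # Default rule name: the IoT Security policy set name concatenated with the application name.
    return f"{rec['policy_set']}-{rec['application']}"

def parse_rules(xml_text):
    """Return {rule name: {field: set of members}} for every security rule entry."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): {f: {m.text for m in e.findall(f"./{f}/member")}
                            for f in ("application", "service", "tag")}
            for e in root.iter("entry")}

def classify(rule, rec):
    """State of one imported rule relative to its recommendation."""
    if rule is None:
        return "not-imported"
    if rec["tag"] not in rule["tag"]:  # tags altered: the firewall cannot rebuild the mapping
        return "tag-changed"
    if rec["new_update"] and (rule["application"], rule["service"]) != (
            rec["applications"], rec["services"]):
        return "needs-edit"  # edit the rule to match the update, then Sync Policy Rules
    return "in-sync"

def audit(rules, recs):
    """Map each recommendation's default rule name to its state in the rulebase."""
    return {rule_name(r): classify(rules.get(rule_name(r)), r) for r in recs}
```

Running `audit(parse_rules(RULEBASE_XML), RECOMMENDATIONS)` flags the ntp rule as unmappable because its tag was changed and the dns rule as needing a manual edit before Sync Policy Rules.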