IP Endpoints

View the number of IP endpoints that Device Security has detected on the network and details of those it has identified.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
When Device Security receives sufficient network traffic metadata, it uses AI and machine learning to identify the devices generating the traffic. However, there are times when it doesn’t receive enough to identify devices uniquely. For example, Device Security might be aware that there is traffic to and from a specific IP address but, because the device is in a different Layer 3 domain from the firewall logging the network traffic metadata, it never learns its MAC address. The device might be behind a router, a NAT device, or a wireless tethering device, so the firewall only gets its IP address. If DHCP is providing network settings to network devices, it’s possible that different devices use the same IP address at different times. As a result, the network behavior associated with the IP address will keep changing as different types of device take turns using it. When Device Security is aware of an IP address that is the source and destination of traffic but it doesn’t know its MAC address and the network behavior isn’t stable enough to deduce that it’s a statically assigned IP address, Device Security categorizes it as an IP endpoint.
Another way that Device Security can learn about IP endpoints is through third-party integrations. Device Security can receive device data by integrating with a network management or asset management solution and by using SNMP to query network switches about the devices connected to them.
If Device Security observes stable traffic patterns associated with an IP endpoint and there are no changes to any of its major device attributes for seven days, it moves it to the Devices page. There are eight major device attributes that Device Security watches for changes: device profile, category, vendor, model, OS, hostname, serial number, and site ID. A change to any of these attributes indicates that the device using the IP address has changed, so if they all remain unchanged for seven days, it’s reasonable to assume that the device identity is stable.
After adding the IP endpoint to the Devices page, Device Security continues tracking its attributes on a daily basis. If there’s a change to any of its device attributes later, Device Security immediately moves it to the Identified IP Endpoints table where it continues tracking these attributes.
The IP Endpoints page shows the total number of IP endpoints discovered on the network or learned from integrated third-party products, along with the total number and a list of all identified IP endpoints. In Device Security in Strata Cloud Manager, navigate to the IP Endpoints page by going to Assets > IP Endpoints. In the Device Security portal, navigate to the IP Endpoints page by going to Assets > Devices > IP Endpoints.
At the top of the page are data filters for sites, device types, and time periods (1 Day, 1 Week, and 1 Month). The sites filter controls the data displayed for IP endpoints and identified IP endpoints per site, per site group, or for all sites. The filter for device types controls the display of data by types such as Industrial, Medical, Office, Traditional IT, All IoT, and All Devices. The time filter displays data that Device Security discovered or learned within the past day, week, or month.
You might wonder why the device type filter affects the total number of IP endpoints. After all, Device Security is not yet able to identify what type of device an IP endpoint is. However, for some of them, it already has an approximate idea—enough to distinguish an IT device from an IoT device, for instance. That’s why you might see a different total number of IP endpoints when the filter is, say, All Devices and when it’s All IoT.
To see the history of an identified IP endpoint, click its IP address. For example, the history below shows that Device Security initially identified this IP endpoint as a Windows PC and then revised that to a Windows tablet. Device Security maintains a history of up to 10 changes over the past 30 days.
If the behavior of an identified IP endpoint eventually settles to a consistently stable pattern again and there are no further changes to its major device attributes for seven consecutive days, Device Security moves it back to the Devices page. You can also see the historical record of the last ten changes on its Device Details page.
The relationship between the internal database of IP endpoints, the Devices table, and Identified IP Endpoints table is shown below.
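The movement between the three tables described above can be modeled in a few lines of Python. This is an added example for illustration, not Device Security code: it applies the seven-day stability rule, the immediate move to Identified IP Endpoints on a change, and the 10-changes-in-30-days history limit. The table names, attribute keys, once-a-day snapshots, counting of the seven days from the last change, and keeping history before first promotion are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The eight major device attributes named on this page (key names are assumed).
MAJOR_ATTRS = ("profile", "category", "vendor", "model", "os",
               "hostname", "serial", "site_id")
STABLE_DAYS = 7       # unchanged days required before moving to Devices
MAX_HISTORY = 10      # changes retained per endpoint ...
HISTORY_WINDOW = 30   # ... within the past 30 days

@dataclass
class Endpoint:
    ip: str
    attrs: dict = field(default_factory=dict)
    table: str = "ip_endpoints"            # hypothetical table names
    last_change: Optional[date] = None
    history: list = field(default_factory=list)   # (day, {attr: (old, new)})

    def observe(self, day, seen):
        """Apply one daily snapshot of the major attributes; return the table."""
        diff = {a: (self.attrs.get(a), seen.get(a)) for a in MAJOR_ATTRS
                if self.attrs.get(a) != seen.get(a)}
        if self.last_change is None:       # first sighting starts the clock
            self.attrs, self.last_change = dict(seen), day
        elif diff:                         # identity may have changed
            self.attrs, self.last_change = dict(seen), day
            self.history.append((day, diff))
            if self.table == "devices":    # demote immediately
                self.table = "identified_ip_endpoints"
        elif (day - self.last_change).days >= STABLE_DAYS:
            self.table = "devices"         # stable long enough: promote
        cutoff = day - timedelta(days=HISTORY_WINDOW)
        self.history = [h for h in self.history if h[0] >= cutoff][-MAX_HISTORY:]
        return self.table

def demo():
    """Constructed sample: a Windows PC later re-identified as a tablet."""
    pc = {"profile": "Windows PC", "vendor": "ExampleCorp", "site_id": "hq"}
    tablet = dict(pc, profile="Windows Tablet")
    start, ep, timeline = date(2024, 1, 1), Endpoint("192.0.2.10"), []
    for offset in range(17):
        seen = pc if offset < 9 else tablet
        timeline.append((offset, ep.observe(start + timedelta(days=offset), seen)))
    return ep, timeline

if __name__ == "__main__":
    for offset, table in demo()[1]:
        print(f"day {offset:2d}: {table}")
```

In the constructed run, the endpoint reaches the Devices table on day 7, drops to Identified IP Endpoints on day 9 when its profile changes, and returns to Devices on day 16.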