How to Use Enterprise IoT Security
Use Enterprise IoT Security to discover and manage the
devices on your network.
After onboarding Enterprise IoT Security and setting
up the firewall to gather network traffic and forward traffic logs
to the logging service, allow one or two days for the firewall to
gather enough network traffic for Enterprise IoT Security to analyze
the traffic metadata and confidently identify devices.
Discover Devices and IP Endpoints
When Enterprise IoT Security receives sufficient network traffic metadata, it uses AI and machine
learning to identify the devices generating the traffic and displays them on the Assets > Devices
page. However, there are times when it doesn’t receive enough information to identify devices
uniquely. When Enterprise IoT Security is aware of an IP address that is the source and destination
of traffic but doesn’t know its MAC address, and the network behavior isn’t stable enough to deduce
that the IP address is statically assigned, it categorizes the address as an IP endpoint and
displays it on the Assets > IP Endpoints page.
To check the coverage that Enterprise IoT Security is providing, and increase it if necessary,
view discovered devices and IP endpoints on the Assets > Devices and Assets > IP Endpoints pages.
If IP endpoints constitute most of the devices on your network, that’s an indication that
Enterprise IoT Security is not receiving enough quality information to identify the majority of
devices definitively. In this case, you might want to make some adjustments: relocate the firewall
to a different part of the network, or add Enterprise IoT Security to more next-generation
firewalls to gather more network traffic metadata. (For deployment recommendations, see the IoT
Security Deployment Design Guide.)
Other ways to expand coverage without moving or adding firewalls
are to integrate firewalls with network switches and DHCP servers
and leverage their data. Network switches can mirror the traffic
on them to a firewall, which then forwards traffic metadata in logs
to the logging service for IoT Security to access. Similarly, you
can also configure DHCP servers to send DHCP server logs to the
firewall to forward through the logging service to IoT Security.
Add User-defined Static IP Devices
Devices with static IP address assignments—as opposed
to those assigned dynamically through DHCP—can sometimes be difficult
to link to a unique MAC address. If a static IP device is in the
same Layer 2 broadcast domain as a firewall, the firewall receives
its ARP traffic and learns the IP-to-MAC address mapping that way.
However, if a static IP device is in a different broadcast domain,
the firewall will never see its MAC address. In many cases, Enterprise
IoT Security can apply AI and machine learning to network activity
and deduce that a device at a particular IP address is not changing
and must have a statically assigned IP address. In other cases,
Enterprise IoT Security might not observe enough traffic to determine
that a device has a static IP address. When this happens, Enterprise
IoT Security categorizes it as an IP endpoint.
If you know which devices have static IP addresses, or which parts of the network address space
are reserved for static IP addresses, you can add this information or import a file containing it
into Enterprise IoT Security on Assets > User-defined Static IP Devices > Add and on
Networks > Networks and Sites > Networks > Add.
Check Data Quality
You can also learn about network coverage on the Administration > Data Quality page. This page
shows the number of IP endpoints and low-confidence devices on the network and the percent of
devices that fall into these two categories in relation to the overall number of devices on the
network. You can infer the quality of device data that IoT Security is receiving from these
numbers, which are taken from all devices over the last 30 days.
IP endpoints are devices without a unique identifier, making
them untrackable over time. Low-confidence devices are devices that
Enterprise IoT Security can identify only with a confidence score below
70. When identifying network-connected devices and assigning device
profiles to them, Enterprise IoT Security considers a host of factors
and creates a confidence score for each identification. The score
is a number from 0 to 100, with 100 being the most confident. There
are three confidence levels based on calculated confidence scores:
high (90-100), medium (70-89), and low (0-69). The confidence level
is important because IoT Security only sends a firewall an IP address-to-device
mapping if the confidence score for a device identity is high (90-100)
and the device has sent or received traffic within the past hour. If
there are more IP endpoints and low-confidence devices than you
would like on your network, consider the recommendations offered
on the Data Quality page and follow those you think will reduce
these numbers.
If device attributes are missing and you happen to know what they are, you can edit devices
manually. Although it would be impractical to edit everything manually, you might
want to edit important or business-critical devices if necessary. On the Assets > Devices page,
select the check box of one or more devices and then click Edit. Set or change the device type,
category, profile, vendor, model, OS family, and OS version for the selected devices, enter or
change the description, and then Save and Confirm your edits. After you make your edits,
Enterprise IoT Security automatically resets the confidence level to high and the confidence
score to 100. The device confidence level and score are similarly reset to high and 100 if you
select the check box of one or more devices and click Confirm Device Identity.
It’s good practice to check Data Quality Diagnostics weekly for
the first few months after deployment to make sure IoT Security
is getting the data it needs to identify devices and, if not, to make
adjustments as needed. After you’re satisfied, return periodically
for spot checks and as follow-up whenever there are changes to the
network.
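To make the confidence-score and Data Quality rules above concrete, here is an added Python model (example code written for this page, not Palo Alto Networks code) of how a score maps to a level, when an IP-to-device mapping is pushed to a firewall, what the Data Quality counts look like over a 30-day window, and how a manual Confirm resets the score. The Device record, its last-seen timestamp and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

def confidence_level(score: int) -> str:
    """Map a 0-100 identification score to the page's three levels."""
    if not 0 <= score <= 100:
        raise ValueError("confidence score must be between 0 and 100")
    return "high" if score >= 90 else "medium" if score >= 70 else "low"

@dataclass
class Device:
    ip: str
    mac: Optional[str]    # None models an IP endpoint: no unique identifier
    score: int            # confidence score, 0-100
    last_seen: datetime   # last time the device sent or received traffic

    @property
    def is_ip_endpoint(self) -> bool:
        return self.mac is None

def eligible_for_firewall_mapping(dev: Device, now: datetime) -> bool:
    """Mapping is pushed only for a high-confidence identity with traffic in the past hour."""
    return (not dev.is_ip_endpoint and confidence_level(dev.score) == "high"
            and now - dev.last_seen <= timedelta(hours=1))

def data_quality(devices: list, now: datetime, window_days: int = 30) -> dict:
    """Counts and percentages as shown on the Data Quality page (last 30 days)."""
    recent = [d for d in devices if now - d.last_seen <= timedelta(days=window_days)]
    total = len(recent)
    ip_endpoints = sum(1 for d in recent if d.is_ip_endpoint)
    low_conf = sum(1 for d in recent if not d.is_ip_endpoint and confidence_level(d.score) == "low")
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"total": total, "ip_endpoints": ip_endpoints, "low_confidence": low_conf,
            "pct_ip_endpoints": pct(ip_endpoints), "pct_low_confidence": pct(low_conf)}

def confirm_identity(dev: Device) -> Device:
    """Edit or Confirm Device Identity resets the score to 100, i.e. level high."""
    dev.score = 100
    return dev

NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
INVENTORY = [  # constructed sample inventory; addresses are hypothetical
    Device("10.0.0.10", "00:11:22:33:44:01", 95, NOW - timedelta(minutes=10)),  # pushed to firewall
    Device("10.0.0.11", "00:11:22:33:44:02", 92, NOW - timedelta(hours=3)),     # high but stale
    Device("10.0.0.12", "00:11:22:33:44:03", 40, NOW - timedelta(days=2)),      # low confidence
    Device("10.0.0.13", None, 0, NOW - timedelta(days=1)),                      # IP endpoint
    Device("10.0.0.14", None, 0, NOW - timedelta(days=45)),                     # outside 30-day window
]
```

Only the first device would receive a firewall mapping; the second is high confidence but has been silent for three hours, which is the case that most often surprises people troubleshooting Device-ID policy.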
View and Organize Information
Pages referenced in this section: Assets > Profiles; Networks > Networks and Sites > Networks;
Networks > Networks and Sites > Sites; Logs & Reports > Reports.
- Summary Report. This provides a summary of the device inventory. This can be scheduled to run weekly or monthly.
- New Device Report. This reports all the new devices detected on your network since the last report. Enterprise IoT Security can generate reports on a daily, weekly, or monthly basis.
- Filtered Inventory Report. This prepares a device inventory report using a previously defined filter of your choice from the Devices page. This can be scheduled to run daily, weekly, or monthly.
You can create, view, edit, and download reports on the Reports page. Also, although reports are
scheduled to run on a recurring basis, you can generate a report on demand by
clicking the Action icon ( ... ) > Edit > Generate Now.
Pages referenced in this section: Administration > Firewalls; Administration > System Events;
Logs & Reports > Audit Log.
Create Security Policy Rules in PAN-OS
Although Enterprise IoT Security does not automatically
generate Security policy rule recommendations, you can manually
create rules based on Device-ID in next-generation firewalls or
in Panorama. To do this, you’d first view the activity for a given
group of devices, such as those in a device profile, in a category,
or from a vendor. Then with this information, you’d choose appropriate Device-ID
objects, which firewalls and Panorama learn through device dictionary updates,
to use as the source or destination or both in the Security policy
rules you create.
When specifying the source in a Security policy rule (Policies > Add > Source),
click Add > New Device in the Source Device section, and then choose a Device-ID attribute
in the Category, Vendor, OS Version, Profile, Model, or OS Family list.
This defines when to apply the rule based on the chosen device attribute.
All the attributes in these lists come from the Device Dictionary
file that the firewall loads from the update server.
Specifying a Device-ID attribute as the destination in a Security
policy rule is similar except the device object is chosen as the
destination.
Create a Trial IoT Security Tenant
If you have a production license for Enterprise IoT Security, and want to see what
Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security is
like, you can create a one-time trial tenant and assign up to five of your firewalls
to it. The trial is valid for 30 days. During that time, both the production and
trial tenants consume log data that firewalls assigned to the trial tenant send to
the logging service. When the trial period ends and the trial tenant is
automatically deleted, the production IoT Security tenant alone continues consuming
the log data from the firewalls.
- To initiate a trial, log in to a production Enterprise IoT Security portal with a user account that has Owner privileges.
- Select Administration > About > License and then click Request next to IoT Security in the Trial section.
- Choose up to five firewalls that you want to use for the trial and then Save. A message appears explaining that a trial tenant is being created, that the chosen firewalls will be associated with it, and that the entire process typically takes about ten minutes. When the process is complete, another message appears stating that the trial tenant has been created and the chosen firewalls have been associated with it. This message also includes the URL for accessing the IoT Security portal for the trial tenant. The trial tenant creation and firewall assignments are also recorded in Administration > Audit Logs.
- On the Administration > About > License page, the button next to IoT Security in the Trial section changes from Request to Enter. To access the trial tenant portal, click Enter. A login prompt for the trial tenant appears in a new browser window.
- Log in with the same credentials you used to log in to the production Enterprise IoT Security tenant. The Enterprise IoT Security Plus portal opens to the Resource Center and is ready for use as a trial tenant. During the 30-day trial, both the production tenant and the trial tenant consume logs from the firewalls assigned to the trial tenant. You can log in to both tenants and compare the functionality of each.
- The IoT Security portal has different vertical themes: Enterprise Plus, Industrial, and Medical. If you want to see a different vertical theme, select Administration > About > License and click Switch next to Enterprise Plus in the Trial section.
- Select one of the other vertical themes and then Confirm your choice. You can switch between vertical themes as often as you like.
- To exit the trial tenant and return to the production tenant, navigate to Administration > About > License and then click Enter next to Enterprise IoT Security in the Production section. The trial tenant browser window remains open while the production tenant opens in a new browser window.
After the trial ends, the trial tenant is automatically deleted while the production
tenant continues consuming log data from the firewalls.
If you have a trial license for Enterprise IoT Security and want to try out the
IoT Security product, log in to the Enterprise IoT Security portal with a user
account that has Owner privileges, select Administration > About > License, and then click
Manage Trial. Select Enterprise Plus and then Confirm your decision. After changing to Enterprise
Plus, you can switch to the Industrial or Medical IoT Security theme if you
like. To do that, return to the License page, click Switch, select one of the vertical themes,
and then Confirm. To go back to the Enterprise IoT Security product, return to the License page,
click Manage Trial, select Enterprise, and Confirm.
Learn More
Here are resources where you can find more information
about using Enterprise IoT Security: