IoT Security
2.0.x and Earlier
Configure SNMP crawling when using the Network Discovery plugin version 2.0.x and earlier.
To configure SNMP Network Discovery with the plugin, you need to have a next-generation firewall with an associated IoT Security license. Review the Network Discovery Plugin Release Notes to find the PAN-OS versions supported for each plugin release version. From the management interface of your NGFW, download the Network Discovery plugin following the steps at Install Panorama Plugins. Plugin management isn’t supported in Strata Cloud Manager.

The following instructions are for the Network Discovery plugin configuration using the PAN-OS web interface on an individual next-generation firewall. To configure the plugin on Panorama, use templates and template stacks and template stack variables for the IP addresses of the address groups, discovery scope, and ports and interfaces as needed.
- Open the SNMP settings for the Network Discovery plugin. Select Device > IoT Security > Network Discovery. In the SNMP Network Discovery section, click Edit (gear icon). The SNMP Network Discovery Settings dialog box appears with the Schedule Settings tab active. Select Enable SNMP Network Discovery Settings to configure SNMP Network Discovery.
- Schedule how often the firewall runs an SNMP crawl job. In the Network Discovery Job section, schedule how often the firewall runs a job to learn all the switches and other network forwarding devices that run LLDP and CDP on the network or within a defined scope of the network. The default is once a day, which usually is often enough. In addition to when and how often you want to run the SNMP crawl job, you can specify a max duration for how long each job can take, up to 24 hours.
- Schedule how often the firewall queries for information about the network and connected devices. In the Network Data Refreshment Job section, schedule how often the firewall runs a job to query switches and other forwarding devices for information about the network and the devices connected to them. Consider how often DHCP lease times renew and schedule the job to run at half the lease time, which is when DHCP clients start requesting lease renewals and could receive different IP addresses. In environments without DHCP, consider running the network data refreshment job once every hour, which is the default setting. In addition to when and how often you want to run the device discovery job, you can specify a max duration for how long each job can take, up to 24 hours.
- Click the Discovery Scope Settings tab and configure the scope of the SNMP crawl.
  - Entry Point Switch: Enter the IP address of the entry point switch with which to begin the SNMP discovery process. A good choice for the entry point switch is a core switch because it commonly has the broadest access to the various distribution-layer and access-layer switches throughout the network.
  - Device IP Address Scope: Enter the prefix for the IP CIDR block that defines the scope of the switches and endpoint devices to learn. Optionally, don’t set a scope by entering None, in which case SNMP collects network topology for the entire network.
  - Maximum Number of Hops: Enter the number of switches away from the entry point switch that you want the SNMP network discovery job to reach. The default number of hops is 10.
  - Site: Add the name of the site where the SNMP job queries switches for network data.
  - Service Route: If your firewall uses a data interface rather than the management interface to do SNMP network discovery, set a service route specifying that interface and the network segment to query. Service routes configured on Device > Setup > Services > Service Route Configuration are not applied; SNMP network discovery only uses service routes configured here.
- Click the SNMP Settings tab and configure the SNMP credentials for the job to use. Set the SNMP version and configure the required settings for the version and options you use.
  - SNMP Version: Choose the SNMP version that your switches support, either V2 (SNMPv2c) or V3. If you choose V2, configure the Community String. If you choose V3, configure the Username, Security Level, Authentication Protocol and Password, and Privacy Protocol and Password settings.
  - Community String (for SNMP V2): Enter the SNMP community string configured on the switches to permit read-only access.
  - Username (for SNMP V3): Enter a username for an SNMP user account with read-only access. This is the account the firewall uses when accessing an SNMP server running on a switch.
  - Security Level (for SNMP V3): Choose the security level for accessing an SNMP server on a switch.
    - noAuthNoPriv: Choose this to neither authenticate nor encrypt communications between the SNMP agent on the firewall and an SNMP server on a switch.
    - authNoPriv: Choose this to require authentication based on either MD5 or SHA hashes but not encrypt communications between the firewall and the switches.
    - authPriv: Choose this to require both authentication and encryption.
  - Authentication Protocol (for SNMP V3): Choose the algorithm for authenticating communications between the firewall and the switches: MD5 (Message Digest Algorithm 5) or SHA for SHA-1 (Secure Hash Algorithm 1).
  - Authentication Password (for SNMP V3): Enter the password used during the authentication process.
  - Privacy Protocol (for SNMP V3): Choose the algorithm for encrypting communications between the firewall and the switches: DES (Data Encryption Standard) or AES (Advanced Encryption Standard).
  - Privacy Password (for SNMP V3): Enter the password used during the encryption process.
  - Retries: Enter the number of times the job should retry an SNMP query. If the job reaches the maximum number of retries, it skips that SNMP query. The number of retries does not include the initial query. The default number of retries is 2.
  - Timeout (ms): Enter the time the job should wait for a response to an SNMP query. The default timeout is 2000 ms.
- Click OK to save your SNMP Network Discovery settings. After you enable this feature, the settings are sent to the plugin, which checks the source interface IP address that will send and receive SNMP traffic and schedules the following tasks:
  - Send SNMP queries for Network Discovery using CDP and LLDP OIDs.
  - Send SNMP queries for Network Data Refresh using various OIDs for VLANs, subnets, switch interface or port information, device IP-to-MAC address bindings, and other attributes on a per-device level.
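To make the Discovery Scope and Retries settings concrete, here is an added Python simulation of the crawl; it is not the plugin's own code. It walks a constructed CDP/LLDP neighbor table breadth-first from the entry point switch, stays inside the Device IP Address Scope CIDR, stops at Maximum Number of Hops, and skips a switch once the initial query plus the configured Retries all fail. The neighbor table and the unresponsive switch are constructed sample data.

```python
import ipaddress
from collections import deque

# Constructed CDP/LLDP neighbor table: switch IP -> neighbor switch IPs.
# The real plugin learns this by querying CDP and LLDP OIDs on each switch.
NEIGHBORS = {
    "10.0.0.1": ["10.0.1.1", "10.0.2.1", "192.168.5.1"],  # core (entry point)
    "10.0.1.1": ["10.0.0.1", "10.0.1.2"],                  # distribution
    "10.0.2.1": ["10.0.0.1", "10.0.2.2"],                  # distribution
    "10.0.1.2": ["10.0.1.1", "10.0.1.3"],                  # access
    "10.0.2.2": ["10.0.2.1"],                              # access
    "10.0.1.3": ["10.0.1.2"],                              # access, 3 hops out
    "192.168.5.1": ["10.0.0.1"],                           # outside the 10.0/16 scope
}
# Constructed: switches that never answer SNMP (every query times out).
UNRESPONSIVE = {"10.0.2.2"}

def snmp_query(ip, attempts):
    """Simulate one SNMP neighbor query; None stands for a timeout."""
    attempts[ip] = attempts.get(ip, 0) + 1
    return None if ip in UNRESPONSIVE else NEIGHBORS.get(ip, [])

def crawl(entry_point, scope=None, max_hops=10, retries=2):
    """Breadth-first crawl mirroring the Discovery Scope settings.
    scope: CIDR string, or None for no scope limit (the 'None' setting).
    max_hops: switches away from the entry point the crawl may reach.
    retries: re-tries after the initial query before a switch is skipped.
    Returns (reached {ip: hops}, skipped [ip], attempts {ip: queries})."""
    net = ipaddress.ip_network(scope) if scope else None
    in_scope = lambda ip: net is None or ipaddress.ip_address(ip) in net
    reached, skipped, attempts = {}, [], {}
    queue = deque([(entry_point, 0)])
    while queue:
        ip, hops = queue.popleft()
        if ip in reached or ip in skipped or not in_scope(ip):
            continue
        neighbors = None
        for _ in range(1 + retries):          # initial query + retries
            neighbors = snmp_query(ip, attempts)
            if neighbors is not None:
                break
        if neighbors is None:                 # retries exhausted: skip switch
            skipped.append(ip)
            continue
        reached[ip] = hops
        if hops < max_hops:                   # do not expand past the hop limit
            queue.extend((n, hops + 1) for n in neighbors)
    return reached, skipped, attempts
```

With a 10.0.0.0/16 scope and a hop limit of 2, the 192.168.5.1 neighbor is never queried and the access switch three hops out is never reached, while the unresponsive switch is queried three times (initial query plus two retries) and then skipped.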
After the SNMP jobs are run, the resulting SNMP data is stored in files and converted to Enhanced Application logs. The firewall then sends the logs to the logging service. The logging service then streams the data to IoT Security, which updates its database and displays the SNMP discovery network topology data in the IoT Security portal.