IoT Security
Device-to-Site Mapping
Table of Contents
Device-to-Site Mapping
IoT Security maps devices to sites based on IP addresses
or firewall locations.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
From March 2022, IoT Security provides existing tenants
two ways to link devices to sites:
- IP address-based site assignments – IoT Security assigns devices to a site based on device IP address. This method was introduced in March 2022. It is available for existing IoT Security tenants to switch to and is the only option that new tenants (as of March 2022) can use.
- Firewall-based site assignments – IoT Security assigns devices to a site based on the location of the firewall that sends it logs. Until March 2022, this was the only method that IoT Security offered.
For the first approach, you must define one or more Classless Inter-Domain Routing (CIDR)
blocks or subnets for each site at
.
For the second approach, you must assign a site to each firewall at
.
Site assignment based on firewalls works well for smaller, single-site
deployments. However, an issue can arise when there are multiple
sites and devices at two sites communicate with each other. When
this occurs, the firewalls at both sites observe a session involving
the same two devices and report them in logs to IoT Security, which
cannot tell where each device is actually located. This issue doesn’t
occur when IoT Security assigns devices to sites based on IP address,
which is the preferred method.
IP Address-based Site Assignment
This method for mapping devices to sites uses IP addresses
and is the only site-mapping method available to new IoT Security
tenants starting in March 2022.
If you haven’t done so already, enter or upload a CSV file of the IP address blocks of your sites
in CIDR notation on . (Examples of CIDR notation: 10.55.0.0/16 and 10.197.0.0/16.) Then
click and enter the network address in CIDR notation and a description, or
click and upload multiple subnets using the provided template.
You don’t need to use all the subnets that belong to a
site for site mapping. Instead, pick the largest subnet (IP address
block) for site assignment. For example, one site might have numerous
subnets such as 10.55.10.0/24, 10.55.28.0/24, and 10.55.121.0/24,
all of which are within a single IP block of 10.55.0.0/16. In this
case, use 10.55.0.0/16 for site mapping. IoT Security automatically
assigns smaller subnets within the site-mapping IP block to the same
site and assigns devices within each subnet to the same site as
that of their subnet.
After adding or uploading subnets, assign them to sites on
. Either click the Create Site (
+ ) icon to the upper right of the Sites table or click
the three vertical dots icon at the far right of the row for a previously created
site and then click Edit Site.
Choose the subnets you added or uploaded on
.
If you miss a subnet, IoT Security won’t be able to link devices
in the subnet to a site. When this happens, it assigns devices in
this subnet to the Default site to which all the private IP ranges
(10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are assigned for
the purpose of catching any unassigned subnets.
Firewall-based Site Assignment
For IoT Security tenants that onboarded before March 2022, IoT Security
uses firewall-based site assignments. After you finish onboarding a firewall, it
appears on the page assigned to the Default Site. To reassign it to another site,
click the three vertical dots icon in its row on the far right and then click
Change Site.
Choose one of the sites in the Site Name list and then click Change.
IoT Security maps the devices whose traffic metadata appears
in the logs from this firewall to this site.
For information about creating sites, see Sites and Site Groups.
If you don’t assign a firewall to a site, IoT Security won’t be able to link devices
whose traffic appears in logs from this firewall to a site. When this happens, it
assigns these devices to the Default Site.
Change Site Assignments from Firewalls to IP Addresses
Only a user with owner privileges can
change from firewall-based site assignments to site assignments
based on IP addresses.
For IoT Security tenants that map devices to sites based on firewalls,
IoT Security provides an option to switch to the IP address-based
approach. This is a one-time change. After switching to IP address-based
site assignments, you can’t switch back to the firewall-based approach.
Select and click the gear icon (
![]()
) in the upper right of the Sites panel.
Switch from Firewall-based assignment to IP
CIDR-based assignment and then Save.
As the note in the dialog box says, it can take up to two days
for IoT Security to transition all devices to new sites and that
during this time the site assignments for some devices might be
incorrect.
Read the confirmation message that appears, recalling that this
switch cannot be undone later, and when you’re ready, click Yes to continue.
After you finish setting up the IP CIDR blocks for site mapping and the new IP address-based site
assignment method has had a couple days to establish device-to-site assignments, you
can check to verify the configuration and make any adjustments if
necessary.
Of particular interest is the Site Mapping column. When a subnet is linked to a site and its
entry in the Site Mapping column is Yes, this indicates that
the subnet has been manually mapped to the site. When a subnet is linked to a site
but its entry in the Site Mapping column is No, it means that
the subnet is a part of a larger IP address block that is mapped to the site and
this subnet inherited its site mapping.
After switching device-to-site mapping from firewalls to
IP addresses, IoT Security removes filters for All connected sites and All
disconnected sites. These filters are based on the status
of firewall activity at a site, and after the switch, IoT Security
no longer links firewalls to sites.