Import an automatically generated policy set for IoT device behaviors into the Panorama management system.
Where Can I Use This?
IoT Security (Managed by IoT Security)
What Do I Need?
IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
Currently, policy rule recommendations are not supported on multi-vsys firewalls; policy rules for them must be created manually.
Log in to your Panorama management server and navigate to Panorama > Policy Recommendation > IoT.
When you do, Panorama fetches the latest active recommendations from the IoT Security cloud. If you already have the Policy Recommendations page open when you activate a policy set in IoT Security (or modify or deactivate an existing active policy set), you must refresh the page to see the changes. Neither Panorama nor the firewalls cache any policy recommendations.
Click Import, import the policy rule recommendations to either the pre-rulebase or the post-rulebase, and then select the rule after which to place the imported rule.
Pre-rules are rules written in Panorama that are added before the rules defined locally on a firewall. Post-rules are rules written in Panorama that are added after rules defined on a firewall.
If you don’t select a rule, Panorama places the imported policy recommendations at the top of your rulebase.
So that other Security policy rules for the same devices as those in the recommended rules do not occlude them, position the recommended rules before the others in the rulebase.
Click OK.
The import operation automatically creates the supporting objects a policy rule requires (device objects, service objects, address objects) and then creates the policy rule itself.
You can either apply a log forwarding profile to each policy rule manually or, before importing the rule recommendations, create a log forwarding profile and name it “default” to have it applied automatically.
See the section about log forwarding profiles in Prepare Your Firewall for IoT Security and also Configure Policies for Log Forwarding.
Commit the configuration change.
For more information about importing a policy set into Panorama (and directly into firewalls), see Configure Device-ID.
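The placement guidance above (pre-rules ahead of firewall-local rules, post-rules after them, recommended rules ahead of other rules for the same devices) can be checked on an exported rule list before you commit. The following Python sketch is an added example, not Palo Alto Networks code. It assumes first-match evaluation over a simplified rule model with three match fields, and all rule and object names are constructed.

```python
# Simplified model (assumption): a rule matches on source device, application
# and service; "any" is a wildcard. Real PAN-OS rules have more match fields.
from dataclasses import dataclass

FIELDS = ("device", "app", "service")

@dataclass(frozen=True)
class Rule:
    name: str
    device: str
    app: str
    service: str
    action: str = "allow"

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every session matching `later` also matches `earlier`."""
    return all(getattr(earlier, f) in ("any", getattr(later, f)) for f in FIELDS)

def effective_order(pre, local, post):
    """Panorama pre-rules, then firewall-local rules, then Panorama post-rules."""
    return list(pre) + list(local) + list(post)

def occluded(rulebase, recommended_names):
    """Map each recommended rule to the first earlier rule that covers it."""
    hits = {}
    for i, rule in enumerate(rulebase):
        if rule.name not in recommended_names:
            continue
        for earlier in rulebase[:i]:
            if covers(earlier, rule):
                hits[rule.name] = earlier.name
                break
    return hits

# Constructed sample data; all rule and object names are hypothetical.
REC = Rule("iot-rec-infusion-pump-dns", "Infusion-Pump", "dns", "udp-53")
LOCAL = [Rule("block-medical-outbound", "Infusion-Pump", "any", "any", "deny")]
SHARED_PRE = [Rule("allow-ntp", "any", "ntp", "udp-123")]

def demo():
    # Imported into the post-rulebase: a broad local rule sits ahead of it.
    as_post = occluded(effective_order(SHARED_PRE, LOCAL, [REC]), {REC.name})
    # Imported at the top of the pre-rulebase: nothing precedes it.
    as_pre_top = occluded(effective_order([REC] + SHARED_PRE, LOCAL, []), {REC.name})
    return as_post, as_pre_top

if __name__ == "__main__":
    print(demo())
```

A non-empty result names the earlier rule that would match the device's traffic first, which is the rule to reorder or narrow.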