Device Security
New Features in March 2026
Review the new features introduced in Device Security in March 2026.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following subscriptions:
|
The following new features and enhancements were introduced for Device Security in
March 2026.
New Features
Vulnerability signatures
The Device Security Research team added detections for 673
vulnerabilities this month. Of the 673 vulnerabilities, 28
had a critical CVSS score. You can see a complete list of the CVEs
for which detections have been added at
Vulnerability Signatures in 2026.
Dictionary file update
There were four dictionary file updates in March 2026. The
following summarizes what was added in each update:
Device Security Subnet-Site Mapping Source Priority
When you integrate multiple network management and IP Address Management
(IPAM) tools, conflicting site assignments for the same subnet can occur,
making it difficult to maintain accurate device-to-site mappings across
your environment. Device Security now lets you
define a global subnet-site mapping
priority order to resolve these conflicts.
You can select your preferred third-party system, or traffic or
manual site definition, as the priority source for site assignments.
When multiple sources provide conflicting subnet-to-site data,
Device Security uses your defined priority order to determine the
authoritative source. You can also configure exceptions for individual
subnets, which override the global priority for specific network segments.
By establishing a clear priority for site assignments, you avoid
volatile or inaccurate device-to-site mappings that can complicate
asset tracking. Consistent site assignments provide reliable context
for security monitoring, compliance reporting, and policy enforcement
across your organization.
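The resolution rule described in this section (a global priority order, with per-subnet exceptions that replace it), modeled as a short Python sketch for auditing exported subnet-to-site data. This is an added example, not Palo Alto Networks code or the product's implementation; the source labels, record layout, and sample subnets are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Global priority, highest first. Source labels are illustrative assumptions.
GLOBAL_PRIORITY = ["ipam", "network_mgmt", "traffic", "manual"]
# Per-subnet exception: this subnet uses its own order instead of the global one.
SUBNET_EXCEPTIONS = {"10.20.0.0/24": ["manual", "ipam", "network_mgmt", "traffic"]}
# Constructed sample claims: (source, subnet, site)
RECORDS = [
    ("ipam", "10.10.0.0/24", "HQ"),
    ("traffic", "10.10.0.0/24", "Branch-1"),
    ("ipam", "10.20.0.0/24", "Plant-A"),
    ("manual", "10.20.0.0/24", "Plant-B"),
    ("network_mgmt", "10.30.0.0/24", "DC-East"),
    ("traffic", "10.30.0.0/24", "DC-East"),
]

def _norm(subnet):
    """Canonical CIDR string so '10.10.0.5/24' and '10.10.0.0/24' compare equal."""
    return str(ipaddress.ip_network(subnet, strict=False))

def resolve_sites(records, global_priority, exceptions=None):
    """Pick one authoritative site per subnet and record the claims that lost."""
    exceptions = {_norm(k): v for k, v in (exceptions or {}).items()}
    claims = defaultdict(dict)  # subnet -> {source: site}
    for source, subnet, site in records:
        if source not in global_priority:
            raise ValueError(f"source {source!r} is not in the priority order")
        claims[_norm(subnet)][source] = site
    resolved = {}
    for subnet, by_source in claims.items():
        order = exceptions.get(subnet, global_priority)
        winner = next((s for s in order if s in by_source), None)
        if winner is None:
            continue  # the exception order names none of the reporting sources
        resolved[subnet] = {
            "site": by_source[winner],
            "source": winner,
            "overridden": subnet in exceptions,
            # Claims from other sources that named a different site.
            "rejected": {s: v for s, v in by_source.items() if v != by_source[winner]},
        }
    return resolved

def conflicts(resolved):
    """Subnets where at least one source disagreed with the chosen site."""
    return sorted(n for n, r in resolved.items() if r["rejected"])

if __name__ == "__main__":
    result = resolve_sites(RECORDS, GLOBAL_PRIORITY, SUBNET_EXCEPTIONS)
    for net in conflicts(result):
        print(net, result[net])
```

Running it over an export from each integrated tool shows which subnets change site when the priority order changes, which helps decide where a per-subnet exception is needed.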
Device Security Locking for Static IP Addresses
Devices with static IP addresses
can cause Device-ID verdicts to expire
when they go offline, disrupting policy enforcement even though the
device will return to the same IP address. Palo Alto Networks®
Device Security now lets you lock down devices with static IP
addresses by confirming the static IP address for the device.
When you confirm a static IP address for a device, any corresponding
Device-ID verdict in the firewall won't expire until a new IP address
is detected through network traffic, even after the device goes
offline. This ensures that Device-ID policies continue to work for
devices with confirmed static IP addresses, while avoiding stale
verdicts for devices without confirmed static IP addresses.
By locking static IP addresses, you maintain uninterrupted Device-ID
policy enforcement for fixed-address devices, without risking stale data
for devices that receive dynamic addresses.
Device Security Enhanced Device Details Change History
When device attributes change, tracking what changed and when can
be difficult, limiting your ability to understand your network
environment and investigate security incidents.
From the Device Details page, Device Security now provides a
more in-depth history of changes to device attributes, such as
IP address changes or device activity.
When you View History from the subtitle on
a Device Details page, you can see the Device Change History table,
which shows the date and changes of various device attributes. You can
also View History for the IP address on the
Device Details page, which displays the current IP address and the
past IP addresses for the device.
With greater visibility into how device attributes have changed, you can
more effectively investigate anomalies and track device behavior over time
for compliance and forensic purposes.
Device Security Network Visualization Enhancements for Process Zones
Device Security Network Visualization now supports creating and
managing process zones directly from the network map. With
process zones, you can logically and visually group OT/IoT devices based
on device behaviors within a network.
You can select individual devices and neighbor nodes from the topology,
assign them to an existing process zone or create a new one, preview
the grouping before committing, and edit zone membership after creation.
By defining process zones visually in context, you can manage devices
based on the risk and criticality of the operational processes
within your environment.
Device Security Integration with Nozomi Networks
Device Security supports integrating with Nozomi Networks Vantage and
CMC/Guardian, making it easier to migrate from Nozomi to Device Security;
consolidate asset data across OT and IT networks when Nozomi is deployed
within OT while Device Security is deployed within IT; and create
Advanced Device-ID policies using Nozomi data.
When you integrate with Nozomi Networks, you can connect to Nozomi
Guardian (on-premises) or Nozomi Vantage (cloud) to ingest detailed
OT and IoT asset data, as well as automatically fetch vulnerabilities.
By integrating Nozomi Networks with Device Security, you can streamline
the migration from Nozomi to Device Security, enrich your
asset inventory with detailed OT data, and build more accurate
Advanced Device-ID policies.
Device Security Integration with Microsoft Sentinel
Device Security supports integrating with Microsoft Sentinel
for SIEM logging, allowing you to send information
about devices, alerts, and vulnerabilities directly to your SIEM.
When you set up the SIEM logging integration, you connect
Device Security to Microsoft Sentinel and send it this device, alert,
and vulnerability information. This integration consolidates Device Security data
with the rest of your security telemetry, enabling your security
operations team to investigate incidents using a single platform.
By integrating with Microsoft Sentinel for SIEM logging, you can
see your Device Security devices and their logs in your
Microsoft Sentinel interface.
Device Security Cisco ISE Enhancement for Custom Attributes
Device Security now ingests Cisco ISE custom attributes and Security
Group Tag (SGT) information to enhance the integration between ISE
authorization profiles and Device Security device details. You can use
the Cisco ISE custom attributes when defining Advanced Device-ID
criteria, so that you can create Advanced Device-ID policies in sync with
Cisco ISE authorization profiles.
Subnet Filtering Enhancement for Device Security Integration with Infoblox
Polling the Infoblox integration
for device details across your entire
network can be slow when you only need data from specific subnets.
When configuring the Infoblox integration instance on
Cortex XSOAR, you can now limit the polling to a specific
subnet scope.
You can specify up to 10 subnet scopes, and Cortex XSOAR then
polls Infoblox for device details only from those subnet scopes.
This speeds up each integration job and returns
information specific to the subnets you're interested in. This is
particularly useful in large environments where polling the full
network is neither practical nor efficient.
By scoping Infoblox polling jobs to specific subnets, you can reduce
runtime, decrease unnecessary data collection, and focus
asset visibility on the network segments most relevant to your
security operations.