When next-generation firewalls subscribe to IoT Security services, they send the IoT Security instance that’s in the same tenant service group (TSG) Traffic logs for analysis. IoT Security uses AI and machine learning to automatically discover and identify network-connected devices and then construct a data-rich, dynamically updating inventory. From PAN-OS 11.1, administrators can see this inventory directly in the PAN-OS web interface without having to open the IoT Security portal, which is the only place this information appears when IoT Security is integrated with firewalls running earlier PAN-OS releases. For further Device-ID visibility, the PAN-OS 11.1 web interface also shows a summary of the 10 most common device categories, profiles, and operating systems on the network learned from IoT Security.

In addition to identifying devices, IoT Security analyzes network behaviors to determine a baseline of normal, acceptable behaviors. It then generates policy rule recommendations that would allow devices to continue their normal network behaviors while denying behaviors that deviate from the norm. PAN-OS administrators can view these recommendations in the PAN-OS 11.1 web interface, select the ones they want their firewalls to apply, and import them into the Security policy rulebase. When using a PAN-OS release prior to PAN-OS 11.1, it was necessary to create policy rule sets in the IoT Security portal and activate them before they appeared in the PAN-OS interface. To simplify the workflow, these steps have been eliminated in PAN-OS 11.1.

From PAN-OS 11.1, you can see and manage the device inventory and top 10 common device categories, profiles, and operating systems in the PAN-OS interface. You also no longer need to create and activate policy rule sets in IoT Security. As a result, IoT device visibility is more convenient and policy rule creation is simplified.

To identify devices on the network, Device Security requires network traffic metadata for analysis. Palo Alto Networks firewalls extract and log this metadata when they apply Security policy rules that have logging enabled. The firewalls send the logs to the logging service. The logging service then streams the metadata to Device Security, which uses AI and machine learning to automatically discover and identify network-connected devices, dynamically construct an asset inventory, detect device vulnerabilities, and determine a baseline of acceptable network behaviors that Device Security recommends next-generation firewalls allow in Device-ID policy rules.

However, depending on where the firewalls are placed, they might not have visibility into all network traffic, resulting in device discovery gaps and lower efficacy in identifying devices, monitoring behaviors, and enforcing Device-ID rules. When firewalls don’t receive traffic from all devices, they can still gather IP address-to-MAC address bindings and additional network data by using SNMP to query switches and other forwarding devices throughout the network.

When using SNMP to query network switches, firewalls first develop a network topography by requesting the Link Layer Discovery Protocol (LLDP) neighbors and Cisco Discovery Protocol (CDP) neighbors of one switch (the entry point switch) and then repeating the request with neighboring switches and child switches one by one throughout the network. After obtaining a list of switches throughout the network, or within a limited area of the network, the firewalls next query each one for its ARP table as well as other information. The ARP table contains the IP address-to-MAC address binding information for the devices connected through the switch to the network. Other device details for which firewalls query include the physical interfaces or ports on the switch to which devices connect, their VLANs and subnets, and DHCP and DNS server IP addresses. After the firewalls receive this information, they create logs and send them through the logging service to Device Security for analysis. By using SNMP to collect more data from switches and forwarding devices in parts of the network that firewalls don’t have visibility into, you enable Device Security to form a greater view of the devices on the network and expand its services to even more devices.