Extend IoT Security coverage deeper into the network by using SNMP to collect device
data from network switches.
To identify devices on the network, IoT Security requires network traffic
metadata for analysis. Palo Alto Networks firewalls extract and log this metadata
when they apply Security policy rules that have logging enabled. The firewalls send
the logs to the logging service. The logging service then streams the metadata to
IoT Security, which uses AI and machine learning to automatically discover and
identify network-connected devices, dynamically construct an asset inventory, detect
device vulnerabilities, and determine a baseline of acceptable network behaviors
that IoT Security recommends next-generation firewalls allow in Device-ID policy
rules.
However, depending on where the firewalls are placed, they might not have
visibility into all network traffic, resulting in device discovery gaps and lower
efficacy in identifying devices, monitoring behaviors, and enforcing Device-ID
rules. When firewalls don’t receive traffic from all devices, they can still gather
IP address-to-MAC address bindings and additional network data by using SNMP to
query switches and other forwarding devices throughout the network.
When using SNMP to query network switches, firewalls first develop a
network topography by requesting the Link Layer Discovery Protocol (LLDP) neighbors
and Cisco Discovery Protocol (CDP) neighbors of one switch (the entry point switch)
and then repeating the request with neighboring switches and child switches one by
one throughout the network. After obtaining a list of switches throughout the
network, or within a limited area of the network, the firewalls next query each one
for its ARP table as well as other information. The ARP table contains the IP
address-to-MAC address binding information for the devices connected through the
switch to the network. Other device details for which firewalls query include the
physical interfaces or ports on the switch to which devices connect, their VLANs and
subnets, and DHCP and DNS server IP addresses. After the firewalls receive this
information, they create logs and send them through the logging service to IoT
Security for analysis. By using SNMP to collect more data from switches and
forwarding devices in parts of the network that firewalls don’t have visibility
into, you enable IoT Security to form a greater view of the devices on the network
and expand its services to even more devices.