Depending on where you place the firewalls in your network, they may not see
enough network traffic for Device Security to comprehensively identify devices
in your environment. To identify devices on the network, Device Security
requires network traffic metadata for analysis. Palo Alto Networks firewalls
extract and log this metadata when they apply Security policy rules that have
logging enabled. The firewalls send the logs to the logging service, which then
streams the metadata to Device Security. Device Security uses AI and machine
learning to automatically discover and identify network-connected devices,
dynamically construct an asset inventory, detect device vulnerabilities, and
determine a baseline of acceptable network behaviors that it recommends
next-generation firewalls allow in Device-ID policy rules.
            
When firewalls don't have visibility into all network traffic, the result is
device discovery gaps and lower efficacy in identifying devices, monitoring
behaviors, and enforcing Device-ID rules. When firewalls don't receive traffic
from all devices, they can still gather IP address-to-MAC address bindings and
additional network data by using SNMP to query switches and other forwarding
devices throughout the network.
When using SNMP to query network switches, firewalls first build a network
topology by requesting the Link Layer Discovery Protocol (LLDP) neighbors and
Cisco Discovery Protocol (CDP) neighbors of one switch (the entry point switch)
and then repeating the request on each neighboring switch and child switch, one
by one, throughout the network. After obtaining a list of switches throughout
the network, or within a limited area of the network, the firewalls query each
one for its ARP table as well as other information. The ARP table contains the
IP address-to-MAC address binding for each device connected to the network
through that switch. Other device details for which firewalls query include the
physical interfaces or ports on the switch to which devices connect, their VLANs
and subnets, and DHCP and DNS server IP addresses. After the firewalls receive
this information, they create logs and send them through the logging service to
Device Security for analysis. By using SNMP to collect more data from switches
and forwarding devices in parts of the network that firewalls don't have
visibility into, you enable Device Security to form a more complete view of the
devices on the network and extend its services to even more devices.
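The two-step walk described above (LLDP neighbor discovery from an entry-point switch, then an ARP table query against every switch found) reduces to a short algorithm. The following is an added illustration written for this page, not Palo Alto Networks code and not how the firewall implements the feature internally. The MIB object identifiers it uses (LLDP-MIB lldpRemSysName, IP-MIB ipNetToMediaPhysAddress, IF-MIB ifDescr) are real; the switch fabric, host IPs, MAC addresses and the `SWITCH_MGMT_IP` name-to-address map are constructed so the example runs offline, and the map is a stand-in for what a real collector would read from lldpRemManAddrTable or DNS. CDP, VLAN and DHCP/DNS lookups from the text are omitted for brevity.

```python
"""Switch walk over SNMP as described above: LLDP neighbors breadth-first from
the entry-point switch, then each switch's ARP table and port names. The SNMP
transport is a pluggable callable; an in-memory fabric stands in for it here.
Only the MIB OIDs are real; the switches, hosts and addresses are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LLDP_REM_SYS_NAME = "1.0.8802.1.1.2.1.4.1.1.9"  # LLDP-MIB; index timeMark.localPort.remIndex
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"   # IP-MIB; index ifIndex.a.b.c.d, value = MAC octets
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                # IF-MIB; index ifIndex, value = port name
Walker = Callable[[str, str], Iterable[Tuple[str, object]]]  # (agent IP, base OID) -> rows


@dataclass(frozen=True)
class ArpBinding:
    switch: str
    port: str
    ip: str
    mac: str


def parse_arp_index(oid: str, base: str) -> Tuple[int, str]:
    """Split an ipNetToMediaPhysAddress row OID into (ifIndex, dotted IPv4)."""
    parts = oid[len(base) + 1:].split(".")
    if len(parts) != 5:
        raise ValueError(f"unexpected ipNetToMedia index in {oid}")
    return int(parts[0]), ".".join(parts[1:])


def format_mac(raw: bytes) -> str:
    """PhysAddress is an OCTET STRING; refuse anything that is not 6 octets."""
    if len(raw) != 6:
        raise ValueError(f"PhysAddress is not 6 octets: {raw!r}")
    return ":".join(f"{b:02x}" for b in raw)


def discover_switches(entry_ip: str, walk: Walker, resolve: Callable[[str], Optional[str]]
                      ) -> Tuple[List[str], List[Tuple[str, int, str]]]:
    """Breadth-first LLDP walk. Returns switches in visit order plus every
    (switch, local port, neighbor sysName) link, non-switch neighbors included.
    `resolve` maps a sysName to a management IP, or None for a non-switch."""
    seen, order, links = {entry_ip}, [], []
    queue = deque([entry_ip])
    while queue:
        sw = queue.popleft()
        order.append(sw)
        for oid, sysname in walk(sw, LLDP_REM_SYS_NAME):
            local_port = int(oid[len(LLDP_REM_SYS_NAME) + 1:].split(".")[1])
            links.append((sw, local_port, str(sysname)))
            nbr = resolve(str(sysname))
            if nbr is not None and nbr not in seen:  # a switch not yet queried
                seen.add(nbr)
                queue.append(nbr)
    return order, links


def collect_arp(switches: Iterable[str], walk: Walker) -> List[ArpBinding]:
    """Pull each switch's ARP table and name the port each binding sits behind."""
    bindings = []
    for sw in switches:
        ports = {int(o.rsplit(".", 1)[1]): str(v) for o, v in walk(sw, IF_DESCR)}
        for oid, raw in walk(sw, IP_NET_TO_MEDIA_PHYS):
            if_index, ip = parse_arp_index(oid, IP_NET_TO_MEDIA_PHYS)
            port = ports.get(if_index, f"ifIndex {if_index}")
            bindings.append(ArpBinding(sw, port, ip, format_mac(bytes(raw))))
    return bindings


# Constructed fabric: core (entry point) -> access-a, access-b; access-a -> access-c.
FABRIC: Dict[str, Dict[str, object]] = {
    "10.0.0.1": {f"{LLDP_REM_SYS_NAME}.0.1.1": "access-a", f"{LLDP_REM_SYS_NAME}.0.2.1": "access-b",
                 f"{LLDP_REM_SYS_NAME}.0.9.1": "cam-lobby",  # LLDP-speaking camera, not a switch
                 f"{IF_DESCR}.9": "Gi1/0/9",
                 f"{IP_NET_TO_MEDIA_PHYS}.9.10.1.20.5": bytes.fromhex("00112233aabb")},
    "10.0.0.2": {f"{LLDP_REM_SYS_NAME}.0.24.1": "core", f"{LLDP_REM_SYS_NAME}.0.12.1": "access-c",
                 f"{IF_DESCR}.3": "Gi1/0/3", f"{IF_DESCR}.4": "Gi1/0/4",
                 f"{IP_NET_TO_MEDIA_PHYS}.3.10.1.10.21": bytes.fromhex("001b44113ab7"),
                 f"{IP_NET_TO_MEDIA_PHYS}.4.10.1.10.22": bytes.fromhex("001b44113ab8")},
    "10.0.0.3": {f"{LLDP_REM_SYS_NAME}.0.24.1": "core", f"{IF_DESCR}.7": "Gi1/0/7",
                 f"{IP_NET_TO_MEDIA_PHYS}.7.10.1.11.50": bytes.fromhex("3c5ab4000150")},
    "10.0.0.4": {f"{LLDP_REM_SYS_NAME}.0.24.1": "access-a", f"{IF_DESCR}.2": "Gi1/0/2",
                 f"{IP_NET_TO_MEDIA_PHYS}.2.10.1.12.9": bytes.fromhex("e0508b2a1c03")},
}
# Assumed sysName -> management IP map (real collectors read lldpRemManAddrTable or DNS).
SWITCH_MGMT_IP = {"core": "10.0.0.1", "access-a": "10.0.0.2", "access-b": "10.0.0.3", "access-c": "10.0.0.4"}


def fabric_walk(agent_ip: str, base_oid: str) -> List[Tuple[str, object]]:
    """Stand-in for an SNMP walk: rows under base_oid in numeric OID order."""
    prefix = base_oid + "."
    rows = [(o, v) for o, v in FABRIC[agent_ip].items() if o.startswith(prefix)]
    rows.sort(key=lambda kv: tuple(int(x) for x in kv[0].split(".")))
    return rows


def run_discovery(entry_ip: str = "10.0.0.1"):
    """Full procedure: topology first, then IP-to-MAC bindings from every switch."""
    switches, links = discover_switches(entry_ip, fabric_walk, SWITCH_MGMT_IP.get)
    return switches, links, collect_arp(switches, fabric_walk)


if __name__ == "__main__":
    switches, links, bindings = run_discovery()
    print("switches in discovery order:", switches)
    for b in bindings:
        print(f"{b.ip:<12} {b.mac}  learned on {b.switch} {b.port}")
```

Two details matter in practice and are handled above: the `seen` set stops the walk from looping when two switches list each other as LLDP neighbors, and the ARP row index carries the ifIndex, which is what lets a binding be tied to the physical port the text mentions rather than just to the switch. Swapping `fabric_walk` for a real SNMP GETNEXT or GETBULK walk is the only change needed to run this against live switches.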