Monitor Your Device Security Deployment Using Best Practices

These are daily, weekly, and monthly Device Security maintenance best practices.
Where Can I Use This?

  • NGFW (Managed by PAN-OS or Panorama)
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)

What Do I Need?

One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
When maintaining your Device Security deployment, it’s helpful to view the maintenance in terms of daily, weekly, and monthly tasks.

Daily

  • Check security alerts that you learn about through email notifications or by scanning the Security Alerts page in Device Security and respond as appropriate for their severity and urgency.
  • Review system alerts in Device Security and the Firewalls page to check that firewalls are connected to Device Security. If a firewall is disconnected, Device Security stops analyzing log data and no new device detections and identifications occur. Serious events that increase risk to your devices and your network could be missed.
  • Scan the Devices page for newly discovered devices and confirm that their network access is authorized. Unauthorized devices pose a threat if they did not undergo an onboarding process that provisions them to do all the following: connect to appropriate network segments, use only approved applications, and (if the devices support it) run required endpoint protection.
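The third daily check above (confirm that newly discovered devices went through onboarding and are on the right segment, using only approved applications, with endpoint protection where required) is easy to do by hand for a handful of devices and tedious for dozens. The following Python script is an added example, not Palo Alto Networks code, that reconciles a list of newly discovered devices against an onboarding inventory and a segment policy. All records, MAC addresses, field names (`category`, `apps`, `ep_required`, `ep_running`) and the subnet plan are constructed for the example; they are not a Device Security export format.

```python
"""Added example, not Palo Alto Networks code: reconcile devices newly discovered
by Device Security against an onboarding inventory. Every record below is
constructed sample data; the field names are assumptions, not a product schema."""
import ipaddress

# Constructed onboarding records keyed by MAC address: what each approved device
# was provisioned for (category, approved applications, whether endpoint
# protection is required because the device supports it).
ONBOARDED = {
    "a4:5e:60:11:22:33": {"category": "medical", "apps": {"dicom", "hl7"}, "ep_required": False},
    "00:1b:1b:44:55:66": {"category": "ot", "apps": {"modbus"}, "ep_required": False},
    "3c:52:82:77:88:99": {"category": "it", "apps": {"ssl", "dns", "ldap"}, "ep_required": True},
}

# Constructed network design: which segments each device category may use.
SEGMENT_POLICY = {
    "medical": ["10.20.0.0/16"],
    "ot": ["10.30.0.0/16"],
    "it": ["10.10.0.0/16"],
}

# Constructed sample of devices the Devices page listed as newly discovered,
# with the applications observed for each and whether endpoint protection
# was seen running.
NEW_DEVICES = [
    {"mac": "A4:5E:60:11:22:33", "ip": "10.20.4.17", "apps": {"dicom", "hl7"}, "ep_running": False},
    {"mac": "00:1b:1b:44:55:66", "ip": "10.10.9.40", "apps": {"modbus", "smb"}, "ep_running": False},
    {"mac": "3c:52:82:77:88:99", "ip": "10.10.3.12", "apps": {"ssl", "dns"}, "ep_running": False},
    {"mac": "d8:3a:dd:aa:bb:cc", "ip": "10.30.1.5", "apps": {"http"}, "ep_running": False},
]


def triage_new_devices(devices, onboarded, segment_policy):
    """Return {mac: [issue, ...]} for each device; an empty list means the
    device matched its onboarding record on all three checks."""
    findings = {}
    for dev in devices:
        mac = dev["mac"].lower()  # normalise case before the lookup
        issues = []
        record = onboarded.get(mac)
        if record is None:
            # Never onboarded: treat as unauthorized until someone confirms it.
            issues.append("not in onboarding inventory")
        else:
            # 1. Appropriate network segment for the device's category.
            ip = ipaddress.ip_address(dev["ip"])
            allowed = [ipaddress.ip_network(n) for n in segment_policy.get(record["category"], [])]
            if not any(ip in net for net in allowed):
                issues.append(f"{dev['ip']} is outside approved segments for {record['category']}")
            # 2. Only approved applications observed.
            extra = sorted(dev["apps"] - record["apps"])
            if extra:
                issues.append("unapproved applications: " + ", ".join(extra))
            # 3. Required endpoint protection is actually running.
            if record["ep_required"] and not dev["ep_running"]:
                issues.append("required endpoint protection not detected")
        findings[mac] = issues
    return findings


def unauthorized(findings):
    """MAC addresses that failed at least one check, sorted, for follow-up."""
    return sorted(mac for mac, issues in findings.items() if issues)


if __name__ == "__main__":
    for mac, issues in triage_new_devices(NEW_DEVICES, ONBOARDED, SEGMENT_POLICY).items():
        print(mac, "OK" if not issues else "; ".join(issues))
```

With the constructed data, the medical device passes, the OT controller is flagged twice (it is on the IT segment and talks SMB), the IT host lacks the endpoint protection its record requires, and the fourth device has no onboarding record at all. A device that fails any check is the one to pull from the network or escalate, not to silently add to the inventory.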

Weekly

  • On the Firewalls page in Device Security, watch for unusually large shifts in log volume from firewalls. An unexpected spike or dip might indicate anomalous network activity or a change to the configuration or connection of a firewall.
  • Track the network activity of high-value devices on the Devices page in Device Security. If a normally active device is unexpectedly inactive, check when it was last active (the Devices page shows this as well) and investigate further if the length of inactivity raises concern.
  • Review the weekly Risk report to check for any new risks and track the status of work remediating existing risks.
  • Check that the firewall regularly receives IP address-to-device mappings from Device Security to ensure no devices are missing from policy enforcement. Use the following two CLI commands to check the connection status between the edge servers and firewall and which mappings the firewall received:
    show iot icd statistics verdict – Shows statistics about the IP address-to-device mappings, or verdicts, that the ICD (Identity Client Daemon) running on the edge server in front of the Device Security cloud sent to the IoTd (IoT daemon) running on the firewall.
    show iot ip-device-mapping all – Shows which IP address-to-device mappings (verdicts) the firewall received.
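The first two weekly items above, watching for large shifts in per-firewall log volume and spotting high-value devices that have gone quiet, are both judgement calls that benefit from a fixed baseline. The Python below is an added example, not Palo Alto Networks code, showing one way to make those two checks repeatable: it compares each firewall's latest daily log count with the median of the preceding days, and lists high-value devices idle longer than a chosen limit. The counts, device names, timestamps, the 50% change threshold and the 48-hour idle limit are all constructed for the example; the thresholds are tuning choices, not product defaults.

```python
"""Added example, not Palo Alto Networks code: two weekly checks over figures
you would read off the Firewalls and Devices pages. All numbers, names and
timestamps are constructed sample data."""
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed: daily log-line counts per firewall, oldest first, ending with
# the most recent day.
LOG_VOLUME = {
    "fw-site-a": [118_000, 119_800, 120_300, 121_000, 121_500, 122_100, 117_900, 123_400],
    "fw-site-b": [54_000, 55_200, 53_800, 54_900, 55_500, 54_100, 55_000, 9_700],
    "fw-site-c": [31_000, 30_400, 31_600, 30_900, 31_200, 30_700, 31_300, 92_500],
}


def log_volume_shift(series, threshold=0.5):
    """Compare the latest day with the median of the earlier days.

    Returns (relative_change, verdict), where verdict is 'spike', 'dip' or
    'normal'. A median baseline keeps one odd earlier day from masking or
    faking a shift. `threshold` is the fractional change that counts as
    large (0.5 means +/-50%); it is a tuning choice for this example."""
    if len(series) < 3:
        raise ValueError("need at least three days to form a baseline")
    baseline = median(series[:-1])
    if baseline == 0:
        # A firewall that sent nothing on every earlier day is already a
        # connectivity problem; there is no baseline to compare against.
        raise ValueError("no baseline: the firewall sent no logs on earlier days")
    change = (series[-1] - baseline) / baseline
    if change >= threshold:
        return change, "spike"
    if change <= -threshold:
        return change, "dip"
    return change, "normal"


def review_log_volume(volumes, threshold=0.5):
    """Verdict per firewall; anything other than 'normal' needs a look
    (anomalous traffic, a configuration change, or a dropped connection)."""
    return {fw: log_volume_shift(s, threshold)[1] for fw, s in volumes.items()}


# Constructed: high-value devices with the last-active time read from the
# Devices page, as ISO 8601 UTC timestamps.
HIGH_VALUE = [
    {"name": "mri-scanner-1", "last_active": "2024-05-15T09:42:00+00:00"},
    {"name": "infusion-pump-7", "last_active": "2024-05-12T08:00:00+00:00"},
    {"name": "plc-line-3", "last_active": "2024-05-14T23:30:00+00:00"},
]
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)  # constructed review time


def inactive_high_value(devices, now=NOW, max_idle=timedelta(hours=48)):
    """Devices idle longer than max_idle as (name, idle_hours), longest idle
    first, so the most worrying device is at the top of the list."""
    result = []
    for dev in devices:
        idle = now - datetime.fromisoformat(dev["last_active"])
        if idle > max_idle:
            result.append((dev["name"], round(idle.total_seconds() / 3600, 1)))
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for fw, verdict in review_log_volume(LOG_VOLUME).items():
        change, _ = log_volume_shift(LOG_VOLUME[fw])
        print(f"{fw}: {verdict} ({change:+.0%} vs. baseline)")
    for name, hours in inactive_high_value(HIGH_VALUE):
        print(f"{name}: inactive for {hours} h")
```

With the constructed data, fw-site-a is within a few percent of its baseline, fw-site-b shows a dip of more than 80% (the kind of drop that should send you to the Firewalls page to confirm the firewall is still connected), and fw-site-c has roughly tripled. The infusion pump is the only high-value device over the 48-hour idle limit. Pick the threshold and idle limit from your own environment's normal variation rather than from this example.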

Monthly

  • When there’s a network expansion, look for new network segments. If necessary, deploy more firewalls to provide additional coverage and make sure traffic from devices in these segments reaches the firewall and is reported to Cortex™ Data Lake.
  • Review user audit logs in Device Security for unusual activities, such as unexpected configuration changes.
  • Use Policy Optimizer (Policies > Security > Policy Optimizer) in the firewall web interface to check if recommended policies added to the firewall are being used and make adjustments to policy rules as needed.