>
    Strata Copilot
    Expand Network Coverage
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Expand Network Coverage
    Download PDF
    Device Security

    Expand Network Coverage

    Table of Contents

    Expand Network Coverage

    Use SNMP through an on-premises XSOAR engine to query switches about connected devices.
    Where Can I Use This?What Do I Need?
    • (Legacy) IoT Security (Standalone portal)
    • Enterprise Device Security subscription
    Enterprise IoT Security can work through an on-premises XSOAR engine to retrieve information from switches about the devices connected to them. To do this, XSOAR uses SNMP to capture data about device IP and MAC addresses when their network traffic reaches network switches but not the firewall.
    The XSOAR engine begins by establishing trust with an entry switch, which is usually at the core or aggregation layer. After this, the engine queries the switch for information about the devices connected to it; specifically, it learns device MAC addresses and IP addresses. The XSOAR engine also queries the entry switch for the IP addresses of neighboring CDP and LLDP switches on the network. Using the same credentials, it collects device information from them next and also gets a list of their neighboring switches as well. XSOAR continues collecting device information and learning about other switches until it has queried them all.
    After collecting information through SNMP, the engine sends it to the engine hub URL of your Enterprise IoT Security tenant, which then forwards the information to IoT Security. IoT Security analyzes the information and adds newly discovered details about existing devices in its inventory and also adds newly discovered devices to its inventory. When IoT Security learns of a new device through SNMP, it displays SNMP in the Source column for it on the DevicesDevices page.
    To retrieve this information, the XSOAR engine does an SNMP walk for the following object identifiers (OIDs):
    OIDsComment
    1.3.6.1.2.1.1.5This OID gets the switch name.
    1.3.6.1.2.1.4.22.1.2This gets the ARP table on the switch, which contains device MAC address/IP address pairs.
    1.3.6.1.2.1.17.4.3.1.2, 1.3.6.1.2.1.17.1.4.1.2, 1.3.6.1.2.1.31.1.1.1.1These three OIDs combine together to get device MAC address/physical port on the switch pairs. (Only Cisco Catalyst switches return this information.)
    1.3.6.1.4.1.9.9.23.1.2.1.1.4, 1.0.8802.1.1.2.1.4.2.1These OIDs provide the IP addresses of neighboring switches learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP).
    Users must have owner privileges to activate SNMP Discovery; add XSOAR engines to Enterprise IoT Security and delete them from it; and add, modify, and delete SNMP instances.
    1. Activate the SNMP Discovery feature.
      To enable the SNMP Discovery feature, log in as a user with owner privileges, select SettingsSystem Tuning, and then click Activate.
      Activation typically takes 20-30 minutes to complete. If it takes longer, there might be an error with the activation process. If you see a notification that says “Deployment Error”, open a support ticket with Palo Alto Networks customer services to get help resolving the issue.
    2. Create an XSOAR engine on the Engines tab.
      1. After the activation process completes, select SettingsSystem TuningEngines and then click the Add icon ( + ).
      2. In the Create SNMP Network Discovery Engine panel that appears, enter a unique name for the engine and then click Create.
        The name can be up to 32 alphanumeric characters long including spaces. It cannot contain special characters. It takes about one minute for Enterprise IoT Security to create an engine.
    3. Download the XSOAR engine installation software from the Engines tab.
      1. On the Engines page, click Installer for the engine that you just created.
      2. Download and save the shell script that’s provided. You will use this to install the XSOAR engine software on a Linux machine in your internal network.
    4. Set up the XSOAR engine on a Linux host.
      When placing the XSOAR engine on your network, make sure it can form SNMP connections to your switches on UDP port 161 and that it can reach the engine hub URL (shown on the Engines tab) on TCP port 443.
      Use the shell installer script and follow the XSOAR installation guide to prepare a Linux host, install the XSOAR engine software on it, and configure the engine to connect to your engine hub URL.
      For help troubleshooting Cortex XSOAR engines, including installations, upgrades, connectivity, and permissions, see Troubleshoot Cortex XSOAR Engines and Troubleshoot Integrations Running on Engines.
    5. Create an SNMP instance that uses the engine to discover data about the network and the devices on it.
      1. On the Instances page, click the Add icon ( + ) to open the Create SNMP instance panel.
      2. Enter the following settings and leave the other settings at their default values:
        Schedule Settings
        • Network Discovery Schedule: This schedules the XSOAR engine to find networking devices—L2 and L3 switches—that support SNMP.
        • Network Data Refreshment Schedule: This schedules the XSOAR engine to periodically retrieve data about devices connected to the switches that the network discovery job discovered and then update the Enterprise IoT Security inventory.
          The first time you use the SNMP Discovery feature, run the network discovery job before running network data refreshment. After that, consider scheduling network discovery to run every day and network data refreshment to run more frequently, such as every two hours. You can adjust their schedules later if necessary.
        Discovery Scope Settings
        • Name: Enter a unique name of the instance. It can contain spaces but not special characters.
        • Entry Switch IP: Enter the IP address of the entry switch with which to begin the SNMP discovery process.
        • Engine: Choose the XSOAR engine you want to use from the drop-down list.
        SNMP Settings
        • SNMP Version: Choose the SNMP version that your switches support, either 2c (SNMPv2c) or 3 (SNMPv3). If you choose 2c, enter a Community String. If you choose 3, configure the Username, Security Level, Authentication Protocol and Password, and (depending on the security level) Privacy Protocol and Password settings.
        • Community String (for SNMPv2c): Enter the SNMP community string configured on the switches to permit read-only access.
        • Username (for SNMPv3): Enter a username for an SNMP user account with read-only access. This is the account that the XSOAR engine uses when accessing an SNMP server running on a switch. The security level and authentication password defined below are also associated with this user account.
        • Security Level (for SNMPv3): Choose the security level for accessing an SNMP server on a switch.
          authPriv: Choose this to require both user authentication and encryption.
          authNoPriv: Choose this to require user authentication based on either MD5 or SHA hashes and not encrypt communications between the XSOAR engine and the switches.
          noAuthNoPriv: Choose this to not exchange passwords for user authentication and not encrypt communications between the SNMP agent on the XSOAR engine and an SNMP server on a switch.
        • Authentication Protocol (for SNMPv3): Choose the algorithm for authenticating communications between XSOAR and the switches: SHA for SHA-1 (Secure Hash Algorithm 1) or MD5 (Message Digest Algorithm 5).
        • Authentication Password (for SNMPv3): Enter the password used during the authentication process.
        • Privacy Protocol (for SNMPv3): Choose the algorithm for encrypting communications between XSOAR and the switches: AES (Advanced Encryption Standard) or DES (Data Encryption Standard).
        • Privacy Password (for SNMPv3): Enter the password used during the encryption process.
      3. To enable the SNMP instance, click Enable. (A new SNMP instance is enabled by default.) To disable it, clear the Enabled check box.
        In addition to enabling and disabling an instance in the Create SNMP Instance or Edit SNMP Instance panel, you can also enable and disable instances from the Status column on the Instances page.
      4. Save the instance.
    6. Test the configuration.
      After you save the instance, it appears in the list on the Instance page. To test the configuration, click the three vertical dots in the Actions column and then click Test Connection. This tests that the XSOAR engine can connect to the entry switch using the configured credentials.
      If the test is successful, a notification appears at the top of the Instances page stating that the connection was successful. If not, a notification appears at the top of the Instance page stating that the XSOAR engine could not connect to the switch. If this happens, check that the settings were entered correctly and then test the configuration again.
    7. (Optional) Create more XSOAR engines and SNMP instances if needed.
      You can add multiple SNMP integration instances, each one with settings for the same or a different XSOAR engine to communicate with a different entry switch. To add another instance, click Add instance.
      You can add up to 20 XSOAR engines and up to 200 SNMP instances.
      If you want to delete an XSOAR engine, you must first delete any instances that use it or edit these instances to use a different engine.

    © 2026 Palo Alto Networks, Inc. All rights reserved.