Control Allowed Traffic for Onboarding Devices
Add one or more Device-ID policy rules to control allowed traffic for devices during
the onboarding period.
When new devices join the network, they must be allowed to function
normally so that IoT Security can identify them by analyzing their normal network
behavior. However, firewalls are typically configured with Zero Trust security
policy rules that allow only the network activities that devices need based on their
function. As a result, those rules might inadvertently block traffic from a new device
that, had it been permitted, would have let IoT Security determine the device's identity.
To overcome this, you can configure one or more onboarding policy rules
that use Device-ID to apply the rules only to devices that have been recently
detected on the network but have not yet been confidently identified. For the
firewall to enforce the rule, a device must be categorized as an Onboarding Device.
IoT Security places low-confidence devices in this category during a customizable
period of time that starts when IoT Security first detects them on the network.
Devices continue to be categorized as “Onboarding Device” until IoT Security
confidently identifies them with a confidence score above 90 or until the time
period ends. The policy rule does not apply to other, previously identified devices
and must be configured to allow new devices enough network access for IoT Security
to identify them. Once IoT Security identifies them, it switches them over to an
appropriate category for what they are. The firewall can then apply appropriate
policy rules based on their identities. If IoT Security cannot confidently identify
one or more devices and the time period expires, it still switches them to a
category it considers appropriate, but because their confidence scores are below 90,
IoT Security doesn’t generate any security rule recommendations.
- Configure a security policy rule that allows certain types of traffic from any device whose Device-ID attribute for Category is “Onboarding Device”.
  - Log in to the PAN-OS or Panorama web portal and configure a security policy rule that allows the basic types of traffic that devices in certain VLANs or in different IP address subnets would be expected to generate. For example, a rule for a VLAN that contains printers should allow only typical printer-specific traffic, whereas a rule for a VLAN that contains medical scanning equipment should allow only typical types of traffic for scanners.
  - Add a Device-ID component to the rule and specify Onboarding Device as the category that a device must match for the firewall to apply the rule. (In short, add a security policy rule on Policies > Security. Select the Source tab, click Add in the Source Device section, and then click Device. In the Device Object dialog box that appears, choose Onboarding Device in the Category list.)
  - Create additional security policy rules that specify Onboarding Device as the category in the Device-ID section of the rule configuration.
- Enable the new device onboarding feature based on Device-ID in IoT Security.
  - Log in to the IoT Security portal as a user with owner privileges.
  - Select Policy Sets > Settings and toggle on Control newly onboarded low-confidence devices through firewall policy rules.
  - Optionally change the period of time during which IoT Security categorizes a device as an Onboarding Device if it has an identity confidence score below 90. The default onboarding period is 7 days. There are no minimum or maximum limits. You can also switch from a limited period of time to an unlimited length of time.
    After you enable this feature and set a length of time for the onboarding period, IoT Security displays a daily system alert if there are any devices for which the onboarding period will soon be expiring. The alert appears a few days before the expiration and includes a link to the Assets > Devices page with a filter applied to show just these devices.
- To see which devices are in the Onboarding Device category, select Assets > Devices and, if necessary, show the Onboarding Device column in the Devices table. If necessary, also show the First Seen column and then sort by it to organize the display of devices based on the order in which IoT Security first discovered them on the network.
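The onboarding rules above only work if they allow enough traffic for IoT Security to identify a device. As an added example (not Palo Alto Networks code), the following Python script audits a traffic-log CSV export for sessions that were denied while the source device was still in the Onboarding Device category, grouped by the subnet each onboarding rule covers; the column names (src_ip, src_category, app, rule, action), the subnet-to-label mapping, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample traffic-log export (not real data); column names are assumed.
SAMPLE_LOG = """\
src_ip,src_category,app,rule,action
10.10.20.15,Onboarding Device,dns,onboarding-printers,allow
10.10.20.15,Onboarding Device,ntp,onboarding-printers,allow
10.10.20.15,Onboarding Device,snmp,interzone-default,deny
10.10.30.7,Onboarding Device,dicom,onboarding-scanners,allow
10.10.30.7,Onboarding Device,ssl,interzone-default,deny
10.10.30.7,Onboarding Device,ssl,interzone-default,deny
10.10.40.2,Printer,snmp,printers-allowed,allow
10.10.40.9,IP Camera,rtsp,interzone-default,deny
"""

# Assumed mapping of each onboarding rule's VLAN/subnet to a label.
ONBOARDING_SUBNETS = {
    "printers": ipaddress.ip_network("10.10.20.0/24"),
    "scanners": ipaddress.ip_network("10.10.30.0/24"),
}

def subnet_label(ip):
    """Name the onboarding subnet an address falls in, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    for label, net in ONBOARDING_SUBNETS.items():
        if addr in net:
            return label
    return "unmapped"

def denied_onboarding_traffic(csv_text):
    """Return {subnet_label: Counter({(app, rule): sessions})} for denied
    sessions whose source is still an Onboarding Device. Already identified
    devices are ignored; what remains is traffic the onboarding rules miss."""
    result = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src_category"] != "Onboarding Device" or row["action"] != "deny":
            continue
        result[subnet_label(row["src_ip"])][(row["app"], row["rule"])] += 1
    return dict(result)

if __name__ == "__main__":
    for label, hits in denied_onboarding_traffic(SAMPLE_LOG).items():
        for (app, rule), n in hits.most_common():
            print(f"{label}: {n} session(s) of {app} denied by rule {rule}")
```

Each reported application is a candidate to review for the corresponding onboarding rule; the deny from the already identified IP Camera is deliberately left out because the onboarding rules no longer apply to it.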