Use SNMP Network Discovery to Learn about Devices from Switches
Table of Contents
Expand all | Collapse all
- Firewall and PAN-OS Support of IoT Security
- IoT Security Prerequisites
- Onboard IoT Security
- Onboard IoT Security on VM-Series with Software NGFW Credits
- DHCP Data Collection by Traffic Type
- Firewall Deployment Options for IoT Security
- Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
- Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
- Use a Tap Interface for DHCP Visibility
- Use a Virtual Wire Interface for DHCP Visibility
- Use SNMP Network Discovery to Learn about Devices from Switches
- Use ERSPAN to Send Mirrored Traffic through GRE Tunnels
- Use DHCP Server Logs to Increase Device Visibility
- Plan for Scaling when Your Firewall Serves DHCP
- Prepare Your Firewall for IoT Security
- Configure Policies for Log Forwarding
- Control Allowed Traffic for Onboarding Devices
- Support Isolated Network Segments
- IoT Security Integration with Prisma Access
- IoT Security Licenses
- Offboard IoT Security Subscriptions
- Introduction to IoT Security
- IoT Security Integration with Next-generation Firewalls
- IoT Security Portal
- Vertical-themed Portals
- Device-to-Site Mapping
- Sites and Site Groups
- IoT Security Integration Status with Firewalls
- IoT Security Integration Status with Prisma Access
- Data Quality Diagnostics
- Authorize On-demand PCAP
- IoT Security Integrations with Third-party Products
- IoT Security and FedRAMP
- IoT Device Discovery
- IoT Security Devices Page
- IoT Security Device Details Page
- Create Multi-interface Devices
- IP Endpoints
- Discover Mobile Device Attributes
- Custom Attributes
- Tag Management
Use SNMP Network Discovery to Learn about Devices from Switches
Configure next-generation firewalls to send SNMP queries to switches and learn about the devices connected to them.
To identify devices, assess risk, and help next-generation firewalls enforce security policy rules based on Device-ID, IoT Security requires network traffic metadata for analysis. Next-generation firewalls extract and log this metadata when they apply security policy rules that have logging enabled. When the rules also have log forwarding enabled, the firewalls send the logs to the logging service, which then streams the metadata to IoT Security.
However, depending on where the firewalls are placed, they might not have visibility into all network traffic, resulting in device discovery gaps and lower efficacy in device identification, behavior monitoring, and Device-ID rule enforcement. To extend visibility further into the network, IoT Security supports several options:
- Mirror traffic on network switches and use Encapsulated Remote Switched Port Analyzer (ERSPAN) to send mirrored traffic through GRE tunnels to a firewall. The firewall inspects the traffic, logs it, and then forwards the logs to the logging service for IoT Security to access.
- Configure a DHCP server to send its server logs as syslog messages to a firewall. The firewall then forwards the messages as Enhanced Application Logs (EALs) with a subtype of dhcp-syslog through the logging service to IoT Security.
- Integrate IoT Security with third-party products that provide services such as asset management and network management. IoT Security connects to these systems through Cortex XSOAR and retrieves additional device data from them to enhance the metadata learned from next-generation firewalls and optionally from network switches and DHCP servers.
In environments using DHCP to assign devices with network settings, IP addresses are leased dynamically for limited periods of time. An essential part of monitoring network behaviors to identify devices, assess risk, and enforce Device-ID security policy rules is the ability to link the dynamically assigned IP address of each device to its unique, unchanging MAC address. Next-generation firewalls can do this when they receive traffic containing both IP and MAC addresses. When firewalls don’t receive traffic from all devices or when they do but it contains only IP addresses—possibly because the traffic crossed Layer 2 domains and the device MAC address was changed to that of the forwarding device—they can still gather IP address-to-MAC address bindings by using SNMP to query switches throughout the network.
When using SNMP to query network switches and other forwarding devices, firewalls first develop a network topography by requesting the Link Layer Discovery Protocol (LLDP) neighbors and Cisco Discovery Protocol (CDP) neighbors of one switch (the entry point switch) and then repeating the request with neighboring switches and child switches one by one throughout the network. After obtaining a list of switches and forwarding devices throughout the network, or within a limited area of the network, the firewall next queries each one for its ARP table as well as other information. The ARP table contains the IP address-to-MAC address binding information for the devices connected through the switch to the network. Other device details for which firewalls query include the physical interfaces or ports on the switch to which devices connect, their VLANs and subnets, and DHCP and DNS server IP addresses. After the firewall receives this information, it creates logs and sends them through the logging service to IoT Security.
The following are sample object identifiers (OIDs) that SNMP queries on UDP port 161 for information about LLDP neighbors and CDP neighbors, device IP address-to-MAC address bindings, and interface or port information:
- OID: 1.0.8802.1.1.2.1.4 lldpRemoteSystemsData (LLDP neighbors)
- OID: 184.108.40.206.220.127.116.11.23 ciscoCdpMIB (CDP neighbors)
- OID: 18.104.22.168.22.214.171.124.1.2 ipNetToMediaPhysAddress (IP-to-MAC address bindings from ARP)
- OID: 126.96.36.199.188.8.131.52.1.1 ipNetToMediaIfIndex (Interface or port information)
IoT Security provides SNMP Network Discovery as part of the IoT Security Third-party Integrations Add-on license, which must be purchased. From PAN-OS 11.1, SNMP network discovery is available to next-generation firewalls as a free plugin and does not require the add-on license. While the version using the add-on license supports multiple sets of jobs for different networks and network segments per IoT Security tenant, the version with the free plugin supports just one set for one network or network segment per firewall.
The SNMP network discovery process cannot traverse switches that don’t support CDP or LLDP.
- Log in to the web interface of your firewall or Panorama and install the SNMP network discovery plugin.This plugin allows a firewall to send SNMP queries to switches and routers on the network and then process the responses it receives.Next-generation firewallSelect, search forDevicePluginsnetwork_discovery, clickDownloadin the Actions column, and thenInstallthe plugin on the firewall.Panorama
- Select, search forPanoramaPluginsnetwork_discovery, clickDownloadin the Actions column, and thenInstallthe plugin on Panorama.
- Select, clickPanoramaDevice DeploymentPluginsInstallin the Actions column, select the firewalls on which to install the plugin, and then clickOK.
- Configure SNMP network discovery parameters.The following instructions are for the SNMP network discovery configuration using the PAN-OS web interface on an individual next-generation firewall. To configure SNMP network discovery on Panorama, use templates and template stacks, and template stack variables for the IP addresses of the entry switch, discovery scope, and interfaces as needed.
- Selectand then clickDeviceIoT SecurityNetwork DiscoveryEdit(gear icon).The SNMP Network Discovery Settings dialog box appears with the Schedule Settings tab active.
- In the Network Discovery Job section, schedule how often the firewall runs a job to learn all the switches and other network forwarding devices that run LLDP and CDP on the network or within a defined scope of the network. The default is once a day, which usually is often enough.
- In the Network Data Refreshment Job section, schedule how often the firewall runs a job to query switches and other forwarding devices for information about the network and devices connected to them. Consider how often DHCP lease times renew and schedule the job to run at half the lease time, which is when DHCP clients start requesting lease renewals and could receive different IP addresses. In environments without DHCP, consider running the network data refreshment job once every hour, which is the default setting.
- Click theDiscovery Scope Settingstab, and enter the following:Entry Point switch: Enter the IP address of the entry point switch with which to begin the SNMP discovery process.A good choice for the entry point switch is a core switch because it would commonly have the broadest access to various distribution-layer and access-layer switches throughout the network.Device IP Address Scope: Enter the prefix for the IP CIDR block to define the scope of the switches and endpoint devices to learn. Optionally, don’t set a scope by enteringNoneand SNMP will collect network topology for the entire network.Service Route: If your firewall uses a data interface rather than the management interface to do SNMP network discovery, set a service route specifying that interface and the network segment to query.Service routes configured onare not applied. SNMP network discovery only uses service routes configured here.DeviceSetupServicesService Route Configuration
- Click theSNMP Settingstab and set the SNMP version and configure the required settings for the version and options you use.SNMP Version: Choose the SNMP version that your switches support, eitherV2(SNMPv2c) orV3. If you chooseV2, configure theCommunity String. If you chooseV3, configure theUsername,Security Level,Authentication ProtocolandPassword, andPrivacy ProtocolandPasswordsettings.Community String(for SNMP V2): Enter the SNMP community string configured on the switches to permit read-only access.Username(for SNMP V3): Enter a username for an SNMP user account with read-only access. This is the account the firewall uses when accessing an SNMP server running on a switch.Security Level(for SNMP V3): Choose the security level for accessing an SNMP server on a switch.
Authentication Protocol(for SNMP V3): Choose the algorithm for authenticating communications between the firewall and the switches:MD5(Message Digest Algorithm 5) orSHAfor SHA-1 (Secure Hash Algorithm 1).Authentication Password(for SNMP V3): Enter the password used during the authentication process.Privacy Protocol(for SNMP V3): Choose the algorithm for encrypting communications between the firewall and the switches:DES(Data Encryption Standard) orAES(Advanced Encryption Standard).Privacy Password(for SNMP V3): Enter the password used during the encryption process.
- noAuthNoPriv: Choose this to not authenticate and encrypt communications between the SNMP agent on the firewall and an SNMP server on a switch.
- authNoPriv: Choose this to require authentication based on either MD5 or SHA hashes but not encrypt communications between the firewall and the switches.
- authPriv: Choose this to require both authentication and encryption.
- SelectEnable SNMP Network Discovery Settingsand then clickOK.After enabling this feature, the settings are sent to the plugin, which checks the source interface IP address that will send and receive SNMP traffic and schedules the following tasks:
After the SNMP jobs are run, the resulting SNMP data is stored in files and converted to Enhanced Application logs. The firewall then sends the logs to the logging service. The logging service then streams the data to IoT Security, which updates its database and displays the SNMP discovery network topology data in the IoT Security portal.
- Send SNMP queries for Network Discovery using CDP and LLDP OIDs.
- Send SNMP queries for Network Data Refresh using various OIDs for VLANs, subnets, switch interface or port information, device IP-to-MAC address bindings, and other attributes on a per-device level.