Device-to-Site Mapping
IoT Security maps devices to sites based on IP addresses
or firewall locations.
From March 2022, IoT Security provides existing tenants
two ways to link devices to sites:
- IP address-based site assignments – IoT Security assigns devices to a site based on device IP address. This method was introduced in March 2022. It is available for existing IoT Security tenants to switch to and is the only option that new tenants (as of March 2022) can use.
- Firewall-based site assignments – IoT Security assigns devices to a site based on the location of the firewall that sends it logs. Until March 2022, this was the only method that IoT Security offered.
For the first approach, you must define one or more Classless
Inter-Domain Routing (CIDR) blocks or subnets for each site at .
For the second approach, you must assign a site to each firewall
at .
Site assignment based on firewalls works well for smaller, single-site
deployments. However, an issue can arise when there are multiple
sites and devices at two sites communicate with each other. When
this occurs, the firewalls at both sites observe a session involving
the same two devices and report them in logs to IoT Security, which
cannot tell where each device is actually located. This issue doesn’t
occur when IoT Security assigns devices to sites based on IP address,
which is the preferred method.
IP Address-based Site Assignment
This method for mapping devices to sites uses IP addresses
and is the only site-mapping method available to new IoT Security
tenants starting in March 2022.
IoT Security does not support multiple sites with overlapping
IP addresses. The IP address spaces at each of your sites must be
unique to that site.
If you haven’t done so already, enter or upload a CSV file of
the IP address blocks of your sites in CIDR notation on .
(Examples of CIDR notation: 10.55.0.0/16 and 10.197.0.0/16.) Then
click and
enter the network address in CIDR notation and a description, or
click and
upload multiple subnets using the provided template.
You don’t need to use all the subnets that belong to a
site for site mapping. Instead, pick the largest subnet (IP address
block) for site assignment. For example, one site might have numerous
subnets such as 10.55.10.0/24, 10.55.28.0/24, and 10.55.121.0/24,
all of which are within a single IP block of 10.55.0.0/16. In this
case, use 10.55.0.0/16 for site mapping. IoT Security automatically
assigns smaller subnets within the site-mapping IP block to the same
site and assigns devices within each subnet to the same site as
that of their subnet.
After adding or uploading subnets, assign them to sites on . Either click the
Create
Site
( +
) icon to the upper
right of the Sites table or click the three vertical dots icon at
the far right of the row for a previously created site and then
click Edit Site
.
Choose the subnets you added or uploaded on .
If you miss a subnet, IoT Security won’t be able to link devices
in the subnet to a site. When this happens, it assigns devices in
this subnet to the Default site to which all the private IP ranges
(10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are assigned for
the purpose of catching any unassigned subnets.
Firewall-based Site Assignment
For IoT Security tenants that onboarded before March
2022, IoT Security uses firewall-based site assignments. After you
finish onboarding a firewall, it appears on the page assigned to
the Default 0 site. To reassign it to another site, either select
the check box to the left of the firewall or click the three vertical
dots icon in its row on the far right and then click
Change
Site
. 
Choose one of the sites in the Site Name list and then click
Change
.
IoT Security maps the devices whose traffic metadata appears
in the logs from this firewall to this site.
For information about creating sites, see Sites and Site Groups.
If you don’t assign a firewall to a site, IoT Security won’t
be able to link devices whose traffic appears in logs from this
firewall to a site. When this happens, it assigns these devices
to the Default 0 site.
Change Site Assignments from Firewalls to IP Addresses
Only a user with owner privileges can
change from firewall-based site assignments to site assignments
based on IP addresses.
For IoT Security tenants that map devices to sites based on firewalls,
IoT Security provides an option to switch to the IP address-based
approach. This is a one-time change. After switching to IP address-based
site assignments, you can’t switch back to the firewall-based approach.
Select and
click the gear icon (
) in the upper
right of the Sites panel.
) in the upper
right of the Sites panel.
Switch from
Firewall-based assignment
to IP
CIDR-based assignment
and then Save
.
As the note in the dialog box says, it can take up to two days
for IoT Security to transition all devices to new sites and that
during this time the site assignments for some devices might be
incorrect.
Read the confirmation message that appears, recalling that this
switch cannot be undone later, and when you’re ready, click
Yes
to continue.
After you finish setting up the IP CIDR blocks for site mapping
and the new IP address-based site assignment method has had a couple
days to establish device-to-site assignments, you can check to
verify the configuration and make any adjustments if necessary.
Of particular interest is the Site Mapping column. When a subnet
is linked to a site and its entry in the Site Mapping column is
Yes
, this
indicates that the subnet has been manually mapped to the site.
When a subnet is linked to a site but its entry in the Site Mapping
column entry is No
, it means that the subnet
is a part of a larger IP address block that is mapped to the site
and this subnet inherited its site mapping.After switching device-to-site mapping from firewalls to
IP addresses, IoT Security removes filters for
All connected sites
and All
disconnected sites
. These filters are based on the status
of firewall activity at a site, and after the switch, IoT Security
no longer links firewalls to sites.