: Device-to-Site Mapping
Focus
Focus

Device-to-Site Mapping

Table of Contents

Device-to-Site Mapping

IoT Security maps devices to sites based on IP addresses or firewall locations.
From March 2022, IoT Security provides existing tenants two ways to link devices to sites:
  • IP address-based site assignments – IoT Security assigns devices to a site based on device IP address. This method was introduced in March 2022. It is available for existing IoT Security tenants to switch to and is the only option that new tenants (as of March 2022) can use.
  • Firewall-based site assignments – IoT Security assigns devices to a site based on the location of the firewall that sends it logs. Until March 2022, this was the only method that IoT Security offered.
For the first approach, you must define one or more Classless Inter-Domain Routing (CIDR) blocks or subnets for each site at NetworksNetworks and SitesNetworks. For the second approach, you must assign a site to each firewall at AdministrationFirewalls. Site assignment based on firewalls works well for smaller, single-site deployments. However, an issue can arise when there are multiple sites and devices at two sites communicate with each other. When this occurs, the firewalls at both sites observe a session involving the same two devices and report them in logs to IoT Security, which cannot tell where each device is actually located. This issue doesn’t occur when IoT Security assigns devices to sites based on IP address, which is the preferred method.

IP Address-based Site Assignment

This method for mapping devices to sites uses IP addresses and is the only site-mapping method available to new IoT Security tenants starting in March 2022.
If you haven’t done so already, enter or upload a CSV file of the IP address blocks of your sites in CIDR notation on NetworksNetworks and SitesNetworks. (Examples of CIDR notation: 10.55.0.0/16 and 10.197.0.0/16.) Then click AddAdd a Subnet and enter the network address in CIDR notation and a description, or click AddUpload Subnets and upload multiple subnets using the provided template.
You don’t need to use all the subnets that belong to a site for site mapping. Instead, pick the largest subnet (IP address block) for site assignment. For example, one site might have numerous subnets such as 10.55.10.0/24, 10.55.28.0/24, and 10.55.121.0/24, all of which are within a single IP block of 10.55.0.0/16. In this case, use 10.55.0.0/16 for site mapping. IoT Security automatically assigns smaller subnets within the site-mapping IP block to the same site and assigns devices within each subnet to the same site as that of their subnet.
After adding or uploading subnets, assign them to sites on NetworksNetworks and SitesSites. Either click the Create Site ( + ) icon to the upper right of the Sites table or click the three vertical dots icon at the far right of the row for a previously created site and then click Edit Site.
Choose the subnets you added or uploaded on NetworksNetworks and SitesNetworks.
If you miss a subnet, IoT Security won’t be able to link devices in the subnet to a site. When this happens, it assigns devices in this subnet to the Default site to which all the private IP ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are assigned for the purpose of catching any unassigned subnets.

Firewall-based Site Assignment

For IoT Security tenants that onboarded before March 2022, IoT Security uses firewall-based site assignments. After you finish onboarding a firewall, it appears on the NetworksNetworks and SitesNetworks page assigned to the Default Site. To reassign it to another site, click the three vertical dots icon in its row on the far right and then click Change Site.
Choose one of the sites in the Site Name list and then click Change.
IoT Security maps the devices whose traffic metadata appears in the logs from this firewall to this site.
For information about creating sites, see Sites and Site Groups.
If you don’t assign a firewall to a site, IoT Security won’t be able to link devices whose traffic appears in logs from this firewall to a site. When this happens, it assigns these devices to the Default Site.

Change Site Assignments from Firewalls to IP Addresses

Only a user with owner privileges can change from firewall-based site assignments to site assignments based on IP addresses.
For IoT Security tenants that map devices to sites based on firewalls, IoT Security provides an option to switch to the IP address-based approach. This is a one-time change. After switching to IP address-based site assignments, you can’t switch back to the firewall-based approach.
Select NetworksNetworks and SitesSites and click the gear icon (
) in the upper right of the Sites panel.
Switch from Firewall-based assignment to IP CIDR-based assignment and then Save.
As the note in the dialog box says, it can take up to two days for IoT Security to transition all devices to new sites and that during this time the site assignments for some devices might be incorrect.
Read the confirmation message that appears, recalling that this switch cannot be undone later, and when you’re ready, click Yes to continue.
After you finish setting up the IP CIDR blocks for site mapping and the new IP address-based site assignment method has had a couple days to establish device-to-site assignments, you can check NetworksNetworks and SitesNetworks to verify the configuration and make any adjustments if necessary.
Of particular interest is the Site Mapping column. When a subnet is linked to a site and its entry in the Site Mapping column is Yes, this indicates that the subnet has been manually mapped to the site. When a subnet is linked to a site but its entry in the Site Mapping column is No, it means that the subnet is a part of a larger IP address block that is mapped to the site and this subnet inherited its site mapping.
After switching device-to-site mapping from firewalls to IP addresses, IoT Security removes filters for All connected sites and All disconnected sites. These filters are based on the status of firewall activity at a site, and after the switch, IoT Security no longer links firewalls to sites.