IoT Security maps devices to sites based on IP addresses or firewall locations.
From March 2022, IoT Security provides existing tenants two ways to link devices to sites:
- IP address-based site assignments – IoT Security assigns devices to a site based on device IP address. This method was introduced in March 2022. It is available for existing IoT Security tenants to switch to and is the only option that new tenants (as of March 2022) can use.
- Firewall-based site assignments – IoT Security assigns devices to a site based on the location of the firewall that sends it logs. Until March 2022, this was the only method that IoT Security offered.
For the first approach, you must define one or more Classless Inter-Domain Routing (CIDR) blocks or subnets for each site at
. For the second approach, you must assign a site to each firewall at
. Site assignment based on firewalls works well for smaller, single-site deployments. However, an issue can arise when there are multiple sites and devices at two sites communicate with each other. When this occurs, the firewalls at both sites observe a session involving the same two devices and report them in logs to IoT Security, which cannot tell where each device is actually located. This issue doesn’t occur when IoT Security assigns devices to sites based on IP address, which is the preferred method.
Sites and Firewalls
IP Address-based Site Assignment
This method for mapping devices to sites uses IP addresses and is the only site-mapping method available to new IoT Security tenants starting in March 2022.
IoT Security does not support multiple sites with overlapping IP addresses. The IP address spaces at each of your sites must be unique to that site.
If you haven’t done so already, enter or upload a CSV file of the IP address blocks of your sites in CIDR notation on
. (Examples of CIDR notation: 10.55.0.0/16 and 10.197.0.0/16.) Then click
and enter the network address in CIDR notation and a description, or click
Add a subnet
and upload multiple subnets using the provided template.
You don’t need to use all the subnets that belong to a site for site mapping. Instead, pick the largest subnet (IP address block) for site assignment. For example, one site might have numerous subnets such as 10.55.10.0/24, 10.55.28.0/24, and 10.55.121.0/24, all of which are within a single IP block of 10.55.0.0/16. In this case, use 10.55.0.0/16 for site mapping. IoT Security automatically assigns smaller subnets within the site-mapping IP block to the same site and assigns devices within each subnet to the same site as that of their subnet.
After adding or uploading subnets, assign them to sites on
. Either click the
Sites and Firewalls
+) icon to the upper right of the Sites table or click the three vertical dots icon at the far right of the row for a previously created site and then click
Choose the subnets you added or uploaded on
If you miss a subnet, IoT Security won’t be able to link devices in the subnet to a site. When this happens, it assigns devices in this subnet to the Default site to which all the private IP ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are assigned for the purpose of catching any unassigned subnets.
Firewall-based Site Assignment
For IoT Security tenants that onboarded before March 2022, IoT Security uses firewall-based site assignments. After you finish onboarding a firewall, it appears on the
page assigned to the Default 0 site. To reassign it to another site, either select the check box to the left of the firewall or click the three vertical dots icon in its row on the far right and then click
Sites and Firewalls
Choose one of the sites in the Site Name list and then click
IoT Security maps the devices whose traffic metadata appears in the logs from this firewall to this site.
If you don’t assign a firewall to a site, IoT Security won’t be able to link devices whose traffic appears in logs from this firewall to a site. When this happens, it assigns these devices to the Default 0 site.
Change Site Assignments from Firewalls to IP Addresses
For IoT Security tenants that map devices to sites based on firewalls, IoT Security provides an option to switch to the IP address-based approach. This is a one-time change. After switching to IP address-based site assignments, you can’t switch back to the firewall-based approach.
and click the gear icon ( ) in the upper right of the Sites panel.
Sites and Firewalls
IP CIDR-based assignmentand then
As the note in the dialog box says, it can take up to two days for IoT Security to transition all devices to new sites and that during this time the site assignments for some devices might be incorrect.
Read the confirmation message that appears, recalling that this switch cannot be undone later, and when you’re ready, click
After you finish setting up the IP CIDR blocks for site mapping and the new IP address-based site assignment method has had a couple days to establish device-to-site assignments, you can check
to verify the configuration and make any adjustments if necessary.
Of particular interest is the Site Mapping column. When a subnet is linked to a site and its entry in the Site Mapping column is
Yes, this indicates that the subnet has been manually mapped to the site. When a subnet is linked to a site but its entry in the Site Mapping column entry is
No, it means that the subnet is a part of a larger IP address block that is mapped to the site and this subnet inherited its site mapping.
After switching device-to-site mapping from firewalls to IP addresses, IoT Security removes filters for
All connected sitesand
All disconnected sites. These filters are based on the status of firewall activity at a site, and after the switch, IoT Security no longer links firewalls to sites.
Recommended For You
Recommended videos not found.