Device Security
Policy Rule Recommendations
Table of Contents
Policy Rule Recommendations
Device Security uses machine learning to recommend policy rule sets and ACL rule sets
based on the observed network behaviors of IoT devices.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following subscriptions:
|
Device Security uses machine learning to automatically
generate Security policy rule recommendations based on the normal,
acceptable network behaviors of IoT devices in the same device profile.
It then provides these recommendations for next-generation firewalls
to control IoT device traffic.
Device Security derives its recommendations from the network behaviors
it observes in traffic generated by IoT devices in the same profile
across multiple Device Security tenants. It classifies the applications
in the observed behaviors into three groups:
- Common applications not locally observed – Applications commonly used by devices in the device profile in multiple Device Security tenant environments but not observed in yours
- Common applications locally observed – Applications commonly used by devices in the device profile in multiple Device Security tenant environments including yours
- Unique applications – Applications that are not typically used by devices in this device profile and were observed in use by devices in your environment only
Currently, policy rule recommendations are not supported in multi-vsys firewalls.
They must be manually created.
From PAN-OS 11.1, there's a different process
for recommending Security policy rules to next-generation firewalls from that described
here. The following workflow remains applicable to firewalls running PAN-OS versions
prior to PAN-OS 11.1.
Device Security then formulates a set of policy rule recommendations.
These rules allow devices in this device profile to continue network
behaviors that are common among multiple tenant environments and
those that are unique to yours. The premise is that these behaviors
are necessary for devices belonging to this device profile to function.
You can accept all these recommendations or disable or modify individual
rules to meet the security requirements of your network. When you’re
satisfied with a policy set, save and activate it. Once activated,
it becomes available for firewalls to import—either through Panorama
or directly—and then add to their rule set.
When a Panorama or firewall administrator imports a set of Security
policy rules from Device Security, the import operation automatically
creates device objects from source and destination profiles in the
recommended rules and uses those objects in the Security policy
rules it constructs. For the firewall to identify which IoT devices
to apply its policy rules to, it uses IP address-to-device mappings
that Device Security provides through Device-ID. The firewall learns
the device profile of an IoT device from the mapping and applies
rules with matching device objects as the source.
The Device Security app makes policy rule recommendations only for IoT devices that it has
identified with a high degree of confidence (a confidence score of 90-100%). It does
not consider the network behaviors of low- and medium-confidence IoT devices (0-69%
and 70-89% scores). In addition, Device Security does not provide policy rule
recommendations, alert and vulnerability detection, and network behavior analysis
for IT devices, which are devices that aren’t built for a specific task, such as
personal computers, smart phones, and tablets for example. For IT devices, the IoT
Security app provides device identification only.
After allowing sufficient time for Device Security to collect the
full behaviors of IoT devices in a profile, you’re ready to create
policy rule recommendations for it.
To begin, log in to the Device Security portal, navigate to , and then click a profile name.
Device Security displays three profile details pages:
- Overview – View a summary about the high-confidence IoT devices in this profile and their related risk factors for the past day, week, or month. See Device Profile Overview.
- Behaviors – View the behaviors of high-confidence IoT devices belonging to this profile in your local network environment and in other Device Security tenants’ environments. Also create Security policy rule sets based on these observed behaviors for next-generation firewalls. See Device Profile Behaviors.
- Device Security Policy – View previously created Security policy rule sets for next-generation firewalls and ACL rule sets for integration with Cisco ISE. IoT Security generates both types of rule sets from the observed network behaviors of high-confidence IoT devices in this profile in your local network environment and in other Device Security tenants’ environments. See Device Profile Policy.
- Strata Cloud Manager Policies (SCM) – View the Security policy rule recommendations for next-generation firewalls, organized by device profile. Coose a profile, select the rule recommendations you want to use, and then the next-generation firewalls or Prisma Access deployment types where you want to enforce them.
- Strata Cloud Manager Policies (PAN-OS and Panorama) – View previously created Security policy rule sets for next-generation firewalls and ACL rule sets for integration with Cisco ISE. Device Security generates both types of rule sets from the observed network behaviors of high-confidence IoT devices in this profile in your local network environment and in other Device Security tenants’ environments. See Device Profile Policy.