Create a Policy Set in IoT Security

Recommend an automatically generated policy set for permitted IoT device network behaviors to your firewall.
IoT Security provides the automatic generation of policy rule recommendations to control IoT device traffic. The recommendations are based on device profiles. When a firewall or Panorama administrator imports a policy set—that is, a set of recommended policy rules—from IoT Security, the import operation automatically creates device objects from the source and destination profiles in the recommended policy rules and uses those objects in the security policy rules it constructs. For the firewall to identify which IoT devices to apply its policy rules to, it uses IP address-to-device mappings. The firewall learns the device profile of an IoT device from the mapping and applies rules with matching device objects as a source or destination.
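As an added illustration (not IoT Security or PAN-OS code), the following Python sketch shows the matching described above: the firewall resolves the source IP address of a flow to a device profile through the IP address-to-device mapping and applies a rule only when the device object built from the source profile matches. The mapping, rule fields, profile names, applications and addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, List

# Constructed IP address-to-device mapping. Assumption for this example:
# the mapping resolves a source IP address directly to a device profile name.
IP_TO_PROFILE: Dict[str, str] = {
    "10.1.1.20": "Polycom IP Phone",
    "10.1.1.21": "Polycom IP Phone",
    "10.1.2.5": "HVAC Controller",
}

@dataclass(frozen=True)
class Rule:
    name: str
    source_profile: str            # device object created from the source profile
    application: str
    destinations: FrozenSet[str]   # IP addresses or URLs; empty set means any
    services: FrozenSet[str]       # e.g. "tcp/8088"; empty set means any
    action: str = "allow"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst: str
    application: str
    service: str

# Constructed rule set, shaped like a rule imported from a policy set.
RULES: List[Rule] = [
    Rule("allow-polycom-app", "Polycom IP Phone", "Custom-Polycom",
         frozenset({"10.1.0.50"}), frozenset({"tcp/8088"})),
]

def match_rule(rule: Rule, flow: Flow, mapping: Dict[str, str]) -> bool:
    """True when the flow's source resolves to the rule's device object and
    the application, destination and service all match."""
    profile = mapping.get(flow.src_ip)
    if profile is None or profile != rule.source_profile:
        return False  # unmapped or different profile: device object does not apply
    if flow.application != rule.application:
        return False
    if rule.destinations and flow.dst not in rule.destinations:
        return False
    if rule.services and flow.service not in rule.services:
        return False
    return True

def evaluate(rules: List[Rule], flow: Flow, mapping: Dict[str, str]) -> Optional[str]:
    """Return the name of the first matching rule, or None when nothing matches
    (the flow then falls through to whatever the policy's default is)."""
    for rule in rules:
        if match_rule(rule, flow, mapping):
            return rule.name
    return None

if __name__ == "__main__":
    phone = Flow("10.1.1.20", "10.1.0.50", "Custom-Polycom", "tcp/8088")
    unmapped = Flow("10.1.9.9", "10.1.0.50", "Custom-Polycom", "tcp/8088")
    print(evaluate(RULES, phone, IP_TO_PROFILE), evaluate(RULES, unmapped, IP_TO_PROFILE))
```

The point of the last two flows: a host that is missing from the mapping, or that maps to a different profile, never matches a rule keyed on the Polycom device object even when the application, destination and port are identical, so the accuracy of the mapping directly decides what the recommended rules enforce.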
The IoT Security app makes policy rule recommendations for IoT devices only. It does not provide policy rule recommendations, alert and vulnerability detection, and network behavior analysis for IT devices, which are devices that aren’t built for a specific task: personal computers, smart phones, and tablets for example. For IT devices, the IoT Security app provides device identification only.
After allowing sufficient time for IoT Security to collect the full behaviors of IoT devices in a profile, you’re ready to create policy rule recommendations for it.
Before you start, consider enabling the automatic formation of application groups. This feature groups applications together when they share the same destination or set of destinations and, if configured, the same services, tags, and security profiles. Enabling this feature helps reduce the number of Security policy rules that IoT Security generates. For example, if this option isn’t enabled (its default state) and there’s one destination for ten different applications, IoT Security creates ten rules. However, if you enable this option, IoT Security forms an application group with those ten applications and creates just one rule.
IoT Security always groups destinations together to reduce the number of recommended policy rules. Unlike the application group option, it doesn’t require you to enable it.
To enable this feature, navigate to Policy Sets, click , and toggle on Automatically generate application groups for use in firewall policy rules.
When you enable this feature, IoT Security automatically applies application grouping to previously created policy sets wherever possible.
  1. Log in to the IoT Security portal, navigate to the Profiles page, and then click a profile name.
    You can also create a policy set by hovering your cursor over an IoT device profile name on the Profiles page and clicking Create Policy Set in the pop-up that appears, or by clicking a profile name on the Policy Sets page and then clicking
  2. On the profile details page, View Behaviors
    The data on the profile details page covers one month and is drawn only from IoT devices with a high confidence score.
    The IoT Security portal displays a summary of the profile's network behaviors, organized into internal and external destinations.
  3. To create a policy set based on these behaviors, click
  4. Name the policy, optionally enter a description, and then click
  5. Select the applications and internal destinations for which you want a policy rule to allow. (If there aren’t any, skip this page.)
    If there are no device profiles for internal destinations, IoT Security uses their IP addresses.
    When there are multiple destinations for an application, you have the option of selecting them individually or clicking
    Allow Application
    , which creates a policy rule that allows the application regardless of its destination. This is a convenient option when there is a large number of destinations.
    When you select which network behaviors to allow, IoT Security displays a service port list for the allowed applications. These are the service ports that the selected applications have been using on the network during the past month. If an application hasn't been observed in over a month, its service ports will no longer show up in the portal. Service port lists appear above the application-centric policy tables on the Select Internal Destinations page. As shown in the screen capture above, the Custom-Polycom application is using TCP/8088 and DHCP is using UDP/67 as their service ports.
    IoT Security learns the service ports for applications by observing network traffic. Allow it enough time to collect the session data it needs, keeping in mind that IoT Security needs more time for applications that are used less frequently.
    You can apply tags, services, and security profiles to individual applications so that they become part of the policy rules when the Panorama or firewall administrator imports them. This saves the administrator from having to edit the imported rules to apply them later. Select the applications you want to apply these to and then click
    at the top of the application section to see your choices.
    Click one of them, create or select previously-defined options, and then
    . You can apply one or more tags, services, and security profiles to the same application.
    The usage column shows the frequency of network usage patterns (device profile + application + URL) for the IoT devices in this profile. After the IoT Security machine-learning analytics engine examines network behaviors for a month, it then assigns each usage pattern a frequency rating of high, medium, or low. If you want to consider how often network usage patterns occur when deciding whether or not to add rules, this rating will help you decide.
    The number of policies grouped by application indicates how many policies will be imported into a firewall. However, instead of grouping policy rules by application, another display option is to group them by source profile behavior. You might prefer this display to see more applications at a glance without scrolling.
  6. To define a subset of the available IP addresses, click Any IP.
  7. In the Selected IP Addresses dialog box, select Only allow selected IP addresses.
  8. Select the IP addresses you want to allow the source profile to communicate with, and then
  9. To proceed to the Select External Destinations section, click
  10. Select the external URLs or IP addresses that you want a particular application to communicate with and then click
    When the destination is a URL that resolves to multiple IP addresses, you can view the addresses but you cannot select a subset of them.
    As it did on the Select Internal Destinations page, IoT Security also displays the service ports for applications in selected network behaviors on the Select External Destinations page. The screen capture above shows the NTP application using its standard ports: TCP/123 and UDP/123.
    If there are no external destinations you want to allow, skip this page.
  11. Review the policy set configuration and then click
  12. Activate the set of policy rules by clicking Activate Policy Set.
    A device profile can have only one active policy set at a time.
    After a policy set is activated, it becomes available for Panorama management servers and individual firewalls to import.
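The following Python example is added here to make two points from the text concrete: how destination grouping and the optional application-group setting change the number of recommended rules (ten applications sharing one destination become one rule instead of ten), and how a service port that has not been observed for over a month drops out of the list. It is not IoT Security's own algorithm; the observation records, profile name, applications, addresses, the 30-day window and the rule tuple format are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed observations for one device profile (not real IoT Security data):
# (profile, application, destination, observed service port, last seen).
OBSERVATIONS = [
    ("Polycom IP Phone", "Custom-Polycom", "10.1.0.50", "tcp/8088", date(2024, 5, 20)),
    ("Polycom IP Phone", "Custom-Polycom", "10.1.0.51", "tcp/8088", date(2024, 5, 18)),
    ("Polycom IP Phone", "sip", "10.1.0.50", "udp/5060", date(2024, 5, 15)),
    ("Polycom IP Phone", "sip", "10.1.0.51", "udp/5060", date(2024, 5, 16)),
    ("Polycom IP Phone", "dhcp", "10.1.0.1", "udp/67", date(2024, 5, 21)),
    ("Polycom IP Phone", "ntp", "time.example.com", "udp/123", date(2024, 5, 19)),
    ("Polycom IP Phone", "ntp", "time.example.com", "tcp/123", date(2024, 5, 19)),
    # Last seen almost three months ago: this behavior and its port should age out.
    ("Polycom IP Phone", "legacy-mgmt", "10.1.0.50", "tcp/9000", date(2024, 3, 1)),
]

WINDOW = timedelta(days=30)  # assumption: "the past month" modelled as 30 days

def recent(observations, today):
    """Keep only behaviors observed within the window, so a service port that
    has not been seen in over a month no longer appears."""
    return [o for o in observations if today - o[4] <= WINDOW]

def recommend_rules(observations, today, group_applications=False,
                    configured_services=None):
    """Return sorted rule tuples (profile, applications, destinations, services).

    Destinations are always merged per application.  With group_applications
    set, applications of the same profile that share a destination set and the
    same administrator-configured services are merged into a single rule.
    configured_services maps application -> services the administrator applied;
    when none are configured, the observed ports are reported on the rule.
    """
    configured_services = configured_services or {}
    per_app = defaultdict(lambda: {"dests": set(), "ports": set()})
    for profile, app, dest, port, _ in recent(observations, today):
        per_app[(profile, app)]["dests"].add(dest)
        per_app[(profile, app)]["ports"].add(port)

    groups = defaultdict(lambda: {"apps": [], "ports": set()})
    for (profile, app), entry in sorted(per_app.items()):
        configured = frozenset(configured_services.get(app, ()))
        # Without application grouping, every application keys its own rule.
        key = (profile, frozenset(entry["dests"]), configured,
               None if group_applications else app)
        groups[key]["apps"].append(app)
        groups[key]["ports"] |= entry["ports"]

    rules = []
    for (profile, dests, configured, _), g in groups.items():
        services = configured if configured else frozenset(g["ports"])
        rules.append((profile, tuple(g["apps"]), tuple(sorted(dests)),
                      tuple(sorted(services))))
    return sorted(rules)

if __name__ == "__main__":
    today = date(2024, 5, 22)
    for rule in recommend_rules(OBSERVATIONS, today, group_applications=True):
        print(rule)
```

With the sample data, Custom-Polycom and SIP share the same two destinations, so enabling application grouping collapses them into one rule (three rules instead of four); applying a service to only one of them separates the pair again, which is the "if configured, the same services" condition from the text. The legacy-mgmt port never appears because its last observation is outside the window.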
