: Policy Rule Recommendations
Focus
Focus

Policy Rule Recommendations

Table of Contents

Policy Rule Recommendations

IoT Security
uses machine learning to recommend policy rule sets and ACL rule sets based on the observed network behaviors of IoT devices.
IoT Security
uses machine learning to automatically generate Security policy rule recommendations based on the normal, acceptable network behaviors of IoT devices in the same device profile. It then provides these recommendations for next-generation firewalls to control IoT device traffic.
IoT Security
derives its recommendations from the network behaviors it observes in traffic generated by IoT devices in the same profile across multiple
IoT Security
tenants. It classifies the applications in the observed behaviors into three groups:
  • Common applications not locally observed
    – Applications commonly used by devices in the device profile in multiple
    IoT Security
    tenant environments but not observed in yours
  • Common applications locally observed
    – Applications commonly used by devices in the device profile in multiple
    IoT Security
    tenant environments including yours
  • Unique applications
    – Applications that are not typically used by devices in this device profile and were observed in use by devices in your environment only
From PAN-OS 11.1, there's a different process for recommending Security policy rules to next-generation firewalls from that described here. The following workflow remains applicable to firewalls running PAN-OS versions prior to PAN-OS 11.1.
IoT Security
then formulates a set of policy rule recommendations. These rules allow devices in this device profile to continue network behaviors that are common among multiple tenant environments and those that are unique to yours. The premise is that these behaviors are necessary for devices belonging to this device profile to function. You can accept all these recommendations or disable or modify individual rules to meet the security requirements of your network. When you’re satisfied with a policy set, save and activate it. Once activated, it becomes available for firewalls to import—either through Panorama or directly—and then add to their rule set.
When a Panorama or firewall administrator imports a set of Security policy rules from
IoT Security
, the import operation automatically creates device objects from source and destination profiles in the recommended rules and uses those objects in the Security policy rules it constructs. For the firewall to identify which IoT devices to apply its policy rules to, it uses IP address-to-device mappings that
IoT Security
provides through Device-ID. The firewall learns the device profile of an IoT device from the mapping and applies rules with matching device objects as the source.
The
IoT Security
app makes policy rule recommendations only for IoT devices that it has identified with a high degree of confidence (a confidence score of 90-100%). It does not consider the network behaviors of low- and medium-confidence IoT devices (0-69% and 70-89% scores). In addition,
IoT Security
does not provide policy rule recommendations, alert and vulnerability detection, and network behavior analysis for IT devices, which are devices that aren’t built for a specific task, such as personal computers, smart phones, and tablets for example. For IT devices, the IoT Security app provides device identification only.
After allowing sufficient time for
IoT Security
to collect the full behaviors of IoT devices in a profile, you’re ready to create policy rule recommendations for it.
To begin, log in to the
IoT Security
portal, navigate to
Assets
Profiles
, and then click a profile name.
IoT Security
displays three profile details pages:
  • Overview
    – View a summary about the high-confidence IoT devices in this profile and their related risk factors for the past day, week, or month. See Device Profile Overview.
  • Behaviors
    – View the behaviors of high-confidence IoT devices belonging to this profile in your local network environment and in other
    IoT Security
    tenants’ environments. Also create Security policy rule sets based on these observed behaviors for next-generation firewalls. See Device Profile Behaviors.
  • Policy
    – View previously created Security policy rule sets for next-generation firewalls and ACL rule sets for integration with Cisco ISE. IoT Security generates both types of rule sets from the observed network behaviors of high-confidence IoT devices in this profile in your local network environment and in other
    IoT Security
    tenants’ environments. See Device Profile Policy.

Recommended For You