Restrict Network Access
Restrict IoT devices of concern from accessing the network.

Although policy recommendations enforce trusted behaviors for IoT devices, they only take effect when device behavior changes. If IoT Security detects elevated risk on a device, perhaps because a business-critical device runs an obsolete operating system, and you want to take preventive action before an exploit is launched, you need a different approach from behavior-based policy rules. IoT Security provides another option that lets you restrict network access for a specific IoT device or for a group of IoT devices that share the same issue, such as those susceptible to or suspected of compromise.

To accomplish this, first create a Security policy rule in which Source Device is any device whose Category is "Restricted" and the action is Deny. Position this rule above all other device-based rules in the rulebase; otherwise a rule based on the profile attribute, or on some other attribute, can occlude it. Similarly, make sure the "Restricted" rule is above any other rule that might occlude it, including rules that don't use Device-ID. Then, in the IoT Security portal, enable the network traffic restriction feature but don't use it to restrict access yet. Firewalls won't apply the new rule at this point because none of the IP address-to-device mappings have a category attribute that matches "Restricted".

When you restrict network access for one or more devices, IoT Security immediately changes their category attribute from the real device category to "Restricted" and sends firewalls new IP address-to-device mappings for them. When traffic reaches a firewall from a device with the "Restricted" category attribute, the firewall applies the Security policy rule you created and denies the device access to the network.

Although the accompanying illustrations show a firewall enforcing a "category=Restricted" rule instead of another device-based Security policy rule, the other rule doesn't need to be device based. You can restrict network access for an IoT device even when a firewall would otherwise permit its traffic based on source IP address, service, application, or any other factor or combination of factors, as long as the "Restricted" rule is evaluated first.

Later, after the security issue is resolved, you derestrict the devices, which returns their IP address-to-device mappings to their previous categories. Their category attributes then no longer match the "Restricted" rule, and the devices are permitted network access as determined by the other rules.
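The following is an added example, not IoT Security or PAN-OS code, that simulates the mechanism described above: a first-match rulebase, IP address-to-device mappings in which IoT Security rewrites only the category attribute to "Restricted", and the effect of placing the "Restricted" rule above or below a profile-based allow rule. The Rule and DeviceMapping structures, the rule names, IP addresses and confidence scores are all constructed for illustration and are simplifications of what the firewall actually holds; the 90-point confidence gate mirrors the note below.

```python
"""Simulate first-match evaluation of a PAN-OS-style rulebase when IoT Security
flips a device's Device-ID category to "Restricted".

Added example, not IoT Security or PAN-OS code. Rule/mapping structures,
names, IPs and scores are constructed stand-ins for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                       # "allow" or "deny"
    src_device: dict = field(default_factory=dict)    # Device-ID attr -> value; empty = any
    src_ip: Optional[str] = None                      # None = any source address


@dataclass
class DeviceMapping:
    """IP address-to-device mapping pushed by IoT Security (simplified)."""
    ip: str
    category: str
    profile: str
    confidence: int


def rule_matches(rule: Rule, ip: str, mapping: Optional[DeviceMapping]) -> bool:
    if rule.src_ip is not None and rule.src_ip != ip:
        return False
    if rule.src_device:
        if mapping is None:                           # no Device-ID data: device rule can't match
            return False
        attrs = {"category": mapping.category, "profile": mapping.profile}
        if any(attrs.get(k) != v for k, v in rule.src_device.items()):
            return False
    return True


def evaluate(rulebase, ip, mappings):
    """First match wins, as on the firewall; unmatched traffic hits the implicit deny."""
    mapping = mappings.get(ip)
    for rule in rulebase:
        if rule_matches(rule, ip, mapping):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def restrict(mappings, ip, real_categories):
    """Replace the real category with 'Restricted' and push a new mapping.
    Only devices with a high confidence score (>= 90) are eligible."""
    m = mappings[ip]
    if m.confidence < 90:
        raise ValueError(f"{ip}: confidence {m.confidence} < 90, cannot restrict")
    real_categories[ip] = m.category
    mappings[ip] = DeviceMapping(ip, "Restricted", m.profile, m.confidence)


def derestrict(mappings, ip, real_categories):
    """Return the mapping to its previous category."""
    m = mappings[ip]
    mappings[ip] = DeviceMapping(ip, real_categories.pop(ip), m.profile, m.confidence)


RESTRICT_RULE = Rule("Restrict IoT network access", "deny", {"category": "Restricted"})
PROFILE_ALLOW = Rule("Allow infusion pumps", "allow", {"profile": "Infusion Pump"})
IP_ALLOW = Rule("Allow clinical subnet host", "allow", src_ip="10.20.30.40")


def demo():
    # Constructed mappings: one high-confidence device, one below the threshold.
    mappings = {
        "10.20.30.40": DeviceMapping("10.20.30.40", "Medical", "Infusion Pump", 95),
        "10.20.30.41": DeviceMapping("10.20.30.41", "Medical", "Infusion Pump", 72),
    }
    real, results = {}, {}
    correct = [RESTRICT_RULE, PROFILE_ALLOW, IP_ALLOW]      # "Restricted" rule on top
    # 1. Before restriction the device matches the profile-based allow rule.
    results["before"] = evaluate(correct, "10.20.30.40", mappings)
    # 2. Restricted, with the deny rule on top: denied even though an IP-based
    #    rule further down would allow the same host.
    restrict(mappings, "10.20.30.40", real)
    results["restricted_top"] = evaluate(correct, "10.20.30.40", mappings)
    # 3. Same mapping, deny rule placed below the profile rule: only the category
    #    changed, the profile still matches, so the allow rule occludes the deny.
    occluded = [PROFILE_ALLOW, RESTRICT_RULE, IP_ALLOW]
    results["restricted_occluded"] = evaluate(occluded, "10.20.30.40", mappings)
    # 4. Derestricting restores the real category and the normal allow decision.
    derestrict(mappings, "10.20.30.40", real)
    results["after"] = evaluate(correct, "10.20.30.40", mappings)
    # 5. A device below the confidence threshold cannot be restricted at all.
    try:
        restrict(mappings, "10.20.30.41", real)
        results["low_confidence"] = "restricted"
    except ValueError:
        results["low_confidence"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Case 3 is the one to take away: because IoT Security rewrites only the category attribute, any rule that matches on profile, source address, application or anything else and sits above the "Restricted" rule will still admit the device.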
Notes:
- To support Device-ID and IP address-to-device mappings, firewalls must be running PAN-OS 10.0 or later. To support the traffic restriction feature, firewalls must have device dictionary file 16-253 or later. Both the PAN-OS software version and device dictionary version appear in the General Information section on the PAN-OS web interface Dashboard.
- Traffic restriction is only applicable for devices with a high identity confidence score of 90 or above. A confidence score indicates the level of confidence IoT Security has in its identification of a device. IoT Security has three confidence levels based on calculated confidence scores: high (90-100%), medium (70-89%), and low (0-69%).
- This feature restricts network access but doesn’t completely quarantine a device. Depending on network design, a restricted device can still access those parts of the network it can reach without traversing a firewall.
- Only an IoT Security user with owner privileges can enable and disable the feature.
- Configure a Security policy rule that denies traffic from any device whose Device-ID attribute for Category is "Restricted". These instructions explain how to configure the rule in the PAN-OS web UI; you can also configure it through Panorama.
  - Log in to the web UI on your firewall, select Policies > Security, and then click Add to create a new Security policy rule. On the General tab, enter a name for the rule such as Restrict IoT network access.
  - On the Source tab, click Add in the Source Device section and then click Device. In the Device Object dialog box that appears, enter a name, choose Restricted for Category, and then click OK. Select the device object you just created as the source device and select Any for the source zone and address.
  - On the Destination tab, select Any for the destination zone, address, and device.
  - On the Actions tab, choose Deny as the action. If the firewall forwards logs to Cortex Data Lake, Panorama, or another external log server, choose a log forwarding profile. Even for a rule that denies traffic, logs provide visibility into what the restricted device was attempting to connect to and are useful during remediation. Click OK to save the Security policy rule.
  - Move the rule above all other rules in the rulebase, including rules that don't use Device-ID, so that no earlier rule can occlude it, and then commit the configuration.
- Enable traffic restriction in the IoT Security portal.
  - Log in to the IoT Security portal with owner privileges, select Policy Sets > Settings, and then toggle Restrict device traffic via firewall policy. The following user roles have IoT Security owner privileges: account administrator, app administrator, instance administrator, and owner.
  - A pop-up panel appears. Read how traffic restriction works and then click Next.
  - Select I have created the policy and then click Next.
  - Read where to restrict traffic in the IoT Security portal and then click Enable.
- Restrict IoT devices. As stated in step 3/3 of the Enable Traffic Restriction panel, there are three places in the IoT Security portal where you can restrict network traffic: vulnerability instances on a Vulnerability Details page, a Security Alert Details page, and a Device Details page. Each place, or point of restriction, is described below. Although only an owner can enable and disable the ability to restrict network traffic, either an owner or an administrator can use the feature to impose a restriction on a device or release one from restriction. For more information about user roles, see Create IoT Security Users.
  - Vulnerability instance as the point of restriction. To restrict one or more IoT devices on the Vulnerability Details page, select Risks > Vulnerabilities and then click a vulnerability name. If the Confidence Level column is hidden, click the Columns icon and select it. Select one or more vulnerability instances with a high confidence score of 90 or above and then click More > Restrict Traffic. Review the list of vulnerable or potentially vulnerable devices whose traffic will be restricted, optionally add a note for future reference, and then click Confirm. The entry for each device in the Restricted Traffic column changes from No to Yes, indicating that its traffic is being restricted. If you don't see the Restricted Traffic column, click the Columns icon and select Restricted Traffic. A new entry appears in the Vulnerability Responses column; hover your cursor over the entry to see a history of actions taken. The Device Details page for the traffic-restricted device adds a Restricted Device label next to the device name. If you hover your cursor over the label, a pop-up appears with the time and point of restriction, a link to the vulnerability, security alert, or device details page (in this case, a Vulnerability Details page), and any notes you made.
  - Security alert as the point of restriction. To restrict an IoT device with a specific security alert, select Alerts > Security Alerts and then click an alert name. On the Alert Details page, click Action > Restrict Traffic. If the confidence score of the impacted device is below 90, a message appears stating that the device cannot be restricted; the confidence score appears in the Impacted Device section on the Alert Details page. If the confidence score is 90 or above, the Restrict Traffic dialog box appears. Review the device whose traffic will be restricted, optionally add a note for future reference, and then click Confirm. A new label appears at the top of the Alert Details page stating Traffic Restricted Yes, and a new entry appears in the Alert Events column. The Device Details page for the traffic-restricted device adds a Restricted Device label next to the device name. When you hover your cursor over the label, a pop-up appears with the time you started restricting traffic; a link to the point of restriction, which in this case is a Security Alert Details page; and any notes you made.
  - IoT Device Details as the point of restriction. To restrict a single IoT device on the Device Details page, click Devices and then the name of one of the devices in the inventory table. In the Identity section at the top of the Device Details page, click the Action icon (three vertical dots) and then Restrict Traffic. Check that the device whose traffic will be restricted is correct, optionally add a note for future reference, and then click Confirm. The IoT Security portal adds a Restricted Device label next to the device name on the Device Details page. When you hover your cursor over the label, a pop-up appears with the time you started restricting traffic; a link to the point of restriction, which in this case is the same Device Details page you're already on; and any notes you made. On the Devices page, the entry for this device in the Restricted Traffic column changes from No to Yes, indicating that its traffic is being restricted. If you don't see the Restricted Traffic column, click the Columns icon and select Restricted Traffic in the Traffic section.
- View all restricted devices. On the Policy Sets page, click the number of restricted devices displayed in the Overview panel. The Devices page opens with a filter applied to show only restricted devices in the inventory table.
- After investigating and remediating a traffic-restricted device, derestrict traffic for it. To derestrict traffic for a device, repeat the same process you used to restrict traffic but click Derestrict Traffic. You can derestrict multiple vulnerability instances in bulk: select one or more instances on the Vulnerability Details page and then click More > Derestrict Traffic. For other traffic-restricted devices, view the inventory on the Devices page with the Restricted Traffic filter applied, then click device names one by one to open the Device Details page for each, click the Action icon (three vertical dots), and then click Derestrict Traffic. To disable the feature completely, click Policy Sets, toggle off Restrict device traffic via firewall policy, and then Confirm the action. When you do, IoT Security cancels all existing device traffic restrictions. It also changes the entries in the Vulnerability Response column (Risks > Vulnerabilities > vulnerability_name) and Last Action column (Alerts > Security Alerts) for these devices to Device was derestricted.
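Before toggling the feature on in the portal, it is worth checking the committed rulebase rather than trusting the web UI walkthrough. The following is an added example, not Palo Alto Networks code, that audits an exported PAN-OS configuration for the rule the steps above create: a device object with Category "Restricted", a rule that uses it as source device with action deny, any zones and addresses, a log forwarding profile, and nothing above it in the rulebase. The element names (device-object, source-device, log-setting under the vsys entry) are my reading of the PAN-OS XML layout and should be confirmed against a real export from your firewall; the sample configuration and the function name audit_restricted_rule are constructed for this example.

```python
"""Audit an exported PAN-OS security rulebase for a usable "Restricted" rule.

Added example, not Palo Alto Networks code. The XML element names follow the
PAN-OS export layout as I understand it (verify against a real export); the
sample configuration below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the deny rule exists and is correct, but sits BELOW a
# profile-based allow rule, which is exactly the ordering mistake the page warns about.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <device-object>
    <entry name="restricted-iot"><category>Restricted</category></entry>
    <entry name="infusion-pumps"><profile>Infusion Pump</profile></entry>
  </device-object>
  <rulebase><security><rules>
    <entry name="Allow infusion pumps">
      <from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <source-device><member>infusion-pumps</member></source-device>
      <application><member>any</member></application><service><member>any</member></service>
      <action>allow</action>
    </entry>
    <entry name="Restrict IoT network access">
      <from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <source-device><member>restricted-iot</member></source-device>
      <application><member>any</member></application><service><member>any</member></service>
      <action>deny</action>
      <log-setting>iot-forward</log-setting>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def members(rule, tag):
    """Return the member list of a rule field such as from/to/source-device."""
    return [m.text for m in rule.findall(f"{tag}/member")]


def audit_restricted_rule(config_xml: str) -> list:
    """Return a list of findings; an empty list means the rulebase is ready."""
    findings = []
    root = ET.fromstring(config_xml)
    vsys = root.find("devices/entry/vsys/entry")
    # Device objects whose Category attribute is "Restricted"
    restricted_objs = {
        e.get("name") for e in vsys.findall("device-object/entry")
        if e.findtext("category") == "Restricted"
    }
    if not restricted_objs:
        return ["no device object with category Restricted"]
    rules = vsys.findall("rulebase/security/rules/entry")
    idx = next((i for i, r in enumerate(rules)
                if set(members(r, "source-device")) & restricted_objs), None)
    if idx is None:
        return ["no security rule uses the Restricted device object as source device"]
    rule = rules[idx]
    name = rule.get("name")
    if rule.findtext("action") != "deny":
        findings.append(f"{name}: action is not deny")
    for tag in ("from", "to", "source", "destination"):
        if members(rule, tag) != ["any"]:
            findings.append(f"{name}: {tag} is not any, restriction would be partial")
    if rule.find("log-setting") is None:
        findings.append(f"{name}: no log forwarding profile, denied attempts will not be forwarded")
    # Any rule evaluated before it can occlude it, whether or not it uses Device-ID.
    for r in rules[:idx]:
        findings.append(f"{name}: occluded by earlier rule '{r.get('name')}'")
    return findings


if __name__ == "__main__":
    for finding in audit_restricted_rule(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of a configuration export from the firewall (or the Panorama device group) after the commit; the only acceptable result is an empty findings list. Treat every "occluded by earlier rule" finding as a real gap, since the page is explicit that rules not using Device-ID can shadow the deny just as easily as profile-based ones.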