When deploying IoT Security, first gain insight into your IoT device
inventory and then protect those devices, prioritizing the most critical ones.
Consider the following best practices when deploying IoT Security and then
when using it.
Step 1. Gain insight into your IoT inventory.
Give new, unidentified devices default network access so they can establish
their normal behavior and IoT Security can identify them. Once a device is
identified, the firewall applies policy rules to traffic to and from it based
on a device ID attribute: device category, profile, vendor, model, OS family,
or OS version.
Enable all available logging on the firewall, including Enhanced Application
Logs (EALs). EALs are necessary to capture data from packet payloads, which
IoT Security uses to identify devices and model their behavior.
Enable log forwarding so that the firewall sends the collected logs to
Cortex Data Lake, where IoT Security can access them.
Allow approximately one week for IoT Security to gather and
analyze enough traffic to establish a stable device inventory and
baseline. Although IoT Security will identify most devices within
hours of receiving logs from the firewall, it is normal for device
identification to change during the first few days as more data
is collected. Additionally, IoT Security will identify devices with
more traffic faster than those that generate less traffic.
If the confidence level for an IoT device isn't high, there are several
possible causes and corresponding actions you can take.
If the device is inactive and there isn't enough data about its network
behavior to identify it with a high level of confidence, you can help the
device generate more network traffic.
If changes to the deployment or security posture of a device
affected its network behavior or the collection of its behavior,
restart the baseline process to give it a fresh start.
If the IoT device is behind a NAT device along with other
devices, their traffic will appear to come from the same source
and present a mix of behaviors. In this case, consider deploying
a firewall to collect network data from behind the NAT device.
If you deploy a firewall as a sensor in tap mode, check if
incoming data from the SPAN port on the switch includes both TX
and RX data. If not, it’s possible that asymmetric routing is not
delivering traffic to the same SPAN port. Reconfigure the switch
to correct this.
If you know the identity of the IoT device, manually enter
the information in Device Details in the IoT Security portal.
If you don't recognize the device, you've eliminated the other possible
causes above, and IoT Security still hasn't confidently identified the
device, there might not be enough samples of network behavior for this
particular device profile. In this case, the only option is to allow
additional time for IoT Security to collect data and learn about the device
and similar devices in that profile.
Device confidence scores are on the Devices page in
the IoT Security portal.
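The tap-mode check above (both TX and RX arriving from the SPAN port) can be automated. The following is an added example, not code from the IoT Security documentation: it runs over constructed packet summaries of the kind you would export from a capture on the sensor's tap interface, pairs the two directions of each conversation, and reports how many conversations were seen in only one direction. The IP addresses, ports and the 0.5 threshold are assumptions for illustration; a single unanswered DNS query is normal, so the signal to act on is a large share of one-way conversations, not any one of them.

```python
"""Check whether mirrored (SPAN/tap) traffic carries both directions of each flow.

Added example for the IoT Security best practices page; not from the page itself.
Works offline on constructed packet summaries.
"""
from collections import defaultdict

# Constructed packet summaries as a sensor sees them from a SPAN port:
# (src_ip, src_port, dst_ip, dst_port, protocol). Not real captures.
HEALTHY_SPAN = [
    ("10.1.20.15", 49152, "10.1.10.5", 443, "tcp"),  # camera -> NVR
    ("10.1.10.5", 443, "10.1.20.15", 49152, "tcp"),  # NVR -> camera (return path seen)
    ("10.1.20.16", 50000, "8.8.8.8", 53, "udp"),     # pump -> DNS, no answer captured
    ("10.1.20.16", 50000, "8.8.8.8", 53, "udp"),     # retransmit of the same query
    ("10.1.20.17", 51000, "10.1.10.9", 80, "tcp"),   # HVAC -> controller
    ("10.1.10.9", 80, "10.1.20.17", 51000, "tcp"),   # controller -> HVAC
]

# Same conversations when the SPAN session mirrors only the transmit side of
# the IoT VLAN (constructed by keeping the packets sourced from 10.1.20.0/24).
TX_ONLY_SPAN = [p for p in HEALTHY_SPAN if p[0].startswith("10.1.20.")]


def flow_key(pkt):
    """Canonical bidirectional key: order the endpoints so both directions share it."""
    src, sport, dst, dport, proto = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def direction_counts(packets):
    """Count packets per conversation, split by direction relative to the canonical key."""
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto in packets:
        forward = (src, sport) <= (dst, dport)
        counts[flow_key((src, sport, dst, dport, proto))][0 if forward else 1] += 1
    return counts


def one_way_flows(packets):
    """Conversations for which only one direction was mirrored."""
    return sorted(k for k, (fwd, rev) in direction_counts(packets).items()
                  if fwd == 0 or rev == 0)


def span_symmetry_ratio(packets):
    """Fraction of conversations with both directions present; close to 1.0 on a healthy SPAN."""
    counts = direction_counts(packets)
    if not counts:
        return 1.0
    return sum(1 for fwd, rev in counts.values() if fwd and rev) / len(counts)


def assess_span(packets, min_ratio=0.5):
    """'ok' when most conversations are bidirectional. 'one-way' points at a SPAN
    session that mirrors only TX or RX, or at asymmetric routing that carries the
    return path past a port that is not mirrored. The threshold is an assumption."""
    return "ok" if span_symmetry_ratio(packets) >= min_ratio else "one-way"


if __name__ == "__main__":
    for name, pkts in (("healthy", HEALTHY_SPAN), ("tx-only", TX_ONLY_SPAN)):
        print(f"{name}: ratio={span_symmetry_ratio(pkts):.2f} "
              f"verdict={assess_span(pkts)} one_way={len(one_way_flows(pkts))}")
```

Run it against a few minutes of capture from the tap interface rather than a handful of packets; short-lived one-way flows (unanswered probes, broadcasts) are expected, and the ratio only becomes meaningful across many conversations.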
Step 2. Identify and protect your most critical IoT devices.
Determine which IoT devices are mission-critical;
that is, those devices that are required to sustain business continuity.
For example, for healthcare companies, this could be medical equipment
used to diagnose and treat patients; or for industrial environments,
this could be factory-line devices such as programmable logic controllers
on the factory floor.
Make sure the confidence level is high. This is important
because IoT Security will not push IP address-to-device mappings
to firewalls until they reach a high confidence level. See the suggested
actions to take when a device does not achieve high confidence described
in Step 1.
Check that the IP address-to-device mappings in the firewall
are accurate by picking a few IoT devices at random and comparing
their device category, profile, vendor, model, OS family, and OS
version (OS name + version) in the IoT Security portal and firewall.
Use device profiles, resolved through the IP address-to-device mappings,
as the source or destination in your Security policy rules, and place those
rules near the top of your rulebase so they match before broader rules do.
This lets you simplify your Security policy configuration by matching on
IoT device types instead of maintaining IP address groups.
Step 3. Extend protection to all IoT devices.
Conduct continuous assessments of your device inventory
to find devices on your network that IoT Security has not yet discovered.
Investigate why these devices are missing. You might need more firewalls
to capture traffic in certain sections of your network. Check whether
DHCP traffic is observed from those devices and, if not, find any
gaps in coverage and fill them.
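The assessment above has two outcomes for an undiscovered device: a firewall does see its DHCP traffic and IoT Security simply has not finished identifying it, or no firewall sees it at all and there is a coverage gap. The following added example (not code from the page) works that split out from constructed inputs: the DHCP server's lease table as the authoritative list of live hosts, the set of MAC addresses already in the IoT Security inventory, and the set of MAC addresses for which any monitoring firewall has logged DHCP traffic. Undiscovered devices with no DHCP visibility are grouped by subnet so you can see which network segment needs a sensor or firewall. The addresses, the /24 grouping and the data sources are assumptions; in practice the three inputs come from your DHCP server, the portal's Devices page, and the firewall's logs.

```python
"""Find devices on the network that IoT Security has not discovered and separate
coverage gaps from devices that are still being identified.

Added example for the IoT Security best practices page; not from the page.
All inputs are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed DHCP lease table exported from the DHCP server (live hosts).
DHCP_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.1.20.15"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.20.16"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.1.20.18"},
    {"mac": "aa:bb:cc:00:00:10", "ip": "10.1.40.21"},
    {"mac": "aa:bb:cc:00:00:11", "ip": "10.1.40.22"},
]

# Constructed IoT Security inventory: MACs already listed on the Devices page.
INVENTORY_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed: MACs for which at least one monitoring firewall logged DHCP traffic.
FIREWALL_DHCP_SEEN = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}


def undiscovered(leases, inventory_macs):
    """Live hosts (per DHCP) that IoT Security has not put in its inventory."""
    return [lease for lease in leases if lease["mac"] not in inventory_macs]


def classify_gaps(leases, inventory_macs, dhcp_seen, prefix=24):
    """Split undiscovered hosts into two buckets.

    'identifying': a firewall sees the device's DHCP traffic, so IoT Security is
    receiving data and just needs more time (see the confidence guidance in Step 1).
    'no_coverage': no firewall sees the device; grouped by subnet (prefix length is
    an assumption) to show where monitoring has to be added.
    """
    identifying, no_coverage = [], defaultdict(list)
    for lease in undiscovered(leases, inventory_macs):
        if lease["mac"] in dhcp_seen:
            identifying.append(lease["mac"])
        else:
            net = ipaddress.ip_network(f"{lease['ip']}/{prefix}", strict=False)
            no_coverage[str(net)].append(lease["mac"])
    return {"identifying": sorted(identifying),
            "no_coverage": {k: sorted(v) for k, v in no_coverage.items()}}


def coverage_ratio(leases, inventory_macs):
    """Share of live hosts already in the inventory; track this week over week."""
    if not leases:
        return 1.0
    return 1 - len(undiscovered(leases, inventory_macs)) / len(leases)


if __name__ == "__main__":
    report = classify_gaps(DHCP_LEASES, INVENTORY_MACS, FIREWALL_DHCP_SEEN)
    print(f"coverage: {coverage_ratio(DHCP_LEASES, INVENTORY_MACS):.0%}")
    print("still identifying:", report["identifying"])
    for subnet, macs in report["no_coverage"].items():
        print(f"no firewall visibility in {subnet}: {len(macs)} device(s)")
```

Devices with static addresses never appear in a lease table, so supplement the DHCP export with ARP or switch MAC tables for segments where static addressing is common.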
Identify your critical protect surfaces; that is,
the data, applications, assets, and services (DAAS) that you want
to protect. IoT Security assists with this step by detecting and
classifying all IT and IoT devices on your network.
Map your critical transaction flows. IoT Security helps with
this by tracking network behaviors of all your devices.
Architect your zero-trust network. Logically organize the
IoT devices into a manageable number of groups. Within each group,
the devices share the same set of policy rules. The configuration
construct on the firewall is a device object containing all the
devices that share a specific attribute: category, profile,
vendor, model, or OS group. The granularity of this filter is up
to each administrator, but applying a Security policy rule at the
device profile level should satisfy most cases.
Create zero-trust policy rules. IoT Security helps with this
by making policy recommendations based on the observed device behaviors
and activities. When implementing your Security policy rules, start
with your most valuable and critical DAAS protect surfaces. Then
move on to the next set of protect surfaces on the priority list
and keep going through the list until you reach your security goals.
Keep your network security current. IoT Security helps with
this by dynamically maintaining a device inventory of your monitored
devices and their network behaviors.
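Two points above depend on how the firewall evaluates the rulebase: device objects group devices by a shared attribute (Step 2 also says to place device-profile rules near the top so they match), and a rule is only useful if traffic actually reaches it. The model below is an added example, not code from the page or a Palo Alto Networks component: it implements top-down first-match over a constructed rulebase whose rules use device objects (attribute filters) as sources, resolves source IP addresses through constructed IP address-to-device mappings, and shows that the same camera rules are never hit when a broad default-access rule sits above them, but work once moved to the top. Rule names, attribute values, applications and the way the implicit interzone default is represented are all assumptions of the model, not PAN-OS configuration syntax.

```python
"""Model first-match Security policy evaluation with device objects as sources.

Added example for the IoT Security best practices page; not from the page and
not PAN-OS code. Mappings, rules and flows are constructed.
"""
from dataclasses import dataclass, field

# Constructed IP address-to-device mappings for high-confidence devices.
IP_DEVICE_MAP = {
    "10.1.20.15": {"category": "Camera", "profile": "IP Camera", "vendor": "ExampleCam",
                   "model": "C100", "os_family": "Linux", "os_version": "Linux 4.9"},
    "10.1.20.16": {"category": "Medical", "profile": "Infusion Pump", "vendor": "ExampleMed",
                   "model": "P200", "os_family": "VxWorks", "os_version": "VxWorks 6.9"},
}


@dataclass
class Rule:
    name: str
    action: str
    # Device object: attribute -> value (category, profile, vendor, model, os_family,
    # os_version). Empty means any source device, including unidentified ones.
    source_device: dict = field(default_factory=dict)
    destinations: frozenset = frozenset({"any"})
    applications: frozenset = frozenset({"any"})


def device_matches(device, device_object):
    """A device object matches when every attribute it names equals the device's.
    An unmapped source (device is None) cannot match a non-empty device object."""
    if not device_object:
        return True
    return device is not None and all(device.get(k) == v for k, v in device_object.items())


def first_match(rulebase, flow, ip_device_map=IP_DEVICE_MAP):
    """Top-down first match over (src_ip, destination, application)."""
    src_ip, dst, app = flow
    device = ip_device_map.get(src_ip)
    for rule in rulebase:
        if not device_matches(device, rule.source_device):
            continue
        if "any" not in rule.destinations and dst not in rule.destinations:
            continue
        if "any" not in rule.applications and app not in rule.applications:
            continue
        return rule.name
    return "interzone-default"  # model's stand-in for the implicit default rule


def shadowed_rules(rulebase, flows):
    """Rules that would match at least one flow on their own but are never reached
    in the configured order because an earlier rule matches first."""
    hit = {first_match(rulebase, f) for f in flows}
    return [r.name for r in rulebase
            if r.name not in hit and any(first_match([r], f) == r.name for f in flows)]


# Constructed rules. CAMERA is a device object keyed on the device profile.
CAMERA = {"profile": "IP Camera"}
BROAD_ACCESS = Rule("allow-iot-default-access", "allow")  # for new, unidentified devices
CAMERA_TO_NVR = Rule("camera-to-nvr", "allow", CAMERA, frozenset({"nvr"}), frozenset({"rtsp"}))
CAMERA_DENY = Rule("camera-deny-other", "deny", CAMERA)

BAD_ORDER = [BROAD_ACCESS, CAMERA_TO_NVR, CAMERA_DENY]   # device rules below the broad rule
GOOD_ORDER = [CAMERA_TO_NVR, CAMERA_DENY, BROAD_ACCESS]  # device rules near the top

# Constructed flows: (src_ip, destination, application).
FLOWS = [
    ("10.1.20.15", "nvr", "rtsp"),
    ("10.1.20.15", "internet", "web-browsing"),
    ("10.1.20.16", "ehr-server", "hl7"),
    ("10.1.20.99", "internet", "ssl"),  # unidentified device, no mapping yet
]

if __name__ == "__main__":
    for label, rb in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(label, [first_match(rb, f) for f in FLOWS], "shadowed:", shadowed_rules(rb, FLOWS))
```

Run the shadow check against each rulebase change: moving a broad rule up, or adding one, silently turns the device-profile rules beneath it into dead configuration.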
Enable notifications of security alerts via email or SMS.
This enables IoT Security to notify you immediately so
that you can respond faster.
Configure the weekly generation of risk reports to discover
new risks and to check on the status of those under investigation.