Deploy IoT Security Using Best Practices

Gain insight into your IoT inventory.
Give new unidentified devices default network access so they can establish their normal behavior and IoT Security can identify them. Then the firewall will apply policy rules to traffic to and from those new devices based on a device ID attribute—device category, profile, vendor, model, OS family, or OS version.
Enable logging and log forwarding on the firewall and provision IoT Security.
Enable all available logging on the firewall, including Enhanced Application Logs (EALs), on the firewall. EALs are necessary to capture the data in packet payloads, which the IoT Security solution uses to identify devices.
Enable log forwarding so that the firewall sends collected data to Cortex Data Lake and so the IoT Security solution can access that data.
Provision an IoT Security cloud tenant to start analyzing data. For information about onboarding IoT Security, see the IoT Security Administrator Guide.
Allow approximately one week for IoT Security to gather and analyze enough traffic to establish a stable device inventory and baseline. Although IoT Security will identify most devices within hours of receiving logs from the firewall, it is normal for device identification to change during the first few days as more data is collected. Additionally, IoT Security will identify devices with more traffic faster than those that generate less traffic.
If the confidence level for an IoT device isn’t high confidence, there could be several causes and several actions you can take.
The device is inactive and there isn't enough data about its network behavior to identify it with a high level of confidence. If this is the case, you can help the device to generate more network traffic.
If changes to the deployment or security posture of a device affected its network behavior or the collection of its behavior, restart the baseline process to give it a fresh start.
If the IoT device is behind a NAT device along with other devices, their traffic will appear to come from the same source and present a mix of behaviors. In this case, consider deploying a firewall to collect network data from behind the NAT device.
If you deploy a firewall as a sensor in tap mode, check if incoming data from the SPAN port on the switch includes both TX and RX data. If not, it’s possible that asymmetric routing is not delivering traffic to the same SPAN port. Reconfigure the switch to correct this.
If you know the identity of the IoT device, manually enter the information in Device Details in the IoT Security portal.
If you don't recognize the device, you've eliminated the other possible causes above, and IoT Security still hasn't confidently identified the device, then there might not be enough samples of network behavior for this particular device profile. In this case, the only option is to allow additional time for IoT Security to collect data and learn about the device and similar devices in that same profile.
Device confidence scores are on the Devices page in the IoT Security portal.
Identify and protect your most critical IoT devices.
Determine which IoT devices are mission-critical; that is, those devices that are required to sustain business continuity. For example, for healthcare companies, this could be medical equipment used to diagnose and treat patients; or for industrial environments, this could be factory-line devices such as programmable logic controllers on the factory floor.
Make sure the confidence level is high. This is important because IoT Security will not push IP address-to-device mappings to firewalls until they reach a high confidence level. See the suggested actions to take when a device does not achieve high confidence described in Step 1.
Check that the IP address-to-device mappings in the firewall are accurate by picking a few IoT devices at random and comparing their device category, profile, vendor, model, OS family, and OS version (OS name + version) in the IoT Security portal and firewall.
Use device profiles identified by IP address-to-device mappings as the source or destination in your Security policy rules and place them in suitable positions near the top of your rulebase so they will match. This enables you to simplify your security policy configuration by using IoT device types instead of IP address groups.
Extend protection to all IoT devices.
Conduct continuous assessments of your device inventory to find devices on your network that IoT Security has not yet discovered. Investigate why these devices are missing. You might need more firewalls to capture traffic in certain sections of your network. Check whether DHCP traffic is observed from those devices and, if not, find any gaps in coverage and fill them.
Implement a zero-trust policy.
Use IoT Security to implement a zero-trust policy as described in Best Practices Implementing Zero Trust with Palo Alto Networks. The following are the five steps for this implementation strategy:
Identify your critical protect surfaces; that is, the data, applications, assets, and services (DAAS) that you want to protect. IoT Security assists with this step by detecting and classifying all IT and IoT devices on your network.
Map your critical transaction flows. IoT Security helps with this by tracking network behaviors of all your devices.
Architect your zero-trust network. Logically organize the IoT devices into a manageable number of groups. Within each group, the devices share the same set of policy rules. The configuration construct on the firewall is a device object containing all the devices that are sharing a specific attribute–category, profile, vendor, model, or OS group. The granularity of this filter is up to each administrator but applying a Security policy rule at the device profile level should satisfy most cases.
Create zero-trust policy rules. IoT Security helps with this by making policy recommendations based on the observed device behaviors and activities. When implementing your Security policy rules, start with your most valuable and critical DAAS protect surfaces. Then move on to the next set of protect surfaces on the priority list and keep going through the list until you reach your security goals.
Keep your network security current. IoT Security helps with this by dynamically maintaining a device inventory of your monitored devices and their network behaviors.
Enable notifications of security alerts via email, SMS, or both.
This enables IoT Security to notify you immediately so that you can respond faster.
Configure the weekly generation of risk reports to discover new risks and to check on the status of those under investigation.