Monitor Your IoT Security Deployment Using Best Practices
These are daily, weekly, and monthly IoT Security maintenance
When maintaining your IoT Security deployment,
it’s helpful to view the maintenance in terms of daily, weekly,
and monthly tasks.
Check security alerts that you learn
about through email or SMS notifications or by scanning the Security
Alerts page in the IoT Security portal, and respond
as appropriate for their severity and urgency.
Review system alerts in the IoT Security portal
and the Firewalls page (Sites and Firewalls)
to check that firewalls are connected to IoT Security. If a firewall
is disconnected, IoT Security stops analyzing log data and no new
device detections and identifications occur. Serious events that
increase risk to your devices and your network could be missed.
Scan the Devices page for newly discovered devices and confirm
that their network access is authorized. Unauthorized devices pose
a threat if they did not undergo an onboarding process that provisions
them to do all the following: connect to appropriate network segments,
use only approved applications, and (if the devices support it)
run required endpoint protection.
On the Firewalls page in the IoT Security
portal, watch for unusually large shifts in log volume from firewalls.
An unexpected spike or dip might indicate anomalous network activity
or a change to the configuration or connection of a firewall.
Track the network activity of high-value devices on the Devices
page in the IoT Security portal. If a normally active device is
unexpectedly inactive, check the last time it was active (you can
also do this on the Devices page). Investigate further if the length
of inactivity raises concern.
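The two daily checks above (watching for log-volume shifts per firewall and spotting high-value devices that have gone quiet) can be scripted against exported data. The following is an added example, not code from the IoT Security product or its documentation; the firewall names, log counts, device names and timestamps are constructed sample data, and the 50% deviation and 24-hour idle thresholds are assumed starting points to tune for your environment.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: daily log counts per firewall, oldest first (not real data).
LOG_VOLUME = {
    "fw-branch-01": [50_200, 49_800, 51_100, 50_600, 50_900, 3_200],      # dip on last day
    "fw-campus-02": [120_000, 118_500, 121_300, 119_900, 120_400, 121_000],
    "fw-dc-03":     [80_000, 81_200, 79_600, 80_300, 240_000, 80_100],    # spike on day 4
}

# Constructed sample: device inventory with last-active timestamps (not real data).
DEVICES = [
    {"name": "infusion-pump-12", "last_active": "2024-05-01T08:15:00", "high_value": True},
    {"name": "hvac-ctrl-3",      "last_active": "2024-05-06T22:40:00", "high_value": True},
    {"name": "badge-printer-1",  "last_active": "2024-04-20T10:00:00", "high_value": False},
]

def volume_shifts(series, window=3, threshold=0.5):
    """Flag days whose log count deviates from the trailing median of the previous
    `window` days by more than `threshold` (a fraction). The median baseline is used
    so one spike does not distort the baseline for the days that follow.
    Returns a list of (day_index, ratio) where ratio = count / baseline."""
    flagged = []
    for i in range(window, len(series)):
        baseline = median(series[i - window:i])
        if baseline == 0:          # no history to compare against; skip rather than divide by zero
            continue
        ratio = series[i] / baseline
        if abs(ratio - 1) > threshold:
            flagged.append((i, round(ratio, 2)))
    return flagged

def inactive_high_value(devices, now_iso, max_idle_hours=24):
    """Return names of high-value devices whose last activity is older than
    `max_idle_hours` relative to `now_iso` (an ISO-8601 timestamp string)."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(hours=max_idle_hours)
    return [d["name"] for d in devices
            if d["high_value"] and now - datetime.fromisoformat(d["last_active"]) > limit]

if __name__ == "__main__":
    for fw, counts in LOG_VOLUME.items():
        for day, ratio in volume_shifts(counts):
            kind = "spike" if ratio > 1 else "dip"
            print(f"{fw}: log volume {kind} on day {day} ({ratio}x trailing median)")
    for name in inactive_high_value(DEVICES, "2024-05-07T09:00:00"):
        print(f"{name}: high-value device inactive for more than 24h, investigate")
```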
Review the weekly Risk report to check for any new risks
and track the status of work remediating existing risks.
Check that the firewall regularly receives IP address-to-device
mappings from IoT Security to ensure no devices are missing from
policy enforcement. Use the following two CLI commands to check
the connection status between the edge servers and firewall and
which mappings the firewall received:
show iot icd statistics verdict
Shows statistics about the IP address-to-device mappings, or verdicts,
that the ICD (Identity Client Daemon) running on the edge server
in front of the IoT Security cloud sent to the IoTd (IoT daemon)
running on the firewall.
show iot ip-device-mapping all
Shows which IP address-to-device mappings (verdicts) the firewall received.
When there’s a network expansion,
look for new network segments. If necessary, deploy more firewalls
to provide additional coverage and make sure traffic from devices
in these segments reaches the firewall and is reported to Cortex™
Review user audit logs in the IoT Security portal
for unusual activities, such as unexpected configuration changes.
Use Policy Optimizer
in the firewall web interface to check if recommended policies added
to the firewall are being used and make adjustments to policy rules