New Features - Device Security - March 2026
Device Security Cisco ISE Enhancement for Custom Attributes
When you configure the Device Security integration with Cisco ISE, you can choose to import Cisco ISE custom attributes and Security Group Tag (SGT) information to enhance the integration between ISE authorization profiles and Device Security device details. You can use the Cisco ISE custom attributes when defining Advanced Device-ID criteria, so that you can create Advanced Device-ID in sync with Cisco ISE authorization profiles.
Device Security Enhanced Device Details Change History
When device attributes change, tracking what changed and when can be difficult, limiting your ability to understand your network environment and investigate security incidents. From the Device Details page, Device Security now provides a more in-depth history of changes to device attributes, such as IP address changes or device activity.
When you View History from the subtitle on a Device Details page, you can see the Device Change History table, which shows the date and changes of various device attributes. You can also View History for the IP address on the Device Details page, which displays the current IP address and the past IP addresses for the device.
With greater visibility into how device attributes have changed, you can more effectively investigate anomalies and track device behavior over time for compliance and forensic purposes.
Device Security Integration with Infoblox IPAM
(March 2026) Polling the Infoblox integration for device details across your entire network can be slow when you only need data from specific subnets. When configuring the Infoblox integration instance on Cortex XSOAR, you can now limit the polling to a specific subnet scope.
You can specify up to 10 subnet scopes, and then Cortex XSOAR will only poll Infoblox for device details from those subnet scopes. This improves the speed of each integration job while getting information specific to the subnets you're interested in. This is particularly useful in large environments where polling the full network is neither practical nor efficient.
(December 2025) Device Security can now learn about static IP addresses and DHCP leases when integrating with Infoblox IPAM.
Integrate Device Security with Infoblox IPAM to retrieve IP blocks and subnets (called containers and networks by Infoblox) plus related data about sites, VLANs, and descriptions. For more information, see Integrate Device Security with Infoblox IPAM.
Device Security Integration with Microsoft Sentinel
Device Security supports integrating with Microsoft Sentinel for SIEM logging, allowing you to send information about devices, alerts, and vulnerabilities directly to your SIEM.
When you integrate Device Security with SIEM logging, you can connect Device Security with Microsoft Sentinel to send information. This integration consolidates Device Security data with the rest of your security telemetry, enabling your security operations team to investigate incidents using a single platform.
By integrating with Microsoft Sentinel for SIEM logging, you can see your Device Security devices and their logs in your Microsoft Sentinel interface.
Device Security Integration with Nozomi Networks
Device Security supports integrating with Nozomi Networks Vantage and CMC/Guardian, making it easier to migrate from Nozomi to Device Security; consolidate asset data across OT and IT networks when Nozomi is deployed within OT while Device Security is deployed within IT; and create Advanced Device-ID policies using Nozomi data.
When you integrate with Nozomi Networks, you can connect to Nozomi Guardian (on-premises) or Nozomi Vantage (cloud) to ingest detailed OT and IoT asset data, as well as automatically fetch vulnerabilities.
By integrating Nozomi Networks with Device Security, you can streamline the migration from Nozomi to Device Security, enrich your asset inventory with detailed OT data, and build more accurate Advanced Device-ID policies.
Device Security Locking for Static IP Addresses
Devices with static IP addresses can cause Device-ID verdicts to expire when they go offline, disrupting policy enforcement even though the device will return to the same IP address. Palo Alto Networks® Device Security now lets you lock down devices with static IP addresses by confirming the static IP address for the device.
When you confirm a static IP address for a device, any corresponding Device-ID verdict in the firewall won't expire until a new IP address is detected through network traffic, even after the device goes offline. This ensures that Device-ID policies continue to work for devices with confirmed static IP addresses, while avoiding stale verdicts for devices without confirmed static IP addresses.
By locking static IP addresses, you maintain uninterrupted Device-ID policy enforcement for fixed-address devices, without risking stale data for devices that receive dynamic addresses.
Device Security Network Visualizations
(March 2026) Device Security Network Visualizations now support creating and managing process zones directly from the network map. With process zones, you can logically and visually group OT/IoT devices based on device behaviors within a network.
You can select individual devices and neighbor nodes from the topology, assign them to an existing process zone or create a new one, preview the grouping before committing, and edit zone membership after creation. By defining process zones visually in context, you can manage devices based on the risk and criticality of the operational processes within your environment.
(January 2024) Create network visualization maps to view networks and device behaviors within those networks from different perspectives. Use maps to expose trends, observe relationships, and glean fresh insight into segmentation hygiene, blast radius in the event of compromise, and current network behaviors. The previously released Device Visualization feature has been redesigned to improve map creation and navigation.
Device Security creates network visualization maps based on the traffic and communication patterns that it learns from monitoring and analyzing network activity. Use the network visualizations to assess broad trends across your entire network, or to focus on different groups of devices or different facets of your network. You can group devices by various attributes to use for visualizations, and you can add a second layer by choosing a different attribute to focus on within the first attribute grouping. Device groupings include Purdue level to support network visualizations of Industrial OT IoT devices.
When viewing network visualizations, you can filter for certain characteristics to highlight them in the visualization map. By hovering over and interacting with the visualization, you can view information about specific nodes or groups, from a pop-up panel to a drill-down view. You can use the Map Builder to edit the device groupings and scope, and you can save map views that are useful to refer to often.
Device Security Subnet-Site Mapping Source Priority
When you integrate multiple network management and IP Address Management (IPAM) tools, conflicting site assignments for the same subnet can occur, making it difficult to maintain accurate device-to-site mappings across your environment. Device Security now lets you define a global subnet-site mapping priority order to resolve these conflicts.
You can select your preferred third-party system, or traffic or manual site definition, as the priority source for site assignments. When multiple sources provide conflicting subnet-to-site data, Device Security uses your defined priority order to determine the authoritative source. This feature also supports the flexibility to configure exceptions for individual subnets, allowing you to override the global priority for specific network segments.
By establishing a clear priority for site assignments, you avoid volatile or inaccurate device-to-site mappings that can complicate asset tracking. Consistent site assignments provide reliable context for security monitoring, compliance reporting, and policy enforcement across your organization.
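The priority rule described above can be modelled offline to see which subnets your sources disagree on before you choose an order. This is an added example, not Palo Alto Networks code or the product's implementation; the source names, the data layout, and the form of a per-subnet exception (an alternate priority order for one subnet) are assumptions, and the sample data is constructed.

```python
import ipaddress

# Constructed sample data: each source's subnet -> site claims (not real exports).
CLAIMS = {
    "infoblox": {"10.1.0.0/24": "HQ", "10.2.0.0/24": "Plant-A"},
    "traffic": {"10.1.0.0/24": "HQ", "10.2.0.0/24": "Plant-B", "10.3.0.0/24": "Lab"},
    "manual": {"10.2.0.0/24": "Plant-A-Annex"},
}
# Assumed global order, highest priority first.
GLOBAL_PRIORITY = ["infoblox", "manual", "traffic"]
# Assumed exception format: one subnet overrides the global order.
EXCEPTIONS = {"10.2.0.0/24": ["manual", "infoblox", "traffic"]}


def resolve_sites(claims, global_priority, exceptions=None):
    """Return {subnet: (site, winning_source, conflicted)} for every claimed subnet."""
    # Normalise CIDR keys; ip_network raises ValueError if host bits are set.
    exceptions = {str(ipaddress.ip_network(k)): v
                  for k, v in (exceptions or {}).items()}
    by_subnet = {}
    for source, mapping in claims.items():
        for cidr, site in mapping.items():
            net = str(ipaddress.ip_network(cidr))
            by_subnet.setdefault(net, {})[source] = site

    resolved = {}
    for net, offers in by_subnet.items():
        order = exceptions.get(net, global_priority)
        winner = next((s for s in order if s in offers), None)
        if winner is None:
            # Only sources missing from the priority order claim this subnet:
            # flag it for review rather than guessing a site.
            resolved[net] = (None, None, True)
            continue
        conflicted = len(set(offers.values())) > 1
        resolved[net] = (offers[winner], winner, conflicted)
    return resolved


if __name__ == "__main__":
    result = resolve_sites(CLAIMS, GLOBAL_PRIORITY, EXCEPTIONS)
    for net, (site, src, conflicted) in sorted(result.items()):
        flag = "  [conflict]" if conflicted else ""
        print(f"{net:14} -> {site} (from {src}){flag}")
```

Subnets flagged as conflicted are the ones where the chosen order changes the device-to-site mapping, so they are the ones worth reviewing before setting the global priority or an exception.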