Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery
  Understanding Discovery Data Collection
To enable SSL application identification, you must create access control rules that monitor responder 
traffic. Those rules must have either an application condition for the SSL application or URL conditions 
using the URL from the SSL certificate. For network discovery, the responder IP address does not have 
to be in the networks to monitor in the network discovery policy; the access control policy configuration 
determines whether the traffic is identified. You can filter by the SSL protocol tag, in the application 
detectors list or when adding application conditions in access control rules, to identify detectors for SSL 
applications.
Special Considerations: Referred Web Applications
Web servers sometimes refer traffic to other websites, which are often advertisement servers. To help 
you better understand the context for referred traffic occurring on your network, the system lists the web 
application that referred the traffic in the Web Application field in events for the referred session. The 
VDB contains a list of known referred sites. When the system detects traffic from one of those sites, the 
referring site is stored with the event for that traffic. For example, if an advertisement accessed via 
Facebook is actually hosted on Advertising.com, the detected Advertising.com traffic is associated with 
the Facebook web application. 
In events, if a referring application exists, it is listed as the web application for the traffic, while the URL 
is that for the referred site. In the example above, the web application for the connection event for that 
traffic would be Facebook, but the URL would be Advertising.com. If no referring web application is 
detected, if the host refers to itself, or if there is a chain of referrals, a referred application may appear 
as the web application in the event. In the dashboard, connection and byte counts for web applications 
include sessions where the web application is associated with traffic referred by that application. 
Note that if you create a rule to act specifically on referred traffic, you should add a condition for the 
referred application, rather than the referring application. To block Advertising.com traffic referred from 
Facebook, for example, add an application condition to your access control rule for the Advertising.com 
application.
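
The following Python example is added here and is not part of the Cisco guide. It splits connection events per web application into traffic to the application's own domains and traffic to referred hosts, then reports which referred application a rule condition should name. The CSV column names, the sample events, and the application-to-domain map are assumptions constructed for the example, not the FireSIGHT export format.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events; the column names are assumptions for this example.
SAMPLE_EVENTS = """web_application,url,bytes
Facebook,http://www.facebook.com/home,12000
Facebook,http://ads.advertising.com/banner.js,4000
Facebook,advertising.com/pixel.gif,500
Advertising.com,http://advertising.com/about,900
"""

# Hypothetical analyst-maintained map: application name -> domains it serves from.
APP_DOMAINS = {"Facebook": {"facebook.com"}, "Advertising.com": {"advertising.com"}}

def url_host(url):
    """Host part of a URL, tolerating values logged without a scheme."""
    return urlsplit(url if "//" in url else "//" + url).hostname or ""

def in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def split_referred(events_csv, app_domains):
    """Per web application: bytes to its own domains vs. bytes per referred host."""
    totals = defaultdict(lambda: {"direct": 0, "referred": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(events_csv)):
        app, host = row["web_application"], url_host(row["url"])
        if in_domains(host, app_domains.get(app, ())):
            totals[app]["direct"] += int(row["bytes"])
        else:
            # URL host is outside the listed application (or the app is unmapped).
            totals[app]["referred"][host] += int(row["bytes"])
    return totals

def rule_conditions(totals, app_domains):
    """(referring app, referred app) pairs; a rule should name the referred app."""
    pairs = set()
    for app, t in totals.items():
        for host in t["referred"]:
            pairs |= {(app, other) for other, doms in app_domains.items()
                      if other != app and in_domains(host, doms)}
    return sorted(pairs)

if __name__ == "__main__":
    totals = split_referred(SAMPLE_EVENTS, APP_DOMAINS)
    print(rule_conditions(totals, APP_DOMAINS))
```

In each pair returned by `rule_conditions`, the second element is the referred application, which is the one to use in the access control rule's application condition.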
Importing Third-Party Discovery Data
License: FireSIGHT
You can use Nmap active scans to add information about operating systems, applications, and 
vulnerabilities, supplementing the data gathered by the system. For more information on Nmap scanning 
and scan results, see 
.
You can also use the host input feature to supplement the information that the system gathers from 
monitoring network traffic, either by configuring a third-party application to interact with the 
FireSIGHT System via an API, or by manually adding data. You can create product, vulnerability, and 
fix mappings to map third-party data to Cisco definitions, enabling impact correlation for operating 
systems and servers. For more information on the host input feature and mapping third-party data, see 
the FireSIGHT System Host Input API Guide and 
The system reconciles the collected data about operating system and server identities and determines 
each identity based on fingerprint source priority values, identity conflict resolution settings, and time 
of collection.
You can also configure your network map to use data from NetFlow-enabled devices to enhance your 
network map and event tables. For more information, see 
.