Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Creating a Network Discovery Policy
The network discovery policy on the Defense Center controls how the system collects data on your organization's network assets and which network segments and ports are monitored.

Discovery rules within the policy specify which networks and ports the FireSIGHT System monitors to generate discovery data from traffic, and which zones the policy is applied to. Within a rule, you can configure whether hosts, applications, and users are discovered. You can create rules to exclude networks and zones from discovery. When you create a rule for discovery from a NetFlow device, you can choose to log connections only.

The network discovery policy has a single default rule in place, configured to discover applications in any IPv4 traffic on the 0.0.0.0/0 network. Note that you must have applied an access control policy to the targeted device before you can apply a network discovery policy. The default rule does not exclude any networks, zones, or ports; host and user discovery is not configured; and no NetFlow device is configured. Note that the policy is applied to any managed devices by default when they are registered to the Defense Center. To begin collecting host or user data, you must add or modify discovery rules and reapply the policy to a device.
Remember that the access control policy (see ) defines the traffic that you permit, and therefore the traffic you can monitor with network discovery. This means that if you block certain traffic using access control, the system cannot examine that traffic for host, user, or application activity. For example, if you block access to social networking applications in the access control policy, the system will not provide you with any discovery data on those applications.

If you want to adjust the scope of network discovery, you can create additional discovery rules and modify or remove the default rule. You can configure discovery of data from NetFlow devices and can restrict the protocols for traffic where user data is discovered on your network.

If you want to use the FireSIGHT System to perform intrusion detection and prevention but do not need to take advantage of discovery data, you can optimize performance by disabling new discovery. First, make sure that your applied access control policies do not contain rules with user, application, or URL conditions. Then, remove all rules from your network discovery policy and apply it to your managed devices. For more information on configuring access control rules, see .
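The interaction described above (access control decides what traffic exists to be examined, discover rules select which data types are collected for matching networks, zones and ports, exclude rules remove networks or zones from scope, and an empty rule set disables discovery) can be made concrete with a small model. The following Python is an added illustration, not the FireSIGHT System's own code or configuration format; the rule and flow fields, the `blocked_applications` stand-in for access control block rules, and the choice to give exclude rules precedence over discover rules are assumptions of this model.

```python
"""Model of how a FireSIGHT-style network discovery policy scopes data collection.

Added illustration only: not the product's own code or configuration format.
It models the concepts from the text: an access control decision that happens
first (blocked traffic is never examined), discovery rules that match on
networks, zones and ports and select which data types (hosts, applications,
users) to discover, and exclude rules that remove networks or zones from
discovery. Giving exclude rules precedence over discover rules is an assumption
of this model, as are the rule and flow field names.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DATA_TYPES = {"hosts", "applications", "users"}


@dataclass
class DiscoveryRule:
    action: str                                  # "discover" or "exclude"
    networks: list                               # CIDR strings; 0.0.0.0/0 = any IPv4
    zones: Optional[set] = None                  # None = any zone
    ports: Optional[set] = None                  # None = any destination port
    discover: set = field(default_factory=set)   # subset of DATA_TYPES (discover rules only)

    def matches(self, flow):
        """A flow is in scope if either endpoint is in a rule network and zone/port match."""
        nets = [ipaddress.ip_network(n) for n in self.networks]
        # IPv6 addresses never fall inside an IPv4 network, so the default
        # 0.0.0.0/0 rule leaves IPv6 traffic undiscovered, as the text states.
        host_in_scope = any(
            ipaddress.ip_address(ip) in net
            for ip in (flow["src_ip"], flow["dst_ip"])
            for net in nets
        )
        zone_ok = self.zones is None or flow["zone"] in self.zones
        port_ok = self.ports is None or flow["dst_port"] in self.ports
        return host_in_scope and zone_ok and port_ok


@dataclass
class DiscoveryPolicy:
    rules: list
    # Stand-in for access control rules that block an application (model assumption).
    blocked_applications: set = field(default_factory=set)

    def discovered_data(self, flow):
        """Return the set of data types the system would record for this flow."""
        # Access control is evaluated first: blocked traffic is never examined.
        if flow["application"] in self.blocked_applications:
            return set()
        # Exclude rules remove the flow from discovery entirely (model assumption:
        # they take precedence over any matching discover rule).
        if any(r.action == "exclude" and r.matches(flow) for r in self.rules):
            return set()
        # Union of data types from every matching discover rule; an empty rule
        # list (discovery disabled) yields nothing.
        found = set()
        for r in self.rules:
            if r.action == "discover" and r.matches(flow):
                found |= r.discover & DATA_TYPES
        return found


# The default policy from the text: discover applications in any IPv4 traffic.
DEFAULT_POLICY = DiscoveryPolicy(rules=[
    DiscoveryRule("discover", ["0.0.0.0/0"], discover={"applications"}),
])


def make_flow(src_ip, dst_ip, zone="inside", dst_port=443, application="HTTPS"):
    """Build a constructed sample flow record (not a real connection event)."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "zone": zone,
            "dst_port": dst_port, "application": application}


if __name__ == "__main__":
    sample = make_flow("192.0.2.10", "198.51.100.20")   # constructed documentation addresses
    print("default policy discovers:", DEFAULT_POLICY.discovered_data(sample))
```

Running the module with the default policy reports only `applications` for the sample flow; adding a discover rule with hosts and users for an internal network, an exclude rule for a subnet within it, and a blocked application shows each of the cases the text describes in turn.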
If you enable user discovery in your discovery rules, you can detect users through user login activity in traffic over a set of application protocols. You can disable discovery in particular protocols across all rules if needed. Disabling some protocols can help avoid reaching the user limit associated with your FireSIGHT license, reserving available user count for users from the other protocols.

Advanced network discovery settings allow you to manage what data is logged, how discovery data is stored, which indications of compromise (IOC) rules are active, which vulnerability mappings are used for impact assessment, and what happens when sources offer conflicting discovery data. You can also add NetFlow devices and sources for host input.
For more information, see:
Working with Discovery Rules
License: FireSIGHT