FireSIGHT System User Guide

Chapter 35 Introduction to Network Discovery
Creating a Network Discovery Policy
Discovery rules allow you to tailor the information discovered for your network map to include only the 
specific data you want. Rules in your network discovery policy are evaluated sequentially. Note that 
while you can create rules with overlapping monitoring criteria, doing so may affect your system 
performance.
When you exclude a host or a network from monitoring, the host or network does not appear in the 
network map and no events are reported for it. Cisco recommends that you exclude load balancers (or 
specific ports on load balancers) and NAT devices from monitoring. These devices may create excessive 
and misleading events, filling the database and overloading the Defense Center. For example, a 
monitored NAT device might exhibit multiple updates of its operating system in a short period of time. 
If you know the IP addresses of your load balancers and NAT devices, you can exclude them from 
monitoring.
Tip: The system can identify many load balancers and NAT devices by examining your network traffic. To determine which hosts on your network are load balancers and NAT devices, apply your network discovery policy, wait for the system to populate the network map, then perform a search of hosts constraining on host type. For more information, see .
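As an added illustration (not code from the FireSIGHT product or this guide), the following Python script applies the symptom described above, a single IP address whose detected operating system changes repeatedly within a few minutes, to constructed discovery events and lists the hosts that are candidates for exclusion from monitoring. The sliding window and change-count thresholds are assumptions chosen for the example.

```python
# Added example, not Cisco's code: flag hosts whose discovered operating
# system flips repeatedly inside a short window. A NAT device or load
# balancer looks like this in discovery data because many distinct hosts
# share its IP address; such hosts are candidates for exclusion.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample discovery events: (timestamp, host IP, detected OS).
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:00", "10.0.0.5", "Linux 4.x"),
    ("2024-01-01 09:02:00", "10.0.0.5", "Windows 10"),
    ("2024-01-01 09:05:00", "10.0.0.5", "Mac OS X 10.15"),
    ("2024-01-01 09:07:00", "10.0.0.5", "Linux 4.x"),
    ("2024-01-01 09:00:00", "10.0.0.9", "Windows Server 2016"),
    ("2024-01-01 13:00:00", "10.0.0.9", "Windows Server 2019"),  # genuine upgrade
    ("2024-01-01 09:01:00", "10.0.0.12", "FreeBSD 12"),
]


def parse_event(raw):
    """Turn a raw (timestamp string, host, os) tuple into a sortable tuple."""
    ts, host, os_name = raw
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, os_name


def find_nat_candidates(events, window=timedelta(minutes=10), min_changes=2):
    """Return {host: change_count} for every host whose OS identity changed
    at least min_changes times within some window of the given length.
    Both thresholds are assumptions for this example, not product values."""
    by_host = defaultdict(list)
    for ts, host, os_name in sorted(parse_event(e) for e in events):
        by_host[host].append((ts, os_name))
    candidates = {}
    for host, seq in by_host.items():
        # Timestamps at which the detected OS differed from the previous one.
        changes = [seq[i][0] for i in range(1, len(seq)) if seq[i][1] != seq[i - 1][1]]
        best = 0
        for i, start in enumerate(changes):
            # Count changes that fall inside the window opened at this change.
            best = max(best, sum(1 for t in changes[i:] if t - start <= window))
        if best >= min_changes:
            candidates[host] = best
    return candidates


if __name__ == "__main__":
    for host, n in find_nat_candidates(SAMPLE_EVENTS).items():
        print(f"{host}: {n} OS changes within 10 minutes, consider excluding")
```

A host flagged here should be confirmed with a host-type search in the network map before it is excluded, since a real machine that is re-imaged often can trip the same heuristic.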
In addition, if you need to create a custom server fingerprint, you should temporarily exclude from 
monitoring the IP address that you are using to communicate with the host you are fingerprinting. 
Otherwise, the network map and discovery event views will be cluttered with inaccurate information 
about the host represented by that IP address. After you create the fingerprint, you can configure your 
policy to monitor that IP address again. For more information, see 
Cisco also recommends that you not monitor the same network segment with NetFlow-enabled devices 
and Cisco managed devices. Although ideally you should configure your network discovery policy with 
non-overlapping rules, the system does drop duplicate connection logs generated by managed devices. 
Note that you cannot drop duplicate connection logs for connections detected by both a managed device 
and a NetFlow-enabled device.
For more information, see the following sections:
Understanding Device Selection
License: FireSIGHT
If you select a NetFlow device in a discovery rule, the rule is limited to discovery of NetFlow data for 
the specified networks. Select the NetFlow device before you configure other aspects of rule behavior, 
as the available rule actions change when you select a NetFlow device. In addition, you cannot configure 
port exclusions for NetFlow traffic.