Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery
  Creating a Network Discovery Policy
Before you can select a NetFlow device in a network discovery rule, you must configure a connection to 
the NetFlow device in the network discovery advanced settings. For more information, see 
.
Understanding Actions and Discovered Assets
License: FireSIGHT
When you configure a discovery rule, you must select an action for the rule. The action determines what 
assets are discovered or excluded when the system processes the rule. Note, however, that the effect of a 
rule action depends on whether you are using the rule to discover data from a managed device or from a 
NetFlow-enabled device. 
Note that if you create a network discovery policy without any rules that discover hosts or users, applying 
the policy disables new discovery for the appliance. To optimize performance when using managed 
devices only for intrusion prevention, remove all discovery rules from your policy and apply it to the 
active devices.
The following table describes what assets are discovered by rules with the specified action settings in 
those two scenarios. 
Table 35-4 Discovery Rule Actions

| Action | Managed Device | NetFlow |
|---|---|---|
| Exclude | Excludes the specified network from monitoring. If the source or destination host for a connection is excluded from discovery, the connection is recorded but discovery events are not created for excluded hosts. | Excludes the specified network from monitoring. If the source or destination host for a connection is excluded from discovery, the connection is recorded but discovery events are not created for excluded hosts. |
| Discover: Hosts | Adds hosts to the network map based on discovery events. (Optional, unless user discovery is enabled, then required.) | Adds hosts to the network map based on NetFlow records. (Required) |
| Discover: Applications | Adds applications to the network map based on application detectors. Note that you cannot discover hosts or users in a rule without also discovering applications. (Required) | Adds application protocols to the network map based on NetFlow records and the port-application protocol correlation in /etc/sf/services. (Optional) |
| Discover: Users | Adds users to the users table and logs user activity based on activity detected in traffic matching the user protocols configured in the network discovery policy. (Optional) | n/a |
| Log NetFlow Connections | n/a | Logs NetFlow connections only. Does not discover hosts or applications. |

Understanding Monitored Networks
License: FireSIGHT