Cisco Cisco Firepower Management Center 4000
35-32
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Creating a Network Discovery Policy
Update Interval
The interval at which the system updates information (such as when any of a host’s IP addresses was last
seen, when an application was used, or the number of hits for an application). The default setting is 3600
seconds (1 hour).
seen, when an application was used, or the number of hits for an application). The default setting is 3600
seconds (1 hour).
Note that setting a lower interval for update timeouts provides more accurate information in the host
display, but generates more network events.
display, but generates more network events.
To update general settings:
Access:
Admin/Discovery Admin
Step 1
Click the edit icon (
) next to
General Settings
.
The General Settings pop-up window appears.
Step 2
Update the settings as needed.
Step 3
Click
Save
to save the general settings and return to the Advanced tab of the network discovery policy.
Note
You must apply the network discovery policy for your changes to take effect. For more
information, see
information, see
.
Configuring Identity Conflict Resolution
License:
FireSIGHT
The system matches fingerprints for operating systems and servers against patterns in traffic to
determine what operating system and which applications are running on a particular host. To provide the
most reliable operating system and server identity information, the system collates fingerprint
information from several sources.
determine what operating system and which applications are running on a particular host. To provide the
most reliable operating system and server identity information, the system collates fingerprint
information from several sources.
The system uses all passive data to derive operating system identities and assign a confidence value. For
more information on current identities and how the system selects the current identity, see
more information on current identities and how the system selects the current identity, see
.
By default, unless there is an identity conflict, identity data added by a scanner or third-party application
overrides identity data detected by the FireSIGHT System. You can use the Identity Sources settings to
rank scanner and third-party application fingerprint sources by priority. The system retains one identity
for each source, but only data from the highest priority third-party application or scanner source is used
as the current identity. Note, however, that user input data overrides scanner and third-party application
data regardless of priority.
overrides identity data detected by the FireSIGHT System. You can use the Identity Sources settings to
rank scanner and third-party application fingerprint sources by priority. The system retains one identity
for each source, but only data from the highest priority third-party application or scanner source is used
as the current identity. Note, however, that user input data overrides scanner and third-party application
data regardless of priority.
An identity conflict occurs when the system detects an identity that conflicts with an existing identity
that came from either the active scanner or third-party application sources listed in the Identity Sources
settings or from a FireSIGHT System user. By default, identity conflicts are not automatically resolved
and you must resolve them through the host profile or by rescanning the host or re-adding new identity
data to override the passive identity. However, you can set your system to always automatically resolve
the conflict by keeping the passive identity or to always resolve it by keeping the active identity.
that came from either the active scanner or third-party application sources listed in the Identity Sources
settings or from a FireSIGHT System user. By default, identity conflicts are not automatically resolved
and you must resolve them through the host profile or by rescanning the host or re-adding new identity
data to override the passive identity. However, you can set your system to always automatically resolve
the conflict by keeping the passive identity or to always resolve it by keeping the active identity.
Generate Identity Conflict Event
Enable this option to generate an event when an identity conflict occurs on a host in the network map.
Automatically Resolve Conflicts
You have the following options: