Cisco FirePOWER Appliance 7020
35-26
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Creating a Network Discovery Policy
A discovery rule causes discovery of monitored assets only in traffic to and from hosts in the specified
networks. For a discovery rule, discovery occurs for connections that have at least one IP address within
the networks specified, with events generated only for IP addresses within the networks to monitor. The
default discovery rule discovers applications only on the 0.0.0.0/0 and ::/0 networks.
For rules with a specified NetFlow device and the Log Network Connections option enabled, connections
to and from IP addresses in the specified networks are also logged. Note that network discovery rules
provide the only way to log NetFlow network connections.
You can also use network objects or object groups to specify the networks to monitor. If you modify a
network object used in the network discovery policy, you must reapply the policy for those changes to
take effect for discovery.
Understanding Zones in Network Discovery Policies
License: FireSIGHT
For performance reasons, you should configure each discovery rule so that the zones in the rule include
the sensing interfaces on your managed devices that are physically connected to the networks-to-monitor
in the rule.
Unfortunately, you may not always be kept informed of network configuration changes. A network
administrator may modify a network configuration through routing or host changes without informing
you, which may make it challenging to stay on top of proper network discovery policy configurations.
If you do not know how the sensing interfaces on your managed devices are physically connected to your
network, leave the zone configuration as the default, which is to apply the discovery rule to all zones in
your deployment. (If no zones are excluded, the discovery policy is applied to all zones.)
Understanding Port Exclusions
License: FireSIGHT
Just as you can exclude hosts from monitoring (see ), you can exclude specific ports from monitoring.
For example, load balancers can report multiple applications on the same port in a short period of time.
You can configure your network discovery policy so that it excludes that port from monitoring, such as
excluding port 80 on a load balancer that handles a web farm.
As another scenario, your organization may use a custom client that uses a specific range of ports. If the
traffic from this client generates excessive and misleading events, you can exclude those ports from
monitoring. Similarly, you may decide that you do not want to monitor DNS traffic. In that case, you
could configure your policy so that it does not monitor port 53.
When adding ports to exclude, you can decide whether to use a reusable port object from the Available
Ports list, add ports directly to the source or destination exclusion lists, or create a new reusable port and
then move it into the exclusion lists.
Note that you cannot configure NetFlow-enabled devices to exclude ports from monitoring.
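As an added illustration, not Cisco's code or configuration syntax, the Python model below applies the matching semantics described above (discovery for connections with at least one address in the networks to monitor, events only for addresses inside those networks, and source/destination port exclusions) to a set of constructed connections. The class, its field names, and the choice to treat a matching excluded port as suppressing discovery for the whole connection are assumptions of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DiscoveryRule:
    """Simplified model of one network discovery rule (assumed structure, not the product's)."""
    networks: list                                  # networks to monitor, e.g. ["10.1.0.0/16"]
    excluded_src_ports: set = field(default_factory=set)
    excluded_dst_ports: set = field(default_factory=set)

    def monitored(self, addr: str) -> bool:
        """True if the address falls inside any network to monitor (IPv4/IPv6 kept separate)."""
        ip = ip_address(addr)
        return any(ip in ip_network(net) for net in self.networks)

    def evaluate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> set:
        """Return the endpoints for which this rule would generate discovery events.

        Assumption: an excluded source or destination port suppresses the whole connection.
        """
        if src_port in self.excluded_src_ports or dst_port in self.excluded_dst_ports:
            return set()
        # Discovery happens only if at least one endpoint is in the networks to monitor ...
        if not (self.monitored(src_ip) or self.monitored(dst_ip)):
            return set()
        # ... and events are generated only for the endpoints that are inside those networks.
        return {ip for ip in (src_ip, dst_ip) if self.monitored(ip)}


# The default rule covers every IPv4 and IPv6 address.
DEFAULT_RULE = DiscoveryRule(["0.0.0.0/0", "::/0"])

# Constructed connections (src_ip, src_port, dst_ip, dst_port), not captured traffic.
SAMPLE_CONNECTIONS = [
    ("10.1.2.3", 51000, "192.0.2.10", 443),   # internal client to external web server
    ("10.1.2.3", 51001, "192.0.2.53", 53),    # internal client doing DNS
    ("192.0.2.5", 1234, "198.51.100.7", 80),  # neither endpoint inside the monitored range
    ("2001:db8::1", 40000, "10.1.9.9", 22),   # IPv6 client to internal host
]


def run_rule(rule: DiscoveryRule, conns=SAMPLE_CONNECTIONS) -> list:
    """Evaluate every constructed connection against one rule, returning sorted endpoint sets."""
    return [sorted(rule.evaluate(*c)) for c in conns]


if __name__ == "__main__":
    rule = DiscoveryRule(["10.1.0.0/16"], excluded_dst_ports={53})
    for conn, hosts in zip(SAMPLE_CONNECTIONS, run_rule(rule)):
        print(conn, "->", hosts or "no events")
```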
Adding a Discovery Rule
License: FireSIGHT
You can configure discovery rules to tailor the discovery of host and application data to your needs. Note
that when you modify an object referenced in a rule, you must reapply the network discovery policy for
those changes to take effect.