topic Re: Network Discovery Rules in Network Security

Network Discovery Rules

dm2020 — Tue, 12 Mar 2019 14:10:08 GMT

Hi All,

I have setup a Network Discovery policy to discovery users, host and application for my internal network address range only. Do I now need to create a monitor rule in my ACP for Network Discovery to work correctly, such as permitting all IP traffic from my internal network and setting to monitor, or will it work ok for traffic that I have simply permitted in my rules? I understand that Network Discovery will not match traffic that has been blocked (which is my default rule). Is that correct?

Sorry if this is a simple question but I'm not sure what the correct approach is to ensure that FMC discovers all of my network assets correctly.

Thank you

Re: Network Discovery Rules

phil.hydea — Wed, 12 Dec 2018 09:59:52 GMT

Hi Ciscogeek2017

The Network Discovery function works based on traffic the managed device
has visibility; so no ACP rule is required.

For example, if you left the default 0.0.0.0/0 rule in, you will get host
intelligence for external objects that probably aren't configured
explicitly in an ACP rule.

You can limit what IP ranges are scanned using the exclusion config box.

Re: Network Discovery Rules

Sheraz.Salim — Wed, 12 Dec 2018 18:30:01 GMT

as Phil said, instead of 0.0.0.0 will build and consume all your host limit (by default the limit is 50,000 host)

once you put your interested network to discover than you can build up your security policy ACP, NAP, Intrustion prevision etc.)

remember discovery is the first step/stage to build up your network security.

once your discovery policy in action (also remember discovery policy is a passive) you will see the host (windows,linux etc) with vulnerability (for example FMC learn about windows-7 server pack1) it will give you what vulnerability with server pack 1.

hope that help you.

Re: Network Discovery Rules

dm2020 — Fri, 14 Dec 2018 16:32:47 GMT

Hi,

Thank you for the response.

You mention that Network Discovery function works based on traffic the managed device
has visibility of, so what if the managed device is configured to block all traffic? Will it still have visibility or does traffic need to be permitted though the device using a ACP permit rule for this to work?

Re: Network Discovery Rules

Sheraz.Salim — Fri, 14 Dec 2018 17:30:00 GMT

why you want to block all the traffic? any reason?

if your ACP is setup as block than it will come to decision on default policy (if you have default policy also has block setup) in that case all communication will be drop and you have no connection to FTD/ASA and this also apply to other network internal network/DMZ network.

see the attachment of the pack flow in firepower.

Re: Network Discovery Rules

dm2020 — Fri, 14 Dec 2018 17:35:38 GMT

Sorry I meant block all as my default action. That packet flow makes sense and answers my question.

Thank you

Re: Network Discovery Rules

Sheraz.Salim — Fri, 14 Dec 2018 17:38:19 GMT

Thank glad i was help you.