Cisco ASA with Firepower v6.1.0 - Network Discovery Question

roesch4alc
Level 1

Hi all,

I'm getting more and more familiar with Firepower... Now I have a running setup with 2x ASA 5525-X. A main point that I actually don't understand is network discovery. My firewall is set up in routed mode. It is the gateway for hosts in different networks in different VLANs. There is a transfer network to an L3 core switch between these secured networks and the rest of the network destinations.

Now I am wondering why Firepower doesn't recognize which device is actually the router in this transfer network. It should be obvious, because there is one MAC address that belongs to many hundred IP addresses. The system has been up and running for about 2 weeks now.

My questions:

1.) Is there an amount of time I have to wait until the system changes the information about a host (e.g. host --> router)?

2.) Can I define the network devices manually?

3.) Why do I see so few MAC addresses in Hosts > Network Map? There are only 20; there should be many more, as we have about 500 active clients behind that firewall. Just a guess: are these the MAC addresses for which no IP address is known?

4.) Do I have to create Security Zones, or aren't they necessary for proper host/router detection?

5.) What should I see in the Host Profile under Device (Hops)?

I searched for quite a long time, but I couldn't find anything about these questions. I also attached a picture with discovery statistics.

Regards

Sebastian

6 Replies

Marvin Rhoads
Hall of Fame

Have you defined the HOME_NET and EXTERNAL_NET objects and referenced them in a Discovery Policy?

Actually not. These variables are set to the default "any". Do they have an impact on the discovery behaviour that I am wondering about?

How can I reference these variables in a discovery policy? I can only select certain networks, but no variables...

Under Object, Object Management, Network make network objects for your desired networks to be discovered.

Then under Object Management, Variable Set edit the default set. Make HOME_NET equal to the networks you defined. Make EXTERNAL_NET equal to !HOME_NET (not HOME_NET).

Under your Network Discovery policy, add the networks you defined earlier into the discovery policy. Make sure you tell the policy to discover hosts, users and applications.

Please find attached my Network Discovery Rule.

If you are planning to use it in production, change the Discovery Rule to specific internal networks. If this is not configured, Firepower will add all public IP addresses under host information and fill up your maximum host count, eventually causing traffic failures. You can also use specific zones to lock it down further.
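The HOME_NET / EXTERNAL_NET advice above decides which direction an IPS rule header can match, which is exactly the concern raised later in this thread (a firewall between two internal networks). The following is an added illustration, not code from the thread or from Cisco: it models a variable set in plain Python with the `ipaddress` module, defines EXTERNAL_NET as !HOME_NET as recommended, and shows what a `$EXTERNAL_NET -> $HOME_NET` rule header does for traffic between two networks that are both inside HOME_NET. The network ranges are constructed sample values.

```python
"""Added example: how $HOME_NET / $EXTERNAL_NET variables gate a directional
rule header. Not part of the original thread; networks below are constructed."""
import ipaddress
from typing import Iterable, List

IPNetwork = ipaddress._BaseNetwork

# Constructed HOME_NET: two internal ranges on either side of the firewall.
HOME_NET: List[IPNetwork] = [
    ipaddress.ip_network("10.10.0.0/16"),   # production side
    ipaddress.ip_network("10.20.0.0/16"),   # office side
]


def in_home_net(ip: str, home_net: Iterable[IPNetwork] = HOME_NET) -> bool:
    """True if the address falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def in_external_net(ip: str, home_net: Iterable[IPNetwork] = HOME_NET) -> bool:
    """EXTERNAL_NET is defined as !HOME_NET, as the reply above recommends."""
    return not in_home_net(ip, home_net)


def classify_flow(src: str, dst: str, home_net: Iterable[IPNetwork] = HOME_NET) -> str:
    """Label a flow relative to HOME_NET: internal, inbound, outbound or external."""
    s, d = in_home_net(src, home_net), in_home_net(dst, home_net)
    if s and d:
        return "internal"
    if s and not d:
        return "outbound"
    if not s and d:
        return "inbound"
    return "external"


def rule_header_matches(src_var: str, dst_var: str, src: str, dst: str,
                        home_net: Iterable[IPNetwork] = HOME_NET) -> bool:
    """Evaluate a rule header's address part. Variables accepted: 'any',
    '$HOME_NET', '$EXTERNAL_NET' (only these three are modelled here)."""
    def side(var: str, ip: str) -> bool:
        if var == "any":
            return True
        if var == "$HOME_NET":
            return in_home_net(ip, home_net)
        if var == "$EXTERNAL_NET":
            return in_external_net(ip, home_net)
        raise ValueError(f"unsupported variable {var!r}")

    return side(src_var, src) and side(dst_var, dst)


if __name__ == "__main__":
    # Office host talking to a production host: both in HOME_NET, so a rule
    # written $EXTERNAL_NET -> $HOME_NET never fires for it.
    print(classify_flow("10.20.7.9", "10.10.1.5"))  # internal
    print(rule_header_matches("$EXTERNAL_NET", "$HOME_NET", "10.20.7.9", "10.10.1.5"))
    # Narrowing HOME_NET to the production side alone makes the office side
    # "external" again, and the same rule header matches.
    prod_only = [ipaddress.ip_network("10.10.0.0/16")]
    print(rule_header_matches("$EXTERNAL_NET", "$HOME_NET", "10.20.7.9", "10.10.1.5", prod_only))
```

The last two lines make the design choice concrete: with both sides in HOME_NET, only rules written with `any` or `$HOME_NET -> $HOME_NET` see traffic between them; with HOME_NET narrowed to the production side, the office network counts as EXTERNAL_NET and the default direction applies.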

More about your questions: Do you see discovery events showing up for the hosts you need to be discovered? Also what are your FMC and Sensor versions. There was a bug with 6.1 FMC that was not discovering hosts when Sensor was below 6.1 version.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb66432/?referring_site=bugquickviewredir

I already changed the local networks according to Marvin. So the discovery policy is restricted to local networks. In my case, this machine is placed in an inside network (no direct internet connection); it is there to separate a production network from the rest of the network. But intrusion events could possibly happen from both sides. Because of that I don't really know what the best way would be to define $HOME_NET and $EXTERNAL_NET.

I know that some IPS rules are written with these variables in them. And so they will only trigger in one direction...

More about your questions: Do you see discovery events showing up for the hosts you need to be discovered? Also what are your FMC and Sensor versions. There was a bug with 6.1 FMC that was not discovering hosts when Sensor was below 6.1 version.

I see hosts being discovered, yes. But there is still the problem that the next-hop router is not being discovered as what it is, a router. In FMC I can see different IPs with the same MAC address (the MAC address of the router). But FMC doesn't recognize the type as a network device, I think. I use version 6.1.0 on FMC and the SFR modules.

I attached a simple picture of my setup. For example, I don't see router 1.1.1.1 being discovered as a router.
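The observation in this post (many discovered IPs sharing one MAC) is the clue an analyst would use to find the L3 gateway in discovery data. As an added example that is not part of the thread and not FMC's own logic, the Python below groups constructed (ip, MAC) discovery sightings by MAC and flags a MAC as a likely gateway when it fronts several addresses spread across several subnets; given the transfer network, it then separates the gateway's own interface address from the hosts that sit behind it. The sample records, the 1.1.1.0/24 transfer network and the thresholds are assumptions for the example.

```python
"""Added example: infer the next-hop router from host/MAC discovery sightings.
Not code from the thread or from FMC; sample data below is constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

IPAddr = ipaddress._BaseAddress

# Constructed discovery sightings (ip, mac) as a sensor on the transfer
# network would see them: everything beyond the L3 core switch appears with
# the core switch's MAC, while directly attached hosts carry their own MAC.
SAMPLE: List[Tuple[str, str]] = [
    ("1.1.1.1", "00:11:22:33:44:55"),      # router's own interface on the transfer net
    ("10.50.1.10", "00:11:22:33:44:55"),   # hosts routed through it
    ("10.50.2.20", "00:11:22:33:44:55"),
    ("10.60.3.30", "00:11:22:33:44:55"),
    ("192.168.1.5", "AA:BB:CC:00:00:01"),  # directly attached hosts
    ("192.168.1.6", "aa:bb:cc:00:00:02"),
    ("192.168.1.6", "aa:bb:cc:00:00:02"),  # duplicate sighting, collapsed below
]

# Assumed transfer network between the firewall and the L3 core switch.
TRANSFER_NET = ipaddress.ip_network("1.1.1.0/24")


def group_by_mac(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[IPAddr]]:
    """Collect the distinct IPs seen behind each MAC (MACs normalised to lower case)."""
    by_mac: Dict[str, Set[IPAddr]] = defaultdict(set)
    for ip, mac in records:
        by_mac[mac.lower()].add(ipaddress.ip_address(ip))
    return by_mac


def infer_gateways(records: Iterable[Tuple[str, str]], min_ips: int = 3,
                   min_subnets: int = 2, prefix: int = 24) -> Dict[str, List[str]]:
    """Return {mac: [ips]} for MACs that front at least min_ips addresses spread
    over at least min_subnets /prefix subnets; such a MAC is a likely L3 hop."""
    gateways: Dict[str, List[str]] = {}
    for mac, ips in group_by_mac(records).items():
        subnets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        if len(ips) >= min_ips and len(subnets) >= min_subnets:
            gateways[mac] = [str(ip) for ip in sorted(ips)]
    return gateways


def split_router_and_behind(records: Iterable[Tuple[str, str]],
                            transfer_net: ipaddress._BaseNetwork = TRANSFER_NET
                            ) -> Dict[str, Dict[str, List[str]]]:
    """For each inferred gateway MAC, separate its own interface address(es) on the
    transfer network from the hosts that are reachable only through it."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for mac, ips in infer_gateways(records).items():
        own = [ip for ip in ips if ipaddress.ip_address(ip) in transfer_net]
        behind = [ip for ip in ips if ipaddress.ip_address(ip) not in transfer_net]
        result[mac] = {"router_ips": own, "hosts_behind": behind}
    return result


if __name__ == "__main__":
    for mac, info in split_router_and_behind(SAMPLE).items():
        print(mac, "router:", info["router_ips"], "behind:", len(info["hosts_behind"]), "hosts")
```

The thresholds are the only judgement call: a single /24 with many hosts behind one MAC could also be a proxy or NAT device, which is why the example requires addresses in more than one subnet before calling a MAC a gateway; lower `min_subnets` to 1 if the transfer network only leads to one downstream range.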
