Explanation of Access Control:Network Discovery Only

Ditter
Level 4

Hi to All,

I wonder if anyone can help me understand what the Network Discovery Only option at the bottom of the ACP is.

I understand that FTDs can do network discovery by going to another menu in the FMC, that is POLICIES --> Network Discovery, where you can choose which networks you want to have discovery on, etc.

But I do not understand the purpose of the drop-down list at the bottom of the ACP menu.

There are also some other choices in the same drop-down list, for example Access Control:Block all traffic or Access Control:Permit all traffic, which also do not make any sense to me, because one can simply put the corresponding ACLs in the ACP, which is just what this drop-down list contains.

Any help understanding the usefulness of this drop down list is greatly appreciated.

Thanks,

Ditter.

5 Replies

This is all about flexibility. You are right that a "typical" firewall has a "deny any any" at the end. But there are some use cases where this is not the best option. Here is an example:

The actual network consists of many VLANs on the L3 switch. This is fast, but you don't have any security between these VLANs. Now you want to segment the network with the help of a fast FTD device. You move the VLANs to the firewall and have to choose the right default action for your ACP. Now two of the options could come to mind:

  1. You directly want to have more security and you use the option IPS.
  2. But perhaps you are afraid of false positives and first want to know what is going on in your network. You choose the option "Network Discovery only". This will likely not be the final configuration. Depending on your needs you will later move to IPS or to Block when you know your traffic and have implemented the needed rules for the traffic.

Ditter
Level 4

Thanks for your reply,

So if someone chooses Access Control:Block all traffic, will it block everything regardless of any rules above, or are the rules you have set still valid and it is only the default action at the end, like deny any any?

The default rule is always processed after all configured explicit rules. If traffic matches any of them, the firewall will take that rule's action. But if none of your rules match, then the action of the default rule is taken.
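As an added illustration (not code from the thread, from Cisco, or from FMC/FTD itself) of two points raised above, Karsten's description of evaluation order and the first reply's "observe with Network Discovery Only, then move to Block" approach, here is a simplified Python model of an Access Control Policy. Explicit rules are checked top-down and the first match wins; only flows that match no rule receive the default action. The rule, flow and policy names are constructed, the verdict strings are this example's own simplification, and the "Intrusion Prevention" key is a hypothetical label for an IPS default action:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of ACP evaluation order (added example, not FMC/FTD code):
# explicit rules top-down, first match wins, otherwise the default action applies.

# Verdict the default action yields for unmatched flows. Names follow the thread;
# the verdict strings are this example's own simplification.
DEFAULT_ACTIONS = {
    "Access Control: Block All Traffic": "block",
    "Access Control: Permit All Traffic": "allow",
    "Access Control: Network Discovery Only": "allow+discovery",
    "Intrusion Prevention": "allow+ips",   # hypothetical label for an IPS default action
}


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None means any destination port

    def matches(self, flow: dict) -> bool:
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == flow["dport"]))


@dataclass
class Policy:
    rules: list
    default: str                     # key of DEFAULT_ACTIONS


def evaluate(policy: Policy, flow: dict) -> tuple:
    """Return (verdict, decided_by): the first matching rule's action and name,
    or the default action's verdict and 'default' when no rule matches."""
    for rule in policy.rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return DEFAULT_ACTIONS[policy.default], "default"


def flows_reaching_default(policy: Policy, flows: list) -> list:
    """Flows that no explicit rule covers. During a 'Network Discovery Only' phase
    this is the list to review before switching the default to 'Block All Traffic',
    because these are exactly the flows that switch would start dropping."""
    return [f for f in flows if evaluate(policy, f)[1] == "default"]


# Constructed sample flows (not from any real network)
FLOWS = [
    {"src": "192.168.10.5", "dst": "10.1.1.10", "dport": 443},   # web to server VLAN
    {"src": "192.168.10.5", "dst": "10.1.1.10", "dport": 22},    # ssh to server VLAN
    {"src": "192.168.20.7", "dst": "10.1.2.20", "dport": 445},   # smb between VLANs
]

# Constructed explicit rules, in the order they would sit in the ACP
RULES = [
    Rule("permit-web", "allow", src="192.168.10.0/24", dst="10.1.1.0/24", dport=443),
    Rule("block-smb", "block", dport=445),
]


def demo():
    observe = Policy(RULES, "Access Control: Network Discovery Only")
    enforce = Policy(RULES, "Access Control: Block All Traffic")
    for flow in FLOWS:
        print(flow, "observe:", evaluate(observe, flow), "enforce:", evaluate(enforce, flow))
    print("flows still relying on the default action:", flows_reaching_default(observe, FLOWS))


if __name__ == "__main__":
    demo()
```

Running it shows the answer to the question above: the SMB flow is blocked by its explicit rule under both policies, the web flow is allowed by its explicit rule even when the default is Block All Traffic, and only the SSH flow, which matches no rule, changes verdict when the default action changes.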

Ditter
Level 4

Thanks Karsten, one last thing: suppose that an administrator of the FTD hasn't created any discovery policy. If an FTD admin has not configured any discovery policies under Policies --> Network Discovery, and the ACP's default action is Access Control: Network Discovery Only, it will do the job, but it will try to discover everything the FTD sees. Then the only way to get "personalized" discovery information for specific subnets, VLANs, etc. is to create this specific Network Discovery policy.

Am I correct?

Thanks,

Ditter

There is a default discovery policy that lets you get started, but you should configure it for your environment.
