Network Discovery in FMC

Hi Experts,

We've an ASA with the Sourcefire module installed and I've queries on Network Discovery. Please excuse my lack of skills on Sourcefire, as I'm new to this.

On going through the videos, I noticed Network Discovery is the initial step in the FMC learning the network, and I've a couple of questions:

1. Under Policies -> Access Control Policy -> Default Network Discovery is applied to "0 devices".

My query is then: how is the FMC learning about the hosts, users and applications when it's NOT applied to any managed devices...?

 

2. We've no Realm configured to integrate FMC with LDAP or with the directory agent to monitor login/logout activity, but under the User Activity section I noticed user names are shown.

Not sure how FMC learns about the user names if no AD integration is configured...?

Note, we've left the default 0.0.0.0/0 with Users and Hosts selected in Network Discovery.

3 Replies

1. Under Policies -> Access Control Policy -> Default Network Discovery is applied to "0 devices".

My query is then: how is the FMC learning about the hosts, users and applications when it's NOT applied to any managed devices...?

Network Discovery is kind of like nmap but in passive mode. Think of a bodyguard at a door who builds a profile based on who is coming in and going out. He does not stop you; just by you going in and out he builds a profile about you. Now Zero (0) means FMC is doing a passive scan on each single connection. The max limit in version 6.3 is 50,000 hosts. You need to fine-tune it: you need to create your network and teach FMC to only build a passive profile on your network hosts, no outside hosts (in case of internet). You don't want to waste your resources on something which is not useful at all.

 

 

2. We've no Realm configured to integrate FMC with LDAP or with the directory agent to monitor login/logout activity, but under the User Activity section I noticed user names are shown.

Not sure how FMC learns about the user names if no AD integration is configured...?

This is useful if you are using ISE (pxGrid) for user mapping or the Sourcefire agent. In order to use these two products you need ISE or the Sourcefire agent to give you an IP address mapping to username.

Please do not forget to rate.

Thanks for the reply. I'm referring to the Default Network Discovery being applied to "0 devices", not to 0.0.0.0/0.

This Network Discovery (passive mode) isn't applied to any managed devices. Since this is passive, is it learning about all the hosts whose traffic is passing through, I thought...?

You don't have to apply the default network discovery, but you must define the network discovery for your network. For example, if you know the hosts/network subnet, you define it in the network discovery policy. Later it will become handy when you define the intrusion policy, as the intrusion policy reflects the network discovery.

Please do not forget to rate.
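To illustrate the scoping advice in both replies above (profile only your own subnets rather than every address that crosses the sensor), here is an added Python sketch. It is not part of this thread and is not FMC or Sourcefire code: it passively builds a host table from constructed connection events and shows how a 0.0.0.0/0 discovery network pulls every external address into the table, while a policy scoped to the internal subnet does not. The event tuples, the 10.1.1.0/24 subnet, the small host limit used in the demo and the simplified profile fields are assumptions made for the illustration; only the 50,000-host figure comes from the reply.

```python
import ipaddress
from collections import defaultdict

# Constructed connection events for the illustration: (initiator_ip, responder_ip,
# responder_port, protocol). These are made-up flows, not FMC connection events.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
EVENTS = [
    ("10.1.1.10", "10.1.1.20", 445, "tcp"),      # internal client to internal file server
    ("10.1.1.10", "10.1.1.20", 3389, "tcp"),     # same client, RDP to the same server
    ("10.1.1.11", "10.1.1.20", 445, "tcp"),
    ("10.1.1.10", "203.0.113.5", 443, "tcp"),    # internal client browsing an external site
    ("10.1.1.11", "198.51.100.7", 443, "tcp"),
    ("10.1.1.11", "198.51.100.8", 80, "tcp"),
    ("192.0.2.9", "10.1.1.20", 445, "tcp"),      # external source reaching an internal server
]

# Host limit quoted in the reply above for version 6.3; used only as a default here.
DEFAULT_HOST_LIMIT = 50_000


def parse_networks(cidrs):
    """Turn a discovery policy's network list into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(ip, networks):
    """True if the address falls inside any monitored network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def build_host_profiles(events, networks):
    """Passively build a host table from observed connections.

    Only endpoints inside the monitored networks get a profile (an assumed,
    simplified model). A responder's profile records the services it was seen
    answering on; every in-scope endpoint records the peers it talked to, and a
    peer may itself be out of scope.
    """
    profiles = defaultdict(lambda: {"services": set(), "peers": set()})
    for src, dst, port, proto in events:
        if in_scope(src, networks):
            profiles[src]["peers"].add(dst)
        if in_scope(dst, networks):
            profiles[dst]["services"].add((port, proto))
            profiles[dst]["peers"].add(src)
    return dict(profiles)


def host_table_status(profiles, host_limit=DEFAULT_HOST_LIMIT):
    """Return (host_count, over_limit) for a built host table."""
    count = len(profiles)
    return count, count > host_limit


if __name__ == "__main__":
    # Unscoped policy (the 0.0.0.0/0 default the question mentions): every
    # address seen in any flow, internet hosts included, lands in the table.
    unscoped = build_host_profiles(EVENTS, parse_networks(["0.0.0.0/0"]))
    # Scoped policy: only the internal subnet is profiled.
    scoped = build_host_profiles(EVENTS, parse_networks(["10.1.1.0/24"]))
    # A tiny limit makes the effect visible with seven sample flows.
    print("unscoped:", host_table_status(unscoped, host_limit=5))  # (7, True)
    print("scoped:  ", host_table_status(scoped, host_limit=5))    # (3, False)
    for ip, prof in sorted(scoped.items()):
        print(ip, "services:", sorted(prof["services"]), "peers:", sorted(prof["peers"]))
```

The scoped run still records the external 192.0.2.9 as a peer of the internal server, so the contact is not lost, but it does not spend a host-table slot on it; that is the trade-off the replies describe when they say to define your own networks rather than keep 0.0.0.0/0.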