vagner.araujo
Level 1

The Cisco Secure Firewall comes with a default Network Discovery Policy which is configured for 0.0.0.0 discovering applications.

I'm commonly seeing some people doing 2 configurations:

- Edit the default Network Discovery Rule:
  - Delete 0.0.0.0 and put RFC 1918
  - Add Host discovery

What I have learned is that the default rule should not be changed, because it will affect layer 7 capabilities:

[Image: Network_Discovery_Keep_Enabled.png]

So, I instruct customers to create a new rule for host discovery on internal networks only.

[Image: Network_Discovery.png]

You can also add a rule for exclusions: Guest network, NAT devices, proxies, partners coming through VPN.

I'd like to know, what are you guys doing? What is your best practice? Are you trashing/changing the default 0.0.0.0 rule for applications?


Note:
I know that if you configure host discovery for 0.0.0.0 it will affect the FMC host discovery limit, but I'm not talking about host discovery in the default rule, I'm talking about application discovery.

1 Comment

You are correct. Application discovery should discover applications for every network, whereas hosts and users should be limited to the internal network (and DMZ if you want to protect those), basically what you want to protect. If you put 0/0 for host discovery, it will quickly exceed the host limit.
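The layout both the post and the comment recommend (application discovery kept on 0.0.0.0/0, host and user discovery confined to RFC 1918 space, an exclusion rule for guest, NAT, proxy and VPN partner ranges) can be checked mechanically before it is typed into FMC. The script below is an added example, not code from the original post or from Cisco: it models a Network Discovery Policy as a list of rule dicts (the dict layout, the `discover`/`exclude` action names, and the sample networks are constructed for illustration, not an FMC export or API format), lints a policy against the thread's advice, and answers "would this address be discovered as a host/user/application?" The assumption that an exclude rule wins over a discover rule covering the same address is labelled in the code.

```python
"""Lint a modelled Cisco Secure Firewall network discovery policy.

Added example; rule format and thresholds are assumptions for illustration.
"""
import ipaddress

# RFC 1918 private ranges: the space the thread says host/user discovery should stay inside.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample policy mirroring the recommended layout:
#   - default rule untouched: applications discovered everywhere (layer 7 depends on it)
#   - second rule: hosts and users only on internal (RFC 1918) networks
#   - exclusion rule: guest network and a VPN partner range are never discovered
SAMPLE_POLICY = [
    {"name": "default", "action": "discover", "networks": ["0.0.0.0/0"], "discover": ["applications"]},
    {"name": "internal-hosts", "action": "discover",
     "networks": ["10.0.0.0/8", "192.168.0.0/16"], "discover": ["hosts", "users"]},
    {"name": "exclude-guest-and-partners", "action": "exclude",
     "networks": ["192.168.50.0/24", "10.250.0.0/16"], "discover": []},
]


def _nets(rule):
    """Parse a rule's CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c) for c in rule["networks"]]


def _in_rfc1918(net):
    return any(net.subnet_of(private) for private in RFC1918)


def lint_policy(rules):
    """Return a list of (severity, message) findings; an empty list means the policy follows the advice."""
    findings = []
    app_everywhere = False
    for rule in rules:
        if rule["action"] != "discover":
            continue  # exclusion rules never exhaust the host limit
        nets = _nets(rule)
        kinds = set(rule["discover"])
        if "applications" in kinds and ANY in nets:
            app_everywhere = True
        for kind in ("hosts", "users"):
            if kind not in kinds:
                continue
            for net in nets:
                if net == ANY:
                    findings.append(("error", f"rule '{rule['name']}': {kind} discovery on 0.0.0.0/0 "
                                              "will quickly exceed the FMC host limit"))
                elif not _in_rfc1918(net):
                    findings.append(("warn", f"rule '{rule['name']}': {kind} discovery on "
                                             f"non-RFC1918 network {net}"))
    if not app_everywhere:
        findings.append(("error", "no rule keeps application discovery on 0.0.0.0/0; "
                                  "changing the default rule affects layer 7 capabilities"))
    return findings


def discovered(rules, ip, kind):
    """True if `ip` would be discovered for `kind` ('hosts', 'users' or 'applications').

    Assumption (modelled, not verified against FMC docs): an exclude rule covering
    the address takes precedence over any discover rule covering it.
    """
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule["action"] == "exclude" and any(addr in net for net in _nets(rule)):
            return False
    return any(rule["action"] == "discover" and kind in rule["discover"]
               and any(addr in net for net in _nets(rule))
               for rule in rules)


if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY) or [("ok", "policy follows the thread's advice")]:
        print(f"[{severity}] {message}")
    for probe in ("10.1.2.3", "192.168.50.7", "203.0.113.9"):
        print(probe, {k: discovered(SAMPLE_POLICY, probe, k) for k in ("hosts", "applications")})
```

Running it on `SAMPLE_POLICY` reports no findings; editing the default rule's network to `10.0.0.0/8` produces the layer 7 error, and adding `hosts` to a `0.0.0.0/0` rule produces the host-limit error, which are exactly the two configurations the post warns against.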
