Network Discovery Policy
Cisco Secure Firewall Network Discovery Policy Guidance
Introduction
This document provides network discovery policy configuration and deployment guidance. The Firewall Management Center (FMC) network discovery policy controls how the system collects asset data on an organization's networks and traffic, and which network segments and ports to monitor.
Network Discovery Policy
A discovery policy specifies the networks and ports that a Secure Firewall system passively monitors to generate discovery data based on the network traffic passing through the deployed firewalls. A discovery rule defines the hosts, applications, and non-authoritative users to monitor. Similarly, a discovery rule can exclude networks and zones from discovery.
The system ships with a discovery rule that enables application discovery for all traffic. However, by default, host and user discovery is not defined.
Network discovery configuration
Default network discovery rule
The network discovery policy ships with a default rule, assigned to all IPv4 and IPv6 network, applying application discovery. Cisco strongly recommends this rule be left in place, as it ensures proper functioning of the application discovery capabilities of the platform. If this rule has been modified or deleted, it is recommended to create a new rule targeted to any networks with action of discover applications.
Step 1: Navigate to Policies > Network Discovery.
Step 2: Click Add Rule on the right side to add a discovery rule. The Add Rule window displays.
Discovery rule creation
Step 3: Choose the predefined network objects or create new network objects that define your company's internal network precisely. Ideally, only the specific network address ranges in use should be added, which may include certain RFC1918 ranges, but in some environments might also include reserved public IP space (such as DMZ ranges, or for organizations who use public addressing internally). The system IPv4-Private-All-RFC1918 network object may be suitable initially if the networks in use are unknown.
Step 4: Choose an action from the drop-down menu at the top and then check one of the checkboxes. The following table describes possible actions, options, and functions.
| Action | Option | Function |
|---|---|---|
| Discover | Hosts | Adds hosts to the network map based on discovery events. (Optional, unless user discovery is enabled, then required.) |
| Discover | Applications | Adds applications to the network map based on application detectors. Note that the Secure Firewall system cannot discover hosts or users in a rule without also discovering applications. (Required) |
| Discover | Users | Adds users to the user's table and logs user activity based on traffic-based detection on the user protocols configured in the network discovery policy. (Optional) |
| Exclude | N/A | Excludes the specified network from monitoring. If the source or destination host for a connection is excluded from discovery, the connection is recorded, but discovery events are not created for excluded hosts. |
Step 5: Possible hosts to consider for exclusion from monitoring include load balancers (or specific ports on load balancers) and NAT devices. These devices may create excessive and misleading events, which fill the FMC database. For example, a monitored NAT device might exhibit multiple updates of its operating system in a short period. However, excluding the NAT device from monitoring, the excessive and duplicate discovery events do not appear in the network map and no events are reported.
Step 6: Once the rule conditions are defined, click Save to save the discovery rule. The Discovery Policy window redisplays.
Discovery rules
Step 7: From the Advanced tab, click the pencil icon to edit the General Settings. A pop-up window displays.
Figure 4: Enabling Capture Banners in the Advanced Settings
Step 9: Check the Capture Banner checkbox to store header information from network traffic that advertises server vendors and versions. This banner information can provide additional context to the information gathered during discovery.
Step 10: Deploy the discovery policy. Click Deploy, choose the desired FTD device(s), and then click the Deploy button.
Recommended rules
The FMC starts building a network map as soon as a discovery policy is deployed and traffic is seen on managed devices with a discovery policy applied. After running a discovery policy for several days, you should see a network map and host profiles with details about the operating systems, servers, and client applications running in your environment, along with potential vulnerabilities that may be present based on these details. The FMC's recommended rules feature allows an FMC to automatically enable intrusion rules to protect against these potential vulnerabilities.
Organizations can run recommended rules on an on-demand basis after introducing new hosts or services into the network. Firewall Recommendations allow the Secure Firewall system to automatically tune the intrusion policy for efficiency and to ensure the appropriate network protection. For example, if a network runs only the Windows operating system, intrusion rules that address vulnerabilities on a Linux or Mac OS don't need to be included. However, if Linux is introduced into the network, network discovery would update the host profiles and modify the Firewall Recommendations the next time it is run.
For guidance on recommended rules refer to the Intrusion Policy page.
Verification/Troubleshooting
The FMC database has a limit of how many hosts and users it can store. If you exceed the host limits, by default, the FMC will stop inserting new hosts. Hosts which haven't been seen in seven days expire from the database, allowing more to be inserted. The host timeout length and host limit behavior can be modified by navigating to the Advanced tab of your network discovery policy.
Network discovery data storage settings under the Advanced tab
Each FMC model has a different limit to how many hosts it can store:
| Maximum network map size | FMC 1700 | FMC 2700 | FMC 4700 | FMCv | FMCv300 |
|---|---|---|---|---|---|
| Hosts | 50,000 | 150,000 | 600,000 | 50,000 | 150,000 |
| Users | 50,000 | 150,000 | 600,000 | 50,000 | 150,000 |
Here are options for handling a situation where your FMC is hitting the host limit:
-
Adjust the timeout thresholds to be more aggressive, or change the host limit behavior to drop old hosts instead of pausing host creation.
-
Fine tune your network discovery ranges. Some network ranges might provide less value and can be excluded from your network discovery rules. Common examples include guest networks and IP phone networks. Or, if including the entire RFC1918 range, there may be peer networks or extranet resources accidentally being tracked. Trimming the range will result in fewer hosts eligible for tracking.
Summary
The network discovery feature provides deeper visibility into a network environment, allowing the Secure Firewall administrator to take advantage of the Cisco Recommendations feature to enable an FMC to automatically optimize its intrusion policy or use it as a tuning reference. The combined network discovery and intrusion prevention functionalities save administrators time by automating policy optimization and reducing false positives alerts.
📚Additional Resources
To learn more about the network discovery policy on the Cisco Secure Firewall system, refer to the following publication:
Updated 20 days ago