Cisco FTD Network Discovery collects data about the hosts on your organization's network.

Which hosts exist on your network? The IP address and MAC address of each host, the operating system it runs, and the clients and web applications running on it are the most important pieces of information retrieved by the Network Discovery feature.

Network Discovery is not only for monitoring network traffic: you can also predefine a host profile and later check whether any host on the network violates that profile.

Cisco FTD Network Discovery Policy Configuration

To create a discovery rule, go to “Policies -> Network Discovery -> Networks -> Add Rule”.

Discovery rules specify which networks and ports to monitor in order to generate discovery data, and the zones to which the policy is deployed. You can also configure whether hosts, applications, and non-authoritative users are discovered, and you can exclude specific networks and zones from discovery.

Create Cisco FTD Network Discovery Policy

Users are discovered based on the protocols listed in the Users tab.

The option I usually change in the Advanced tab is “Capture Banners”, which inspects the headers of protocols such as FTP and Telnet to learn the user, the operating system and other information. Banners can only be read from protocols that send them in cleartext, so a host that exposes only encrypted services yields little this way.

You can also provide your topology information through the Custom Topology tab.

Create Custom Topology in FTD Network Discovery

Monitor the Network Discovery Map

In “Analysis -> Hosts -> Network Map”, you can view the discovered information either by host or by topology.

Information can be discovered passively or actively. Passive discovery only inspects traffic that already passes through the FTD, while active discovery scans hosts with Nmap to collect more information. Active scanning generates traffic of its own, so the scanned hosts (and anything monitoring them) will see it.

As the screenshots show, the discovered information is organized into a few main sections. At the top are the host's IP address and MAC address.

Monitor Information discovered by Cisco FTD Network Discovery

Next, operating system information is displayed. Discovery may collect evidence that does not agree on a single operating system; such hosts are flagged with “Operating System Conflicts”. You can set the operating system manually with “Edit Operating System”.
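As an added example (not Cisco's code, and not how FTD implements banner capture or OS fingerprinting), the script below shows what the “Capture Banners” option described earlier and the “Operating System Conflicts” flag amount to in practice: it parses the first server reply of FTP, SSH and HTTP sessions from a few constructed banners, extracts the server string, derives an OS hint from vendor tokens, and reports a host whose banners disagree as a conflict rather than guessing. The banner list, the token table and the host layout are assumptions for illustration.

```python
"""Added example: what banner capture and OS-conflict detection look like.

Illustration only, not Cisco's code and not FTD's fingerprinting logic.
The banners below are constructed; the OS token table is a small assumption.
"""
import re

# Constructed banners: (host IP, TCP port, first bytes the server sent), as
# a passive sensor would see them on cleartext protocols.
SAMPLE_BANNERS = [
    ("10.0.0.10", 21, "220-FileZilla Server 0.9.60 beta\r\n220 Please visit https://filezilla-project.org/\r\n"),
    ("10.0.0.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Win64) OpenSSL/1.1.1c\r\nContent-Type: text/html\r\n\r\n"),
    ("10.0.0.11", 22, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"),
    ("10.0.0.12", 22, "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"),
    ("10.0.0.12", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Win32)\r\n\r\n"),
]

# Vendor tokens that commonly appear in banners and the OS family they imply
# (assumed table; a real product uses a much larger fingerprint database).
OS_TOKENS = [("Win64", "Windows"), ("Win32", "Windows"),
             ("Ubuntu", "Linux"), ("Debian", "Linux"), ("FreeBSD", "FreeBSD")]


def parse_banner(port, banner):
    """Return (server_string, os_hint) extracted from one captured banner.
    Either value is None when the banner does not carry it."""
    server = None
    if port == 21:                       # FTP greeting: "220[ -]<text>"
        m = re.match(r"220[ -](.+)", banner)
        server = m.group(1).strip() if m else None
    elif port == 22:                     # SSH identification string (sent before encryption starts)
        m = re.match(r"SSH-\d\.\d-([^\r\n]+)", banner)
        server = m.group(1).strip() if m else None
    elif port == 80:                     # HTTP response header "Server:"
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                server = line.split(":", 1)[1].strip()
                break
    os_hint = next((family for token, family in OS_TOKENS if token in banner), None)
    return server, os_hint


def build_host_table(banners):
    """Aggregate banners per host. If banners from different services imply
    different OS families, the host is reported as a conflict, not a guess."""
    hosts = {}
    for ip, port, banner in banners:
        entry = hosts.setdefault(ip, {"servers": {}, "os_hints": set()})
        server, os_hint = parse_banner(port, banner)
        if server:
            entry["servers"][port] = server
        if os_hint:
            entry["os_hints"].add(os_hint)
    for entry in hosts.values():
        hints = sorted(entry["os_hints"])
        if len(hints) == 1:
            entry["os"] = hints[0]
        elif hints:
            entry["os"] = "conflict: " + ", ".join(hints)
        else:
            entry["os"] = "unknown"
    return hosts


if __name__ == "__main__":
    for ip, entry in sorted(build_host_table(SAMPLE_BANNERS).items()):
        print(ip, "OS:", entry["os"])
        for port, server in sorted(entry["servers"].items()):
            print("  ", port, server)
```

The conflict case (10.0.0.12 above) is the one to watch for in the Network Map: an SSH banner claiming Debian next to an HTTP server compiled for Win32 usually means a NAT device, a load balancer, or a host running a service in a VM or container, and it is the kind of entry you resolve by hand with “Edit Operating System” once you know which it is.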

The Servers section lists the services the host listens on, with the details of each service; for example, FileZilla FTP Server and Apache HTTP Server are displayed here.

The Applications section shows which applications have been detected on the host.

The Scan Results section shows information actively retrieved by Nmap. It is displayed only when an Nmap scan has already been run against the host.
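To make the profile check mentioned at the start of this lesson concrete, here is an added example (not Cisco's code, and not how FMC stores scan results or host profiles): it parses a constructed Nmap XML result of the kind `nmap -sV -O -oX` writes, builds a per-host view of MAC address, operating system and open ports, and reports the hosts that violate a hypothetical host profile (an allow list of ports and OS families plus a deny list of cleartext services). The XML sample and the PROFILE structure are assumptions for illustration.

```python
"""Added example: compare Nmap active-scan results against a host profile.

Illustration code, not Cisco's. The Nmap XML below is constructed for the
example, and PROFILE is a hypothetical allow/deny list, not FMC's host
profile or compliance white list format.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's own XML output format (as from `nmap -sV -O -oX -`).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="FileZilla ftpd" version="0.9.60"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2016" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="88"/>
      <osmatch name="Linux 5.4" accuracy="90"/>
    </os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac": str|None, "os": str|None, "open_ports": {(proto, port): service}}}
    for every host Nmap reports as up. Only open ports are kept; filtered/closed are ignored."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        # Nmap may list several OS guesses; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy")), default=None)
        open_ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[ip] = {"mac": mac,
                     "os": best.get("name") if best is not None else None,
                     "open_ports": open_ports}
    return hosts


# Hypothetical host profile for this segment (an assumption, not an FMC object):
# expected OS families, listening ports that are allowed, and cleartext
# services that must never appear.
PROFILE = {
    "allowed_os_keywords": ("Linux", "Windows Server"),
    "allowed_ports": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "forbidden_ports": {("tcp", 21), ("tcp", 23)},
}


def check_profile(hosts, profile=PROFILE):
    """Return {ip: [violation, ...]} for each host that breaks the profile."""
    violations = {}
    for ip, info in hosts.items():
        problems = []
        os_name = info["os"] or ""
        if not any(k in os_name for k in profile["allowed_os_keywords"]):
            problems.append(f"unexpected OS: {os_name or 'unknown'}")
        for (proto, port), svc in sorted(info["open_ports"].items()):
            if (proto, port) in profile["forbidden_ports"]:
                problems.append(f"forbidden service {svc} on {proto}/{port}")
            elif (proto, port) not in profile["allowed_ports"]:
                problems.append(f"unexpected service {svc} on {proto}/{port}")
        if problems:
            violations[ip] = problems
    return violations


if __name__ == "__main__":
    for ip, problems in sorted(check_profile(parse_nmap_xml(SAMPLE_NMAP_XML)).items()):
        print(ip)
        for p in problems:
            print("  -", p)
```

Note that a filtered port (3389 on 10.0.0.11) is deliberately not treated as a listening service: a firewall in the path can hide a service from the scanner, so an active-scan result is evidence of what was reachable from the scanning host, not a complete inventory.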

Nmap for Active Discovery

In “Policies -> Actions -> Scanners”, you can configure a new Nmap instance with specific scan parameters and use it to scan a range of IP addresses.

Enable NMAP Active Scan