The network discovery policy on the Firepower Management Center
controls how the system collects data on your organization’s network assets and
which network segments and ports are monitored.
In a multidomain
deployment, each leaf domain has an independent network discovery policy.
Network discovery policy rules and other settings cannot be shared, inherited,
or copied between domains. Whenever you create a new domain, the system creates
a network discovery policy for the new domain, using default settings. You must
explicitly apply any desired customizations to the new policy.
Discovery rules within the policy specify which networks and
ports the Firepower System monitors to generate discovery data based on network
data in traffic, and the zones to which the policy is deployed. Within a rule,
you can configure whether hosts, applications, and non-authoritative users are
discovered. You can create rules to exclude networks and zones from discovery.
You can configure discovery of data from NetFlow exporters and restrict the
protocols for traffic where user data is discovered on your network.
The network discovery policy has a single default rule in place, configured to discover applications from all observed traffic. The rule does not exclude any networks, zones, or ports; host and user discovery are not configured; and the rule is not configured to monitor a NetFlow exporter. This policy is deployed by default to any managed devices when they are registered to the Firepower Management
Center. To begin collecting host or user data, you must add or modify discovery rules and re-deploy the policy to a device.
If you want to adjust the scope of network
discovery, you can create additional discovery rules and modify or remove the
Remember that the access control policy for each managed device
defines the traffic that you permit for that device and, therefore, the traffic
you can monitor with network discovery. If you block certain traffic using
access control, the system cannot examine that traffic for host, user, or
application activity. For example, if an access control policy blocks access to
social networking applications, the system cannot provide any discovery data on
If you enable traffic-based user detection in your discovery
rules, you can detect non-authoritative users through user login activity in
traffic over a set of application protocols. You can disable discovery in
particular protocols across all rules if needed. Disabling some protocols can
help avoid reaching the user limit associated with your
model, reserving available user count for users from the other protocols.
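The following is an added example, not Cisco code and not the Firepower API, that models the rule semantics described above: the default rule that discovers only applications from all traffic, additional rules scoped by network, zone and port that turn on host, application and user discovery, exclude rules, the fact that traffic blocked by access control is never examined for discovery, and the policy-wide list of protocols in which traffic-based user discovery is disabled. The rule fields, the sample policy and the sample flows are constructed assumptions used only to show how these settings combine.

```python
"""Toy model of network discovery rule evaluation (illustrative, not Firepower code).

Every class, field and sample value here is an assumption constructed for the
example; the real product exposes these settings through its own UI and does
not use this data model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class DiscoveryRule:
    networks: list                                  # CIDR strings; empty = any network
    zones: set = field(default_factory=set)         # empty = any zone
    ports: set = field(default_factory=set)         # empty = any destination port
    exclude: bool = False                           # exclude rule: matching traffic yields no data
    hosts: bool = False                             # discover hosts
    applications: bool = False                      # discover applications
    users: bool = False                             # discover non-authoritative users from logins


@dataclass
class DiscoveryPolicy:
    rules: list
    disabled_user_protocols: set = field(default_factory=set)  # applies across all rules


@dataclass
class Flow:
    src: str
    dst: str
    zone: str
    dst_port: int
    app_protocol: str                 # e.g. "LDAP", "POP3", "HTTPS"
    login_user: Optional[str] = None  # username seen in a login exchange, if any


def rule_matches(rule: DiscoveryRule, flow: Flow) -> bool:
    """A rule matches when the flow touches one of its networks (either endpoint),
    is in one of its zones, and targets one of its ports; empty sets mean 'any'."""
    if rule.networks:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if not any(src in ip_network(n) or dst in ip_network(n) for n in rule.networks):
            return False
    if rule.zones and flow.zone not in rule.zones:
        return False
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    return True


def evaluate(policy: DiscoveryPolicy, flow: Flow, allowed_by_access_control: bool = True) -> set:
    """Return the discovery data types produced for one flow: a subset of
    {"host", "application", "user"}."""
    if not allowed_by_access_control:
        return set()            # traffic blocked by access control is never examined
    matched = [r for r in policy.rules if rule_matches(r, flow)]
    if any(r.exclude for r in matched):
        return set()            # an exclude rule removes the traffic from discovery
    out = set()
    for r in matched:
        if r.hosts:
            out.add("host")
        if r.applications:
            out.add("application")
        if (r.users and flow.login_user
                and flow.app_protocol not in policy.disabled_user_protocols):
            out.add("user")     # user discovery needs a login and an enabled protocol
    return out


# The out-of-the-box policy: one rule, applications only, no exclusions.
DEFAULT_POLICY = DiscoveryPolicy(rules=[DiscoveryRule(networks=[], applications=True)])

# A customized policy (constructed): keep the default rule, add full discovery
# for the internal /8 in the "inside" zone, exclude a lab segment, and disable
# user discovery in mail protocols to conserve the user count.
CUSTOM_POLICY = DiscoveryPolicy(
    rules=[
        DiscoveryRule(networks=[], applications=True),
        DiscoveryRule(networks=["10.0.0.0/8"], zones={"inside"},
                      hosts=True, applications=True, users=True),
        DiscoveryRule(networks=["10.99.0.0/16"], exclude=True),
    ],
    disabled_user_protocols={"POP3", "IMAP"},
)

# Constructed sample flows.
FLOW_LDAP = Flow("10.1.2.3", "10.1.2.10", "inside", 389, "LDAP", login_user="alice")
FLOW_POP3 = Flow("10.1.2.3", "203.0.113.5", "inside", 110, "POP3", login_user="alice")
FLOW_LAB = Flow("10.99.1.5", "10.99.1.9", "inside", 22, "SSH")
FLOW_DMZ = Flow("192.168.5.5", "192.168.5.9", "dmz", 443, "HTTPS")

if __name__ == "__main__":
    for name, flow in [("ldap", FLOW_LDAP), ("pop3", FLOW_POP3),
                       ("lab", FLOW_LAB), ("dmz", FLOW_DMZ)]:
        print(name, "default:", evaluate(DEFAULT_POLICY, flow),
              "custom:", evaluate(CUSTOM_POLICY, flow))
    print("ldap blocked by access control:",
          evaluate(CUSTOM_POLICY, FLOW_LDAP, allowed_by_access_control=False))
```

Running the script shows why the default policy alone never yields host or user data, why the excluded lab segment and the access-control-blocked flow produce nothing at all, and why the POP3 login still generates host and application data but no user record once that protocol is disabled for user discovery.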
Advanced network discovery settings allow you to manage what
data is logged, how discovery data is stored, what indications of compromise
(IOC) rules are active, what vulnerability mappings are used for impact
assessment, and what happens when sources offer conflicting discovery data. You
can also add sources for host input and NetFlow exporters to monitor.