Each host profile provides basic information about a detected
host or other device.
Descriptions of each of the basic host profile fields follow.
associated with the host.
All IP addresses (both IPv4 and IPv6) associated with the host.
The system detects IP addresses associated with hosts and, where supported,
groups multiple IP addresses used by the same host. IPv6 hosts often have at
least two IPv6 addresses (local-only and globally routable), and may also have
IPv4 addresses. IPv4-only hosts may have multiple IPv4 addresses.
The host profile lists all detected IP addresses associated with
that host. Where available, routable host IP addresses also include a flag icon
and country code indicating the geolocation data associated with that address.
Note that only the first three addresses are shown by default.
show all to show all addresses for a host.
The fully qualified domain name of the host, if known.
The NetBIOS name of the host, if available. Microsoft Windows
hosts, as well as Macintosh, Linux, or other platforms configured to use
NetBIOS, can have a NetBIOS name. For example, Linux hosts configured as Samba
servers have NetBIOS names.
the reporting device for the network where the host resides, as
defined in the network discovery policy, or
the device that processed the NetFlow data that added the host
to the network map
The number of network hops between the device that detected the host
and the host itself follows the device name, in parentheses. If multiple
devices can see the host, the reporting device is displayed in bold.
If this field is blank, either:
the host was added to the network map by a device that is not explicitly monitoring the network where the host resides, as
defined in the network discovery policy, or
the host was added using the host input feature and has not also been detected by the Firepower System.
The host’s detected MAC address or addresses and associated NIC vendors, with the NIC’s hardware vendor and current time-to-live
(TTL) value in parentheses.
If multiple devices detected the host, the Firepower Management Center displays all MAC addresses and TTL values associated with the host, regardless of which device reported them.
If the MAC address is displayed in bold font, the MAC address is the actual/true/primary MAC address of the host, definitively
tied to the IP address by detection through ARP and DHCP traffic.
MAC addresses that are not displayed in bold font are secondary addresses, which cannot be definitively associated with the
IP address of the host. For example, since the Firepower device can obtain MAC addresses only for hosts on its own network
segments, if traffic originates from a network segment to which the Firepower device is not directly connected, the observed
MAC address (i.e. the router MAC address) will be displayed as a secondary MAC address for the host.
The type of device that the system detected: host, mobile
device, jailbroken mobile device, router, bridge, NAT device, or load balancer.
The methods the system uses to distinguish network devices
the analysis of Cisco Discovery Protocol (CDP) messages, which
can identify network devices and their type (Cisco devices only)
the detection of the Spanning Tree Protocol (STP), which
identifies a device as a switch or bridge
the detection of multiple hosts using the same MAC address,
which identifies the MAC address as belonging to a router
the detection of TTL value changes from the client side, or TTL
values that change more frequently than a typical boot time, which identify NAT
devices and load balancers
The methods the system uses to distinguish mobile devices
analysis of User-Agent strings in HTTP traffic from the mobile
device’s mobile browser
monitoring of HTTP traffic of specific mobile applications
If a device is not identified as a network device or a mobile
device, it is categorized as a host.
The date and time that any of a host’s IP addresses was last
The user most recently logged into this host.
Note that a non-authoritative user logging into a host only
registers as the current user on the host if the existing current user is not
an authoritative user.
Links to views of connection, discovery, malware, and intrusion
event data, using the default workflow for that event type and constrained to
show events related to the host; where possible, these events include all IP
addresses associated with the host.