Fulfilling Prerequisites – Cisco Network Discovery Policy
Fulfilling Prerequisites
Before you begin configuring a network discovery rule, consider the following issues:
- If you want to discover certain subnets or ports, do not use an access control rule or a prefilter rule to trust connections from those subnets or ports. Trusted connections are not subject to deep inspection or discovery, so discovery yields no detailed information about them.
- Secure Firewall uses the Adaptive Profiles option to perform application control. This option enhances the detection capabilities of a threat defense. The Adaptive Profile Updates option leverages service metadata to help a threat defense determine whether a particular intrusion rule is pertinent to an application running on a particular host and whether the rule should be enabled. To ensure superior detection, this option should always be enabled. You can verify the configuration status in the Advanced tab of an access control policy, under Detection Enhancement Settings (see Figure 9-5).
Figure 9-5 Adaptive Profiles Setting for an Access Control Policy
Configurations
In the following section, you first learn the options to create reusable objects for network resources. Then you learn the steps to configure a network discovery policy using predefined objects. To demonstrate the impact of an intermediate networking device representing multiple internal hosts, a router has been placed between the threat defense and the LAN switch in the topology.
Figure 9-6 shows the topology that is used in the lab exercise of this chapter to demonstrate the configuration of a network discovery policy. Here, a router performs Network Address Translation (NAT). It translates all the end-user traffic from the 192.168.1.0/24 subnet to the IP address 172.16.100.110. The following lab exercise shows how to exclude this translated address from monitoring in a network discovery policy.
Figure 9-6 Lab Topology to Demonstrate the Operation of a Network Discovery Policy
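The first prerequisite and the NAT exclusion above can be checked offline before touching the policy. The following Python sketch is an added example, not code from the book or from Cisco: the rule names, the 172.16.100.0/24 discovery network, and the dictionary layout are assumptions constructed for illustration; only 172.16.100.110 comes from the lab topology.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed sample data (assumptions, not exported from a device).
# An empty port set means "any port".
TRUST_RULES = [
    {"name": "trust-backup", "policy": "access-control",
     "src": "172.16.100.0/25", "ports": {873}},
    {"name": "pf-voip", "policy": "prefilter",
     "src": "10.20.0.0/16", "ports": set()},
]
DISCOVERY_RULES = [
    {"action": "discover", "net": "172.16.100.0/24", "ports": set()},
    {"action": "exclude", "net": "172.16.100.110/32"},  # NAT address in the lab
]

def ports_overlap(a, b):
    """Two port sets overlap if either is 'any' or they share a port."""
    return not a or not b or bool(a & b)

def trust_conflicts(trust_rules, discovery_rules):
    """Trust rules that would hide traffic the plan wants discovered."""
    hits = []
    for d in discovery_rules:
        if d["action"] != "discover":
            continue
        dnet = ip_network(d["net"])
        for t in trust_rules:
            if (ip_network(t["src"]).overlaps(dnet)
                    and ports_overlap(t["ports"], d.get("ports", set()))):
                hits.append((t["policy"], t["name"], str(dnet)))
    return hits

def monitored_networks(discovery_rules):
    """Discover networks with every excluded network carved out."""
    nets = [ip_network(d["net"]) for d in discovery_rules if d["action"] == "discover"]
    for ex in (ip_network(d["net"]) for d in discovery_rules if d["action"] == "exclude"):
        kept = []
        for n in nets:
            if ex.subnet_of(n):
                kept.extend(n.address_exclude(ex))  # split around the exclusion
            elif not n.subnet_of(ex):
                kept.append(n)                      # untouched by this exclusion
        nets = kept
    return list(collapse_addresses(nets))

def is_monitored(ip, discovery_rules):
    return any(ip_address(ip) in n for n in monitored_networks(discovery_rules))

if __name__ == "__main__":
    for policy, name, net in trust_conflicts(TRUST_RULES, DISCOVERY_RULES):
        print(f"{policy} rule '{name}' trusts traffic inside discovery network {net}")
    print("NAT address monitored:", is_monitored("172.16.100.110", DISCOVERY_RULES))
```

Any conflict reported here means the trusted portion of that network will produce no host or application data, regardless of what the discovery rule says.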