Network Discovery is a subscription service that enables the Firebox to discover devices on your internal networks and display them on a network map in Fireware Web UI. The Network Discovery map is organized by your Firebox interfaces and networks.
You can see this information for each device on your network:
- IP address
- Device name and host name
- MAC address
- Operating system and services
- Open network ports
- Mobile Security devices and mobile compliance status
You can remember specific devices on your network map, and customize descriptive details for each device.
You can also specify devices as an Approved Device to indicate known devices on your network and help you identify rogue devices.
Network Discovery is only available from Fireware Web UI, and requires Fireware OS v11.11 or higher and a Network Discovery security subscription. Network Discovery is only supported on Firebox M Series, T Series, FireboxV, and XTMv devices.
For more information about the Dashboard > Network Discovery page, see Network Discovery.
Enable Network Discovery
To enable Network Discovery, from Fireware Web UI:
- Select Subscription Services > Network Discovery.
The Network Discovery page appears.
- Select the Enable Network Discovery check box.
A confirmation message appears.
- Click Yes.
- Click Save.
When you enable the Network Discovery feature on your Firebox, the process load increases and consumes additional memory. This could noticeably affect the performance of your Firebox, particularly if you have a large network. Make sure to only enable the Network Discovery feature if you plan to use it. To help minimize the performance impact on your Firebox, WatchGuard recommends that you configure the Network Discovery Scan settings to only scan the networks that you must monitor.
Network Discovery Scan
Before you can display the Network Discovery map, you must configure your network discovery scan settings and perform a scan of your Firebox interfaces and networks. To configure and perform a network scan, from Fireware Web UI, select Subscription Services > Network Discovery.
To update the information in the Network Map, you can run a manual scan. Click Scan Now. For more information about network scan options, see Network Discovery Scan.
View the Network Map
To see the Network Map, from Fireware Web UI, select Dashboard > Network Discovery.
The map is organized by Firebox interfaces, networks, and devices.
On the Network Map tab, you can:
- Select a specific device
- Click a link to see the device activity in FireWatch or Traffic Monitor
- Remember the device to add a description and save the device details in the map
To filter the information that appears in the Network Map, you can use the Search feature. This can be helpful if you have a large network with many devices, and you only want to see specific types of devices or a specific device status.
To run a search:
- At the top of the Network Discovery page, click Search.
The Search dialog box appears.
- From the Search for devices by drop-down list, select a filter option and specify the filter details for the filter option you select:
  - Approval Status — The approval status of a device. You can select Approved Device or Non-Approved Device. For more information, see Approved Device.
  - Compliance Status — The compliance status for mobile devices. You can select Passed, Failed, or Unknown. For more information, see About Mobile Security and Configure Mobile Security Device Compliance.
  - Device Name — The device name configured in the device details. If there is no device name, search results return the host name or IP address.
  - Device Status — The device status. You can select New Device, Updated Device, FireClient Connected, FireClient Disconnected, Send traffic in the last two hours, or Not sent traffic in the last two hours.
  - Device Type — The type of device (if detected). For example, a mobile device can be detected as an iPhone or Android device. You can select Android Device, Android Phone, Android Tablet, iOS Device, iPad, iPhone, or Undefined.
  - Discovered By — The method used to discover a device when the network scan runs. You can select Network Scanning, DHCP Detection, Exchange Monitoring, HTTP Detection, SSL VPN Detection, IKE Detection, or Mobile Security.
  - FireClient UUID — The UUID of mobile devices with FireClient installed.
  - Host Name — The host name of a device.
  - IP Address — The IP address of a device.
  - Known/Unknown Status — The known status of a device. You can select Known Device or Unknown Device.
  - Last Seen — The date on which a device was last detected in a network scan.
  - MAC Address — The MAC address of a device.
  - Open Port — Search for a specific open port number on your devices.
  - OS Version — The operating system version on a device. You can search on the type of OS, for example, Microsoft Windows or Linux, or on the numbered version, for example 8.1.
  - User Name — The authenticated user name, if a user is authenticated to a device.
- Click OK.
On the Device List tab, you can see and manage a list of all the devices in your Network Map.
For each device in the Device List, you can see these details:
- Device — The name of the device. This can be a host name or an IP address if the device name is not defined.
- IP Address — The IP address of the device. A device can have multiple IP addresses depending on the type of device.
- Device Type — If available, the type of device is displayed. For example, a mobile device can be detected as an iPhone or Android device.
- OS Version — The detected OS version of the device.
- Last Seen — Indicates the last time this device was online during a network scan.
- Approved Device — Indicates whether the Approved Device designation is enabled in the device details. An Approved Device is a known device on your network. An Approved Device also persists in the network map, even when it is offline; an offline Approved Device appears in the Idle Devices section of the network map.
Not all device details can always be detected and shown in the Network Map. For example, the Device Type or OS Version does not appear if it cannot be determined.
See Device Information
To see more information about a device on your network, from the Device List, you can click the link for a device and open the device information dialog box, which includes these tabs and options:
From the Details tab, you can:
- See the device activity in FireWatch or Traffic Monitor.
- Remember the device to add a description and save the device details in the map.
From the Device Groups tab, you can view any device groups that this device belongs to.
Predefined device groups include:
- Approved — Devices that are designated as Approved Devices.
- Any-Mobile — Device group for all mobile devices.
- Any-iOS — Device group for all Apple iOS devices.
- Any-Android — Device group for all Android devices.
The Any-Mobile, Any-iOS, and Any-Android groups can be used in the From and To sections of policies and in aliases. For more information, see Use Device Groups in Policies and Aliases.
From the Scanned Ports tab, you can view information about which ports were scanned on the device.
- Port — The port number.
- Protocol — The protocol in use on the port. For example, TCP or UDP.
- State — The current state of the port.
- Service — The name of the service running on the port.
- Version — The service version is displayed if detected.
To more easily identify devices that frequently connect to your network, you can add details to the description of a device. The details you add are saved in the map configuration.
To add details for a device, click Remember Device. You can specify a Name and Description, and make this device an Approved Device.
To remove the device details of a device you have remembered, click Forget Device.
An Approved Device enables you to keep track of known devices on your network. The Approved Device designation also enables remembered devices to be persistent in the Network Map, even when the device is offline. When an approved device is offline, it appears in the Idle Devices section of the map.
You can use this feature to identify the devices on your network that are known and approved devices. For example, after a Network Scan, you might find that there are four HTTP web servers on your network, but only three of them are known official web servers. The other server is an unknown rogue server that can introduce vulnerabilities to your network. You can select the Approved Device option for your three known HTTP web servers so that you know which devices are known and which are rogue devices in your Network Map.
Previously detected devices in the Network Map expire and are removed from the map when:
- A new manual or scheduled scan does not discover the device
- No manual or scheduled scan is performed after 7 days
- Mobile devices are considered offline if no traffic is detected for more than 2 hours and will expire after 7 days
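The rogue web server scenario and the expiry rules above, implemented over constructed device records as an added example (not WatchGuard code and not a Firebox API; the field names, the HTTP port set and the sample records are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Field names, the HTTP port set and all sample records are constructed for this
# example; nothing here is read from a Firebox.
@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    open_ports: frozenset
    last_seen: datetime        # last scan or traffic that saw the device
    approved: bool = False     # Approved Device designation
    mobile: bool = False       # detected via Mobile Security traffic, not a port scan

HTTP_PORTS = frozenset({80, 443, 8080, 8443})   # assumption: ports that mark a web server
MOBILE_OFFLINE = timedelta(hours=2)             # page: no traffic for more than 2 hours
EXPIRY = timedelta(days=7)                      # page: devices expire after 7 days

def rogue_http_servers(devices):
    """Web servers without the Approved Device designation (the page's 4-vs-3 scenario)."""
    return sorted(d.ip for d in devices if d.open_ports & HTTP_PORTS and not d.approved)

def classify_map(devices, seen_this_scan, last_scan, now):
    """Sort devices into active / idle / expired using the expiry rules on this page.
    seen_this_scan: set of MACs discovered by the most recent manual or scheduled scan."""
    buckets = {"active": [], "idle": [], "expired": []}
    for d in devices:
        if d.mobile:                       # traffic-based lifecycle
            age = now - d.last_seen
            b = "expired" if age > EXPIRY else "idle" if age > MOBILE_OFFLINE else "active"
        elif now - last_scan > EXPIRY:     # no scan performed for 7 days
            b = "expired"
        elif d.mac in seen_this_scan:
            b = "active"
        else:                              # missed by the latest scan: approved devices
            b = "idle" if d.approved else "expired"   # persist in Idle Devices, others drop
        buckets[b].append(d.mac)
    return buckets

NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [  # constructed: four web servers (three approved) and one phone
    Device("00:11:22:33:44:01", "10.0.1.10", frozenset({22, 443}), NOW, approved=True),
    Device("00:11:22:33:44:02", "10.0.1.11", frozenset({80, 443}), NOW, approved=True),
    Device("00:11:22:33:44:03", "10.0.1.12", frozenset({443}), NOW - timedelta(days=1), approved=True),
    Device("00:11:22:33:44:04", "10.0.1.99", frozenset({80}), NOW),
    Device("00:11:22:33:44:05", "10.0.2.50", frozenset(), NOW - timedelta(hours=3), mobile=True),
]
LATEST_SCAN = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"}  # web3 was offline

if __name__ == "__main__":
    print("rogue web servers:", rogue_http_servers(SAMPLE))
    print(classify_map(SAMPLE, LATEST_SCAN, last_scan=NOW, now=NOW))
```

With an empty `seen_this_scan`, the three approved servers move to Idle Devices while the unapproved one is removed, which is the persistence behaviour the Approved Device section describes.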