Network Discovery

Network Discovery is a subscription service that enables the Firebox to discover devices on your internal networks and show them on a network map in Fireware Web UI. The Network Discovery map is organized by your Firebox interfaces and networks.

You can see this information for each device on your network:

  • IP address
  • Device name and host name
  • MAC address
  • Operating system and services
  • Open network ports
  • Mobile Security devices and mobile compliance status

You can remember specific devices on your network map, and customize descriptive details for each device.

You can also specify any device as an Approved Device to indicate known devices on your network and help you identify rogue devices.

Network Discovery is only available from Fireware Web UI, and requires Fireware OS v11.11 or higher and a Network Discovery security subscription. Network Discovery is only supported on Firebox M Series, T Series, FireboxV, and XTMv devices.

For more information about the Dashboard > Network Discovery page, go to Network Discovery.

Enable Network Discovery

To enable Network Discovery, from Fireware Web UI:

  1. Select Subscription Services > Network Discovery.
    The Network Discovery page appears.
  2. Select the Enable Network Discovery check box.
    A confirmation message appears.
  3. Click Yes.
  4. Click Save.

When you enable the Network Discovery feature on your Firebox, the process load increases and consumes additional memory. This could noticeably affect the performance of your Firebox, particularly if you have a large network. Make sure to only enable the Network Discovery feature if you plan to use it. To help minimize the performance impact on your Firebox, we recommend that you configure the Network Discovery Scan settings to only scan the networks that you must monitor.

Network Discovery Scan

Before you can see devices on the Network Discovery map, you must configure your Network Discovery scan settings and run a scan of your Firebox interfaces and networks. To configure and run a network scan, from Fireware Web UI, select Subscription Services > Network Discovery.

To update the information in the Network Map, you can run a manual scan. Click Scan Now. For more information about network scan options, go to Network Discovery Scan.

View the Network Map

To see the Network Map, from Fireware Web UI, select Dashboard > Network Discovery.

Network Visibility - Network Map page

The map is organized by Firebox interfaces, networks, and devices.

On the Network Map tab, you can:

  • Select a specific device
  • Click a link to see the device activity in FireWatch or Traffic Monitor
  • Remember the device to add a description and save the device details in the map

Network Map - Device Details

Search

To filter the information that appears in the Network Map, you can use the Search feature. This can be helpful if you have a large network with many devices, and you only want to see specific types of devices or a specific device status.

To run a search:

  1. At the top of the Network Discovery page, click Search.
    The Search dialog box appears.

Screen shot of the Search dialog box filter options

  2. From the Search for devices by drop-down list, select a filter option and specify the filter details for the filter option you select:
    • Approval Status — The approval status of a device: Approved Device or Non-Approved Device.
      For more information, go to Approved Device.
    • Compliance Status — The compliance status for mobile devices: Passed, Failed, or Unknown.
      For more information, go to About Mobile Security and Configure Mobile Security Device Compliance.
    • Device Name — The device name configured in the device details. If there is no device name, search results return the host name or IP address.
    • Device Status — The device status: New Device, Updated Device, FireClient Connected, FireClient Disconnected, Send traffic in the last two hours, or Not sent traffic in the last two hours.
    • Device Type — The type of device (if detected): Android Device, Android Phone, Android Tablet, iOS Device, iPad, iPhone, or Undefined.
      For example, a mobile device can be detected as an iPhone or Android device.
    • Discovered By — The method used to discover a device when the network scan runs: Network Scanning, DHCP Detection, Exchange Monitoring, HTTP Detection, SSL VPN Detection, IKE Detection, or Mobile Security.
    • Fireclient UUID — The UUID of mobile devices with FireClient installed.
    • Host Name — The host name of a device.
    • IP Address — The IP address of a device.
    • Known/Unknown Status — The known status of a device: Known Device or Unknown Device.
    • Last Seen — The last time a device was detected in a network scan, based on the date.
    • MAC Address — The MAC address of a device.
    • Open Port — Search for a specific open port number on your devices.
    • OS Version — The operating system version on a device. You can search on the type of OS or the numbered version.
      For example, Microsoft Windows, Linux, or 8.1.
    • User Name — The authenticated user name, if the user is authenticated to a device.
  3. Click OK.

Device List

On the Device List tab, you can see and manage a list of all the devices in your Network Map.

Screen shot of the Device List page

For each device in the Device List, you can see these details:

  • Device — The name of the device. This can be a host name or an IP address if the device name is not defined.
  • IP Address — The IP address of the device. A device can have multiple IP addresses depending on the type of device.
  • Device Type — If available, the type of device is displayed. For example, a mobile device can be detected as an iPhone or Android device.
  • OS Version — The detected OS version of the device.
  • Last Seen — Indicates the last time this device was online during a network scan.
  • Approved Device — Indicates whether the Approved Device designation is enabled in the device details. An Approved Device is a known device on your network. An Approved Device is also persistent in the network map, even when it is offline; an offline Approved Device appears in the Idle Devices section of the network map.

Not all details of a device are always detected and shown in the Network Map. For example, the Device Type or OS Version does not appear if it was not detected.

See Device Information

To see more information about a device on your network, from the Device List, click the link for a device to open the device information dialog box.

The device information dialog box includes these tabs and options:

Device Details

From the Details tab, you can:

  • See the device activity in FireWatch or Traffic Monitor.
  • Remember the device to add a description and save the device details in the map.

Network Map - Device Details

Device Groups

From the Device Groups tab, you can see any device groups that this device belongs to.

Screen shot of the Device Groups tab

Predefined device groups include:

  • Approved — Devices that are designated as Approved Devices.
  • Any-Mobile — Device group for all mobile devices.
  • Any-iOS — Device group for all Apple iOS devices.
  • Any-Android — Device group for all Android devices.

The Any-Mobile, Any-iOS, and Any-Android groups can be used in the From and To lists of policies and in aliases. For more information, go to Use Device Groups in Policies and Aliases.

Scanned Ports

From the Scanned Ports tab, you can see information about which ports were scanned on the device.

  • Port — The port number.
  • Protocol — The protocol in use on the port. For example, TCP or UDP.
  • State — The current state of the port.
  • Service — The name of the service running on the port.
  • Version — The service version is displayed if detected.

Network Map - Device Details - Scanned Ports

Remember Device

To more easily identify devices that frequently connect to your network, you can add details to the description of a device. The details you add are saved in the map configuration.

To add details for a device:

  1. Click Remember Device.
    The Edit Device dialog box appears.

Network Map - Device Details - Approved Device

  2. Specify a Name and Description.
  3. To identify this device as known and approved, select the Approved Device check box.

To remove a device you have already specified as a remembered device, click Forget Device.

Approved Device

An Approved Device enables you to keep track of known devices on your network. The Approved Device designation also enables remembered devices to be persistent in the Network Map, even when the device is offline. When an approved device is offline, it appears in the Idle Devices section of the map.

You can use this feature to identify the devices on your network that are known and approved devices. For example, after a Network Scan, you might find that there are four HTTP web servers on your network, but only three of them are known, official web servers. The other server is an unknown rogue server that can introduce vulnerabilities to your network. You can select the Approved Device option for your three known HTTP web servers, so that you know which devices are known and which are rogue devices in your Network Map.

Device Expiration

Previously detected devices in the Network Map expire and are removed from the map when:

  • A new manual or scheduled scan does not discover the device
  • No manual or scheduled scan is performed after 7 days
  • A mobile device is considered offline if no traffic is detected from it for more than 2 hours, and it expires after 7 days
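The Approved Device allowlist and the expiration rules above, modelled as an added example over a constructed inventory. This is not WatchGuard code and not a Firebox API; the `Device` fields, the `rogue_devices` and `classify` functions, and the rule that mobile presence is judged by traffic rather than by the port scan are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SCAN_EXPIRY = timedelta(days=7)      # no scan (or, for mobile, no traffic) for 7 days -> expires
MOBILE_OFFLINE = timedelta(hours=2)  # a mobile device is offline after 2 h without traffic

@dataclass
class Device:
    ip: str
    open_ports: frozenset                     # (port, protocol) pairs, as on the Scanned Ports tab
    approved: bool = False                    # the Approved Device check box
    mobile: bool = False
    last_seen: Optional[datetime] = None      # most recent scan that discovered the device
    last_traffic: Optional[datetime] = None   # mobile devices: last traffic observed

def rogue_devices(devices, port, protocol="tcp"):
    """IPs that offer `port` but are not Approved: the 'four web servers, three known' case."""
    return sorted(d.ip for d in devices
                  if (port, protocol) in d.open_ports and not d.approved)

def classify(device, now, last_scan):
    """Return 'active', 'idle' or 'expired'. last_scan is when the latest scan ran (None if
    none has); a device was discovered by it when device.last_seen == last_scan. Approved
    devices never expire: when offline they become 'idle' (the Idle Devices section)."""
    if device.mobile and device.last_traffic is not None:
        # Assumption: mobile presence is judged by observed traffic, not by the port scan.
        silent = now - device.last_traffic
        if silent <= MOBILE_OFFLINE:
            return "active"
        return "idle" if (device.approved or silent <= SCAN_EXPIRY) else "expired"
    stale = last_scan is None or now - last_scan > SCAN_EXPIRY
    if not stale and device.last_seen == last_scan:
        return "active"
    return "idle" if device.approved else "expired"

# Constructed inventory (not Firebox output): three approved web servers and one unknown one.
NOW = datetime(2024, 1, 15, 12, 0)
SCAN = NOW - timedelta(hours=1)
WEB = frozenset({(80, "tcp"), (443, "tcp")})
INVENTORY = [
    Device("10.0.1.10", WEB, approved=True, last_seen=SCAN),
    Device("10.0.1.11", WEB, approved=True, last_seen=SCAN),
    Device("10.0.1.12", WEB, approved=True, last_seen=SCAN - timedelta(days=2)),  # offline -> idle
    Device("10.0.1.99", WEB | {(22, "tcp")}, last_seen=SCAN),                     # unknown HTTP server
    Device("10.0.1.50", frozenset({(22, "tcp")}), last_seen=SCAN - timedelta(days=1)),  # missed -> expired
    Device("10.0.2.20", frozenset(), mobile=True, last_traffic=NOW - timedelta(hours=3)),  # idle
    Device("10.0.2.21", frozenset(), mobile=True, last_traffic=NOW - timedelta(days=8)),   # expired
]
```

`rogue_devices(INVENTORY, 80)` returns only `10.0.1.99`, and `classify` keeps the offline approved server as idle while dropping the unapproved devices that the latest scan did not find.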