The discovery feature allows you to monitor network traffic and determine the number and types of hosts (including network devices) on your network, as well as the operating systems, active applications, and open ports on those hosts. You can also configure managed devices to monitor user activity on your network. You can use discovery data to perform traffic profiling, assess network compliance, and respond to policy violations.
In a basic deployment (discovery and simple, network-based access control only), you can improve a device's performance by following a few important guidelines when configuring its access control policy.

Note: You must use an access control policy, even if it simply allows all traffic. The network discovery policy can only examine traffic that the access control policy allows to pass.
First, make sure your access control policy does not require complex processing and uses only simple, network-based criteria to handle network traffic. You must implement all of the following guidelines; misconfiguring any one of these options eliminates the performance benefit:

- Do not use the Security Intelligence feature. Remove any populated global Block or Do Not Block list from the policy's Security Intelligence configuration.
- Do not include access control rules with Monitor or Interactive Block actions. Use only Allow, Trust, and Block rules. Keep in mind that allowed traffic can be inspected by discovery; trusted and blocked traffic cannot.
- Do not include access control rules with application, user, URL, ISE attribute, or geolocation-based network conditions. Use only simple network-based conditions: zone, IP address, VLAN tag, and port.
- Do not include access control rules that perform file, malware, or intrusion inspection. In other words, do not associate a file policy or intrusion policy with any access control rule.
- In the Advanced settings for the access control policy, make sure that Intrusion Policy used before Access Control rule is determined is set to No Rules Active.
- Select Network Discovery Only as the policy's default action. Do not choose a default action for the policy that performs intrusion inspection.
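The guidelines above, as an added example that is not part of this document or Cisco's own tooling: a Python audit that reads an access control policy as a dictionary and reports every guideline it breaks, so a misconfiguration that silently removes the performance benefit is caught before deployment. The dictionary layout and field names (securityIntelligence, blockList, action values such as MONITOR and NETWORK_DISCOVERY, ipsPolicy and the rest) loosely follow the Firepower Management Center REST API representation but are assumptions, not verified API names, and the sample policy is constructed.

```python
# Audit an access control policy export against the discovery-only guidelines.
# Constructed example: the dict layout loosely follows the FMC REST API access
# policy representation; field names are assumptions, not verified API names.

# Actions the guidelines permit; Monitor and Interactive Block variants are not.
ALLOWED_ACTIONS = {"ALLOW", "TRUST", "BLOCK", "BLOCK_RESET"}
# Rule conditions that go beyond zone, IP address, VLAN tag and port.
COMPLEX_CONDITIONS = ("applications", "users", "urls", "iseAttributes", "geolocations")
# Inspection policies that must not be attached to any rule.
INSPECTION_FIELDS = ("filePolicy", "ipsPolicy")


def audit_policy(policy):
    """Return the list of guideline violations; empty means the policy qualifies."""
    findings = []
    si = policy.get("securityIntelligence", {})
    if si.get("blockList") or si.get("doNotBlockList"):
        findings.append("Security Intelligence: global Block/Do Not Block list is populated")
    adv = policy.get("advanced", {})
    if adv.get("intrusionPolicyBeforeRuleDetermination", "No Rules Active") != "No Rules Active":
        findings.append("Advanced: intrusion policy before rule determination is not 'No Rules Active'")
    for rule in policy.get("rules", []):
        name, action = rule.get("name", "<unnamed>"), rule.get("action")
        if action not in ALLOWED_ACTIONS:
            findings.append(f"rule '{name}': action {action} is not Allow, Trust or Block")
        for field in COMPLEX_CONDITIONS:
            if rule.get(field):
                findings.append(f"rule '{name}': {field} condition is not network-based")
        for field in INSPECTION_FIELDS:
            if rule.get(field):
                findings.append(f"rule '{name}': {field} attached (file/intrusion inspection)")
    default = policy.get("defaultAction", {})
    if default.get("action") != "NETWORK_DISCOVERY":
        findings.append("default action is not Network Discovery Only")
    if default.get("intrusionPolicy"):
        findings.append("default action performs intrusion inspection")
    return findings


# Constructed sample policy that breaks three of the guidelines.
SAMPLE_POLICY = {
    "securityIntelligence": {"blockList": ["Global-Block-List"]},
    "advanced": {"intrusionPolicyBeforeRuleDetermination": "No Rules Active"},
    "rules": [
        {"name": "web-out", "action": "ALLOW", "sourceZones": ["inside"], "destinationPorts": ["HTTP"]},
        {"name": "watch-guests", "action": "MONITOR", "vlanTags": [200]},
        {"name": "servers", "action": "ALLOW", "sourceNetworks": ["10.0.0.0/8"], "ipsPolicy": "Balanced"},
    ],
    "defaultAction": {"action": "NETWORK_DISCOVERY"},
}
```

Running audit_policy(SAMPLE_POLICY) reports the populated Security Intelligence list, the Monitor rule, and the rule carrying an intrusion policy; an empty result means the policy meets all six guidelines.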
In conjunction with the access control policy, you can configure and deploy the network discovery policy, which specifies the network segments, ports, and zones that the system examines for discovery data, as well as whether hosts, applications, and users are discovered on those segments, ports, and zones.