FortiSIEM Discovery Range Definition Options

When you set the range definition for your discovery processes, several options are available for how you want the discovery process to run.

Discovery Type
Four types of scans are available for the discovery process.

Smart Scan: Smart Scan is an optimized search method in which only the live devices in the network are searched. To use Smart Scan, you first provide a root device (typically the first hop Layer 3 router). FortiSIEM then discovers the root device and learns of its first hop neighbors from the ARP table. These devices are then discovered using existing credentials, and their one hop neighbors are subsequently discovered. This continues until no more devices are discovered. Often a single Layer 3 router, switch, or firewall is sufficient to discover the entire network. However, if a firewall that can block SNMP is installed, then devices on either side of the firewall need to be provided as root devices. Smart Scan is usually faster than Range Scan, but in rare cases discovery can miss a device when it is quiet and not present in the ARP table of adjacent devices.

Range Scan (default): In contrast to Smart Scan, Range Scan is a brute force method in which FortiSIEM attempts to discover all the devices in the IP ranges you provide. With Range Scan, FortiSIEM will first attempt to ping a device, and if that succeeds, discovery will proceed.

AWS Scan: AWS Scan is used to discover devices in Amazon Web Services. See Discovering Amazon Web Services (AWS) Infrastructure for more information.

L2 Scan: L2 Scan is used to update the Layer 2 connectivity information used in the Identity and Location report. It does not discover system and application monitors, installed and running software, or users and groups, and, in contrast to the other scan methods, it does not update the CMDB and executes more quickly.

Root IPs
For Smart Scan only, provide the root IPs from which you want the Smart Scan to start.

Include/Exclude Domains (AWS Only)
Enter the domains you want to include or exclude from the discovery process.

Include/Exclude Zones (AWS Only)
Enter the zones you want to include or exclude from the discovery process.

Include/Exclude Ranges
Enter the IP addresses or host names you want to include or exclude from the discovery process.

Include/Exclude Device Types
Click the Edit icon to select devices that you want to include or exclude from the discovery process. Note that if you have entries for both of these options, the discovery process will prioritize included devices over excluded ones.

Do Not Ping Before Discovery
To save time, FortiSIEM first attempts to reach devices by ping before initiating discovery. You should select this option if ping has been disabled for your network, otherwise discovery will fail.

Ping Only Discovery
Select this option if you are only interested in discovering whether a device or service is up or down.

Only Discover Devices not in CMDB
If you select this option, discovery will only find those devices whose IP addresses do not match the address of any device in CMDB. To make an exception to this rule, specify a list of IP addresses in the Exclude Ranges field. The primary use case for this is indirect device discovery such as VCenter-based VM discovery, or WLAN controller-based access point discovery. By specifying the VCenter IP address in the Exclude Ranges field, new guest VMs can always be discovered even if the VCenter is already in the CMDB.

Include Powered Off VMs
By default, only powered on VMs are discovered.

Include VM Templates
By default, VM templates are not discovered.

Discover Routes
Selected by default. If you clear this option, discovery will not use the route table to find next hop devices. This can be useful if your network includes border routers, which can significantly impact the time required for the discovery process.
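The behaviour of the options above is easiest to see on a small simulated network. The following is an added example written for this page, not FortiSIEM code or any Fortinet API: it models Smart Scan as a breadth-first walk through ARP tables (showing how a firewall that blocks SNMP and a quiet host absent from every ARP table are missed unless supplied as roots), Range Scan with and without the ping check, and the "Only Discover Devices not in CMDB" filter with its Exclude Ranges exception. Every IP address, ARP table and CMDB entry in it is constructed.

```python
"""Simulated FortiSIEM-style discovery scoping (constructed example, not
FortiSIEM code). Models three behaviours from the option table:
  * Smart Scan: breadth-first walk from root IPs through each device's ARP
    table until no new devices appear; a firewall whose ARP table cannot be
    read over SNMP, or a quiet host present in no ARP table, stops the walk.
  * Range Scan with and without the ping check ("Do Not Ping Before Discovery").
  * "Only Discover Devices not in CMDB" with the Exclude Ranges exception.
All IP addresses, ARP tables and the CMDB contents are constructed.
"""
from collections import deque
import ipaddress

# Constructed network. snmp=False models a firewall that blocks SNMP, so its
# ARP table cannot be read; ping=False models a quiet host with ICMP disabled.
NETWORK = {
    "10.0.0.1": {"ping": True, "snmp": True,  "arp": ["10.0.0.2", "10.0.0.3", "10.0.1.1"]},
    "10.0.0.2": {"ping": True, "snmp": True,  "arp": ["10.0.0.1"]},
    "10.0.0.3": {"ping": True, "snmp": True,  "arp": ["10.0.0.1", "10.0.0.2"]},
    "10.0.0.9": {"ping": False, "snmp": True, "arp": []},                        # quiet host
    "10.0.1.1": {"ping": True, "snmp": False, "arp": ["10.0.1.2", "10.0.1.3"]},  # firewall
    "10.0.1.2": {"ping": True, "snmp": True,  "arp": ["10.0.1.1", "10.0.1.3"]},
    "10.0.1.3": {"ping": True, "snmp": True,  "arp": ["10.0.1.1"]},
}


def reachable(dev, do_ping):
    """Discovery proceeds only if the device answers ping, unless the
    'Do Not Ping Before Discovery' option (do_ping=False) is selected."""
    return dev is not None and (dev["ping"] or not do_ping)


def smart_scan(root_ips, network=NETWORK, do_ping=True):
    """Smart Scan: discover the roots, learn one-hop neighbours from each
    discovered device's ARP table, repeat until nothing new is found."""
    discovered, seen, queue = [], set(root_ips), deque(root_ips)
    while queue:
        ip = queue.popleft()
        dev = network.get(ip)
        if not reachable(dev, do_ping):
            continue
        discovered.append(ip)
        if not dev["snmp"]:            # reached, but its ARP table is unreadable
            continue
        for nbr in dev["arp"]:
            if nbr not in seen:
                seen.add(nbr)
                queue.append(nbr)
    return discovered


def range_scan(ranges, network=NETWORK, do_ping=True):
    """Range Scan: brute-force every address in the given CIDR ranges."""
    return [str(h) for rng in ranges
            for h in ipaddress.ip_network(rng, strict=False).hosts()
            if reachable(network.get(str(h)), do_ping)]


def only_not_in_cmdb(candidates, cmdb_ips, exclude_ranges=()):
    """'Only Discover Devices not in CMDB': drop addresses already in the CMDB,
    except those inside Exclude Ranges (e.g. a vCenter whose guest VMs must
    still be rediscovered)."""
    nets = [ipaddress.ip_network(r, strict=False) for r in exclude_ranges]

    def excepted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return [ip for ip in candidates if ip not in cmdb_ips or excepted(ip)]


if __name__ == "__main__":
    print("smart scan, one root:    ", smart_scan(["10.0.0.1"]))
    print("smart scan, both sides:  ", smart_scan(["10.0.0.1", "10.0.1.2"]))
    print("range scan with ping:    ", range_scan(["10.0.0.0/28"]))
    print("range scan, no ping:     ", range_scan(["10.0.0.0/28"], do_ping=False))
    print("not in CMDB w/ exception:",
          only_not_in_cmdb(["10.0.0.1", "10.0.0.2", "10.0.1.2"],
                           {"10.0.0.1", "10.0.1.2"}, ["10.0.1.2/32"]))
```

With a single root of 10.0.0.1 the Smart Scan stops at the firewall and never learns about 10.0.1.2 or 10.0.1.3; adding a root on the far side recovers them, while the quiet host 10.0.0.9 is only ever found by a Range Scan with the ping check disabled.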
This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
