Passive Discovery

Admin > Discovery > Discovery Settings > Passive Discovery tab.

Passive Discovery detects all devices on your corporate network. It listens for any devices that come online, once an ARP (Address Resolution Protocol) request is detected, it captures the device details on the subnet. Name resolution for discovered devices is carried out using NetBIOS and reverse DNS queries. The Operating System for the device can be discovered using OS Fingerprinting technology, if enabled for the network.

The results are reported back to the Discovered Devices view.

The self-election process is enabled when Detect devices as they connect to the network is enabled. The use of client self-electing services ensures that discovery is always on and always listening. A VPN check is initially carried out by detecting connected client VPN adapters, using case sensitive keywords. If a device is found to be connected to a VPN then the device does not take part in the self-election process, only devices on the corporate network are to be discovered. If devices can communicate with the corporate network, they self-organize and use a smart election process to elect which device listens and sends data back to Ivanti Neurons. If the devices can communicate with the elected device, they all trust each other. If the elected device goes offline, the self-organizing process identifies and elects a replacement device, so discovery is uninterrupted. The smart election process ranks available devices by configuration and ability to provide service, for example, more CPU cores or more free disk space.

flow diagram showing the CSEP decision process

Detect devices as they connect to the network: Select to enable passive discovery to listen for network traffic on the subnet to detect any connecting devices.

A device must be nominated to enable the Self-election process which runs in the background.

  • Device Name: Enter the name of a device on your corporate network. The self-elected device will contact this device to verify it is on your corporate network, so choose a device that will always be online and is only available in your corporate network, e.g. a domain controller.

  • Device IP: Enter the IP address of the device. The device is validated by confirming a ping on the device name that matches the IP address.

OS Detection: Enabled by default. Allows discovery to attempt to detect the OS and type of device being discovered. If disabled, it will prohibit OS and device type details from being detected for discovered devices.

OS Detection scans are done in batches of 5 simultaneously.

Important: OS Detection may generate false positives and trigger Intrusion Detection Systems (IDS) due to how the technology scans remote devices by sending TCP/UDP and ICMP probes to attempt to determine the operating system.

Deployment Representatives only: Select to only run passive discovery and OS detection from deployment representatives. Default setting is Off.

An increased volume of network traffic caused by OS detection can trigger internal security issues, this setting limits the traffic to only those devices that are dedicated deployment representatives. Security software can then be configured to allow these devices to perform scanning.

Ivanti Neurons Discovery uses NPCAP for ARP detection, and NMAP for OS detection, both require Admin permissions. If you select Deployment Representatives only then devices that are not deployment representatives will not have NPCAP or NMAP installed.

The Ivanti Neurons Agent must successfully check-in before these settings, or any changes you have made, will take effect.

Related topics

Discovery Troubleshooting