Discovery overview

Discovery identifies previously undetected network devices. It sends protocol-specific broadcast messages to devices and examines the replies. The sensor repeats this process at predefined intervals, transmitting different messages depending on the devices.

Discovery uses lightweight protocol-specific broadcast messages to identify network devices. These messages trigger a response from the devices, which includes identity information. The process is repeated at predefined intervals. At each interval, the sensor will identify the suitable network interfaces and send broadcast messages through them to discover devices on each subnetwork connected to the sensor.

On Arc, intervals are fixed at 5 minutes, while on Guardian the intervals start at 5 minutes and gradually increase to a maximum of 60 minutes. Discovery listens for replies on these ports:

  • UDP/48888 for most protocols
  • UDP/1911 for the Fox protocol
  • UDP/30718 for the SICK CoLa protocol
  • UDP/47808 for the BACnet protocol

Important:
For Discovery to work correctly, the firewall must allow communication over these ports.
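
One way to check the port requirement above before enabling Discovery. This is an added example, not part of the product or its documentation. It assumes the firewall in front of the sensor is a Linux host firewall whose rules are exported with iptables-save; the names audit, covers and SAMPLE are hypothetical, and the sample ruleset is constructed.

```python
import re

# Reply ports listed on this page (all UDP).
DISCOVERY_REPLY_PORTS = {48888: "most protocols", 1911: "Fox", 30718: "SICK CoLa", 47808: "BACnet"}
PORT_FLAGS = ("--dport", "--dports")
PLAIN_FLAGS = {"-A", "-p", "-m", "-j", "--reject-with", *PORT_FLAGS}

# Constructed iptables-save excerpt, not taken from a real sensor or firewall.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 48888 -j ACCEPT
-A INPUT -p udp -m multiport --dports 1911,30718 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

def covers(spec, port):
    """True if '1911', '47808:47810' or '1911,30718' includes port."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def audit(ruleset, chain="INPUT"):
    """Map each reply port to the first unconditional verdict in chain."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        if (m := re.match(rf":{chain} (\w+)", line)):
            policy = m.group(1)  # chain default, used when no rule decides
        elif line.startswith(f"-A {chain} "):
            tok = line.split()
            opts = {f: v for f, v in zip(tok, tok[1:]) if f.startswith("-")}
            opts.update({"!": "negated"} if "!" in tok else {})
            rules.append(opts)
    result = dict.fromkeys(DISCOVERY_REPLY_PORTS, policy)
    for port in result:
        for o in rules:
            # Skip conditional rules (-s, -i, --ctstate, negation), other protocols, jumps.
            if (set(o) - PLAIN_FLAGS or o.get("-p", "udp") not in ("udp", "all")
                    or o.get("-m", "udp") not in ("udp", "multiport")
                    or o.get("-j") not in ("ACCEPT", "DROP", "REJECT")):
                continue
            spec = next((o[f] for f in PORT_FLAGS if f in o), None)
            if spec is None or covers(spec, port):
                result[port] = o["-j"]
                break
    return result

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE).items():
        print(f"UDP/{port} ({DISCOVERY_REPLY_PORTS[port]}): {verdict}")
```

Because only unconditional rules are evaluated, the verdict describes a reply from an arbitrary device on the subnet; rules restricted by source address or interface need a manual look.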

Discovery and Smart Polling

Discovery and Smart Polling complement each other to ensure that devices are safely detected and enriched for accurate profiling and risk assessment, without impacting network stability. Discovery identifies devices on the network, while Smart Polling uses protocol-specific, low-impact methods to retrieve firmware versions, configurations, potential vulnerabilities, and other details that are not available through traffic monitoring.