Learn how to configure Secret Server's automated discovery engine to scan networks for routers, switches, firewalls, and other infrastructure devices, then vault their credentials securely.
Understand the architecture and flow before you configure anything.
Secret Server's Discovery engine automates the detection and onboarding of accounts on network infrastructure: routers, switches, load balancers, wireless controllers, and firewalls. Instead of manually entering every device credential, Discovery scans IP ranges via SSH or Telnet, fingerprints each device, and surfaces detected accounts so they can be imported directly into the vault.
| Vendor / Platform | Protocol | Built-in Scanner |
|---|---|---|
| Cisco IOS / IOS-XE / NX-OS | SSH / Telnet | ✅ Yes |
| Cisco ASA Firewall | SSH | ✅ Yes |
| Juniper JunOS | SSH | ✅ Yes |
| Palo Alto PAN-OS | SSH | ✅ Yes |
| F5 BIG-IP | SSH | ✅ Yes |
| HP / Aruba ProCurve | SSH / Telnet | ✅ Yes |
| Fortinet FortiGate | SSH | ✅ Yes |
| Custom / Other | SSH / Telnet | 🔧 Custom Scanner |
Discovery is best used when you have many devices across multiple subnets and want continuous detection of new accounts. Manual import via CSV is better for a one-time migration of a small, well-defined inventory.
Complete these before attempting to configure Discovery.
Verify under Admin → Licenses that the Discovery feature is active on your instance.
Each discovered account needs to map to a Secret Template. Secret Server ships with templates for Cisco, Juniper, and generic SSH. Verify or create one:
If a suitable template doesn't exist, duplicate the Unix Account (SSH) template and rename it. Key fields to ensure are present:
| Field Name | Purpose |
|---|---|
| Machine (required) | Hostname or IP of the device |
| Username (required) | Local user account name |
| Password (required) | Account password (encrypted) |
| Enable Password | Cisco enable/privileged-exec secret |
| Notes | Optional metadata (device role, site, etc.) |
Discovery needs an existing credential to authenticate to each device during the scan and enumerate its local accounts. This is typically a read-only SSH user created on the representative devices (or provisioned centrally via TACACS+/RADIUS).
Minimum privileges required for the scan account:
The Secret Server node (or Distributed Engine) performing discovery must have TCP connectivity to target devices on the following ports:
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP (SSH) | Primary device authentication & account enumeration |
| 23 | TCP (Telnet) | Legacy devices only; avoid where possible |
| 443 | TCP (HTTPS) | F5, Palo Alto REST API scanners |
Step-by-step setup of the Discovery Source, scanners, and rules.
Log in to Secret Server as an Administrator and navigate to the Discovery configuration area:
Ensure the Enable Discovery toggle is turned ON. Save the page if you need to toggle it.
If the Discovery menu is not visible, your account lacks the Administer Discovery role permission. Contact your SS administrator.
A Discovery Source defines the IP range to scan and the scanner type. For network devices, select the appropriate source type:
On the creation form, configure these fields:
| Field | Value / Notes |
|---|---|
| Name (required) | Descriptive name, e.g. "Core Network - Datacenter 1" |
| Discovery Source Type (required) | Select Network (IP Range) |
| Enabled | Toggle ON |
| Discovery Site | Choose the Distributed Engine site closest to the target network, or "Local" for the main SS server |
Under the IP Address Ranges tab of your new Discovery Source, add one or more IP ranges:
| Field | Example | Notes |
|---|---|---|
| Friendly Name | Core Switches | Label for this subnet block |
| Start IP (required) | 10.10.1.1 | First IP in scan range |
| End IP (required) | 10.10.1.254 | Last IP in scan range |
Avoid scanning an entire /8 or /16 of a large flat network. Use targeted /24 or management-VLAN ranges to reduce noise and scan time.
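A pre-flight check for the IP range and the port prerequisites above, added here as an example (it is not Secret Server code or documentation): it expands a Start IP / End IP pair the way the Discovery Source form does, warns when the range is much larger than a /24, and classifies each address as Reachable or Unreachable by a plain TCP connect, the same kind of probe Discovery uses instead of ICMP. The `connect` parameter is injectable so the logic can be exercised without a network; run it from the engine host that will perform the scan.

```python
# Added example, not Secret Server's own code: pre-flight reachability check
# for a Discovery Source IP range on the ports Discovery needs.
import ipaddress
import socket
from typing import Callable, Dict, Iterator, List

# Ports from the connectivity prerequisite table.
DISCOVERY_PORTS = {22: "SSH", 23: "Telnet (legacy)", 443: "HTTPS (F5 / Palo Alto REST)"}


def expand_range(start_ip: str, end_ip: str) -> Iterator[str]:
    """Yield every address from start to end inclusive (Start IP / End IP semantics)."""
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    if end < start:
        raise ValueError("End IP must not precede Start IP")
    for n in range(int(start), int(end) + 1):
        yield str(ipaddress.ip_address(n))


def range_size_warning(start_ip: str, end_ip: str, limit: int = 1024) -> bool:
    """True when the range exceeds a /22-sized block; the guide recommends targeted /24s."""
    size = int(ipaddress.ip_address(end_ip)) - int(ipaddress.ip_address(start_ip)) + 1
    return size > limit


def tcp_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Real connector: a TCP connect attempt, which succeeds even where ICMP is blocked."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(start_ip: str, end_ip: str, port: int = 22,
              connect: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[str]]:
    """Classify each IP in the range as Reachable or Unreachable on `port`.
    `connect` is injectable (assumption of this example) so tests need no network."""
    result: Dict[str, List[str]] = {"Reachable": [], "Unreachable": []}
    for ip in expand_range(start_ip, end_ip):
        result["Reachable" if connect(ip, port) else "Unreachable"].append(ip)
    return result


if __name__ == "__main__":
    # Sample range taken from the IP ranges table above.
    report = preflight("10.10.1.1", "10.10.1.254")
    print(f"TCP/22 ({DISCOVERY_PORTS[22]}): {len(report['Reachable'])} reachable, "
          f"{len(report['Unreachable'])} unreachable")
```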
The Machine Scanner is the first phase: it probes each IP to determine whether a device is present and identifies its type. Navigate to the Scanners tab:
Select the relevant built-in scanner for your environment:
| Scanner Name | Use For |
|---|---|
| Network Device - Cisco | Cisco IOS, IOS-XE, NX-OS, ASA |
| Network Device - Juniper | Juniper JunOS routers & switches |
| Network Device - Palo Alto | PAN-OS firewalls |
| Network Device - F5 | F5 BIG-IP load balancers |
| Network Device - Generic SSH | Any SSH-capable device not listed above |
After machines are found, an Account Scanner authenticates to each device and enumerates local user accounts:
| Field | Value |
|---|---|
| Scanner | Match the vendor scanner used in the Host Range step |
| Credential Secret (required) | Select the scan service account Secret created in Prerequisites |
| Default Secret Template | Select the network device template from Prerequisites Step 1 |
| Default Folder | Target folder in SS where new Secrets will land after import |
Discovery Rules allow Secret Server to automatically create Secrets from discovered accounts without manual review. Use cautiously in production.
| Field | Recommended Value |
|---|---|
| Rule Name | e.g. "Auto-Import Cisco Accounts" |
| Scanner | Select matching account scanner |
| Import Enabled | ✅ Toggle ON to activate auto-import |
| Secret Template | Network device template |
| Folder | Target vault folder for auto-created secrets |
| Site | Match the Distributed Engine site |
Execute scans, interpret outputs, and import accounts into the vault.
For the initial scan, trigger Discovery manually so you can monitor the results in real time:
The scan runs asynchronously. Track progress under the Discovery Network Scan Log tab; each IP probed is logged with a status (Reachable / Unreachable / Auth Failure / Found Accounts).
After a scan completes, review found devices and accounts in two separate views:
The Computers tab lists every IP that responded. The Accounts tab lists accounts found on each device, colour-coded by import status:
| Status | Meaning |
|---|---|
| 🟡 Not Managed | Account found, no Secret exists yet; action required |
| 🟢 Managed | A Secret exists and is actively managed by SS |
| ⚪ Ignored | Account has been manually excluded from management |
| 🔴 Missing | Previously found account no longer detected; investigate |
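The four statuses above follow from comparing the current scan against the previous one, the vault, and the ignore list. This added example (not Secret Server code; the device and account names are constructed) reproduces that reconciliation and lists the accounts that need a human to act, so the same logic can be applied to an exported results list.

```python
# Added example, not Secret Server's own code: reconcile discovered accounts into
# the Results-view statuses (Managed / Not Managed / Ignored / Missing).
from typing import Dict, List, Set, Tuple

Account = Tuple[str, str]  # (device IP, username)


def classify(current: Set[Account], previous: Set[Account],
             vaulted: Set[Account], ignored: Set[Account]) -> Dict[Account, str]:
    """Map every account seen in either scan to one status.
    Missing wins over everything else: an account that vanished from a device
    must be investigated even if a Secret for it still exists in the vault."""
    status: Dict[Account, str] = {}
    for acct in current | previous:
        if acct not in current:
            status[acct] = "Missing"        # found last time, not detected now
        elif acct in ignored:
            status[acct] = "Ignored"        # manually excluded from management
        elif acct in vaulted:
            status[acct] = "Managed"        # a Secret exists and is managed by SS
        else:
            status[acct] = "Not Managed"    # found, no Secret yet: action required
    return status


def action_items(status: Dict[Account, str]) -> List[Account]:
    """Accounts a reviewer must act on: vault them or investigate their disappearance."""
    return sorted(a for a, s in status.items() if s in ("Not Managed", "Missing"))


# Constructed sample data (not real devices or accounts).
CURRENT_SCAN = {("10.10.1.1", "admin"), ("10.10.1.1", "netops"),
                ("10.10.1.2", "admin"), ("10.10.1.2", "svc-backup")}
PREVIOUS_SCAN = {("10.10.1.1", "admin"), ("10.10.1.1", "netops"),
                 ("10.10.1.2", "admin"), ("10.10.1.2", "olduser")}
VAULTED = {("10.10.1.1", "admin"), ("10.10.1.2", "admin")}
IGNORED = {("10.10.1.1", "netops")}

if __name__ == "__main__":
    result = classify(CURRENT_SCAN, PREVIOUS_SCAN, VAULTED, IGNORED)
    for (ip, user), s in sorted(result.items()):
        print(f"{ip:<12} {user:<12} {s}")
    print("Needs action:", action_items(result))
```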
For Not Managed accounts you want to vault without auto-import rules:
Once the first run looks clean, schedule Discovery to run automatically to catch new devices and accounts:
| Setting | Recommended |
|---|---|
| Discovery Interval | Daily (or every 4–8 hours for dynamic networks) |
| Scan Time | Off-peak hours (e.g. 02:00 AM) |
| Email Notification | Enable for newly found unmanaged accounts |
| Symptom | Likely Cause | Fix |
|---|---|---|
| No computers found | Firewall blocking TCP/22 | Verify ACL/NSG rules; test with SSH client from engine host |
| Auth failure on all devices | Wrong scan credential Secret | Test credential manually; check username format (user@domain vs domain\user) |
| Some devices show "Unreachable" | ICMP blocked or device offline | SS uses TCP ping; ensure TCP/22 is open even if ICMP is blocked |
| Accounts found but 0 imported | No matching Discovery Rule / no import action taken | Either add a Discovery Rule or manually import from Results |
| Discovery log shows "Engine Offline" | Distributed Engine service not running | Restart the Distributed Engine service on the engine server |