The Freshservice Discovery Probe is a lightweight agent you install inside your network to scan and inventory devices the cloud cannot reach. Configured well, you get a real-time CMDB without manual entry. Configured poorly, you trigger every IDS alarm in your security stack.
Where to install
Install the Probe on a server that has network reachability to the subnets you want to scan. One Probe per network zone is standard. For most mid-size companies, that means three to five Probes total: HQ, each major regional office, datacenter, cloud VPC.
Probes run on Windows or Linux. The Linux footprint is smaller (300MB RAM idle). Choose Linux when running on shared infrastructure to avoid contention.
Network requirements
Outbound TCP 443 to the Freshservice cloud endpoint. No inbound required; the Probe pulls work from the queue. This makes firewall conversations easier (“just outbound HTTPS”) than agent-pushed approaches.
For internal scanning, the Probe needs:
- ICMP for ping discovery.
- TCP 22, 135, 139, 445, 3389 for OS fingerprinting.
- SNMP UDP 161 for network device discovery.
- WMI on Windows targets (TCP 135 plus dynamic high ports).
Document the required ports and get them whitelisted in advance. Surprise SNMP traffic from a new IP triggers SOC tickets.
Scope configuration
Define scan scopes by IP range, not by subnet definition. A scope of “10.10.0.0/24” is clear; “all production subnets” is not.
Exclude:
- Printers (unless you are tracking printer fleet; default to no).
- VoIP phones unless you have an active phone asset program.
- Network management VLANs (the Probe should not scan management plane).
Document exclusions; auditors will ask why a known device is missing.
Credentials
The Probe needs credentials to authenticate to scanned devices. Use service accounts with read-only privileges:
- Active Directory: domain user in the “Read all properties” group.
- Linux: SSH user with sudo for
lshw,dmidecode,lsof(read-only sudoers entry). - SNMP: SNMPv3 with auth only, no encryption (for performance).
- VMware: vCenter read-only role.
Rotate credentials quarterly. Build a workflow that alerts the Probe owner 14 days before service account password expiration.
Scan schedule
Default is daily. For most environments, that is overkill and creates network noise. Configure:
- Daily for servers (configuration changes matter).
- Weekly for workstations (low change rate).
- Monthly for network devices (rarely change).
Stagger schedules to avoid scan storms. Server scans at 2am, workstation scans Sunday morning, network scans first Sunday of month.
Handling scan failures
The Probe console shows last-scan status per scope. Failed scans usually fall into three buckets:
- Credential failure: account locked or password expired.
- Network unreachable: subnet changed, Probe placement wrong.
- Permission denied: scan account lost privileges.
Build an automation: failed scan for 3 consecutive days creates a ticket assigned to the Probe owner.
Update cadence
The Probe self-updates by default. Pin version in regulated environments where every binary needs change approval; manually push updates after testing.
Asset reconciliation
Discovered assets create or update CMDB records. Reconciliation key is MAC address by default. For VMs, MAC can change; switch to instance UUID via the Probe configuration. Otherwise you get duplicate VM records on every host migration.
What to do this week
Audit your Probe scan coverage. Pick one scope and confirm the IP range matches reality. Check the last successful scan timestamp on every Probe; anything older than 7 days needs attention.
