There are a couple of rules intended to look for systems (servers/workstations) that don't have agents using different kinds of activity we DO see via logs - "DHCP but no Agent" and "Authentication but no Agent".
Firewall/network devices would be tougher though; I can't think of an easy way. There's not really a group like "All Installed Agents" for nodes in general, just for agents. You could add known device IPs or ranges to a User-Defined Group and use that (e.g. copy IPs from Manage > Nodes into a User-Defined Group, then build a rule for "internal network traffic but no node").
The bottom line is we count on receiving some log data giving some indication of a device on the network to make the determination no matter what, so if we never get an event "about" a node we wouldn't be able to tell it's there. The good news is that log data has a lot of footprints.
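The comparison behind these three rules, sketched outside the product as an added example (not the product's rule logic and not code from the post above). The event tuples, IP addresses, inventory lists and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
import ipaddress

# Constructed inventory: hosts that have an agent, plus a stand-in for the
# User-Defined Group of known agentless devices (single IPs or ranges).
AGENT_IPS = {"10.0.1.10", "10.0.1.11"}
KNOWN_NODES = ["10.0.0.1", "10.0.2.0/28"]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed, already-normalized events: (event_type, source_ip)
EVENTS = [
    ("dhcp", "10.0.1.10"),     # has an agent
    ("dhcp", "10.0.1.57"),     # lease handed out, no agent
    ("auth", "10.0.1.11"),     # has an agent
    ("auth", "10.0.1.90"),     # logon seen, no agent
    ("traffic", "10.0.0.1"),   # known device (single IP)
    ("traffic", "10.0.2.5"),   # known device (inside the range)
    ("traffic", "10.0.3.44"),  # internal, not in any list
    ("traffic", "8.8.8.8"),    # external, out of scope
    ("dhcp", "not-an-ip"),     # malformed field, skipped
]

RULES = {
    "dhcp": "DHCP but no Agent",
    "auth": "Authentication but no Agent",
    "traffic": "internal network traffic but no node",
}

def find_unmanaged(events, agent_ips, known_nodes, internal=INTERNAL):
    """Map each unaccounted-for internal IP to the rule names it triggers."""
    agents = {ipaddress.ip_address(a) for a in agent_ips}
    nodes = [ipaddress.ip_network(n, strict=False) for n in known_nodes]
    hits = {}
    for etype, raw in events:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # unparseable address: nothing to correlate on
        if etype not in RULES or ip not in internal or ip in agents:
            continue
        # Only the traffic rule consults the known-device group.
        if etype == "traffic" and any(ip in n for n in nodes):
            continue
        hits.setdefault(str(ip), set()).add(RULES[etype])
    return hits

if __name__ == "__main__":
    for ip, rules in sorted(find_unmanaged(EVENTS, AGENT_IPS, KNOWN_NODES).items()):
        print(ip, sorted(rules))
```

A device that never appears as a source in any event produces no entry here, which is the same limitation the post describes.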