topic Re: Defining "Common Ports" in "Custom Ports" for in Network Access Control

Defining "Common Ports" in "Custom Ports" for NMAP scanning...

rezaalikhani — Fri, 02 Feb 2024 07:06:21 GMT

Hi everybody;

According to Cisco's documents, if a port is defined in "Common Ports", when you want to add it again to the "Custom Ports" section, the "Port is predefined" error message appears (as shown below). In other words, you cannot use the same port numbers that ISE already configured by Cisco to use in Common Ports section.

All is well; however, when utilizing TCP port 515, it can be successfully added, even though it has been defined as a common port, as you can see below:

Any ideas?

Thanks

Re: Defining "Common Ports" in "Custom Ports" for

ahollifield — Fri, 02 Feb 2024 13:09:28 GMT

I'm not sure of your specific issue here but what is the use-case for the NMAP probe at all? In my experience it doesn't offer much (especially with operating systems becoming more secure) and has led to a number of mis-categorizations in many of my deployments. I typically disable the probe on new deployments and rely on other less resource intensive probes like Device Sensor (RADIUS), DHCP, and HTTP (for captive portal use-cases).

Re: Defining "Common Ports" in "Custom Ports" for

Arne Bier — Sun, 04 Feb 2024 21:29:00 GMT

@ahollifield isn't the NMAP probe also responsible to getting the SNMP data from the endpoints? If you didn't enable NMAP probing, would you lose SNMP?

Re: Defining "Common Ports" in "Custom Ports" for

Arne Bier — Sun, 04 Feb 2024 21:31:29 GMT

@rezaalikhani - perhaps open a TAC case for this - it does look like a defect. I have never even seen this dialogue to be honest. I don't tend to probe for open ports much. As @ahollifield said, the ISE prediction of what the OS might be, based on open ports is usually wrong. I'd never rely on that. But I am still unsure if SNMP would be killed off if I disabled NMAP scanning,

Re: Defining "Common Ports" in "Custom Ports" for

rezaalikhani — Mon, 05 Feb 2024 05:08:36 GMT

@Arne Bier - I am using this feature primarily because the target switch does not support Device Sensor, and the connected devices are 'noname' CCTV cameras. However, they have some distinct open ports. By using something like the following example, I can successfully profile them:

Re: Defining "Common Ports" in "Custom Ports" for

ahollifield — Mon, 05 Feb 2024 13:46:11 GMT

Yes, to trigger SNMP on endpoints the NMAP probe needs to be used. SNMP Query Probe only polls NADs.

Note: The SNMP Query probe queries NADs, not endpoints. To query the actual endpoints connected to network devices, the NMAP probe must be used. The NMAP probe can trigger an endpoint query based on the detection of open SNMP ports on the endpoint. Endpoint query using SNMP is configurable in the NMAP probe configuration.

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId--1464449051