02-01-2024 11:06 PM
Hi everybody;
According to Cisco's documents, if a port is defined in "Common Ports", when you want to add it again to the "Custom Ports" section, the "Port is predefined" error message appears (as shown below). In other words, you cannot use the same port numbers that ISE has already been configured by Cisco to use in the Common Ports section.
All is well; however, when utilizing TCP port 515, it can be successfully added, even though it has been defined as a common port, as you can see below:
Any ideas?
Thanks
02-02-2024 05:09 AM - edited 02-02-2024 05:09 AM
I'm not sure of your specific issue here, but what is the use case for the NMAP probe at all? In my experience it doesn't offer much (especially with operating systems becoming more secure) and has led to a number of miscategorizations in many of my deployments. I typically disable the probe on new deployments and rely on other, less resource-intensive probes like Device Sensor (RADIUS), DHCP, and HTTP (for captive portal use cases).
02-04-2024 01:29 PM
@ahollifield isn't the NMAP probe also responsible for getting the SNMP data from the endpoints? If you didn't enable NMAP probing, would you lose SNMP?
02-05-2024 05:46 AM
Yes, to trigger SNMP on endpoints the NMAP probe needs to be used. SNMP Query Probe only polls NADs.
Note: The SNMP Query probe queries NADs, not endpoints. To query the actual endpoints connected to network devices, the NMAP probe must be used. The NMAP probe can trigger an endpoint query based on the detection of open SNMP ports on the endpoint. Endpoint query using SNMP is configurable in the NMAP probe configuration.
02-04-2024 01:31 PM
@rezaalikhani - perhaps open a TAC case for this - it does look like a defect. I have never even seen this dialogue, to be honest. I don't tend to probe for open ports much. As @ahollifield said, the ISE prediction of what the OS might be, based on open ports, is usually wrong. I'd never rely on that. But I am still unsure if SNMP would be killed off if I disabled NMAP scanning.
02-04-2024 09:08 PM
@Arne Bier - I am using this feature primarily because the target switch does not support Device Sensor, and the connected devices are 'noname' CCTV cameras. However, they have some distinct open ports. By using something like the following example, I can successfully profile them: