
09-14-2016 06:39 PM
Starting with 2.0 (may have been earlier) ISE changed the default NMAP scan used for most printer classes to doing OS and SNMP scan only. This is unhelpful of course because one of the nice factors when profiling printers is knowing if port 9100 is open. Now ISE doesn't collect that information by default as it did before. Of course, ISE won't let me modify the system NMAP scan definitions so I can't just add port 9100 to the SNMP and OS NMAP scan action.
I think my only way around this is to create my own scan action that does OS, common ports and SNMP. Then go find all the potential top-level printer built-in profiles and change the NMAP scan action. Is there an easier way to do this?
It is also frustrating that my only choice is common ports to scan port 9100. All I want to really do is do OS scan, SNMP scan and port 9100 check, but I can't add port 9100 as a custom port because "It is a predefined port".
Thanks in advance for the help.
Accepted Solutions
09-16-2016 12:19 PM
Fortunately, there are fewer than 10 default top-level printer profiles that would need their default scan action to be changed to your custom setting. Doing a scan against additional common ports will add negligible impact on the profile process.
/Craig
09-14-2016 10:42 PM
As you've mentioned, by default profiling policies for printers are not configured to trigger NMAP. NMAP has by default UDP 9100 and TCP 9100 as part of the common ports.
One way to gather information could be to run a manual subnet scan; ISE 2.1 has many enhancements for NMAP.
