Easily Changing NMAP Defaults

paul
Level 10

Starting with 2.0 (may have been earlier), ISE changed the default NMAP scan used for most printer classes to doing OS and SNMP scan only. This is unhelpful of course because one of the nice factors when profiling printers is knowing if port 9100 is open. Now ISE doesn't collect that information by default as it did before. Of course, ISE won't let me modify the system NMAP scan definitions so I can't just add port 9100 to the SNMP and OS NMAP scan action.

I think my only way around this is to create my own scan action that does OS, common ports and SNMP. Then go find all the potential top-level printer built-in profiles and change the NMAP scan action. Is there an easier way to do this?

It is also frustrating that my only choice is common ports to scan port 9100. All I really want to do is an OS scan, SNMP scan and port 9100 check, but I can't add port 9100 as a custom port because "It is a predefined port".

Thanks in advance for the help.

Accepted Solutions

Fortunately, there are fewer than 10 default top-level printer profiles that would need the default scan action changed to your custom setting. Scanning additional common ports will add negligible impact to the profiling process.

/Craig



imbashir
Cisco Employee

As you've mentioned, by default, profiling policies for printers are not configured to trigger NMAP. NMAP has by default UDP 9100 and TCP 9100 as part of the common ports.

One way to gather information could be to run a manual subnet scan; ISE 2.1 has many enhancements for NMAP.
