09-14-2016 06:39 PM
Starting with 2.0 (may have been earlier) ISE changed the default NMAP scan used for most printer classes to doing OS and SNMP scan only. This is unhelpful of course because one of the nice factors when profiling printers is knowing if port 9100 is open. Now ISE doesn't collect that information by default as it did before. Of course, ISE won't let me modify the system NMAP scan definitions so I can't just add port 9100 to the SNMP and OS NMAP scan action.
I think my only way around for this is to create my own scan action that does OS, common ports and SNMP. Then go find all the potential top level printer built in profiles and change the NMAP scan action. Is there an easier way to do this?
It is also frustrating that my only choice is common ports to scan port 9100. All I want to really do is do OS scan, SNMP scan and port 9100 check, but I can't add port 9100 as a custom port because "It is a predefined port".
Thanks in advance for the help.
09-16-2016 12:19 PM
Fortunately, there are fewer than 10 default top-level printer profiles that would need the default scan action to be changed to your custom setting. Doing a scan against additional common ports will add negligible impact to the profile process.
/Craig
09-14-2016 10:42 PM
As you've mentioned, by default profiling policies for printers are not configured to trigger NMAP. NMAP has by default UDP 9100 and TCP 9100 as part of the common ports.
One way to gather information could be to run a manual subnet scan; ISE 2.1 has many enhancements for NMAP.