Solved: Profiler Feed

Donald Fisher · ‎01-30-2020

Team,

Is there a way to identify what will be in the profile feed? I had a customer that due to new GE profiles, their author policy stop working. We turned off the feed, and modify the profile, but wanted to see if there is anyway that we can give customer before new profile are sent thought the feed.

Greg Gibbs · ‎01-30-2020

Hi Donald,

There is always a bit of risk in using the automated feed service updates on a production system. Ideally, you would want to test the feed service updates in a non-prod environment before updating them in production.

Typically, there are two ways this is done by customers:

Disable the Online Subscription Update for the Feed Service in the Prod system. Allow a Non-Prod system to auto-update via the Feed Service and use the option to notify an Administrator via email when the update occurs. After testing in the Non-Prod environment, enable the Online Update in Prod and perform a manual update during a change window. Perform endpoint testing and back out (Undo Latest) the update if any issues are found.
Disable the Online Subscription Update in the Prod system and use Offline updates. Register for the Offline Feed Service Management via https://ise.cisco.com/partner and sign up for update notifications via email. When new updates are available, download and evaluate the XML file for any overlapping or conflicting profiler updates and test in Non-Prod (if possible). Perform the offline update during a change window, perform endpoint testing, and back out the update if any issues are found.

Cheers,

Greg

View solution in original post

Colby LeMaire · ‎01-30-2020

The customer can do manual offline updates and verify any changes to profiling policies that they currently use before uploading to ISE. It really isn't that often that you need to update profiling policies, especially in corporate environments that are relatively static.

Greg Gibbs · ‎01-30-2020

Hi Donald,

There is always a bit of risk in using the automated feed service updates on a production system. Ideally, you would want to test the feed service updates in a non-prod environment before updating them in production.

Typically, there are two ways this is done by customers:

Disable the Online Subscription Update for the Feed Service in the Prod system. Allow a Non-Prod system to auto-update via the Feed Service and use the option to notify an Administrator via email when the update occurs. After testing in the Non-Prod environment, enable the Online Update in Prod and perform a manual update during a change window. Perform endpoint testing and back out (Undo Latest) the update if any issues are found.
Disable the Online Subscription Update in the Prod system and use Offline updates. Register for the Offline Feed Service Management via https://ise.cisco.com/partner and sign up for update notifications via email. When new updates are available, download and evaluate the XML file for any overlapping or conflicting profiler updates and test in Non-Prod (if possible). Perform the offline update during a change window, perform endpoint testing, and back out the update if any issues are found.

Cheers,

Greg

Damien Miller · ‎01-30-2020

My general recommendation for customers is that for any profiling policy that you are using to provide network access, leverage a custom made copy and following a naming standard indicating that it is self made.

There have been a few issues in the past where the automated profiler feed update has burnt me in the same way you experienced.