Solved: What service ports need to allow on firewall from endpoint to ISE for Profiling?

jakeraze · ‎12-01-2019

Hi,

Newbie here. can help regarding below.

What are the needed ports to be allowed on firewall in order for Profiling to work.

for example from Endpoints -> FW -> ISE or vice versa?

Thanks a lot in advance.

Mike.Cifelli · ‎12-01-2019

It will vary depending on what probes you decide to use. However, straight from Cisco docs here are the defaults:

NetFlow: UDP/9996
DHCP: UDP/67
DHCP SPAN Probe: UDP/68
HTTP: TCP/80, 8080
DNS: UDP/53 (lookup)
SNMP Query: UDP/161
SNMP TRAP: UDP/162

See here for further detail: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Good luck & HTH!

View solution in original post

Mike.Cifelli · ‎12-01-2019

It will vary depending on what probes you decide to use. However, straight from Cisco docs here are the defaults:

NetFlow: UDP/9996
DHCP: UDP/67
DHCP SPAN Probe: UDP/68
HTTP: TCP/80, 8080
DNS: UDP/53 (lookup)
SNMP Query: UDP/161
SNMP TRAP: UDP/162

See here for further detail: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Good luck & HTH!

jakeraze · ‎12-01-2019

Hi Sir. Thanks a lot. so far i've allowed all ports from endpoint to ISE and Vice Versa. i've tried manual scan using nmap in ISE but it's not showing any results. do i need to configure something on the switch. my gw here is an svi on the switch -> FW is the gw of our ISE Server.

Mike.Cifelli · ‎12-03-2019

I would suggest checking out profiling/nmap config guides. This may assist: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010101.html#ID481
Also, labminutes shares from free video tutorials that may help as well.

jakeraze · ‎12-09-2019

Thanks a Lot Sir Mike. Appreciate it.