Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7551
Views
5
Helpful
2
Replies

Why or what is need of Cisco ISE automatically scan NMAP in thhe Network & Saves log ?

Go to solution
gors
Beginner
Beginner

‎09-04-2019 11:56 PM - edited ‎02-21-2020 11:09 AM

Why Cisco ISE NMAP scan of the Network & saves log ?

 

My security team find alert in to their system for one IP that scan the Server. PFB Alert.

image.png

 

After I`ve checked the ISE logs & I found below NMAP log & its saves the output to Nmap.log file.

 

# Nmap 7.00 scan initiated Thu Sep 5 01:16:21 2019 as: /usr/bin/nmap -v -sU -p
U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output
-oX - (File Server IP)
--
Nmap scan report for (File Server IP)

 

ISE NMAP scans mostly all the IP of network. From output We can say that NMAP scans UDP 161, 162 port which is SNMP ports.

My question is Why ISE scans via NMAP automatically or what is need for scan NMAP?

 

PLS Help !!!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-05-2019 01:06 AM

Hi,

ISE uses NMAP in order to profile the devices that authenticate to ISE to determine make/model, OS version etc. The NMAP probe could be disabled, but you do get a lot of useful information from it. I'd suggest whitelisting the ISE IP addresses and let them run the NMAP Probes.

 

Here is the ISE profiling guide with more information.

 

HTH

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎09-05-2019 01:06 AM

Hi,

ISE uses NMAP in order to profile the devices that authenticate to ISE to determine make/model, OS version etc. The NMAP probe could be disabled, but you do get a lot of useful information from it. I'd suggest whitelisting the ISE IP addresses and let them run the NMAP Probes.

 

Here is the ISE profiling guide with more information.

 

HTH

0 Helpful

Go to solution
Mohammed al Baqari
VIP
VIP

‎09-05-2019 01:25 AM

ISE performs NMAP scanning part of its profiling function. Initially, ISE
will match the device against a parent profile (for example Cisco Access
Point) using enabled probes such as radius, cdp, etc. Most of parent
profiles have NMAP enabled to perform NMAP scan against the device on 1st
match to detect its specific model such as Cisco Aironet 3802

You can enable dot1x on client endpoints instead of servers to avoid
similar cases.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents