09-04-2019 11:56 PM - edited 02-21-2020 11:09 AM
Why does Cisco ISE run an NMAP scan of the network and save a log?
My security team found an alert in their system for one IP that scans the server. PFB the alert.
After that I checked the ISE logs and found the NMAP log below; it saves the output to the Nmap.log file.
# Nmap 7.00 scan initiated Thu Sep 5 01:16:21 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - (File Server IP)
--
Nmap scan report for (File Server IP)
ISE NMAP scans almost all the IPs of the network. From the output we can say that NMAP scans UDP ports 161 and 162, which are the SNMP ports.
My question is: why does ISE scan via NMAP automatically, and what is the need for the NMAP scan?
Please help!
09-05-2019 01:06 AM
Hi,
ISE uses NMAP in order to profile the devices that authenticate to ISE, to determine make/model, OS version, etc. The NMAP probe could be disabled, but you do get a lot of useful information from it. I'd suggest whitelisting the ISE IP addresses and letting them run the NMAP probes.
Here is the ISE profiling guide with more information.
HTH
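Added example, not part of the original thread and not Cisco's code: before whitelisting, a security team can confirm that an alert really corresponds to an ISE profiling probe by parsing the scan headers in nmap.log and matching target and time. The function names, the 5-minute window, the sample IPs and the alert time are assumptions made for this sketch.

```python
import re
import shlex
from datetime import datetime, timedelta

# First line Nmap writes for each scan in normal (-oN) output.
HEADER = re.compile(r"^# Nmap \S+ scan initiated (.+?) as: (.+)$")

def parse_scans(log_text):
    """Return one dict per scan header: start time, UDP flag, -p spec, target."""
    scans = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        argv = shlex.split(m.group(2))
        i = argv.index("-p") if "-p" in argv else -1
        scans.append({
            "started": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
            "udp": "-sU" in argv,
            "ports": argv[i + 1] if 0 <= i < len(argv) - 1 else None,
            "target": argv[-1],  # assumption: target is the last argument, as in the post
        })
    return scans

def explains_alert(scans, alert_time, scanned_ip, window=timedelta(minutes=5)):
    """True if a logged probe hit scanned_ip within `window` of the alert.
    Assumes alert_time is already in the same time zone as the ISE log."""
    return any(s["target"] == scanned_ip and abs(s["started"] - alert_time) <= window
               for s in scans)

# Constructed sample in the format shown in the post (documentation-range IPs).
SAMPLE_LOG = """\
# Nmap 7.00 scan initiated Thu Sep  5 01:16:21 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - 192.0.2.10
Nmap scan report for 192.0.2.10
# Nmap 7.00 scan initiated Thu Sep  5 03:02:10 2019 as: /usr/bin/nmap -v -sU -p U:161,162 -Pn --disable-arp-ping -oN /opt/CSCOcpm/logs/nmap.log --append-output -oX - 192.0.2.20
Nmap scan report for 192.0.2.20
"""

if __name__ == "__main__":
    scans = parse_scans(SAMPLE_LOG)
    alert = datetime(2019, 9, 5, 1, 17, 0)  # constructed IDS alert time
    print(explains_alert(scans, alert, "192.0.2.10"))
```

An alert that matches no logged probe from the ISE address is worth investigating separately rather than folding into the whitelist.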
09-05-2019 01:25 AM