11-28-2023 05:56 AM - edited 12-01-2023 02:40 AM
Hi all,
my apologies if the question is very basic. I was asked to check if CP could monitor, for objectives of compliance, open ports on the devices and send reports in case we have deviation from pre-defined baselines.
I guess CP might only run, in case, a sort of netstat on each device and check if some daemons run on specific ports. Of course, from my understanding, it cannot launch a true TCP/UDP port-scanning and check the packets it gets or it doesn't get as a normal scan SW may do.
Am I correct with my reasoning or it's a no way?
In case, may DNAC play this role of checking the compliance from the point of view of open ports?
TIA,
Gio
11-28-2023 06:28 AM
Prime does compliance reports based on the information available in the device config:
Most of the industry uses NMAP to port-scan devices and check for any open ports (subject to you being allowed, if there is any FW between the scanner and the devices) - that is a basic requirement.
DNAC also does the compliance checks:
11-28-2023 11:22 PM - edited 11-29-2023 02:03 AM
Thanks BB,
by "devices", do you mean end-user devices or rather the devices under the control of CP itself? In my case I mean the devices controlled by CP itself, hence routers, switches and so on.
Regards,
Gio
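The device-local check discussed in this thread (read each device's listener table and compare it with a pre-defined baseline), as an added example that is not from any poster or from Cisco. The sample output is constructed in a netstat-style layout, and the device names, baseline and function names are assumptions.

```python
import re

# Constructed sample: netstat-style listener tables as they might be collected
# from two hypothetical devices (names, addresses and ports are made up).
SAMPLE_OUTPUT = {
    "core-sw-01": """\
Prot        Local Address      Foreign Address        Service    State
 tcp                 *:22                  *:0     SSH-Server   LISTEN
 tcp                 *:23                  *:0         Telnet   LISTEN
 udp                *:161                  *:0        IP SNMP   LISTEN
 tcp         10.0.0.1:22        10.0.9.5:51812     SSH-Server ESTABLIS
""",
    "edge-rtr-01": """\
Prot        Local Address      Foreign Address        Service    State
 tcp                 *:22                  *:0     SSH-Server   LISTEN
""",
}

# Hypothetical baseline: the (protocol, port) listeners each device should expose.
BASELINE = {
    "core-sw-01": {("tcp", 22), ("udp", 161)},
    "edge-rtr-01": {("tcp", 22), ("udp", 161)},
}

# proto, local addr:port, foreign addr:port, service (may contain spaces), state
ROW = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+\S+:\d+\s+(.*?)\s+(\S+)\s*$", re.I)

def listeners(output):
    """Return the set of (protocol, port) pairs that are in LISTEN state."""
    found = set()
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group(5).upper().startswith("LISTEN"):
            found.add((m.group(1).lower(), int(m.group(3))))
    return found

def deviations(outputs, baseline):
    """Map each non-compliant device to its unexpected and missing listeners."""
    report = {}
    for device, allowed in baseline.items():
        if device not in outputs:  # no data is a finding, not a pass
            report[device] = {"error": "no data collected"}
            continue
        seen = listeners(outputs[device])
        unexpected, missing = sorted(seen - allowed), sorted(allowed - seen)
        if unexpected or missing:
            report[device] = {"unexpected": unexpected, "missing": missing}
    return report

if __name__ == "__main__":
    for device, diff in deviations(SAMPLE_OUTPUT, BASELINE).items():
        print(device, diff)
```

A check like this only sees what the device itself reports as listening; it does not show what is reachable through ACLs or firewalls, which is what an external scan measures.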