Cisco ISE Medical NAC Profile Library v2.0


 

Caution - Please Read First

 

This library contains a large number of endpoint profile policies.  Before importing to a production ISE deployment, be sure you have read and understood the following conditions and caveats:

  • Before importing the profile library to a production ISE deployment, it is highly recommended that you first complete the following tasks:
    • Back up the ISE configuration database under Administration > System > Backup & Restore, or via CLI.
    • Optionally, export all current ISE profiles under Policy > Profiling > Profiling Policies > Export > Select All.
    • Restore the current ISE configuration to a lab system and test the import of the new profile library.  Note any resulting profile policy changes to current endpoints which may impact policy assignment in the production deployment.
  • The maximum number of profiles that has been QA tested and officially supported for ISE 2.1 and above is 2000.  Before importing the new library, check the current number of profiles under Policy > Profiling > Profiling Policies.

    This library contains approximately 315 new profiles.  Increasing the profiler policy total beyond 2000 profiles (whether via Profiler Feed Service, manual import or custom profile creation) may result in resource capacity issues and service disruption.

 

  • This library is based on Profiler Version 3 compatible updates which ensures that only ISE deployments running ISE 2.1 and above can import the library.  This also ensures that each ISE appliance is minimally running 16GB RAM.
  • To ensure sufficient memory is allocated to ISE services running on a virtual appliance, verify that your appliance platform is properly detected.  There are a couple of ways to verify the platform detected by ISE.
    • From CLI...

                ise-node/admin# show tech | begin PlatformProperties

    • From Admin UI (ISE 2.2 +)...
      Operations > Reports > Diagnostics > ISE Counters > [node] (Under ISE Profile column)

          Valid platform sizes include:

    • UCS_SMALL
    • UCS_LARGE
    • SNS_3515
    • SNS_3595
    • SNS_3595 <super>  (ISE 2.4 only)

 

Any other platform (for example, EVAL, IBM_SMALL_MEDIUM, or IBM_LARGE) will result in insufficient (or less than expected) memory resource allocation for ISE services.  Also, make sure that the platform detected is the platform you expect.  For example, if you deployed a 35x5-equivalent VM appliance, make sure it is not displayed as a UCS appliance.

 

Related defects (note that many are duplicates or resolved via the same patch version):

    • ISE VM platform properties defects:
      • CSCvd24296    ISE: Revise platform selection rules for ISE installed on VMs
        • Fixed In: 2.3P0
      • CSCvh71644 VMware OVA templates for SNS-35xx are not detected correctly in platform.properties-active
        • Fix: Updated OVAs will be posted to Cisco Software Center for 2.1, 2.2, 2.3, 2.4
    • Context Visibility Resource Issues
      • CSCvf22318 Exception: All Shards Failed due to "java.lang.OutOfMemoryError"
        • Fixed In: 2.1P6, 2.2P4, 2.3P1, 2.4P0
      • CSCvf42061 Unable to load Context Visibility all shards failed due to CircuitBreakingException
        • Fixed In: 2.1P6, 2.2P4, 2.3P1, 2.4P0
      • CSCvh48558 ISE 2.2p5 Unable to load Context Visibility
        • Fixed In: 2.2P8, 2.3 P3, 2.4P0
      • CSCvg54641 ISE 2.3p1/2.2p4 Unable to load context visibility - java heap size not modified for ibmSmallMedium
    • Profiler Feed Service / High Profile Count Issues (Fixed In 2.4 P0)
      • CSCvh13873 ISE PSN/PAN App server crashes after profiler feed update
      • CSCvh14378 ISE nodes APP Initializing after Feed Service update - out of mem
      • CSCvh17860 Profiler Feed Server Proactively taken offline for maintenance
      • CSCvh20783 Feed Server undo on PAN does not roll back rules and checks
    • Upgrade / Restore issues related to Mem Allocation
      • CSCvh57345 Restore of 1.4/2.0/2.0.1 backup fails which taken after Feed update
        • Fixed In: 2.2P8, 2.4P0
      • CSCvi38845 Upgrade fails after Feed update due to less heapspace
        • Requires new Upgrade Bundles to be posted to Cisco Software Center
  • After installing a large profile library, be sure to take the following precautions prior to a major ISE version upgrade:
    • Back up the ISE configuration database.
    • Test restore of the ISE configuration to a separate ISE server in a lab environment to verify the upgrade process, or else restore to the newer version.
    • Review the defects above related to upgrade/restore.
      • If you plan to restore existing configuration to a newer version of ISE, be sure you have applied the current patch with the fix for CSCvh57345 on the new ISE PAN node before restore.
      • If you plan to use the standard upgrade process, ensure you are using one of the newer upgrade bundles (dated April 2018 or later) which contains the fix for CSCvi38845.

        The above steps will ensure that you are not hitting a 2GB heap memory limitation in the upgrade/restore process.

  • Logical Profile creation:  ISE does not currently support import or API update of logical profiles.  Therefore, it is necessary to manually assign the new profiles to a new or existing logical profile.  Each of the profiles has a description which can aid in deciding how to logically group the profiles.  Each profile can be a member of more than one logical profile.  Logical profiles allow groups of devices to be distinguished in Context Visibility and facilitate the creation of policy rules based on logical groupings versus individual profiles.

 

  • When the number of top-level profiles exceeds 500, you will need to switch from Tree-View to List-View to navigate entries beyond the first 500.

 

Installation

 

To install the Medical NAC endpoint profile library:

  1. Download the Medical NAC library ZIP file.
  2. Unzip the ZIP file on your local computer to get the XML file.
  3. In ISE, navigate to Work Centers > Profiler > Profiling Policies.
  4. Click Import.
    1. Click Browse...
    2. Choose the Medical NAC XML file.
    3. Click Submit.
  5. Wait 1-2 minutes for the Medical NAC endpoint profiles to be imported.

 

Once the endpoint profiles are imported, you may view the list of medical devices by choosing Quick Filter and entering "health" under the Description header.
    

 

 

 

Included Profiles

1. 3M-Device
2. 3M-Company-Device
3. 3M-Deutschland-Device
4. 3M-Germany-Device
5. Abbott-Device
6. Abbott-Diagnostics-Device
7. Abbott-Medical-Optics-Device
8. Abbott-Point-of-Care-Device
9. Baxter-International-Device
10. Gambro-Lundia-Device
11. Baxter-Healthcare-Device
12. Beckman-Coulter-Device
13. Beckman-Lab-Automation-Device
14. Bosch-Device
15. Robert-Bosch-Healthcare-Device
16. Robert-Bosch-Healthcare-Germany-Device
17. Robert-Bosch-Healthcare-Systems-Device
18. Danaher-Device
19. Danaher-Motion-Kollmorgen-Device
20. Kollmorgen-Corp-Device
21. Kollmorgen-Servotronix-Device
22. Leica-Biosystems-Device
23. Leica-Microsystems-Device
24. Cepheid-Device
25. Draeger-Device
26. Draeger-Medical-Device
27. Draeger-Medical-Systems-Device
28. Fluke-Device
29. Fluke-Biomedical-Device
30. General-Electric-Device
31. GE-Healthcare-Device
32. Datex-Ohmeda-Device
33. GE-Medical-System-Device
34. Imatron-Device
35. Getinge-Device
36. Jostra-Device
37. Getinge-IT-Solutions-Device
38. Getinge-Sterilization-Device
39. Honeywell-Device
40. Honeywell-HomMed-Device
41. ICU-Medical-Device
42. Hospira-Device
43. Physiometrix-Device
44. Kontron-Device
45. Kontron-Medical-Device
46. Maquet-Device
47. Maquet-Cardiopulmonary-Device
48. Maquet-CardioVascular-Device
49. Maquet-Critical-Care-Device
50. Maquet-Germany-Device
51. Masimo-Device
52. Masimo-SET-Pulse-Oximeter
53. MedAvant-Device
54. MedAvant-Healthcare-Device
55. MedAvant-Healthcare-Solutions-Device
56. Mindray-Device
57. Mindray-Co-Device
58. Mindray-DS-USA-Device
59. Nicolet-Device
60. Nicolet-Instruments-Device
61. Nicolet-Neuro-Device
62. Olympus-Device
63. Olympus-Image-Systems-Device
64. Olympus-Soft-Imaging-Device
65. Omron-Device
66. Omron-Healthcare-Device
67. Omron-Tateisi-Device
68. Panasonic-Device
69. Panasonic-Healthcare-Device
70. Philips-Device
71. Philips-Analytical-X-Ray-Device
72. Philips-CareServant-Device
73. Philips-Electronics-Netherlands-Device
74. Philips-Healthcare-PCCI-Device
75. Philips-Medical-Systems-Device
76. Marconi-Medical-Systems-Device
77. Philips-Medical-Systems-Cardiac-Monitoring-Device
78. Philips-Oral-Healthcare-Device
79. Philips-Patient-Monitoring-Device
80. Philips-SureSigns-Patient-Monitor
81. Philips-SureSigns-VS3-Patient-Monitor
82. Philips-SureSigns-VS4-Patient-Monitor
83. Philips-Personal-Health-Device
84. Philips-Respironics-Device
85. Siemens-Device
86. Acuson-Ultrasound-Device
87. Siemens-AG-Healthcare-Sector-Device
88. Siemens-Healthcare-Diagnostics-Device
89. Siemens-Healthcare-Diagnostics-Manufacturing-Device
90. SonoSite-Device
91. Sonosite-MicroMaxx-Ultrasound
92. St-Jude-Medical-Device
93. Thoratec-Device
94. Zimmer-Device
95. ORTHOsoft-Zimmer-CAS-Device
96. Zimmer-Elektromedizin-Device
97. AB-Sciex-Device
98. ACIST-Medical-Systems-Device
99. Acteon-Group-Device
100. ADInstruments-Device
101. Advance-Sterilization-Products-Device
102. Advanced-Medical-Information-Device
103. Advantage-Pharmacy-Device
104. Aeroscout-Device
105. Alaris-Inc-Device
106. Alaris-Medical-Systems-Device
107. Alcon-Laboratories-Device
108. Alpinion-Medical-Systems-Device
109. AmbiCom-Device
110. American-Telecare-Device
111. Amgen-USA-Device
112. Andon-Health-Device
113. Applied-Biosystems-Device
114. Applied-Medical-Technologies-Device
115. ARKRAY-Device
116. Avizia-Device
117. Axis-Shield-PoC-Device
118. B-Braun-Melsungen-Device
119. Bang-Olufsen-Medicom-Device
120. Ascensia-Diabetes-Care-Device
121. Bausch-Lomb-Device
122. Beacon-Medical-Device
123. Becton-Dickinson-Device
124. Bestcare-Cloucal-Device
125. Bio-logic-Systems-Device
126. Bio-Rad-Lab-Device
127. Biodevices-Device
128. bioMerieux-Italia-Device
129. Bionet-Device
130. BIOPAC-Systems-Device
131. Biosoundlab-Device
132. Biospace-Device
133. Biotage-Device
134. Biotronik-Device
135. BL-Healthcare-Device
136. BMT-Medical-Technology-Device
137. Boston-Scientific-Device
138. Breathometer-Device
139. C8-MediSensors-Device
140. Calypso-Medical-Device
141. Cambridge-Medical-Robotics-Device
142. Camtronics-Medical-Systems-Device
143. CardioMEMS-Device
144. CardioNet-Device
145. Cardiopulmonary-Corp-Device
146. CardioTek-Device
147. Care-Everywhere-Device
148. CareCom-Device
149. CareFusion-Device
150. CarePredict-Device
151. Carestream-Health-Device
152. CareTech-Device
153. CareView-Communications-Device
154. Celectronic-eHealth-Device
155. Centrak-Device
156. Cerner-Device
157. CHG-Hospital-Beds-Device
158. Chile-School-of-Medicine-Device
159. CIRTEC-Medical-Systems-Device
160. CliniComp-Device
161. Cogent-Healthcare-Systems-Device
162. Colorado-Med-Tech-Device
163. Compumedics-Device
164. Conmed-Linvatec-Device
165. Convergent-Bioscience-Device
166. Corometrics-Medical-Systems-Device
167. Criticare-Systems-Device
168. Cutera-Device
169. Cytyc-Device
170. Dainippon-Pharma-Device
171. DENTSPLY-Gendex-Device
172. Diatek-Patient-Management-Device
173. Dictum-Health-Device
174. Disetronic-Medical-Systems-Device
175. Dixtal-Biomedica-Device
176. Dragerwerk-Device
177. Durr-Dental-Device
178. Edwards-Lifesciences-Device
179. Ellex-Medical-Device
180. Eppendorf-Device
181. Etymonic-Design-Device
182. Essilor-Device
183. Fisher-Paykel-Device
184. Fresenius-Medical-Care-Device
185. Fukuda-Denshi-Device
186. Gem-Med-Device
187. GN-ReSound-Device
188. Haag-Streit-Device
189. Health-Hero-Device
190. Health-Life-Device
191. Heart-Force-Medical-Device
192. HemoCue-Device
193. Heraeus-Noblelight-Device
194. Hidea-Solutions-Device
195. Hill-Rom-Device
196. Hitachi-Aloka-Medical-Device
197. Hoana-Medical-Device
198. Home-Skinovations-Device
199. HORIBA-Medical-Device
200. Huntleigh-Healthcare-Device
201. ICU-Scandinavia-Device
202. Imricor-Medical-Systems-Device
203. Indiana-Life-Sciences-Device
204. InnerSpace-Device
205. Innomed-Medical-Device
206. INSIDE-Technology-Device
207. INTEGRA-Biosciences-Device
208. Integra-LifeSciences-Device
209. Integrated-Medical-Systems-Device
210. Intel-GE-Care-Innovations-Device
211. Interacoustics-Device
212. Intuitive-Surgical-Device
213. Invivo-Device
214. Ivoclar-Vivadent-Device
215. Ivy-Biomedical-Device
216. JASCO-Device
217. JCT-Healthcare-Device
218. Johnson-Johnson-Medical-Device
219. JEOL-Device
220. Karl-Storz-Imaging-Device
221. KaVo-Dental-Device
222. KeyMed-Device
223. LABiTec-Device
224. Laerdal-Medical-Device
225. LI-COR-Biosciences-Device
226. LifeSync-Device
227. LRE-Medical-Device
228. MDS-SCIEX-Device
229. MEDAV-Device
230. Mediana-Device
231. Medicis-Device
232. Medicore-Device
233. Medison-X-Ray-Device
234. Medrad-Device
235. Medtronic-Diabetes-Device
236. Mennen-Medical-Device
237. Micropoint-Biotechnologies-Device
238. MIR-Medical-International-Research-Device
239. MOCACARE-Device
240. Molecular-Devices-Corp-Device
241. Mortara-Instrument-Device
242. MX-Imaging-Device
243. NDS-Surgical-Imaging-Device
244. Networked-Robotics-Device
245. Neural-Image-Device
246. NIDEK-Device
247. Nihon-Kohden-Device
248. Nipro-Diagnostics-Device
249. Nonin-Medical-Device
250. Novartis-Pharma-Device
251. Novo-Nordisk-Device
252. Onyx-Healthcare-Device
253. Optimedical-Systems-Device
254. Ortivus-Medical-Device
255. Oticon-Device
256. Otsuka-Electronics-Device
257. Pacific-Biosciences-Device
258. PaloDEx-Device
259. Palomar-Medical-Device
260. Peerbridge-Health-Device
261. Perkin-Elmer-Device
262. Pharma-Smart-Device
263. Phonak-Communications-Device
264. Physio-Control-Device
265. Planmeca-Oy-Device
266. Pointe-Conception-Medical-Device
267. Power-Medical-Interventions-Device
268. Midmark-Progeny-Device
269. Proteus-Digital-Health-Device
270. Quantum-Medical-Imaging-Device
271. Radisys-Device
272. Radiometer-Medical-Device
273. Rauland-Borg-Device
274. ResMed-Device
275. Resurgent-Health-Medical-Device
276. RF-Surgical-System-Device
277. Roche-Diagnostics-Device
278. ScottCare-Device
279. Secure-Care-Device
280. SenTec-Device
281. Senticare-Device
282. Shenzhen-Homecare-Device
283. Shenzhen-Lifesense-Medical-Device
284. Shimadzu-Device
285. SHL-Telemedicine-Device
286. Sigma-International-Medical-Device
287. Sirona-Dental-Systems-Device
288. Smiths-Medical-Device
289. Soredex-Device
290. Spacelabs-Healthcare-Device
291. Spectrum-Medical-Limited-Device
292. Sphere-Medical-Device
293. Starkey-Labs-Device
294. Stratec-Biomedical-Device
295. Stryker-Device
296. Sysmex-Device
297. Tecan-Systems-Device
298. Terumo-Device
299. Thermo-Fisher-Scientific-Device
300. Tiba-Medical-Device
301. Tokyo-Boeki-Medisys-Device
302. Toyo-Medic-Device
303. tPlus-Medical-Device
304. Translogic-Device
305. Trendsetter-Medical-Device
306. Triton-Electronic-Systems-Device
307. Tunstall-Healthcare-Device
308. Valtronic-Device
309. Varian-Medical-Systems-Device
310. Versamed-Device
311. Verto-Medical-Solutions-Device
312. VIASYS-Healthcare-Device
313. Vigil-Health-Solutions-Device
314. VitalCARE-Device
315. Vivonic-Device
316. Vocera-Communications-Device
317. Welch-Allyn-Device
318. West-Com-Nurse-Call-Device
319. Widex-Device
320. WL-Gore-Device
321. Zoe-Medical-Device
322. ZOLL-Lifecor-Device
323. DICOM-Client
324. DICOM-Server
325. HL7-Client
326. HL7-Server
Comments
Cisco Employee

A couple questions:

 

(1)  Is there an efficient way to group all medical profiles into a logical profile?  I see we can filter using the "Healthcare" description.  Is there a way to "Select All" at that point and add them to a logical profile?

 

(2)  Are any of these profiles or updates included in the feed service?  When an update to the list comes out, does it hurt anything to manually import it all over again, or will duplicates arise?

 

Thanks,

 

Dave

Advocate

Unfortunately that is a limitation of the current ISE version. There is no option to import logical profiles via file or API today. Therefore, the entries must be added manually today.  Recommend having a separate tab/window open to compare the list while selecting with the CTRL key.

 

These profiles are not part of the Feed update. There is a limit to max profiles (2000) and so these are intended for use by customers interested in a specific list for an IoT vertical.  There were a couple of profiles (parent profiles) at root level which were updated to maintain consistent "scoring" across profiles. Anything flagged as Administrator Created or Modified will not be updated by the Feed service, although deleting a profile will cause it to auto-revert to default Feed values if one existed. You can re-import profiles, but realize that any change to profiles (deletions, updates, adds) can impact current classifications and access policy in a production deployment. Treat such imports like patch upgrades to avoid unexpected disruption in service. Also recommend verifying all profile updates, including Feed, offline before applying to a production deployment.