Our community includes Cisco experts to answer your questions about the Smart Net Total Care (SNTC) portal and CSP-Collector.
Click the navigation links below to access materials for using our service and supported collectors.
I have a rather worrying situation where the analysis presented via the SNTC portal differs significantly to that contained with any report generated and downloaded.
Specifically this relates to PSIRT alerts. What differs is the number of devices (chassis) and the vulnerability status.
For an example taking the following alert description "Vulnerabilities in Cisco IOS Secure Shell Server"
Within SNTC under Alerts - All PSIRTs, I see that for one of my inventories 4 devices are listed as being 'vulnerable', but when I look at a Product Alerts Report (spreadsheet) the same devices are listed as being 'potentially vulnerable". Which is correct?
As another example alert description "Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability (CVE-2015-0646)" shows that via SNTC 484 are 'vulnerable', whereas within the downloaded spreadsheet, 160 devices are reported, 17 as being 'potentially vulnerable' and 143 as 'vulnerable'. Again which information source is correct, if indeed any are?
Currently the SNTC Portal displays a potentially vulnerable and vulnerable device as vulnerable on the online PSIRT reports. You can reference the offline alerts report to get more granular results and verify if a device is reflecting only as potentially vulnerable. A potentially vulnerable device means that the SNTC Portal was not able to completely validate the alert based on the collected device details, and it may require a manual validation.
Please let us know if you have further questions. If there is nothing further, please mark this as solved.
Thanks for the replies, but I'm not entirely happy with the explanation.
Given that the explicit status of each device, WRT any specific PSIRT alert being either vulnerable or potentially vulnerable, is known (since this is provided in the report), I fail to see why this distinction is not shown within the portal view?
Furthermore there is no explanation as to why the summary counts differ between the portal view and the downloaded report?
You're right Graham. CSCvd67358 was filed to address this. It will be fixed in a future release. Stay tuned.
Thanks for the update and I'm pleased to see a case opened to resolve it.
Will this bug case also address the significant differences in the counts (of effected devices)?
In the interim which counts do we use, the counts shown via the portal or those reported within a download spreadsheet?
Thanks for the info you sent me. It helped me to visualize same as you were seeing. There isn't a count mismatch. There is a title/description mismatch that makes it appear that way to you. This is CSCvd87947. If you summarize in the excel by Alert ID instead, you'll see the counts match.