ISE posture requirement to check if endpoint's USB port is disabled

Hi,
I wonder if it is possible to set the disabled USB port in the endpoints as a requirement in ISE Posture?
Appreciate your input.
Mike

If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
You would have to create a New Posture Condition and Remediations.
The condition that I will use in this example is a Registry Key.
If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
So set a Posture Condition:
Click Policy > Policy Elements > Conditions
Choose Posture from the left menu:
Then choose Registry Condition from the left menu.
Click +Add to add a new Posture Condition:
Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
+Add to add a new Link Remediation:
Then choose Requirements from the left menu and create a new Remediation Result:
Of course, you can choose different remediations as necessary for your environment.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
Charles Moreton
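
To confirm on a test endpoint what the registry condition described in the answer above will see, the following PowerShell is an added example (not part of the original post and not Cisco's code). The function name `Get-UsbStorPosture` and its output fields are hypothetical; the registry path, the value name and the meaning of 3 and 4 are the ones given in the answer. Treating a missing key or value as non-compliant is an assumption of this script.

```powershell
# Added example, not from the thread. Function name and output fields are hypothetical.
# Registry path, value name and the meaning of 3 / 4 come from the answer above.

function Get-UsbStorPosture {
    [CmdletBinding()]
    param(
        [string] $Path          = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor',
        [string] $ValueName     = 'Start',
        [int]    $RequiredValue = 4      # 4 = USB storage disabled (the compliant state here)
    )

    $report = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Path      = $Path
        ValueName = $ValueName
        Actual    = $null
        State     = 'Unknown'
        Compliant = $false
    }

    # Assumption of this script: a missing key is reported as non-compliant.
    if (-not (Test-Path -LiteralPath $Path)) {
        $report.State = 'KeyMissing'
        return [pscustomobject]$report
    }

    # Assumption of this script: a missing value is reported as non-compliant.
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $report.State = 'ValueMissing'
        return [pscustomobject]$report
    }

    $actual = $item.$ValueName
    $report.Actual = $actual

    # Map the two values named in the thread; anything else is reported as-is.
    $report.State = switch ($actual) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { 'Other' }
    }

    $report.Compliant = ($actual -eq $RequiredValue)
    return [pscustomobject]$report
}

# Show the result for the local machine.
Get-UsbStorPosture | Format-List
```

Running it before and after changing the value on a test machine shows whether the condition configured in ISE matches what the endpoint actually reports.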

Similar Messages

  • Cisco ISE posture requirements: what's the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the anyconnect posture module (ac 4.0) with ISE 1.3. I have a problem with the order in which the posture requirements get checked: it does not seem to order the requirements alphabetically, and I can't figure out how to make it check for certain things before other things. An example:
    I have Symantec SEP 12.1 AV in this environment, and I have the following checks:
    - AV_installed : is the AV agent installed? If not, start installation from a network share
    - AV_started : is the AV agent started? If not, try to start the service
    - AV_uptodate : are the AV definitions up to date? If not, start the update function in the AV client
    Now this is the order it needs to be checked in, as it would fail if I tried to check if the AV is running before I check if it's actually installed, but I can't get posture to do that. Going on the names of the rules, these should alphabetically be run in the order I have, but they are not.
    Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE to check Windows Firewall is enabled or not in Posture Requirement.

    I already have a running setup for wireless employees. Everything is working fine. Wireless employees authenticate by AD through ISE. URL redirection is working fine. Posture requirements to check hotfixes and AV installation and definitions are working fine. Now I have a new requirement to check whether Windows Firewall is enabled or not; if not, then put the users in temporary access and do the remediation; if that fails, then put the user in noncompliant.
    I want to know under which option I can create the Windows Firewall requirement.
    Thanks

    Windows Firewall in Windows XP creates a registry key.
    Registry Key:
    HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Registry Value:
    EnableFirewall
    If the XP Firewall is on, the value will be equal to "1".
    The following link shows how to tell if firewalls of different brands are running
    http://cisconac.blogspot.com/2007/05/custom-checks-personal-firewall.html
    So, the ISE config will be something like the following picture. Please rate if it helps

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • ISE Hardware Requirements

    Cisco's docs are not providing the information in regards to ISE hardware requirements.  I am looking at 3 different documents and see 3 different requirements.
    Does anyone have the tried and true numbers for the ISE deployment?  Specifically for the PSN?
    Also, are there hardware restrictions on the servers that can be used in the event the customer decides to go with their own hardware rather than using VM?
    Thanks for any assistance anyone can offer.
    Mike
    Received answer from Cisco...
    Posting in case anyone else needs this info
    Your Question:
    If I am using a distributed deployment, for example, running 1 node as admin and monitoring, another node for PSN, would I need 250gb disk space for each node?  Or would I use a shared 250gb disk space on a storage server?
    Answer:
    As you informed that you are " running 1 node as admin and monitoring, another node for PSN, would I need 250gb disk space for each node ", so YES each node will have individual 250Gb of space.
    Now the node running as admin and monitoring would have to share the 250Gb available on the ISE on which they would be implemented.
    Your Question:
    Additionally, say I were to scale and create 2 admin nodes, and 4 PSNs, how would the disk space work in that case?
    Answer:
    As the 2 Admin nodes would be on individual ISE hardware appliances, individually they would have 250Gb of space, and if the 4 PSNs are also the same ISE hardware, then each PSN would have its own 250Gb space.
    Your Question:
    If however, the admin node and PSN were on the same chassis, different VM (if supported) how would the disk space work then?
    Answer:
    If the VM used for the above scenario is only one and is configured according/equivalent to the ISE hardware appliance, then the space mentioned (250Gb as example) would be shared between the two personas.
    Message was edited by: Michael Mistretta

    Hello,
    The links below might help you out:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_vmware.html
    and
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/data_sheet_c78-656174.html

  • Required field check in ALV

    Hi,
    I'm trying to make a required field check on an ALV field. I can see that the function works as required and produces an error to display in the message_manages
    but when I return to the program no error is shown and no red box is displayed around the field.
    Any help is welcome...
    Thanks,
    Kris
    This is my code:
      DATA: l_attr_list  TYPE cl_wd_dynamic_tool=>t_check_mandattr_tab,
            l_attr       TYPE cl_wd_dynamic_tool=>t_check_mandattr_struct,
            errors       TYPE boolean.
      " Describe the mandatory attribute to check
      l_attr-node_path = 'QUOTATION_TO_CREATE'.
      l_attr-element_index = 0.
      l_attr-attribute_name = 'KWMENG'.
      APPEND l_attr TO l_attr_list.
      " Run the check and let it report messages
      errors = cl_wd_dynamic_tool=>check_mandatory_attributes(
          attribute_list   = l_attr_list
          display_messages = abap_true
          context_root     = wd_context ).
      " Continue only when no mandatory attribute is missing
      CHECK errors EQ abap_false.

    Hi Hans,
      Whatever you said is not possible because while returning to your program, the data won't be saved and it will be closed in any situation.
      If you want to do it like this, please display the pop-up before you go to the program, saying "Do you want to save this data?"; at that time it will display the error and you can do whatever you want.
    I think my answer will give helpful information to you. If not, please reply with some more information, then I will try to resolve your problem.
    Warm Regards,
    Vijay

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches the "User Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a Web Browser, i.e. the user gets redirected.
    If NAC agent is not present on machine then NAC agent will get downloaded and then Posture assessment starts.
    While testing this on ISE, I noticed that
    If NAC agent is already present on machine then directly posture assessment starts even without opening web browser.
    Now my question is, how ISE does come to know that NAC agent is already present on machine without opening web browser.
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • Store Procedure required to check Quantity total

    Dear Experts,
    Kindly help me in writing a Store Procedure. My requirement is to have a validation on the Inventory Transfer Form, where I have created two UDF fields at row level, A and B, where the user enters values, which are calculated as A * B, which is equal to the total Quantity, e.g. (A * B = Quantity).
    So I need a validation check here before adding this document, that the Field A value multiplied by the Field B value should be the total Quantity; in case changes are made in Field A or Field B but not updated before saving this document, it would result in a wrong Quantity total.
    To avoid such user entry mistakes, an SP is required to check whether the Quantity total is equal to Field A value * Field B value.
    Thanking in Advance....
    Regards,
    Krishnakumar

    Hi!  Gordon,
    There is already an FMS to calculate Field A value * Field B value, and it throws its result to the Field Quantity. Now I am looking to have a validation check or control that should actually check, before the document gets saved, that the value entered in Field A multiplied by Field B tallies with the Field Quantity.
    For example: Field A contains the figure 100 and Field B contains the figure 200, then Field A * Field B = Quantity, i.e. (100 * 200 = 20,000). In case the user changes the field value of A or B without updating the Field Quantity, then it results in correct Quantity.
    So I need a Store Procedure that checks the field values of A and B and checks the product against the Field Quantity; if it matches, then it should allow saving the document, otherwise it should print an error message "Calculation Error".
    I hope you understand what I exactly require, so I need your helping hands to get this Store Procedure.
    Thanks in Advance,
    Regards,
    Krishna
    Edited by: krishnaoctopus on Jun 14, 2011 2:49 PM

  • Transfer of Requirement & Availability Check

    Dear All,
    In simple words can anybody tell me the concept of Transfer of Requirement & Availability Check..
    I am not looking for Configuration details but want to know the basic things like......
    What is Transfer of Requirement & Availability Check?
    Where we are using ?
    How it help us ?
    etc...........
    Points will definitely be awarded.
    Regards
    SAGAR

    Dear Sagar
    1)  Transfer of Requirements
    Transfer of Requirements determine whether and how requirements should be transferred and if they should be checked against planned requirements. The transfer of requirements in sales can be switched on or off by transaction as required. For example, you can switch off the transfer of requirements for inquiries and quotations, whereas you can switch it on for sales orders and deliveries.
    2)  Availability Check
    There are three types of availability check:
       --> Check on the basis of the ATP quantities
       --> Check against product allocation
       --> Check against planning
    In Customizing, you determine whether an availability check is to be carried out against the ATP quantity or against planning. The check against product allocations is controlled in the material master and elsewhere in the system.
    a) Check on the Basis of the ATP Quantities
    The ATP quantity (ATP = Available To Promise) is calculated from the warehouse stock, the planned inward movements of stock (production orders, purchase orders, planned orders) and the planned outward movements of stock (sales orders, deliveries, reservations). This type of check is performed dynamically for each transaction, taking into account the relevant stock and planned goods movements with or without replenishment lead time. Planned independent requirements are not taken into account here.
    b) Check against Product Allocation
    Product allocation facilitates period-based distribution of products for certain customers or regions. As of Release 3.0F, you can carry out an availability check against product allocation. This ensures, for example, that when production is low, the first customer does not get the full amount, resulting in following sales orders not being confirmed or being confirmed far too late.
    c) Check against planning
    The check against planning is performed against independent requirements which are usually created for an ‘anonymous’ market rather than being customer-specific (for example, in the strategy ‘Planning without assembly’, when production occurs only up to the stocking level). The planned independent requirements result from demand program planning and are used for planning expected sales quantities independent of orders
    thanks
    G. Lakshmipathi

  • I received a Caution message - your computer contains a variety of suspicious programs.  Your system requires immediate checking! The system will perform a fast and free check of your PC for malicious programs.  Check OK

    I received this message this morning in Safari - Caution! Your computer contains a variety of suspicious programs.  Your system requires immediate checking! The system will perform a fast and free check of your PC for malicious programs.  Check OK

    So what did you do?
    If you fell for the scareware, you probably now have malware installed on your Mac.
    Allan

  • How to check whether voltage sensor is enabled or disabled in T5220

    Hi,
    I use the command "prtdiag -v" to check current system status on two T5220 servers. However, I find a strange thing in the sensors part as below: Server one has status info for temperature and voltage sensors but Server two has no related info.
    Does it mean the voltage and temperature sensors are disabled? How do I check whether the voltage sensor is enabled or disabled in T5220?
    Note:
    Server one has output by command 'prtpicl -c voltage-sensor -v', but Server two has nothing.
    Server one:
    Temperature sensors:
    Location Sensor Status
    SYS/MB T_AMB ok
    SYS/MB/CMP0/BR0/CH0/D0 T_AMB ok
    SYS/MB/CMP0/BR0/CH1/D0 T_AMB ok
    SYS/MB/CMP0/BR1/CH0/D0 T_AMB ok
    SYS/MB/CMP0/BR1/CH1/D0 T_AMB ok
    SYS/MB/CMP0/BR2/CH0/D0 T_AMB ok
    SYS/MB/CMP0/BR2/CH1/D0 T_AMB ok
    SYS/MB/CMP0/BR3/CH0/D0 T_AMB ok
    SYS/MB/CMP0/BR3/CH1/D0 T_AMB ok
    SYS/MB/CMP0 T_TCORE ok
    SYS/MB/CMP0 T_BCORE ok
    Current sensors:
    Location Sensor Status
    SYS/PS0 I_IN_MAIN ok
    SYS/PS0 I_IN_LIMIT ok
    SYS/PS0 I_OUT_MAIN ok
    SYS/PS0 I_OUT_LIMIT ok
    SYS/PS1 I_IN_MAIN ok
    SYS/PS1 I_IN_LIMIT ok
    SYS/PS1 I_OUT_MAIN ok
    SYS/PS1 I_OUT_LIMIT ok
    Voltage sensors:
    Location Sensor Status
    SYS/MB V_VMEML ok
    SYS/MB V_VMEMR ok
    SYS/MB V_+3V3_STBY ok
    SYS/MB V_VCORE ok
    SYS/MB V_+3V3_MAIN ok
    SYS/MB V_VDDIO ok
    SYS/MB V_+12V0_MAIN ok
    SYS/MB V_VBAT ok
    SYS/PS0 V_IN_MAIN ok
    SYS/PS0 V_OUT_MAIN ok
    SYS/PS1 V_IN_MAIN ok
    SYS/PS1 V_OUT_MAIN ok
    Voltage indicators:
    Location Indicator Condition
    SYS/MB VCORE_POK ok
    SYS/MB VMEML_POK ok
    SYS/MB VMEMR_POK ok
    SYS/MB I_USB0 ok
    SYS/MB I_USB1 ok
    SYS/HDD0 PRSNT ok
    SYS/HDD1 PRSNT ok
    SYS/ALARM INPUT ok
    SYS/PS0 AC_POK ok
    SYS/PS0 DC_POK ok
    SYS/PS0 CUR_FAULT ok
    SYS/PS0 VOLT_FAULT ok
    SYS/PS0 FAN_FAULT ok
    SYS/PS0 TEMP_FAULT ok
    SYS/PS1 AC_POK ok
    SYS/PS1 DC_POK ok
    SYS/PS1 CUR_FAULT ok
    SYS/PS1 VOLT_FAULT ok
    SYS/PS1 FAN_FAULT ok
    SYS/PS1 TEMP_FAULT ok
    Server two:
    Temperature sensors:
    Location Sensor Status
    SYS/MB T_AMB ok

    "Server one has status info for temperature and voltage sensors but Server two has no related info."
    Are you using the prtdiag command as root user whenever you are doing this?
    The output when done as root will give full information, whereas if you are NOT the root user the output will almost always have less information.
    However ...
    Because you have stated that the prtpicl information also seems to follow the same more-versus-less symptoms, I suspect you have a patch level issue.
    Server #2 is probably under-patched when compared to server #1 (both for system OBP level as well as OS level).
    Determining if that is the root of your issue is too much for a forum thread.
    Run Explorer on both systems then use your service contract credentials to log a SR so that Technical Support can analyze those Explorer files for you.

  • How to check apache pl/sql listener port

    Hi,
    Can anyone tell me how to check the Apache PL/SQL listener port?
    Thanks
    BhanuChander

    You may get it by searching the portlist.ini file in the ORACLE_HOME of the product you use.
    So, for instance, the following are the ports of Dev_Suite_Home:
    Oracle Developer Suite HTTP port = 8889
    Oracle Developer Suite JMS port = 9240
    Oracle Developer Suite RMI port = 23910
    Oracle HTTP Server Diagnostic port = 7200
    Reports Services bridge port = 14011
    Reports Services discoveryService port = 14021
    But ... note that these ports are valid only at the time of installation....!!!!
    Greetings...
    Sim

  • How to check status of a particular port by using netstat command?

    How to check status of a particular port by using netstat command?
    I want to check  port 443 in my server is open or not, is there any other way to check port via commandline?

    Hi,
    You can run the below command in an administrator command prompt on the server:
    netstat -ano|findstr ":443"
    -TP

  • Does configuring an endpoint open a port in the guest VM firewall?

    Hi there. I found out that if I want to access a specific port in a VM (Java RMI in my case), I have to configure an endpoint for this port. However, I was surprised that configuring an endpoint was enough to access the port. I didn't change the firewall rules in the guest for this port and it was immediately accessible from outside Microsoft Azure.
    Does configuring an endpoint open a port in the guest VM firewall?

    Hi,
    According to the official article below, it indicates that "Firewall configuration is done automatically for ports associated with Remote Desktop and Secure Shell (SSH), and in most cases for Windows PowerShell Remoting. For ports specified for all other endpoints, no configuration is done automatically to the firewall in the guest operating system. When you create an endpoint, you'll need to configure the appropriate ports in the firewall to allow the traffic you intend to route through the endpoint."
    How to Set Up Endpoints to a Virtual Machine
    Best regards,
    Susie

  • How to check if a field is hidden or disabled?

    I have implemented a progress bar, however, it counts all the fields in the form including hidden and disabled fields as well. I need to figure out how to check whether a field is hidden or disabled, and not count them for the progress bar. Please help!

    Try this (javascript):
    if (field.presence == 'visible' && field.access == 'open') {
         // include this field in the count
    }
