10-25-2011 08:34 AM
In the event log I can see these actions on single IP addresses:
Tue Oct 25 17:04:22 2011 System System NMAP Scan of "126.96.36.199" (188.8.131.52/255.255.255.255) using credentials "": completed: 1 probes in 144 seconds
Tue Oct 25 17:01:58 2011 System System NMAP Scan of "184.108.40.206" (220.127.116.11/255.255.255.255) using credentials "": started
- Why is AMP doing this on these single IP addresses (there are a lot more servers on the network)?
- How/where can you manage this behaviour?
10-25-2011 10:10 AM
The automatic behavior is configured on the RAPIDS-->Setup page. In the Basic configuration section the setting is 'Automatically OS scan rogue devices'. If you do not want AirWave to perform NMAP scans, make sure 'No' is selected.
The scans can also be run manually from the modify devices link on the rogue list and from the identify OS button on the rogue detail page.
10-26-2011 03:42 AM
There are also no rogue rules configured with OS scan enabled.
Even these systems are classified as Valid (manual override).
But the login attempts are still there.
10-26-2011 01:40 PM
It should require user interaction to initiate. If you look at the RAPIDS audit log on the bottom of the RAPIDS-->Overview page, do you see any 'Identify Operating System' lines?
If you do they will let you know who initiated the scan and when.
If you do not, please open a support case for further troubleshooting and debugging.
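For anyone chasing the same question, here is an added example (my own code, not from the thread or from AirWave) that parses event-log lines in the format quoted in the first post, pairs each target's "started" and "completed" entries, and lists the scans recorded under the built-in "System" account, i.e. the ones with no user to look up in the RAPIDS audit log. The sample lines are constructed with documentation IP ranges, and the assumption that the two fields after the timestamp are the initiating user and its role is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the AirWave event-log format quoted above
# (addresses are documentation-range examples, not real hosts).
SAMPLE_LOG = """\
Tue Oct 25 17:01:58 2011 System System NMAP Scan of "203.0.113.10" (203.0.113.10/255.255.255.255) using credentials "": started
Tue Oct 25 17:04:22 2011 System System NMAP Scan of "203.0.113.10" (203.0.113.10/255.255.255.255) using credentials "": completed: 1 probes in 144 seconds
Tue Oct 25 17:10:05 2011 admin admin NMAP Scan of "203.0.113.11" (203.0.113.11/255.255.255.255) using credentials "": started
Tue Oct 25 17:20:00 2011 System System NMAP Scan of "203.0.113.12" (203.0.113.12/255.255.255.255) using credentials "": started
"""

# Assumption: the two tokens after the timestamp are <user> <role>.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<user>\S+) (?P<role>\S+) '
    r'NMAP Scan of "(?P<target>[^"]+)" \([^)]*\) using credentials "[^"]*": '
    r'(?P<state>started|completed)(?:: (?P<probes>\d+) probes in (?P<secs>\d+) seconds)?$'
)


@dataclass
class ScanRecord:
    target: str
    initiator: str
    started: Optional[str] = None
    completed: Optional[str] = None
    probes: Optional[int] = None
    seconds: Optional[int] = None


def parse_scans(text: str) -> Dict[str, ScanRecord]:
    """Pair 'started' / 'completed' events per scanned target address."""
    scans: Dict[str, ScanRecord] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an NMAP scan entry; ignore
        rec = scans.setdefault(m["target"], ScanRecord(m["target"], m["user"]))
        if m["state"] == "started":
            rec.started = m["ts"]
        else:
            rec.completed, rec.probes, rec.seconds = m["ts"], int(m["probes"]), int(m["secs"])
    return scans


def unattributed_scans(scans: Dict[str, ScanRecord]) -> List[str]:
    """Targets scanned under the built-in 'System' account (no user to audit)."""
    return sorted(t for t, r in scans.items() if r.initiator == "System")


def incomplete_scans(scans: Dict[str, ScanRecord]) -> List[str]:
    """Targets with a 'started' entry but no matching 'completed' entry."""
    return sorted(t for t, r in scans.items() if r.started and not r.completed)
```

Feed it the relevant slice of the event log and compare the "System" targets against the 'Identify Operating System' lines in the RAPIDS audit log; targets that appear in the first list but not in the audit log are the ones worth taking to support.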