3 weeks ago
Is it possible to prevent Clearpass from scanning defined subnets? My client has a security requirement to not scan certain parts of the network.
I have configured a Scheduled scan via Configuration\Profile Settings. I set a very specific IP Subnet to Scan (10.10.1.0/24). I also set the same specific Subnet in the SNMP Tab. When that subnet gets scanned, it finds my Core router as it should. Since it has SNMP credentials to scan, it does and discovers devices on all the different subnets (172.16.x.x for example). It then proceeds to SNMP scan these devices as well as checking the default ports 135 and 3389 (as defined in Cluster Wide params). 172.16 has not been configured to scan.
How can I configure it to NOT scan devices in other subnets?
(BTW - I gathered this data by wirehark capture on Clearpass interface)
Solved! Go to Solution.
2 weeks ago
Answering my own question. I opened a TAC case. They have advised it is not possible to filter or prevent certain networks from being scanned. I could of course configured ACL's on the switches but this would be a very tedious effort.