I gathered some more insights since I posted the question:
- NMAP (in Audit) will not work until the device is profiled. It makes sense, because only then does it know the IP address of the device.
- You have to have L3 information (ARP) from some source - DHCP, SPAN port, router, etc. - for NMAP to work. Again, it makes sense because NMAP is IP based.
- Obviously the firewall needs to allow port scanning.
- Could have been better to have an audit and profiler log per endpoint. I guess the logs are there, but a little bit scattered.
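As an added illustration of the dependency described in the post (an IP-based scan needs an L3 source such as DHCP or ARP to learn the endpoint's address first), here is a small Python example that is not part of the original post or of any product: it parses constructed DHCP-ack and ARP-table lines, builds a MAC-to-IP map from them, and reports why a given endpoint can or cannot be scanned yet. The log formats, MAC addresses, IPs and the `scan_decision` helper are all assumptions made for this example.

```python
"""Map MAC addresses to IPs from L3 sources (DHCP, ARP) and decide whether an
IP-based scan can reach an endpoint. Example code; sample data is constructed."""

import re
from typing import Dict, Tuple

# Constructed sample inputs (not real logs): ISC-dhcpd-style syslog lines and a
# Cisco "show ip arp"-style table. Endpoint ...:03 only sent a DISCOVER, so it
# never received an address; endpoint ...:04 is known from ARP only.
DHCP_LOG = """\
Mar  1 10:00:01 dhcpd: DHCPACK on 10.1.20.15 to aa:bb:cc:dd:ee:01 via eth1
Mar  1 10:00:07 dhcpd: DHCPACK on 10.1.20.16 to aa:bb:cc:dd:ee:02 via eth1
Mar  1 10:00:09 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:03 via eth1
"""

ARP_TABLE = """\
Internet  10.1.20.15   3   aabb.ccdd.ee01  ARPA  Vlan20
Internet  10.1.20.40  12   aabb.ccdd.ee04  ARPA  Vlan20
"""

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I
)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff and return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(log: str) -> Dict[str, str]:
    """Only DHCPACK lines carry a committed IP; DISCOVER/OFFER lines are ignored."""
    ip_by_mac: Dict[str, str] = {}
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip_by_mac[normalize_mac(m.group(2))] = m.group(1)
    return ip_by_mac


def parse_arp(table: str) -> Dict[str, str]:
    """Each ARP row is direct evidence that the MAC currently answers for that IP."""
    ip_by_mac: Dict[str, str] = {}
    for line in table.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip_by_mac[normalize_mac(m.group(2))] = m.group(1)
    return ip_by_mac


def build_ip_map(*sources: Dict[str, str]) -> Dict[str, str]:
    """Merge several L3 sources; later sources (e.g. a fresher ARP table) win."""
    merged: Dict[str, str] = {}
    for src in sources:
        merged.update(src)
    return merged


def scan_decision(mac: str, ip_map: Dict[str, str],
                  firewall_allows_scan: bool) -> Tuple[bool, str]:
    """Return (eligible, reason) for an IP-based scan of the endpoint `mac`."""
    ip = ip_map.get(normalize_mac(mac))
    if ip is None:
        return False, "no L3 information yet (endpoint not profiled with an IP)"
    if not firewall_allows_scan:
        return False, f"firewall blocks port scanning toward {ip}"
    return True, f"scan target {ip}"


if __name__ == "__main__":
    ip_map = build_ip_map(parse_dhcp(DHCP_LOG), parse_arp(ARP_TABLE))
    for mac in ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:04"):
        print(mac, scan_decision(mac, ip_map, firewall_allows_scan=True))
```

The point the example makes is the one in the post: until some L3 source has tied the MAC to an IP, there is simply nothing for an IP-based scanner to target, and a firewall rule that drops the probes is a separate failure that is worth reporting distinctly.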