ISE Profiling Policies

ISE Profiling Policies

Profiling engine matches or compares the traffic to a set of signatures to identify any unwanted or suspicious activity on network. The profiling engine has its own built-in signatures called as profiles which are matched against the Endpoint attributes.

Profiler Feed Service

ISE has by default large set of built-in profiles, but due to large number of devices being manufacture on daily basis, it is required to have profiles for them too. In order to solve this problem, cisco developed a service called profiler feed service.

When a new device is manufactured in market, the profile related to it is created by Cisco partners and Device manufactures, and with the help of ISE Profiler feed service, these profiles are distributed after QA team has passed the quality check.

Configuring Profiler Feed Service

Once profiler feed service is enabled, ISE will contact to Cisco.com to regular interval and downloads any published profile.

It also provides many other features like:

• An option to send an email alert to the administrator when an update occurs,
• An Undo Latest button for reversing the latest update,
• A Test Feed Service Connection button to ensure the feed service is reachable and working,
• A link to view a report on the latest updates.

To configure use below steps:

Administration | Feed Service | Profiler

If Client don’t want to wait for that configured time interval for feed service, then click on Update Now button.

When the profiles are updated, it will cause all endpoints in endpoint database to be compared against new list of profile.

Verification Profile feed Service

Test Feed Service Connection tab is used for Verifying Profile Feed Service. This verification verifies the reachability of feed server, and also check weather connection is successful or not.

Above figure shows the test feed service failure due to Proxy server unavailability in configuration.

Another method to verify the Feed service is to:

Profiler Feed Service Configuration screen | Go to update Report page link | Click

Once click it will open another window and will show the Change configuration audit report prefiltered for Feed service-related entries. 

ISE must be able to reach to Cisco.com so, configure the Proxy Server on ISE to reach to Internet.

Administration| System | Setting | proxy

Offline Manual Update

Step1: If Offline Manual upgrade is required due to Enterprise outbound Communication policy, follow following steps:

Go to Administration | Feed Service | Profiler | Offline Manual Update

Step2: Click Download Updated Profile Policies. Which will opens the feed service at http://ise.cisco.com/partner. Log in with your Cisco.com user ID and password.

Step 3. Choose Offline Feed | Download Package

Step 4. Click Generate Package 

Step 5. Click Download Package and save the resulting tar.gz.gpg file

Step 6: Go Back to Offline Manual Update tab | click Browse to locate the tar.gz.gpg file that you downloaded in Step 5. Select the file and click Apply Update

Endpoint Profile Policies

Endpoint policies are those policy that contains a set of attributes of each device and are matched against those devices which are to be classified as endpoint type. ISE has large number of per-defined profile Policies and to update these policies, Feed service can be used.