CCNP Security FAQ: Profiling

Q1. True or False? The profiling service is enabled by default on ISE policy service nodes.
a. True
b. False

Answer: A. Profiler is enabled by default on all policy service nodes and standalone nodes. However, not a single probe is enabled by default in ISE 1.2.

Q2. Name three ways in which an endpoint profile can be used in an authorization policy rule.
a. Logical profiles
b. Endpoint identity groups
c. NMAP OS-Scan result
d. EndPointPolicy attribute
e. EndPointProfile attribute

Answer: A, B, D. There is no such thing as an EndPointProfile attribute. Although OS-Scan is used as a condition to determine the endpoint’s profile, it cannot be used directly in an authorization policy. The authorization policy can use identity groups (which contain a list of MAC addresses), the EndPointPolicy attribute (which is the actual endpoint profile), and logical profiles (a group of profiles).

Q3. Which probe is used to trigger the SNMPQUERY probe to query a NAD?
e. Both A and D
f. Both C and D

Answer: E. The SNMPQUERY probe will periodically query all the NADs configured with SNMP strings, but it is also a reactive probe. The SNMPQUERY probe will reactively query a NAD when the RADIUS probe receives an accounting START message or when an SNMP trap is received.

Q4. Which three probes exist with device sensor?

Answer: C. The three probes that exist in device sensor on Cisco switches are CDP, DHCP, and LLDP. Wireless controllers have two probes: DHCP and HTTP.

Figure: DHCP SPAN logical design.

Q5. How are updated profiles distributed to customer ISE deployments?
a. Cisco’s Profiler Feed Service.
b. Each new version of ISE or ISE patch includes new profile policies.
c. The profiles are distributed together with the posture checks and compliance modules.
d. Import the update packs that are downloaded from

Answer: A. Cisco no longer includes profile updates within the ISE version updates or patches. All new profiles are included and downloaded as part of the Cisco Profiler Feed Service.

Q6. What determines when an endpoint is assigned to a profile?
a. The profile that matches the most conditions will be assigned.
b. All profiles are manually assigned by the administrator.
c. The certainty value must equal or exceed the minimum certainty value of the profile.
d. The ISE posture agent will identify the profile of an endpoint to ISE.

Answer: C. Profiling is all about the certainty value. Each profile has a minimum certainty value, and matching the conditions will increase the certainty value. A higher certainty value for any profile means it will be assigned.

Q7. Which ISE tool enables an administrator to drill down into the profiles that have been assigned to locate a specific endpoint with that profile?
a. Endpoints Drill-down
b. Cisco Endpoint Profiling Examination Tool (CEPET)
c. Profiled Endpoints Counter
d. Profiler Activity Window

Answer: A. The Endpoints Drill-down tool is an excellent way to look into the profiled endpoints and verify that the profiling service is working.

Q8. What are two ways to collect HTTP user agent strings?
a. Through the AnyConnect HTTP User Agent Reporting Tool
b. SPAN port mirroring
c. The Cisco WSA device sensor
d. Directly from ISE web portals
e. Device sensor in the switch

Answer: B, D. HTTP user agent strings could be gleaned through SPAN monitoring and VACLs and directly from the ISE web portals. Wired switches do not currently have an HTTP device sensor probe, but wireless controllers do.

Q9. True or False? ISE deployments must wait for Feed Service updates for new profiles.
a. True
b. False

Answer: B. ISE provides the ability for administrators to create their own custom profiles using any of the attributes available to the profiling engine.

Q10. What will happen when an ISE administrator has modified a profile and then a Feed Service update is downloaded that contains an updated version of that profile?
a. The profile is overwritten with the version in the Feed Service Update.
b. The admin will be prompted to choose to overwrite or ignore the profile update.
c. All nonconflicting profiles will be downloaded and installed. The conflicting profiles will be ignored.
d. The update will fail and an alarm will be triggered on the dashboard and in email.

Answer: C. Profiles are classified as Cisco provided, administratively modified, or administrator created. Only Cisco-provided profiles will be overwritten.

About the author

James Palmer
