Endpoint Module: HPS Inspection Engine Configuration Guide
Version 10.8 20
Use Nmap Fingerprint Scan
When this option is selected, HPS Inspection Engine uses Nmap fingerprint scans to
resolve the classification properties.
Use Nmap results with low confidence level
Nmap OS fingerprinting normally needs to find at least one open and one closed
TCP port on an endpoint before it can produce a reliable fingerprint. When this
option is enabled, HPS Inspection Engine accepts Nmap's low-confidence OS
estimates for endpoints on which it cannot find the open and closed ports
required for a full Nmap fingerprint scan.
Nmap Scan Commands Used by HPS Inspection Engine
By default, Nmap output is not logged. For troubleshooting purposes, set the
following Boolean properties to true to have the engine write Nmap's output to
log files in the HPS Inspection Engine's log file directory.
Nmap output logging consumes significant resources and should be enabled only
for as long as troubleshooting requires it.
Property                                 Equivalent Nmap Flag
config.nmap_log_banners_normal.value     -oN : enables normal output
config.nmap_log_banners_xml.value        -oX : enables XML output
config.nmap_log_banners_grepable.value   -oG : enables grepable output
config.nmap_log_banners_all.value        -oA : enables all output formats
To enable logging, log in to the CLI of the Appliance that handles the range of IP
addresses you wish to examine, and submit the following command:
fstool va set_property <config_property> true
where <config_property> is one of the Nmap logging configuration properties.
To disable logging, submit the following command:
fstool va set_property <config_property> false
Banner Scan
When the Use Nmap Banner Scan option is enabled, Nmap is run against the
endpoint with the following command line parameters. -sV performs service and
version detection, which is what returns the banners of the listed TCP ports:
-T Insane -sV -p T:21,22,23,53,80,135,88,1723,3389,5900
Fingerprint Scan
When the Use Nmap Fingerprint Scan option is enabled, the following Nmap scans
are run as needed for discovery and classification:
1. The endpoint is first scanned against a small set of ports of interest, with
OS detection enabled (-O) and host discovery skipped (-P0). The following
command line parameters are passed to Nmap:
-T Insane -v -v -v -O -P0 -p T:80,9100,515
2. If that scan does not yield enough information to classify the endpoint,
HPS Inspection Engine repeats the Nmap scan against a larger set of ports:
T:4,21,22,23,25,79,80,110,111,135,139,220,445,513,631,143,8080,41351,62078
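The following script is an added example and is not part of this guide or of the HPS Inspection Engine code. It reads an Nmap XML log of the kind the config.nmap_log_banners_xml.value setting produces (Nmap -oX format), applies the rule from "Use Nmap results with low confidence level" (an OS match is only fully trusted when Nmap saw at least one open and one closed TCP port), and picks the larger port set from step 2 of the fingerprint scan when the first pass is inconclusive. The two XML documents are constructed samples, not captured logs; the decision logic is a simplified reconstruction of the behaviour described above, not the engine's own algorithm; and the host addresses, port states and OS match names are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

# Port sets quoted from the guide: the initial fingerprint probe and the larger
# set used when the first pass cannot classify the endpoint.
INITIAL_PORTS = [80, 9100, 515]
EXPANDED_PORTS = [4, 21, 22, 23, 25, 79, 80, 110, 111, 135, 139, 220, 445,
                  513, 631, 143, 8080, 41351, 62078]

# Constructed sample in Nmap's -oX format (not a captured log). Port 80 is
# open and 515 is closed, so Nmap has the open+closed pair a full OS
# fingerprint needs. Addresses and OS names are assumed for the sample.
FULL_FINGERPRINT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T insane -v -v -v -O -P0 -p T:80,9100,515 192.0.2.10">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="515"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="9100"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="HP LaserJet printer" accuracy="96"/>
<osmatch name="Linux 2.6.X" accuracy="85"/></os>
</host></nmaprun>
"""

# Constructed sample where only an open port was seen: Nmap still offers a
# guess, but without a closed port it is a low-confidence estimate.
LOW_CONFIDENCE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T insane -v -v -v -O -P0 -p T:80,9100,515 192.0.2.11">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="515"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="9100"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="80"/></os>
</host></nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: IPv4 address, {tcp port: state}, and the OS
    matches as (name, accuracy) pairs sorted with the best match first."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ports = {}
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":   # the fingerprint scan is TCP-only
                continue
            ports[int(port.get("portid"))] = port.find("state").get("state")
        matches = [(m.get("name"), int(m.get("accuracy")))
                   for m in host.iter("osmatch")]
        matches.sort(key=lambda m: m[1], reverse=True)
        hosts.append({"addr": addr.get("addr") if addr is not None else None,
                      "ports": ports, "osmatches": matches})
    return hosts


def fingerprint_confidence(ports):
    """'full' when at least one open and one closed TCP port were seen,
    otherwise 'low' (the condition described under the low-confidence option)."""
    return "full" if {"open", "closed"} <= set(ports.values()) else "low"


def classify(host, use_low_confidence=False):
    """Decide what can be done with one host's result: accept the best OS
    match, or report the port set to rescan when the host is still unresolved.
    Simplified reconstruction of the guide's description, not engine code."""
    confidence = fingerprint_confidence(host["ports"])
    accepted = None
    if host["osmatches"] and (confidence == "full" or use_low_confidence):
        accepted = host["osmatches"][0]          # highest-accuracy match
    result = {"addr": host["addr"], "confidence": confidence,
              "os": accepted[0] if accepted else None,
              "accuracy": accepted[1] if accepted else None,
              "rescan_ports": None}
    if accepted is None and set(host["ports"]) <= set(INITIAL_PORTS):
        result["rescan_ports"] = EXPANDED_PORTS  # step 2 of the fingerprint scan
    return result


if __name__ == "__main__":
    for xml_text in (FULL_FINGERPRINT_XML, LOW_CONFIDENCE_XML):
        for host in parse_nmap_xml(xml_text):
            print(classify(host))
            print(classify(host, use_low_confidence=True))
```

Run it directly to see both decisions for each sample host; a real XML file from the engine's log directory can be read with open().read() and passed to parse_nmap_xml. The reason attribute on each port state (syn-ack, reset, no-response) is the quickest way to see why an endpoint never yields the closed port that a full fingerprint needs, for example because a firewall drops rather than resets probes to unused ports.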