The following table lists the firewall rules needed for Cisco ISE communications. The information in this post is not official; it was gathered from the Cisco installation guide at https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_7.html and is presented here in table form, adding the source and destination for each rule wherever they could be identified.
You can download the table in Excel format from this link.
| ISE Persona | ISE Service | SRC | DST | IP Protocol | Port | Service | Notes |
|---|---|---|---|---|---|---|---|
| PAN, MnT, PSN | Admin | Mgmt net | ISE PAN, ISE PSN, ISE MnT | TCP | 22 | SSH | |
| PAN, MnT, PSN | | ISE PAN, ISE PSN, ISE MnT | SMTP Servers | TCP | 25 | SMTP | PSN is for SMTP guest notifications from guest and sponsor portals |
| PSN | Device Administration | ISE PSN | NAD | TCP | 49 | TACACS+ | Incoming TACACS requests. This port is configurable in Release 2.1 and later releases |
| PSN | Device Administration | NAD, ISE PSN | ISE PSN | TCP | 49 | TACACS+ | Incoming TACACS requests. This port is configurable in Release 2.1 and later releases |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | DNS Servers | TCP | 53 | DNS | DNS Servers |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | DNS Servers | UDP | 53 | DNS | DNS Servers |
| PSN | External Identity Sources and Resources | Endpoints | ISE PSN | TCP | 53 | DNS | DNS Servers |
| PSN | External Identity Sources and Resources, Profiling | Endpoints | ISE PSN | UDP | 53 | DNS | DNS Servers |
| PSN | Profiling | ISE PSN | NAD | UDP | 67 | DHCP | This port is configurable. |
| PSN | Profiling | NAD | ISE PSN | UDP | 67 | DHCP | This port is configurable. |
| PSN | Profiling | ISE PSN | NAD | UDP | 68 | DHCP | DHCP SPAN Probe |
| PSN | Profiling | NAD | ISE PSN | UDP | 68 | DHCP | DHCP SPAN Probe |
| PAN, MnT, PSN | Admin | Mgmt net, NAD | ISE PAN, ISE PSN, ISE MnT | TCP | 80 | HTTP | Redirects to 443 |
| PSN | Admin | ISE PSN | NAD | TCP | 80 | HTTP | |
| PSN | Admin, SPAN, Profiling | Mgmt net, NAD | ISE PSN | TCP | 80 | HTTP | Redirects to 443 |
| PSN | Posture | Endpoints | ISE PSN | TCP | 80 | Discovery, SCEP | |
| PSN | SPAN, Profiling | ISE PSN | NAD, PIP* | TCP | 80 | HTTP | PIP = Policy Information Point = LDAP, AD… |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 88 | KDC | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | UDP | 88 | KDC | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PSN | External Identity Sources and Resources | Endpoints | ISE PSN | TCP | 88 | KDC | Kerberos (SPAN) |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | NTP Servers | UDP | 123 | NTP | |
| PSN | External Identity Sources and Resources | ISE PSN | PIP* | UDP | 123 | NTP | |
| PSN | External Identity Sources and Resources | Endpoints | ISE PSN | TCP | 135 | WMI | Client probe |
| PSN, PAN, MnT | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 135 | WMI | |
| PAN, MnT | Monitoring | Mgmt Network | ISE PAN, ISE MnT | UDP | 161 | SNMP QUERY | Network Monitoring System servers |
| PSN | Monitoring | ISE PSN | NAD | UDP | 161 | SNMP QUERY | Network Monitoring System servers |
| PSN | Monitoring | NAD | ISE PSN | UDP | 161 | SNMP QUERY | Network Monitoring System servers |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN, ISE MnT | Syslog Servers | UDP | 162 | SNMP Traps | Network Monitoring System servers |
| PAN, MnT, PSN | Logging, Profiling | ISE PAN, ISE PSN, ISE MnT | NMS | UDP | 162 | SNMP Traps | Network Monitoring System servers |
| PSN | Logging, Profiling | ISE PSN | NAD | UDP | 162 | SNMP Traps | Network Monitoring System servers |
| PSN | Logging, Profiling | NAD | ISE PSN | UDP | 162 | SNMP Traps | |
| PSN | Logging, Profiling | NAD | ISE PSN | UDP | 162 | SNMP Traps | Network Monitoring System servers |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 389 | LDAP | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | UDP | 389 | LDAP | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PAN | Admin | Mgmt Network | ISE PAN | TCP | 443 | HTTPS | ISE GUI access, REST API (MnT) |
| PSN, MnT | Admin | NAD, ISE MnT | ISE PSN | TCP | 443 | HTTPS | Webauth Sync |
| PSN, PAN, MnT | Admin, TC-NAC | ISE PSN | NAD, PIP*, ISE MnT, ISE PAN, FireAmp/Qualys, SXP | TCP | 443 | HTTPS | FireAmp/Qualys is for TC-NAC (Threat Centric Network Access Control); SXP is for TrustSec setups |
| PSN | Bring Your Own Device (BYOD) / Network Service Protocol (NSP) | Endpoints | ISE PSN | TCP | 443 | Provisioning – Wizard Install from Google Play (Android) | |
| PAN | Cisco cloud | ISE PAN | Cisco cloud | TCP | 443 | HTTPS | Posture updates; Smart licensing (connection to SSM On-Prem server over TCP/443 and ICMP) |
| All Personas | Replication and Synchronization | ISE PAN, ISE PSN, ISE MnT | ISE PAN, ISE PSN, ISE MnT | TCP | 443 | HTTPS | SOAP |
| MnT | SYNC | ISE MnT | ISE MnT | TCP | 443 | HTTPS | SOAP |
| PAN, MnT | SYNC | ISE PAN | ISE MnT, ISE PAN | TCP | 443 | HTTPS | SOAP |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 445 | SMB | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PSN | External Identity Sources and Resources | Endpoints | ISE PSN | TCP | 445 | SMB | Client probe |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 464 | KPASS | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PSN | IPSEC/ISAKMP | ISE PSN | NAD | UDP | 500 | IPSEC/ISAKMP | IPSEC/ISAKMP |
| PSN | IPSEC/ISAKMP | NAD, ISE PSN | ISE PSN | UDP | 500 | IPSEC/ISAKMP | IPSEC/ISAKMP |
| PSN | Profiling | ISE PSN | NAD | UDP | 547 | DHCPv6 | DHCP SPAN Probe |
| PSN | Profiling | NAD | ISE PSN | UDP | 547 | DHCPv6 | DHCP SPAN Probe |
| PSN, PAN, MnT | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 1433 | ODBC | Microsoft SQL Server |
| MnT | Logging | NAD | ISE MnT | TCP | 1468 | SYSLOG | |
| PSN, MnT | Logging | ISE MnT | ISE PSN, Syslog Servers | TCP | 1468 | SYSLOG | |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN | ISE MnT, Syslog Servers | TCP | 1468 | SYSLOG | |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN, ISE MnT | Syslog Servers | TCP | 1468 | SYSLOG | |
| PAN, PSN, MnT | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 1521 | ODBC | Oracle |
| PAN, MnT | SYNC | ISE PAN | ISE MnT | TCP | 1521 | ODBC | Port 1521 must be enabled for the MnT nodes. Port 1521 is required for inbound communication from PAN. If this port is not enabled for the MnT nodes, MnT node failover might result in loss of logs or reports |
| PSN | Session | ISE PSN | NAD | UDP | 1645 | RADIUS | Authentication |
| PSN | Session | NAD | ISE PSN | UDP | 1645 | RADIUS | Authentication |
| PSN | Session | ISE PSN | NAD | UDP | 1646 | RADIUS | Accounting |
| PSN | Session | NAD | ISE PSN | UDP | 1646 | RADIUS | Accounting |
| PAN | Session | ISE PAN | NAD | UDP | 1700 | RADIUS | RADIUS Change of Authorization (CoA) |
| PSN, MnT | Session | NAD, ISE MnT | ISE PSN | UDP | 1700 | RADIUS | RADIUS Change of Authorization (CoA) |
| PSN, PAN, MnT | Session | ISE PSN | NAD, ISE PAN, ISE MnT | UDP | 1700 | RADIUS | RADIUS Change of Authorization (CoA) |
| PSN | Session | ISE PSN | NAD | UDP | 1812 | RADIUS | Authentication |
| PSN | Session | NAD | ISE PSN | UDP | 1812 | RADIUS | Authentication |
| PSN | Session | ISE PSN | NAD | UDP | 1813 | RADIUS | Accounting |
| PSN | Session | NAD | ISE PSN | UDP | 1813 | RADIUS | Accounting |
| PSN | Session | ISE PSN | NAD | UDP | 2083 | RADIUS DTLS | RADIUS DTLS Authentication/Accounting |
| PSN | Session | NAD | ISE PSN | UDP | 2083 | RADIUS DTLS | RADIUS DTLS Authentication/Accounting |
| PSN | Admin | ISE PSN | NAD | TCP | 2560 | OCSP | Online Certificate Status Protocol |
| PSN | Admin | NAD | ISE PSN | TCP | 2560 | OCSP | Online Certificate Status Protocol |
| PSN, PAN, MnT | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 2638 | ODBC | Sybase |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 3268 | LDAP | Admin User Interface and Endpoint Authentications. PIP = Policy Information Point = LDAP, AD… |
| PSN | Session | ISE PSN | NAD, ISE PAN | UDP | 3799 | RADIUS | RADIUS Change of Authorization (CoA) Listen/Relay. UDP port 3799 is not configurable |
| PSN | Session | NAD | ISE PSN | UDP | 3799 | RADIUS | RADIUS Change of Authorization (CoA) Listen/Relay. UDP port 3799 is not configurable |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | PIP* | TCP | 5432 | ODBC | PostgreSQL |
| All Personas | Replication and Synchronization | ISE PAN, ISE PSN, ISE MnT | ISE PAN, ISE PSN, ISE MnT | TCP | 6379 | Profiler Endpoint Ownership Synchronization/Replication | |
| MnT | Logging | NAD | ISE MnT | TCP | 6514 | Secure SYSLOG | NMS |
| PSN, MnT | Logging | ISE MnT | ISE PSN, Syslog Servers | TCP | 6514 | Secure SYSLOG | NMS |
| PSN, PAN, MnT | Logging | ISE PAN, ISE PSN, ISE MnT | Syslog Servers | TCP | 6514 | Secure SYSLOG | NMS |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN | ISE MnT, Syslog Servers | TCP | 6514 | Secure SYSLOG | NMS |
| PSN | Clustering (Node Group) | ISE PSN | ISE PSN | TCP | 7800 | Inter-node communication | |
| PSN | SPAN, Profiling | ISE PSN | NAD | TCP | 8080 | HTTP | |
| PSN | SPAN, Profiling | NAD | ISE PSN | TCP | 8080 | HTTP | |
| PSN | Bring Your Own Device (BYOD) / Network Service Protocol (NSP) | Endpoints | ISE PSN | TCP | 8084 | For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices | |
| PSN | | ISE PSN | PIP* | TCP | 8084 | | |
| PSN | Bring Your Own Device (BYOD) / Network Service Protocol (NSP) | Endpoints | ISE PSN | TCP | 8443 | Provisioning – Wizard Install from Cisco ISE (Windows and Mac OS) | |
| PSN | Posture | Endpoints | ISE PSN | TCP | 8443 | HTTPS | Discovery, SCEP |
| PSN | Posture | ISE PAN | Cisco cloud | TCP | 8443 | HTTPS | Profiler Feed |
| PSN | Session | ISE PSN | NAD | UDP | 8443 | HTTPS | CWA (Central Web Auth) |
| PSN | Session | NAD | ISE PSN | UDP | 8443 | HTTPS | CWA (Central Web Auth) |
| PSN | Web Portal Services | Endpoints | ISE PSN | TCP | 8443 | HTTPS | Guest Portal and Client Provisioning, configurable to any port from range TCP/8000-8999 |
| PSN | Web Portal Services | Endpoints | ISE PSN | TCP | 8443 | HTTPS | Certificate Provisioning Portal, configurable to any port from range TCP/8000-8999 |
| PSN | Web Portal Services | Endpoints | ISE PSN | TCP | 8443 | HTTPS | My Devices Portal, configurable to any port from range TCP/8000-8999 |
| PSN | Web Portal Services | Mgmt network | ISE PAN | TCP | 8443 | HTTPS | Sponsor Portal, configurable to any port from range TCP/8000-8999 |
| PSN | Web Portal Services | Endpoints | ISE PSN | TCP | 8444 | HTTPS | Blocked List Portal, configurable to any port from range TCP/8000-8999 |
| PSN | Web Portal Services | Admin network | ISE PSN | TCP | 8445 | HTTPS | Sponsor Portal, configurable to any port from range TCP/8000-8999 |
| PSN | Posture | Endpoints, ISE PSN | ISE PSN, Endpoints | TCP | 8449 | Posture Flow, configurable to any port from range TCP/8000-8999 | |
| All Personas | Replication and Synchronization | ISE PAN, ISE PSN, ISE MnT | ISE PAN, ISE PSN, ISE MnT | TCP | 8671 | HTTPS | ISE Messaging Service |
| PSN | Posture / BYOD / (PRA/KA) | Endpoints | ISE PSN | TCP | 8905 | HTTPS | Discovery and Assessment (Posture Negotiation and Agent Reports); Provisioning – Supplicant Provisioning Process. From Cisco ISE 3.1 onwards, port 8905 is disabled by default on non-Policy Service nodes. To enable this port, check the "Enable Port 8905 on non-Policy Service Nodes for Posture Services" check box in the General Settings window (Administration > System > Settings > Posture > General Settings). |
| MnT | Bulk Download for pxGrid, pxGrid subscribers | pxGrid clients | ISE PXG, ISE MnT | TCP | 8910 | Bulk Download for pxGrid | |
| PAN | Admin | Mgmt net | ISE PAN | TCP | 9002 | HTTP/HTTPS | To manage guest accounts from the Admin GUI |
| PAN | Admin | Mgmt Network | ISE PAN | TCP | 9060 | HTTP/HTTPS | External RESTful Services (ERS). The ERS and OpenAPI services are HTTPS-only REST APIs that operate over port 443. Currently, ERS APIs also operate over port 9060. However, port 9060 might not be supported for ERS APIs in later Cisco ISE releases. We recommend that you only use port 443 for ERS APIs. |
| PSN | TrustSec | ISE PSN | NAD | TCP | 9063 | Use HTTP and the Cisco ISE REST API to transfer TrustSec data to network devices over port 9063. | |
| PSN | SCEP | ISE PSN | NAD | TCP | 9090 | Simple Certificate Enrollment Protocol | |
| PSN | SCEP | NAD, ISE PSN | ISE PSN | TCP | 9090 | Simple Certificate Enrollment Protocol | |
| PSN | Passive ID | ISE PSN | PIP* | TCP | 9094 | TS Agent | TS Agent |
| PSN | Passive ID | ISE PSN | PIP* | TCP | 9095 | AD Agent | AD Agent |
| PAN | Admin | ISE PAN | ISE PAN | TCP | 9300 | ElasticSearch (Context Visibility; to replicate data from primary to secondary Admin node) must be open on both Primary and Secondary Administration Nodes for incoming traffic. | |
| MnT | ISE API | ISE MnT, ISE API Gateway | ISE MnT | TCP | 9443 | HTTPS | MnT inbound communication from an ISE node with the ISE API Gateway enabled, to route the MnT REST APIs |
| PSN | SXP | ISE PSN | SXP node | TCP | 9644 | Inter-node communication | |
| MnT | NetFlow for TS | NAD | ISE MnT | UDP | 9993 | NetFlow | |
| PSN | Profiling | ISE PSN | NAD | UDP | 9996 | NetFlow | This port is configurable. |
| PSN | Profiling | NAD | ISE PSN | UDP | 9996 | NetFlow | This port is configurable. |
| PSN | Passive ID | ISE PSN | PIP* | TCP | 11468 | SYSLOG | |
| All Personas | Replication and Synchronization | ISE PAN, ISE PSN, ISE MnT | ISE PAN, ISE PSN, ISE MnT | TCP | 12001 | Data Synchronization/Replication (JGroups) | |
| MnT | Logging | NAD | ISE MnT | UDP | 20514 | SYSLOG | |
| PSN, MnT | Logging | ISE MnT | ISE PSN, ISE MnT | UDP | 20514 | SYSLOG | |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN | ISE MnT | UDP | 20514 | SYSLOG | |
| PSN, PAN, MnT | Logging | ISE PSN, ISE PAN, ISE MnT | Syslog Servers | UDP | 20514 | SYSLOG | |
| PSN | Passive ID | ISE Servers | PIP* | UDP | 40514 | SYSLOG | |
| PSN | SXP | ISE PSN | NAD | TCP | 64999 | | |
| PSN | SXP | NAD, ISE PSN | ISE PSN | TCP | 64999 | | |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | Repository | TCP | 21, 22, 111, 2049, 80, 443 | FTP, SFTP, NFS, HTTP, HTTPS | Repository for backups and/or file copy. Not all ports are required; it depends on your needs. NFS may need other ports |
| PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | Repository | UDP | 69, 111, 2049 | TFTP, NFS | Repository for backups and/or file copy. NFS may need other ports |
| PSN | Bring Your Own Device (BYOD) / Network Service Protocol (NSP) | ISE PSN | | TCP | 80 or 443 | SCEP Proxy to CA (based on SCEP RA URL configuration) | |
| PAN, MnT | Monitoring | ISE PAN, ISE MnT | | ICMP | | | Network Monitoring System servers |

\*PIP = Policy Information Point = LDAP, AD…
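Many rows above list several sources, destinations or ports in one cell, while a firewall needs one permit per (source, destination, protocol, port) flow. The script below is an added example, not part of the original post or of Cisco's documentation: it takes a few rows in the post's pipe-separated layout (a constructed sample, with multi-valued cells written comma-separated), expands them into explicit flows, drops exact duplicates, and reports rows that cannot become a rule because the source, destination or port is missing, as is the case for the port-less ICMP row. The column order and the `allow proto/port from src to dst` output format are assumptions of this example.

```python
"""
Expand a pipe-separated ISE firewall-rule table into explicit flows.

Each table row may list several sources, destinations and ports in one
cell. A firewall needs one permit per (src, dst, proto, port) tuple, so
this script expands the rows, de-duplicates the result and flags rows
that cannot be turned into a rule (no source or destination, or a
TCP/UDP row without a port).
"""
from dataclasses import dataclass

# Assumed column order, matching the table in the post.
COLUMNS = ("persona", "service", "src", "dst", "proto", "port", "app", "notes")

# Constructed sample in the same "a | b | c" layout as the post's table:
# four rows copied from it plus the port-less ICMP row, which carries no
# destination and therefore cannot become a rule.
SAMPLE_TABLE = """\
PAN, MnT, PSN | Admin | Mgmt net | ISE PAN, ISE PSN, ISE MnT | TCP | 22 | SSH |
PSN | Session | NAD | ISE PSN | UDP | 1812 | RADIUS | Authentication
PSN | Session | NAD | ISE PSN | UDP | 1813 | RADIUS | Accounting
PAN, MnT, PSN | External Identity Sources and Resources | ISE PAN, ISE PSN, ISE MnT | Repository | TCP | 21, 22, 111, 2049, 80, 443 | FTP, SFTP, NFS, HTTP, HTTPS | Repository for backups and/or file copy
PAN, MnT | Monitoring | ISE PAN, ISE MnT | | ICMP | | | Network Monitoring System servers
"""


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: str   # empty for port-less protocols such as ICMP
    app: str
    notes: str


def split_values(cell: str) -> list[str]:
    """'ISE PAN, ISE PSN' -> ['ISE PAN', 'ISE PSN']; empty entries are dropped."""
    return [v.strip() for v in cell.split(",") if v.strip()]


def parse_row(line: str) -> dict:
    """Map one pipe-separated line onto the eight table columns."""
    cells = [c.strip() for c in line.split("|")]
    cells = (cells + [""] * len(COLUMNS))[: len(COLUMNS)]   # pad short rows
    return dict(zip(COLUMNS, cells))


def expand_table(text: str):
    """Return (rules, problems): the expanded flows, and (line, reason)
    pairs for rows that had to be skipped."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        row = parse_row(line)
        if not row["src"] or not row["dst"]:
            problems.append((lineno, "missing source or destination"))
            continue
        ports = split_values(row["port"])
        if row["proto"].upper() == "ICMP":
            ports = ports or [""]          # ICMP has no port
        elif not ports:
            problems.append((lineno, "missing port"))
            continue
        for src in split_values(row["src"]):
            for dst in split_values(row["dst"]):
                for port in ports:
                    rules.append(Rule(src, dst, row["proto"], port, row["app"], row["notes"]))
    # Rule is a frozen dataclass, hence hashable: dict.fromkeys keeps the
    # first occurrence of each flow and drops exact duplicates in order.
    return list(dict.fromkeys(rules)), problems


def render(rule: Rule) -> str:
    """One permit line in a firewall-neutral text form."""
    app = f" ({rule.app})" if rule.app else ""
    return f"allow {rule.proto}/{rule.port or '-'} from {rule.src} to {rule.dst}{app}"


if __name__ == "__main__":
    flows, skipped = expand_table(SAMPLE_TABLE)
    for r in flows:
        print(render(r))
    for lineno, why in skipped:
        print(f"line {lineno}: {why}")
```

Run against the full table, the `problems` list is the useful part: every row it reports is a row where the post could not identify a source or destination, so those flows still have to be resolved by hand before they go into a firewall policy.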
If you find any errors or would like to contribute, please feel free to leave a comment.