The active device profiling is done from the NTBA appliance and uses an NMAP scan. The passive device profiling is done by the sensor itself and uses things like sequence numbers and user agents to determine the OS type.
The NTBA Appliance sends active host scan details to the Manager. The Manager will collaborate data from all sources and provide a comprehensive view of the hosts on the network. It also uses the data for alert relevancy.
Here's a KB article that gives more details of the passive device profiling:
Thank you for the answer. Since both scans are doing the same thing, is there some sort of difference between the accuracy or the amount of details the scan can find?
I also have noticed that you can configure the active scans on the NTBA. I would also like to know the following.
1. How do we know the scans run? I cannot see any option where we can manually run or schedule them.
2. How can we view the scan results?
Thanks in advance
The passive device profiling is trying to make an educated guess at what the details on the target system are. The active one is using NMAP, which will have a much higher likelihood of being correct.
The schedule can be set up on the NTBA's active device profiling once the option is enabled. The schedule is at the bottom of the same screen.
The details can be seen on the CLI with 'show fingerprinting stats'. The Manager will have context information for each host when the profiling is enabled under the 7.5 analyze tab as well as in the threat analyzer.
Do we have to integrate NMAP or does the NTBA already have it and use it for the scan?