Nmap Remediation Options

You define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time.

Note that Nmap-supplied server and operating system data remain static until you run another Nmap scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date.

The following table explains the options configurable in Nmap remediations.

Nmap Remediation Options

Option

Description

Corresponding Nmap Option

Scan Which Address(es) From Event?

When you use an Nmap scan as a response to a correlation rule, select one of the following options to control which address in the event is scanned: that of the source host, the destination host, or both.

  • Scan Source and Destination Addresses scans the hosts represented by the source IP address and the destination IP address in the event.

  • Scan Source Address Only scans the host represented by the event’s source IP address.

  • Scan Destination Address Only scans the host represented by the event’s destination IP address.

N/A

Scan Types

Select how Nmap scans ports:

  • The TCP Syn scan connects quickly to thousands of ports without completing the TCP handshake. This option allows you to scan quickly in stealth mode on hosts where the admin account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them. If a host acknowledges the Syn packet sent in a TCP Syn scan, Nmap resets the connection rather than finishing the handshake.

  • The TCP Connect scan uses the connect() system call to open connections through the operating system on the host. You can use the TCP Connect scan if the admin user on the Firewall Management Center or managed device does not have raw packet privileges on a host or you are scanning IPv6 networks. In other words, use this option in situations where the TCP Syn scan cannot be used.

  • The TCP ACK scan sends an ACK packet to check whether ports are filtered or unfiltered.

  • The TCP Window scan works in the same way as a TCP ACK scan but can also determine whether a port is open or closed.

  • The TCP Maimon scan identifies BSD-derived systems using a FIN/ACK probe.

TCP Syn: -sS

TCP Connect: -sT

TCP ACK: -sA

TCP Window: -sW

TCP Maimon: -sM

Scan for UDP ports

Enable to scan UDP ports in addition to TCP ports. Note that scanning UDP ports may be time-consuming, so avoid using this option if you want to scan quickly.

-sU

Use Port From Event

If you plan to use the remediation as a response in a correlation policy, enable to cause the remediation to scan only the port specified in the event that triggers the correlation response.

  • Select On to scan the port in the correlation event, rather than the ports you specify during Nmap remediation configuration. If you scan the port in the correlation event, note that the remediation scans the port on the IP addresses that you specify during Nmap remediation configuration. These ports are also added to the remediation’s dynamic scan target.

  • Select Off to scan only the ports you specify in the Nmap remediation configuration.

You can also control whether Nmap collects operating system and server information (see the Probe open ports for vendor and version information and Detect Operating System options). If the correlation rule triggers on a new server, enable Use Port From Event so that the scan covers the port associated with that server.

N/A

Scan from reporting detection engine

Enable to scan a host from the appliance where the detection engine that reported the host resides.

  • To scan from the appliance running the reporting detection engine, select On.

  • To scan from the appliance configured in the remediation, select Off.

N/A

Fast Port Scan

Enable to scan only the TCP ports listed in the nmap-services file (/var/sf/nmap/share/nmap/nmap-services on the device that does the scanning), ignoring other port settings. Note that you cannot use this option with the Port Ranges and Scan Order option.

  • To scan only the ports listed in that nmap-services file, ignoring other port settings, select On.

  • To scan the ports configured in Port Ranges and Scan Order, or Nmap's default port set if none are configured, select Off.

-F

Port Ranges and Scan Order

Set the specific ports you want to scan, using Nmap port specification syntax, and the order you want to scan them. Note that you cannot use this option with the Fast Port Scan option.

-p

Probe open ports for vendor and version information

Enable to detect server vendor and version information. If you probe open ports for server vendor and version information, Nmap obtains server data that it uses to identify servers. It then replaces the Cisco server data for that server.

  • Select On to scan open ports on the host for server information to identify server vendors and versions.

  • Select Off to continue using Cisco server information for the host.

-sV

Service Version Intensity

Select the intensity of Nmap probes for service versions.

  • To use more probes for higher accuracy with a longer scan, select a higher number.

  • To use fewer probes for less accuracy with a faster scan, select a lower number.

--version-intensity <intensity>

Detect Operating System

Enable to detect operating system information for the host.

If you configure detection of the operating system for a host, Nmap scans the host and uses the results to create a rating for each operating system that reflects the likelihood that the operating system is running on the host.

  • Select On to scan the host for information to identify the operating system.

  • Select Off to continue using Cisco operating system information for the host.

-O

Treat All Hosts As Online

Enable to skip the host discovery process and run a port scan on every host in the target range. Note that when you enable this option, Nmap ignores settings for Host Discovery Method and Host Discovery Port List.

  • To skip the host discovery process and run a port scan on every host in the target range, select On.

  • To perform host discovery using the settings for Host Discovery Method and Host Discovery Port List and skip the port scan on any host that is not available, select Off.

-Pn (also accepted as -PN)

Host Discovery Method

Select the probe that Nmap uses for host discovery against every host in the target range. The probe is sent to the ports listed in the Host Discovery Port List or, if no ports are listed, to the default port for the selected host discovery method.

Note that if you also enabled Treat All Hosts As Online, however, the Host Discovery Method option has no effect and host discovery is not performed.

Select the method to be used when Nmap tests to see if a host is present and available:

  • The TCP SYN option sends an empty TCP packet with the SYN flag set and recognizes the host as available if a response is received. TCP SYN scans port 80 by default. Note that TCP SYN scans are less likely to be blocked by a firewall with stateful firewall rules.

  • The TCP ACK option sends an empty TCP packet with the ACK flag set and recognizes the host as available if a response is received. TCP ACK also scans port 80 by default. Note that TCP ACK scans are less likely to be blocked by a firewall with stateless firewall rules.

  • The UDP option sends a UDP packet and assumes host availability if a port unreachable response comes back from a closed port. UDP scans port 40125 by default.

TCP SYN: -PS

TCP ACK: -PA

UDP: -PU

Host Discovery Port List

Specify a customized list of ports, separated by commas, that you want to scan when doing host discovery.

Port list appended to the host discovery flag, for example -PS22,443 or -PU53

Default NSE Scripts

Enable to run Nmap's default set of NSE scripts (the scripts in the default category), which adds script-based host discovery, server, operating system, and vulnerability checks to the scan. See https://nmap.org/nsedoc/categories/default.html for the list of default scripts.

  • To run the default set of Nmap scripts, select On.

  • To skip the default set of Nmap scripts, select Off.

-sC

Timing Template

Select the timing template for the scan. The higher the number you select, the faster the scan, but the less comprehensive its results, because higher templates use shorter timeouts and can miss ports or services on slow or rate-limited networks.

0: T0 (paranoid)

1: T1 (sneaky)

2: T2 (polite)

3: T3 (normal)

4: T4 (aggressive)

5: T5 (insane)
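The following added example, which is not part of the Firewall Management Center and not Cisco's code, shows how the settings in the table above combine into one nmap command line. The variable names (SCAN_TYPE, PORT_RANGES and so on) and the nmap_remediation_cmd function are assumptions chosen to mirror the option names; the function only prints the equivalent command so that you can check what a remediation would run, and it enforces the two constraints the table states: Fast Port Scan cannot be combined with Port Ranges and Scan Order, and Treat All Hosts As Online makes the host discovery settings irrelevant.

```shell
#!/bin/sh
# Added example, not part of the Firewall Management Center: translate the
# settings of one Nmap remediation into the equivalent nmap command line.
# Variable and function names are assumptions; the function only prints the
# command line, it never runs nmap.
#
# Settings are read from variables named after the remediation options:
#   SCAN_TYPE          syn|connect|ack|window|maimon   (Scan Types)
#   SCAN_UDP           on|off   (Scan for UDP ports)
#   FAST_PORT_SCAN     on|off   (Fast Port Scan)
#   PORT_RANGES        nmap port spec, e.g. "22,80,443,8000-8100", or empty
#   PROBE_VERSIONS     on|off   (Probe open ports for vendor and version information)
#   VERSION_INTENSITY  0-9 or empty (Service Version Intensity)
#   DETECT_OS          on|off   (Detect Operating System)
#   ALL_HOSTS_ONLINE   on|off   (Treat All Hosts As Online)
#   DISCOVERY_METHOD   syn|ack|udp (Host Discovery Method)
#   DISCOVERY_PORTS    comma-separated list or empty (Host Discovery Port List)
#   DEFAULT_NSE        on|off   (Default NSE Scripts)
#   TIMING             0-5      (Timing Template)

# Scan Types choice -> nmap flag; unknown values are rejected.
scan_type_flag() {
    case "$1" in
        syn)     echo "-sS" ;;
        connect) echo "-sT" ;;
        ack)     echo "-sA" ;;
        window)  echo "-sW" ;;
        maimon)  echo "-sM" ;;
        *)       echo "unknown scan type: $1" >&2; return 1 ;;
    esac
}

# Host Discovery Port List must be comma-separated port numbers in 1-65535.
valid_port_list() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
    done
    return 0
}

nmap_remediation_cmd() {
    target="$1"
    flag=$(scan_type_flag "${SCAN_TYPE:-syn}") || return 1
    cmd="nmap $flag"
    if [ "${SCAN_UDP:-off}" = on ]; then cmd="$cmd -sU"; fi

    # -F and -p cannot be combined in a remediation.
    if [ "${FAST_PORT_SCAN:-off}" = on ] && [ -n "$PORT_RANGES" ]; then
        echo "Fast Port Scan cannot be combined with Port Ranges and Scan Order" >&2
        return 1
    fi
    if [ "${FAST_PORT_SCAN:-off}" = on ]; then cmd="$cmd -F"; fi
    if [ -n "$PORT_RANGES" ]; then cmd="$cmd -p $PORT_RANGES"; fi

    # --version-intensity only means something together with -sV.
    if [ "${PROBE_VERSIONS:-off}" = on ]; then
        cmd="$cmd -sV"
        if [ -n "$VERSION_INTENSITY" ]; then
            cmd="$cmd --version-intensity $VERSION_INTENSITY"
        fi
    fi
    if [ "${DETECT_OS:-off}" = on ]; then cmd="$cmd -O"; fi

    # -Pn skips discovery entirely, so the discovery method and port list
    # are dropped rather than emitted next to it.
    if [ "${ALL_HOSTS_ONLINE:-off}" = on ]; then
        cmd="$cmd -Pn"
    else
        case "${DISCOVERY_METHOD:-syn}" in
            syn) disc="-PS" ;;
            ack) disc="-PA" ;;
            udp) disc="-PU" ;;
            *)   echo "unknown host discovery method: $DISCOVERY_METHOD" >&2; return 1 ;;
        esac
        # The port list is appended directly to the flag (-PS22,443); with no
        # list nmap falls back to its default port for that probe type.
        if [ -n "$DISCOVERY_PORTS" ]; then
            valid_port_list "$DISCOVERY_PORTS" || {
                echo "bad Host Discovery Port List: $DISCOVERY_PORTS" >&2; return 1; }
            disc="$disc$DISCOVERY_PORTS"
        fi
        cmd="$cmd $disc"
    fi

    if [ "${DEFAULT_NSE:-off}" = on ]; then cmd="$cmd -sC"; fi
    cmd="$cmd -T${TIMING:-3}"
    echo "$cmd $target"
}

# Example: a scheduled scan of one host (constructed address) with every
# data-collecting option turned on.
SCAN_TYPE=syn SCAN_UDP=on FAST_PORT_SCAN=off PORT_RANGES="22,80,443,8000-8100" \
PROBE_VERSIONS=on VERSION_INTENSITY=7 DETECT_OS=on ALL_HOSTS_ONLINE=off \
DISCOVERY_METHOD=syn DISCOVERY_PORTS="22,443" DEFAULT_NSE=on TIMING=4 \
nmap_remediation_cmd 192.0.2.10
# prints: nmap -sS -sU -p 22,80,443,8000-8100 -sV --version-intensity 7 -O -PS22,443 -sC -T4 192.0.2.10
```

Running the printed command by hand on the scanning device (as a user with raw packet privileges, which -sS, -O and -PS all require) is a quick way to confirm that a remediation's port list and discovery settings do what you expect before you attach it to a correlation policy.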