FSCP Exam Dumps - Forescout Certified Professional Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout CounterACT HPS Inspection Engine Configuration Guide Version 10.8, SMB (Server Message Block) is required for Windows Manageability because scripts run on endpoints are copied to a temp directory and run locally on the endpoint.​

SMB Purpose for Windows Management:

According to the HPS Inspection Engine guide:​

"Server Message Block (SMB) is a protocol for file and resource sharing. CounterACT uses this protocol with WMI or RPC methods to inspect and manage endpoints. This protocol must be available to perform the following:

Resolve file-related properties

Resolve script properties

Run script actions"

Script Execution Process Using SMB:

According to the documentation:​

When WMI is used for Remote Inspection:

CounterACT downloads scripts - Scripts are transferred FROM CounterACT TO the endpoint using SMB protocol

Scripts stored in temp directory - By default, scripts are downloaded to and run from:

Non-interactive scripts: %TEMP%\fstmp\ directory

Interactive scripts: %TEMP% directory of currently logged-in user

Scripts execute locally - Scripts are executed ON the endpoint itself (not remotely executed from CounterACT)

Script Execution Locations:

According to the detailed documentation:​

For Remote Inspection on Windows endpoints:

text

Non-interactive scripts are downloaded to and run from:

%TEMP%\fstmp\

(Typically %TEMP% is c:\windows\temp\)

Interactive scripts are downloaded to and run from:

%TEMP% directory of the currently logged-in user

For SecureConnector on Windows endpoints:

text

When deployed as a Service:

%TEMP%\fstmpsc\

When deployed as a Permanent Application:

%TEMP% directory of the currently logged-in user

SMB Requirements for Script Execution:

According to the documentation:​

To execute scripts via SMB on Windows endpoints:

Port Requirements:

Windows 7 and above: Port 445/TCP

Earlier versions (XP, Vista): Port 139/TCP

Required Services:

Server service

Remote Procedure Call (RPC)

Remote Registry service

SMB Signing (optional but recommended):

Can be configured to require digitally signed SMB communication

Helps prevent SMB relay attacks

Why Other Options Are Incorrect:

A. Scripts run on CounterACT are copied to a temp directory and run locally on the endpoint - Scripts don't RUN on CounterACT; they're copied FROM CounterACT TO the endpoint

B. Scripts run on endpoints are copied to a Linux script repository - Forescout endpoints are Windows machines, not Linux; also no "Linux script repository" is involved

C. Scripts run on endpoints are copied to a temp directory and run remotely from CounterACT - Scripts run LOCALLY on the endpoint, not remotely from CounterACT

D. Scripts run on CounterACT are copied to a script repository and run remotely from CounterACT - Inverts the direction; CounterACT doesn't copy TO a repository; it copies TO endpoints

Script Execution Flow:

According to the documentation:​

text

CounterACT --> (copies via SMB) --> Endpoint Temp Directory --> (executes locally) --> Result

The SMB protocol is essential for this file transfer step, which is why it's required for Windows manageability and script execution.

Referenced Documentation:

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide v10.8​

Script Execution Services documentation​

About SMB documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Switch Plugin Configuration Guide, Access Port ACL and Endpoint Address ACL cannot both be used concurrently on the same endpoint. These two actions are mutually exclusive because they both apply ACL rules to control traffic, but through different mechanisms, and attempting to apply both simultaneously creates a conflict.​

Switch Restrict Actions Overview:

The Forescout Switch Plugin provides several restrict actions that can be applied to endpoints:​

Access Port ACL - Applies an operator-defined ACL to the access port of an endpoint

Endpoint Address ACL - Applies an operator-defined ACL based on the endpoint's address (MAC or IP)

Assign to VLAN - Assigns the endpoint to a specific VLAN

Switch Block - Completely isolates endpoints by turning off their switch port

Action Compatibility Rules:

According to the Switch Plugin Configuration Guide:​

Endpoint Address ACL vs Access Port ACL - These CANNOT be used together on the same endpoint because:

Both actions modify switch filtering rules

Both actions can conflict when applied simultaneously

The Switch Plugin cannot determine priority between conflicting ACL configurations

Applying both would create ambiguous filtering logic on the switch

Actions That CAN Be Used Together:

Access Port ACL + Assign to VLAN -✓Can be used concurrently

Endpoint Address ACL + Assign to VLAN -✓Can be used concurrently

Switch Block + Assign to VLAN - This is semantically redundant (blocking takes precedence) but is allowed

Access Port ACL + Switch Block -✓Can be used concurrently (though Block takes precedence)

Why Other Options Are Incorrect:

A. Access Port ACL & Switch Block - These CAN be used concurrently; Switch Block would take precedence

B. Switch Block & Assign to VLAN - These CAN be used concurrently (though redundant)

C. Endpoint Address ACL & Assign to VLAN - These CAN be used concurrently

E. Access Port ACL & Assign to VLAN - These CAN be used concurrently; they work on different aspects of port management

ACL Action Definition:

According to the documentation:​

Access Port ACL - "Use the Access Port ACL action to define an ACL that addresses one or more than one access control scenario, which is then applied to an endpoint's switch port"

Endpoint Address ACL - "Use the Endpoint Address ACL action to apply an operator-defined ACL, addressing one or more than one access control scenario, which is applied to an endpoint's address"

Referenced Documentation:

Forescout CounterACT Switch Plugin Configuration Guide Version 8.12​

Switch Plugin Configuration Guide v8.14.2​

Switch Restrict Actions documentation​

Based on the policy condition image showing "Does not meet the following criteria", the correct statement is that it negates the criteria as part of the property.​

Understanding "Does not meet the following criteria":

According to the Forescout Administration Guide:​

The "Does not meet the following criteria" radio button option in policy conditions creates a logical negation of the condition:

"Meets the following criteria" - Endpoint matches if the condition is true

"Does not meet the following criteria" - Endpoint matches if the condition is FALSE (negated)

How the Negation Works:

According to the documentation:​

"Use the AND value between both properties: Windows>Manageable Domain>Does not meet the following criteria"

This syntax shows that "Does not meet the following criteria" negates the entire criteria evaluation:

Normal condition: "Windows Antivirus Running = True"

Result: Matches endpoints WITH antivirus running

Negated condition: "Windows Antivirus Running Does not meet the following criteria (= True)"

Result: Matches endpoints WITHOUT antivirus running (negates the criteria)

Negation Happens at Property Level:

The negation is applied as part of the property evaluation, not as a separate NOT operator. When you select "Does not meet the following criteria":

The condition is evaluated normally

The result is then negated/inverted

The endpoint matches only if the negated result is true

Why Other Options Are Incorrect:

B. Modifies the irresolvable condition to TRUE - "Does not meet the following criteria" doesn't specifically affect irresolvable property handling

C. Generates a NOT condition in the sub-rule condition - The negation is part of this property's evaluation, not a separate sub-rule NOT condition

D. Irresolvable hosts would match the condition - "Does not meet the following criteria" doesn't specifically target irresolvable hosts

E. Modifies the evaluate irresolvable condition to FALSE - This setting doesn't affect the "Evaluate irresolvable as" setting

Referenced Documentation:

Forescout Administration Guide v8.3​

Forescout Administration Guide v8.4​

ForeScout CounterACT Administration Guide - Policy Conditions section​

Manage Actions documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

When troubleshooting an issue that affects multiple endpoints, you should view Policy logs before Host logs because Policy logs show details for a range of endpoints. According to the Forescout Administration Guide, Policy Logs are specifically designed to "investigate the activity of specific endpoints, and display information about how those endpoints are handled" across multiple devices.​

Policy Logs vs. Host Logs - Purpose and Scope:

Policy Logs:​

Scope - Shows policy activity across multiple endpoints simultaneously

Purpose - Investigates how multiple endpoints are handled by policies

Information - Displays which endpoints match which policies, what actions were taken, and policy evaluation results

Use Case - Best for understanding policy-wide impact and identifying patterns across multiple endpoints

Host Logs:​

Scope - Shows detailed activity for a single specific endpoint

Purpose - Investigates specific activity of individual endpoints

Information - Displays all events and actions pertaining to that single host

Use Case - Best for deep-diving into a single endpoint's detailed history

Troubleshooting Methodology for Multiple Endpoints:

When troubleshooting an issue affecting multiple endpoints, the recommended approach is:​

Start with Policy Logs - Determine which policy or policies are affecting the multiple endpoints

Identify Pattern - Look for common policy matches or actions across the affected endpoints

Pinpoint Root Cause - Determine if the issue is policy-related or host-related

Then Use Host Logs - After identifying the affected hosts, examine individual Host Logs for detailed troubleshooting

Policy Log Information:

Policy Logs typically display:​

Endpoint IP and MAC address

Policy name and match criteria

Actions executed on the endpoint

Timestamp of policy evaluation

Status of actions taken

Efficient Troubleshooting Workflow:

According to the documentation:​

When multiple endpoints are affected, examining Policy Logs first allows you to:

Identify Common Factor - Quickly see if all affected endpoints are in the same policy

Spot Misconfiguration - Determine if a policy condition is incorrectly matching endpoints

Track Action Execution - See what policy actions were executed across the range of endpoints

Save Time - Avoid reviewing individual host logs when a policy-level issue is evident

Example Scenario:

If 50 endpoints suddenly lose network connectivity:

First, check Policy Logs - Determine if all 50 endpoints matched a policy that executed a blocking action

Identify the Policy - Look for a common policy match across all 50 hosts

Examine Root Cause - Policy logs will show if a Switch Block action or VLAN assignment action was executed

Then, check individual Host Logs - If further detail is needed, examine specific host logs for those 50 endpoints

Why Other Options Are Incorrect:

A. Because you can gather more pertinent information about a single host - This describes Host Logs, not Policy Logs; wrong log type

C. You would not. Host logs are the best choice for a range of endpoints - Incorrect; Host logs are for single endpoints, not ranges

D. Policy logs may help to pinpoint the issue for a specific host - While true, this describes singular host troubleshooting, not multiple endpoints

E. Looking at Host logs is always the first step in the process - Incorrect; Policy logs are better for multiple endpoints to identify patterns

Policy Logs Access:

According to documentation:​

"Use the Policy Log to investigate the activity of specific endpoints, and display information about how those endpoints are handled."

The Policy Log interface typically allows filtering and viewing multiple endpoints simultaneously, making it ideal for identifying patterns across a range of affected hosts.

Referenced Documentation:

Forescout Administration Guide - Policy Logs​

Generating Forescout Platform Reports and Logs​

Host Log – Investigate Endpoint Activity​

"Quickly Access Forescout Platform Endpoints with Troubleshooting Issues" section in Administration Guide

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout HPS Inspection Engine Configuration Guide Version 10.8 and the Remote Inspection and SecureConnector Feature Support documentation, the actions that can be performed with Remote Inspection include "Start Secure Connector" and "Attempt to open a browser at the endpoint".​

Remote Inspection Capabilities:

According to the documentation, Remote Inspection uses WMI and other standard domain/host management protocols to query the endpoint, and to run scripts and implement remediation actions on the endpoint. Remote Inspection is agentless and does not install any applications on the endpoint.​

Actions Supported by Remote Inspection:

According to the HPS Inspection Engine Configuration Guide:​

The Remote Inspection Feature Support table lists numerous actions that are supported by Remote Inspection, including:

Set Registry Key -✓Supported by Remote Inspection​

Start SecureConnector -✓Supported by Remote Inspection​

Attempt to Open Browser -✓Supported by Remote Inspection​

Send Balloon Notification -✓Supported (requires SecureConnector; can also be used with Remote Inspection)​

Start Windows Updates -✓Supported by Remote Inspection​

Send Email to User -✓Supported action

However, the question asks which actions appear together in one option, and Option D correctly combines two legitimate Remote Inspection actions: "Start Secure Connector" and "Attempt to open a browser at the endpoint".

Start SecureConnector Action:

According to the documentation:​

"Start SecureConnector installs SecureConnector on the endpoint, enabling future management via SecureConnector"

This is a supported Remote Inspection action that can deploy SecureConnector to endpoints.

Attempt to Open Browser Action:

According to the HPS Inspection Engine guide:​

"Opening a browser window" is a supported Remote Inspection action

However, there are limitations documented:​

"Opening a browser window does not work on Windows Vista and Windows 7 if the HPS remote inspection is configured to work as a Scheduled Task"

"When redirected with this option checked, the browser does not open automatically and relies on the packet engine seeing this traffic"

Why Other Options Are Incorrect:

A. Set Registry Key, Disable dual homing - While Set Registry Key is supported, "Disable dual homing" is not a standard Remote Inspection action

B. Send Balloon Notification, Send email to user - Both are notification actions, but the question seeks Remote Inspection-specific endpoint actions; these are general notification actions not specific to Remote Inspection

C. Disable External Device, Start Windows Updates - While Start Windows Updates is supported by Remote Inspection, "Disable External Device" is not a Remote Inspection action; it's a network device action

E. Endpoint Address ACL, Assign to VLAN - These are Switch plugin actions, not Remote Inspection actions; they work on network device level, not endpoint level

Remote Inspection vs. SecureConnector vs. Switch Actions:

According to the documentation:​

Remote Inspection Actions (on endpoints):

Set Registry Key on Windows

Start Windows Updates

Start Antivirus

Update Antivirus

Attempt to open browser at endpoint

Start SecureConnector (to deploy SecureConnector)

Switch Actions (on network devices):

Endpoint Address ACL

Access Port ACL

Assign to VLAN

Switch Block

Referenced Documentation:

Forescout CounterACT Endpoint Module HPS Inspection Engine Configuration Guide Version 10.8​

Remote Inspection and SecureConnector – Feature Support documentation​

Set Registry Key on Windows action documentation​

Start Windows Updates action documentation​

Send Balloon Notification documentation

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout User Directory Plugin Configuration Guide - Microsoft Active Directory Server Settings, the field that should be configured for Active Directory subdomains is "Domain Aliases".​

Domain Aliases for Subdomains:

According to the Microsoft Active Directory Server Settings documentation:​

"Configure the following additional server settings in the Directory and Additional Domain Aliases sections: Domain Aliases - Configure additional domain names that users can use to log in, such as subdomains."

Purpose of Domain Aliases:

According to the documentation:​

Domain Aliases are used to specify:

Subdomains - Alternative domain names like subdomain.company.com

Alternative Domain Names - Other domain name variations

User Login Options - Additional domains users can use to authenticate

Alias Resolution - Maps aliases to the primary domain

Example Configuration:

For an organization with the primary domain company.com and subdomain accounts.company.com:

Domain Field - Set to: company.com

Domain Aliases Field - Add: accounts.company.com

This allows users from either domain to authenticate successfully.

Why Other Options Are Incorrect:

A. Replicas - Replicas configure redundant User Directory servers, not subdomains

B. Address - Address field specifies the server IP/FQDN, not domain aliases

C. Parent Groups - Parent Groups relate to group hierarchy, not domain subdomains

E. DNS Detection - DNS Detection is not a User Directory configuration field

Additional Domain Configuration:

According to the documentation:​

text

Primary Configuration:

├─ Domain: company.com

├─ Domain Aliases: accounts.company.com

│ services.company.com

│ mail.company.com

└─ Port: 636 (default)

Referenced Documentation:

Microsoft Active Directory Server Settings​

Define User Directory Servers - Domain Aliases section​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Quick Installation Guide and official port configuration documentation, SecureConnector for Windows uses TCP port 10003, and the management packets should be captured from the host IP address reaching the management port (not the monitor port). Therefore, the correct command would use tcpdump filtering for tcp port 10003 traffic reaching the management port.​

SecureConnector Port Assignments:

According to the official documentation:​

SecureConnector Type

Port

Protocol

Function

Windows

10003/TCP

TLS (encrypted)

Allows SecureConnector to create a secure encrypted TLS connection to the Appliance from Windows machines

OS X

10005/TCP

TLS (encrypted)

Allows SecureConnector to create a secure encrypted TLS connection to the Appliance from OS X machines

Linux

10006/TCP

TLS 1.2 (encrypted)

Allows SecureConnector to create a secure connection over TLS 1.2 to the Appliance from Linux machines

Port 2200 is for Legacy Linux SecureConnector (older versions using SSH encryption), not for Windows.​

Forescout Appliance Interface Types:

Management Port - Used for administrative access and SecureConnector connections

Monitor Port - Used for monitoring and analyzing network traffic

Response Port - Used for policy actions and responses

SecureConnector connections reach the management port, not the monitor port.​

Troubleshooting SecureConnector Connectivity:

To verify that SecureConnector management packets from a Windows host are successfully reaching CounterACT, use the following tcpdump command:​

bash

tcpdump -i [management_interface] -nn "tcp port 10003 and src [windows_host_ip]"

This command:

Monitors the management interface

Filters for TCP port 10003 traffic

Captures packets from the Windows host IP address reaching the management port

Verifies bidirectional TLS communication

Why Other Options Are Incorrect:

A. tcp port 10005 from host IP reaching monitor port - Port 10005 is for OS X, not Windows; should reach management port, not monitor port

B. tcp port 2200 reaching management port - Port 2200 is for legacy Linux SecureConnector with SSH, not Windows

C. tcp port 10003 reaching monitor port - Port 10003 is correct for Windows, but should reach management port, not monitor port

D. tcp port 2200 reaching management port - Port 2200 is for legacy Linux SecureConnector, not Windows

SecureConnector Connection Process:

According to the documentation:​

SecureConnector on the Windows endpoint initiates a connection to port 10003

Connection is established to the Appliance's management port

When SecureConnector connects to an Appliance or Enterprise Manager, it is redirected to the Appliance to which its host is assigned

Ensure port 10003 is open to all Appliances and Enterprise Manager for transparent mobility

Referenced Documentation:

Forescout Quick Installation Guide v8.2​

Forescout Quick Installation Guide v8.1​

Port configuration section: SecureConnector for Windows

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide, additional recipients for the "Send Mail" action are added through the setting on Tools > Options > General > Mail and adding the recipients separated by commas.​

Managing Email Notification Addresses:

According to the official documentation:​

"From the Tools menu, select Options > General > Mail and DNS. Update any of the following fields: Send Email Alerts/Notifications - List email addresses to receive CounterACT email alerts."

Email Address Separator Options:

According to the documentation:​

"Separate multiple addresses using any of the following characters: semicolon (;), blank space or comma (,)."

So while commas are the primary method shown in the documentation, the system also accepts semicolons and spaces as separators. However, the answer that most specifically matches the Forescout documentation interface is Option A.

How to Configure Email Recipients:

According to the administration guide:​

Open Tools Menu - Select "Tools" from the menu bar

Select Options - Click on "Options"

Navigate to Mail Settings - Select "General > Mail and DNS"

Add Recipients - Enter email addresses in the "Send Email Alerts/Notifications" field

Separate Multiple Addresses - Use commas, semicolons, or spaces between addresses

Example Recipient Configuration:

According to the documentation:​

text

Example 1: user1@example.com,user2@example.com,user3@example.com

Example 2: user1@example.com; user2@example.com; user3@example.com

Policy-Level vs. Global Email Configuration:

According to the documentation:​

Global Email Configuration (Tools > Options > General > Mail) - Sets default recipients for all email alerts

Send Email Action (in policy) - Can be configured to send to administrator email or specify alternative recipients

The global configuration in Tools > Options is where the primary recipient list is maintained.

Why Other Options Are Incorrect:

B. Thru the policy "Send Mail" action, under the Parameters tab - This is not where email recipients are configured; the policy action uses the global settings

C. Thru Tools > Options > Advanced - Mail - The correct path is Tools > Options > General > Mail, not Advanced

D. Thru the Tools > Options > NAC Email - There is no "NAC Email" option in Tools > Options

E. Thru the policy sub rule and adding a condition - Sub-rules contain conditions, not email recipient configuration

Send Email Action in Policies:

According to the documentation:​

"The Send Email action automatically delivers email to administrators when a policy is matched."

This action uses the email addresses configured in the global mail settings.

Referenced Documentation:

Managing Email Notifications documentation​

Initial Setup – Mail section​

Managing Email Notification Addresses documentation​

Core Extensions Module Reports Plugin Configuration Guide​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Platform Administration Guide, the logs available from the GUI Console include: Host Details, Policy, Blocking, Event Viewer, and Audit Trail.​

Available Logs from the Forescout Console GUI:

Host Details Log - Provides detailed information about individual endpoints discovered on the network. This log displays comprehensive host properties and status information directly accessible from the console.​

Policy Log - Shows policy activity and records how specific endpoints are handled by policies. The Policy Log investigates endpoint activity, displaying information about policy matches, actions executed, and policy evaluation results.​

Blocking Log - Displays all blocking events that occur on the network, including port blocks, host blocks, and external port blocks. This log provides an at-a-glance display of blocked endpoints with timestamps and reasons.​

Event Viewer - A system log that displays severity, date, status, element, and event information. Administrators can search, export, and filter events using the Event Viewer.​

Audit Trail - Records administrative actions and changes made to the Forescout platform configuration and policies.

How to Access Logs from the GUI:

From the Forescout Console GUI, administrators access logs through the Log menu by selecting:

Blocking Logs to view block events​

Event Viewer to display system events​

Policy Reports to investigate policy activity​

Why Other Options Are Incorrect:

B. Switch, Policy, Blocking, Event Viewer, Audit Trail - "Switch" is not a standalone log type available from the GUI; switch data is captured through plugin logs and reports

C. Switch, Discovery, Threat Protection, Event Viewer, Audit Trail - "Discovery" and "Threat Protection" are report categories, not GUI logs in the standard log menu

D. HPS, Policy, Threat Protection, Event Viewer, Audit Trail - HPS logs are accessed through CLI, not the GUI; "Threat Protection" is a report, not a GUI log

E. Host Details, Policy, Today Log, Threat Event Viewer, Audit Trail - "Today Log" and "Threat Event Viewer" are not standard log names in the Forescout GUI

Referenced Documentation:

Forescout Platform Administration Guide - Generating Reports and Logs​

Policy Reports and Logs section​

Work with System Event Logs documentation​

View Block Events documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

The Service Banner host property is resolved by NMAP scanning. According to the Forescout Administration Guide - Advanced Classification Properties, the Service Banner property "Indicates the service and version information, as determined by Nmap".​

Service Banner Property:

The Service Banner is an Advanced Classification Property that captures critical service identification information:​

Purpose - Identifies running services and their versions on endpoints

Resolution Method - Uses NMAP banner scanning functionality

Information Provided - Service name and version numbers (e.g., "Apache 2.4.41", "OpenSSH 7.6")

NMAP Banner Scanning Configuration:

According to the HPS Inspection Engine Configuration Guide, the Service Banner is specifically resolved when "Use Nmap Banner Scan" option is selected:​

When Use Nmap Banner Scan is enabled, the HPS Inspection Engine uses NMAP banner scans to improve the resolution of device services, application versions, and other details that help classify endpoints.​

NMAP Banner Scan Process:

According to the CounterACT HPS Inspection Engine Guide, when NMAP banner scanning is enabled:​

text

NMAP command line parameters for banner scan:

-T Insane -sV -p T: 21,22,23,53,80,135,88,1723,3389,5900

The -sV parameter specifically performs version detection, which resolves the Service Banner property by scanning open ports and identifying service banners returned by those services.​

Classification Process:

The Service Banner property is resolved through the following workflow:​

Port Detection - Forescout identifies open ports on the endpoint

Banner Scanning - NMAP sends requests to identified ports

Service Identification - Services respond with banner information containing version data

Property Resolution - The Service Banner property is populated with the version information discovered

Why Other Options Are Incorrect:

A. Packet engine - The Packet Engine provides network visibility through port mirroring, but does not resolve service banners through deep packet inspection

C. Device classification engine - While involved in overall classification, the Device Classification Engine doesn't specifically resolve service banners; NMAP does

D. Device profile library - The Device Profile Library contains pre-defined classification profiles but doesn't actively scan for service banners

E. NetFlow - NetFlow provides network flow data and statistics, but cannot determine service version information

Service Banner Examples:

Service Banner property values resolved by NMAP scanning include:​

Apache/2.4.41 (Ubuntu)

OpenSSH 7.6p1

Microsoft-IIS/10.0

nginx/1.17.0

MySQL/5.7.26-0ubuntu0.18.04.1

NMAP Scanning Requirements:

According to the documentation:​

NMAP Banner Scan must be explicitly enabled in HPS Inspection Engine configuration

Banner scanning targets specific ports typically associated with common services​

Service version information improves endpoint classification accuracy

Referenced Documentation:

Forescout Administration Guide - Advanced Classification Properties​

HPS Inspection Engine - Configure Classification Utility​

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide Version 10.8​

NMAP Scan Logs documentation​