Manage Scan Routing
With scan routing, you can automatically dispatch scanning across multiple scanner groups according to the network areas to which each group has access. Scan routing reduces scan configuration and management overhead by eliminating the need to configure specific scanners for each individual scan. This feature can represent a significant benefit in large deployments. To improve operational efficiency, team members with higher privileges can manage the scanner pools, which can then be used by lower-privileged team members during scan configuration.
Scan routing is available for linked scanners only.
If you configure scan routing for a scan, when the scan runs, Tenable Vulnerability Management automatically does the following:
- Assigns the scan targets to the scanner group configured with the narrowest matching target range.
- Within that scanner group, assigns targets to scanners as they check in, according to their capacity and the targets still available.
For more information, see Configuration Guidelines.
Note
Tenable recommends pre-planning your scan routing strategy to efficiently target discrete areas of your network. If configured improperly, scan routing can prevent scanners from reaching their targets.
Configure Scan Routing
To configure scan routing:
- Review the configuration guidelines for scan routing.
- Create a scanner group.
- Configure the scanner group for scan routing:
- In the
routes
query parameter, specify a comma-delimited list of scan routing targets in the supported formats. - Note that you can specify up to 10,000 individual scan routing targets for an individual scanner group. For example,
192.0.2.1, example.com, *.example.net, 192.0.2.0/24
specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats, instead of individual IP addresses.
- In the
- Configure a new scan or an existing scan for scan routing:
- The
scanner_id
query parameter must specifyAUTO-ROUTED
. - The
target_network_id
query parameter must specify the UUID of the network object you want to associate with the scan, as follows:- If your scans involve separate environments with overlapping IP ranges, specify the network where you have assigned the scanner groups that you configured for scan routing.
- Otherwise, specify the Default network (
00000000-0000-0000-0000-000000000000
).
- The target parameter you choose must specify scan targets that match the scan routing targets in your scanner groups.
- If you specify scan targets outside the range of scanner group targets, Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning about the hosts that were not scanned.
- When matching scan routing targets to scan targets, Vulnerability Management does not resolve FQDNs to IP addresses. For example, if you specify
*.example.com
as a scan routing target, Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan targetwww.example.com
. However, Vulnerability Management does not assign a scan to that scanner group if a scan is configured with the target192.0.2.1
, even ifwww.example.com
could potentially resolve to192.0.2.1
. - Note that before configuring your scan, you can test your targets against your configured scan routes using the POST /scans/check-auto-targets endpoint.
- The
Configuration Guidelines
-
When configuring scan routes, Tenable recommends using IP ranges and CIDR ranges instead of individual IP addresses where possible. This approach differs from the recommended approach for scan targets, where narrower rather than broader target values are recommended.
-
Vulnerability Management does not support a numeric range format for IPv6 addresses. Instead, use a CIDR format for IPv6 address ranges.
-
Typically, Tenable recommends adding an individual scanner to only one scanner group. In some cases, however, you may want to configure overlapping scanner groups to ensure scanning coverage or redundancy. Two or more scan groups are redundant if they target the same area of your organization's network. If Vulnerability Management executes a scan with redundant scanner groups, it attempts the scan using the narrowest, most-specific scanner group exclusively.
For example, two scanner groups might specify the following scan routing targets:- Scanner Group #1 - 192.0.2.1-192.0.2.200
- Scanner Group #2 - 192.0.2.10-192.0.2.20
If your scan specifies a scan target of 192.0.2.15-192.0.2.19, Vulnerability Management assigns the scan to Scanner Group #2, because that group's scan routing target range is narrower than the range specified in Scanner Group #1.
For a definition of scanner availability in a scanner group, see "Scanner Groups" in the Tenable Vulnerability Management User Guide.
Supported Scan Routing Target Formats
Vulnerability Management supports the following formats for scan routing targets:
Target Format | Example |
---|---|
A single IPv4 address | 192.0.2.1 |
A single IPv6 address | 2001:db8::2120:17ff:fe56:333b |
An IPv4 range with a start and end address | 192.0.2.1-192.0.2.255 |
An IPv4 subnet with CIDR notation | 192.0.2.0/24 |
An IPv6 subnet with CIDR notation | 2001:db8::/32 |
A host resolvable to either an IPv4 or an IPv6 address | www.yourdomain.com |
A host resolvable to either an IPv4 address or an IPv 6 address with a wildcard as the subdomain | *.yourdomain.com |
View Scan Routes
Scan routes are not included in the GET /scanner-groups/{group_id} response. Instead, to view the scan routes configured for a scanner group, use the GET /scanner-groups/{group_id}/routes endpoint.
Updated 6 days ago