With scan routing, you can automatically dispatch scanning across multiple scanner groups according to the network areas to which each group has access. Scan routing reduces scan configuration and management overhead by eliminating the need to configure specific scanners for each individual scan. This feature can represent a significant benefit in large deployments. To improve operational efficiency, team members with higher privileges can manage the scanner pools, which can then be used by lower-privileged team members during scan configuration.
Scan routing is available for linked scanners only.
If you configure scan routing for a scan, when the scan runs, Tenable.io automatically does the following:
- Assigns the scan targets to the scanner group configured with the narrowest matching target range.
- Within that scanner group, assigns targets to scanners as they check in, according to their capacity and the targets still available.
For more information, see Configuration Guidelines.
Tenable recommends pre-planning your scan routing strategy to efficiently target discrete areas of your network. If configured improperly, scan routing can prevent scanners from reaching their targets.
To configure scan routing:
- Review the configuration guidelines for scan routing.
- Create a scanner group.
- Configure the scanner group for scan routing:
- In the `routes` query parameter, specify a comma-delimited list of scan routing targets in the supported formats.
- Note that you can specify up to 10,000 individual scan routing targets for an individual scanner group. For example, `192.0.2.1, example.com, *.example.net, 192.0.2.0/24` specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats instead of individual IP addresses.
- In the
- Configure a new scan or an existing scan for scan routing:
- The `scanner_id` query parameter must specify
- The `target_network_id` query parameter must specify the UUID of the network object you want to associate with the scan, as follows:
- If your scans involve separate environments with overlapping IP ranges, specify the network where you have assigned the scanner groups that you configured for scan routing.
- Otherwise, specify the Default network (
- The target parameter you choose must specify scan targets that match the scan routing targets in your scanner groups.
- If you specify scan targets outside the range of scanner group targets, Tenable.io scans only those hosts inside the scanner group range and returns the partial results with a warning about the hosts that were not scanned.
- When matching scan routing targets to scan targets, Tenable.io does not resolve FQDNs to IP addresses. For example, if you specify `*.example.com` as a scan routing target, Tenable.io can assign a scan to that scanner group if the scan is configured with the scan target `www.example.com`. However, Tenable.io does not assign a scan to that scanner group if a scan is configured with the target `192.0.2.1`, even if `www.example.com` could potentially resolve to `192.0.2.1`.
- Note that before configuring your scan, you can test your targets against your configured scan routes using the POST /scans/check-auto-targets endpoint.
When configuring scan routes, Tenable recommends using IP ranges and CIDR ranges instead of individual IP addresses where possible. This approach differs from the recommended approach for scan targets, where narrower rather than broader target values are recommended.
Tenable.io does not support a numeric range format for IPv6 addresses. Instead, use a CIDR format for IPv6 address ranges.
Typically, Tenable recommends adding an individual scanner to only one scanner group. In some cases, however, you may want to configure overlapping scanner groups to ensure scanning coverage or redundancy. Two or more scanner groups are redundant if they target the same area of your organization's network. If Tenable.io executes a scan with redundant scanner groups, it attempts the scan using the narrowest, most-specific scanner group exclusively.
For example, two scanner groups might specify the following scan routing targets:
- Scanner Group #1 - 192.0.2.1-192.0.2.200
- Scanner Group #2 - 192.0.2.10-192.0.2.20
If your scan specifies a scan target of 192.0.2.15-192.0.2.19, Tenable.io assigns the scan to Scanner Group #2, because that group's scan routing target range is narrower than the range specified in Scanner Group #1.
For a definition of scanner availability in a scanner group, see "Scanner Groups" in the Tenable.io Vulnerability Management User Guide.
Tenable.io supports the following formats for scan routing targets:
- A single IPv4 address
- A single IPv6 address
- An IPv4 range with a start and end address
- An IPv4 subnet with CIDR notation
- An IPv6 subnet with CIDR notation
- A host resolvable to either an IPv4 or an IPv6 address
- A host resolvable to either an IPv4 or an IPv6 address, with a wildcard as the subdomain
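The following Python is an added example, not Tenable's code, that models the routing rules described above offline: it parses routing targets in every format in the list, rejects a numeric IPv6 range (only CIDR is supported for IPv6), enforces the 10,000-route limit per group, assigns each scan target to the scanner group whose covering route is narrowest (the redundancy rule illustrated with Scanner Group #1 and #2), and reports the targets no route covers, which are the hosts Tenable.io would skip with a partial-results warning. The group names and route strings are constructed for illustration; the tie-breaking between exact and wildcard hostnames and the decision that `*.example.net` does not cover the apex `example.net` are assumptions, not behaviour the page documents.

```python
"""Offline model of Tenable.io scan routing: parse routing targets in the
supported formats and assign scan targets to the narrowest matching group."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed scanner-group configuration, written as the comma-delimited
# `routes` strings the API takes. Group names and routes are assumptions; the
# two 192.0.2.x ranges mirror the page's redundancy example.
SCANNER_GROUPS: Dict[str, str] = {
    "Scanner Group #1": "192.0.2.1-192.0.2.200, *.example.net, 2001:db8::/64",
    "Scanner Group #2": "192.0.2.10-192.0.2.20, www.example.net",
    "Scanner Group #3": "192.0.2.0/24",
}
MAX_ROUTES_PER_GROUP = 10_000

_HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)

# Parsed form: ("ip", version, first_int, last_int) or ("host", is_wildcard, name)
Target = Tuple


def parse_target(text: str) -> Target:
    """Parse one routing or scan target in the formats the page lists."""
    s = text.strip()
    if "/" in s:  # IPv4 or IPv6 CIDR; strict=True rejects host bits such as 192.0.2.1/24
        net = ipaddress.ip_network(s, strict=True)
        return ("ip", net.version, int(net.network_address), int(net.broadcast_address))
    try:  # single IPv4 or IPv6 address
        addr = ipaddress.ip_address(s)
        return ("ip", addr.version, int(addr), int(addr))
    except ValueError:
        pass
    if "-" in s:  # start-end range; only IPv4 is supported, IPv6 must use CIDR
        lo_s, _, hi_s = s.partition("-")
        try:
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        except ValueError:
            lo = hi = None  # not a range: a hostname such as my-host.example.net
        if lo is not None:
            if lo.version != 4 or hi.version != 4:
                raise ValueError(f"numeric IPv6 ranges are not supported, use CIDR: {s}")
            if int(hi) < int(lo):
                raise ValueError(f"range end precedes start: {s}")
            return ("ip", 4, int(lo), int(hi))
    if _HOST_RE.match(s):  # hostname, optionally with a wildcard subdomain
        wildcard = s.startswith("*.")
        return ("host", wildcard, (s[2:] if wildcard else s).lower())
    raise ValueError(f"unsupported target format: {s}")


def parse_routes(routes: str) -> List[Target]:
    """Split a group's comma-delimited `routes` value and parse every entry."""
    items = [r.strip() for r in routes.split(",") if r.strip()]
    if len(items) > MAX_ROUTES_PER_GROUP:
        raise ValueError(f"{len(items)} routes exceeds the {MAX_ROUTES_PER_GROUP} limit")
    return [parse_target(r) for r in items]


def covers(route: Target, target: Target) -> bool:
    """True if the whole scan target lies inside the routing target. Hostnames are
    never resolved, so an FQDN route cannot cover an IP target or vice versa."""
    if route[0] != target[0]:
        return False
    if route[0] == "ip":
        return route[1] == target[1] and route[2] <= target[2] and target[3] <= route[3]
    _, r_wild, r_name = route
    _, t_wild, t_name = target
    if not r_wild:
        return not t_wild and t_name == r_name
    # "*.example.net" covers hosts and narrower wildcards under example.net;
    # the apex name itself is not covered (assumption about wildcard semantics).
    return t_name.endswith("." + r_name) or (t_wild and t_name == r_name)


def specificity(route: Target) -> Tuple[int, int]:
    """Sort key where a smaller value is a narrower route: address count for IP
    routes; exact hostnames beat wildcards, and longer wildcard suffixes beat
    shorter ones (the hostname ordering is an assumption, not from the page)."""
    if route[0] == "ip":
        return (route[3] - route[2] + 1, 0)
    return (1, 0) if not route[1] else (2, -route[2].count("."))


def route_scan(scan_targets: List[str],
               groups: Dict[str, str] = SCANNER_GROUPS) -> Tuple[Dict[str, str], List[str]]:
    """Assign each scan target to the group holding the narrowest covering route.
    Returns (assignments, unroutable); unroutable hosts are the ones Tenable.io
    would skip and report in the partial-results warning."""
    parsed = {name: parse_routes(r) for name, r in groups.items()}
    assignments: Dict[str, str] = {}
    unroutable: List[str] = []
    for raw in scan_targets:
        target = parse_target(raw)
        best = None
        for name, routes in parsed.items():
            for route in routes:
                if covers(route, target) and (best is None or specificity(route) < best[0]):
                    best = (specificity(route), name)
        if best is None:
            unroutable.append(raw)
        else:
            assignments[raw] = best[1]
    return assignments, unroutable


if __name__ == "__main__":
    assigned, skipped = route_scan([
        "192.0.2.15-192.0.2.19", "192.0.2.1", "192.0.2.250",
        "www.example.net", "mail.example.net", "2001:db8::1", "198.51.100.7",
    ])
    for t, g in assigned.items():
        print(f"{t:24} -> {g}")
    print("not covered by any route:", skipped)
```

Running the script with the constructed groups sends `192.0.2.15-192.0.2.19` to Scanner Group #2 (11 addresses beat 200 and 256), `192.0.2.250` to Scanner Group #3 because it falls outside the narrower ranges, and leaves `198.51.100.7` unroutable. This is a local model of the documented rules, not the service's matcher: use it to catch obvious gaps in a route plan, then confirm the real assignment with `POST /scans/check-auto-targets` before launching the scan.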