Recently Viewed Topics
About Scan Distribution
Note: Tenable is deploying this feature to customers in a rolling fashion. No special steps are required to enable scan distribution. This topic only applies to organizations where this feature is enabled.
The scan distribution feature improves the efficiency of scanning both for your organization’s scanners as well as the cloud scanners provided by Tenable.io for the platform as a whole. In the case of the scanners that belong to your organization, Tenable.io distributes scans as tasks across multiple scanners in the scanner group assigned to the scan, rather than assigning complete scan jobs to individual scanners. Similarly, Tenable.io distributes scans utilizing Tenable-provided cloud scanners as jobs across groups of scanners. Tenable.io breaks those jobs down into tasks and funnels them down to scanners within the groups.
In both cases, this effectively allows multiple scans to run simultaneously, eliminating bottlenecks that might otherwise occur if scans were staggered one after another on individual scanners. As the requirements of your organization grow, scan performance is less likely to degrade. Even when scans are assigned to a specific scanner, those scans are broken down into tasks that can be run simultaneously, allowing the scanner to complete the scan job more efficiently.
As scanners complete the tasks, Tenable.io immediately reflects the results. The results that were already obtained will not be lost if the scan is canceled. If a scanner crashes during the scan, or a problem is encountered with a target, the other tasks run as normal.
How the Scan Distribution Feature Works
When scan jobs are created, the jobs are placed either directly in the job queue of a scanner (if that scanner was specified in the scan), or into the job queue of a scanner group.
Tenable.io considers three types of scanner capacities when distributing scans, in order to efficiently determine how many tasks a scanner can process.
The number of assets a scanner can actively scan simultaneously. This value is by default based on the hardware resources of the scanner, including the number of processors and the amount of memory available.
The number of tasks (parts of a scan) that a scanner can perform simultaneously. A scanner's task capacity is determined based on the target capacity.
The number of different jobs a scanner can include tasks from at once. In this way, scans can be performed asynchronously, and a scanner that has available capacity can complete multiple tasks even if those tasks are not derived from the same scan. Job capacity is always determined to be less than equal to the task capacity so that when a scanner is at its job capacity, it will be able to complete tasks from every job.
Scanner Group Capacity
Tenable.io also considers scanner group job capacities when distributing scans. Jobs at the scanner group level are broken down into tasks when there is available capacity. Tasks from those jobs can then be divided among the scanners in the group.
Tenable.io queues scan jobs before separating them into tasks.
Scanner Group Job Queues
Tenable.io queues jobs for a scanner group in the order it receives the jobs. When the scanner group has available job capacity, Tenable.io breaks the earliest job in the queue into tasks and assigns them to each of the scanners in the group, one scanner after another in succession (a “round robin” method). Tenable.io dispatches the tasks to the scanners assigned to the job.
Scanner Job Queues
Tenable.io also queues jobs for a scanner in the order it receives the jobs, regardless of the origin of a scan job.
For example, the job queue for a scanner may include scan jobs that were assigned directly to the scanner as well as jobs distributed to the scanner by the groups the scanner belongs to.
When a scanner has available capacity for tasks, it will poll for and be assigned additional tasks from the jobs that have filled the scanner’s job capacity. Tasks are assigned from each job in succession, in a round robin method, similar to the way jobs are assigned to scanners in a group.
The way the tasks are dispatched to scanners varies depending on the scenario.
Example Scenario: One Scanner with One Job
In this example, assume there is one scanner with a single job queued. This scanner is not a part of a scanner group and as such processes scan jobs one at a time in the order the jobs are queued. This scanner has a task capacity of six. When the job is broken down into tasks, six of those tasks are assigned to the scanner to be executed simultaneously. Tasks continue to fill the scanner’s task capacity until the scan job is completed.
Example Scenario: One Scanner with Multiple Jobs
In this example, assume there is one scanner with multiple jobs queued. The scanner belongs to two scanner groups, SG1 and SG2. Three scan jobs are created. The first scan was configured to use the scanner directly. The other two scans were configured to use SG1 and SG2, respectively.
Because the first scan job was configured to use that particular scanner, it is added to the scanner’s job queue. In the case of SG1 and SG2, the scanner happens to be next in the order of scanners to receive jobs in both groups. The jobs from those groups are also added to the scanner’s job queue.
This scanner has a job capacity of three, so the scanner is able to be assigned tasks from all three jobs.
This scanner has a task capacity of five. Tasks are assigned to the scanner one at a time from each job in succession. In this case, tasks would be assigned in the following order: Job 1, Job 2, Job 3, Job 1, Job 2, filling the task capacity. Using this “round robin” method, the scanner begins working on two tasks from the first job, two tasks from the second job, and one task from the third job. When one of the tasks is completed, the next task from the third job is then dispatched.
Example Scenario: Multiple Scanners with Multiple Jobs
In this example, assume there are two scanners, Scanner 1 and Scanner 2. Both scanners are assigned to a scanner group, SG1. Both Scanner 1 and Scanner 2 have a job capacity of three.
Two scan jobs are created. Job 1 is assigned directly to Scanner 1. Job 2 is assigned to SG1. Both Jobs are broken down into Tasks. Job1 will only be worked by Scanner 1. Job2 can be worked by both Scanner 1 and Scanner 2.
Both Scanner 1 and Scanner 2 have a task capacity of six. Scanner 1 is assigned tasks one at a time from each job in succession, three from Job 1 and three from Job 2. Scanner 2 is assigned six tasks from Job 2.
Tasks for Job 2 are dispatched to Scanner 1 and Scanner 2 from SG1 as task capacity becomes available for the scanners. This process continues until both jobs are completed.
Interacting with Scans
Because of the way the scan distribution feature breaks down scans into tasks that can be completed asynchronously, there is some nuance to the way you can interact with scans.
You can create scanner groups in order to take advantage of the scan distribution feature with your organization’s scanners. Scanner groups maximize the efficiency of your scans by spreading out tasks across the individual scanners you assign to the group, rather than dedicating a single scanner to complete a whole job.
You can view scan results live, as scanners complete tasks. Each time a task completes, Tenable.io updates scan results with new data. If a scan fails or is interrupted, Tenable.io retains the already completed results, though the scan reflects that the process was not completed.
If a job is assigned to multiple scanners and one of those scanners happens to fail, the tasks dispatched to the other scanners will still be completed.
When you stop a scan, Tenable.io terminates all tasks for the scan. The Tenable.io scan results associated with the scan reflect only the completed tasks. You cannot stop individual tasks, only the scan as a whole.
When you a pause a scan, Tenable.io pauses all active tasks for that scan. The paused tasks continue to fill the task capacity of the scanner that the tasks were assigned to. Tenable.io does not dispatch new tasks from a paused scan job.