Scan Engine Settings
Every Tenable Nessus deployment — whether it is a standalone Tenable Nessus Professional or Tenable Nessus Expert, or a Tenable Nessus scanner managed by Tenable Vulnerability Management or Tenable Security Center — is equipped with advanced settings. Some of these settings, known as scan engine settings, control the Tenable Nessus scan engine's scanning performance. You can adjust scan engine settings in the Performance Options section of the scan policy Settings.
Tenable Nessus Scanner Settings
The following table is not an exhaustive list of all advanced settings. It is a list of the settings that affect scan engine performance. For a full list of the advanced settings, see Advanced Scan Settings.
Setting | Identifier | Definition |
---|---|---|
Global Max Hosts Concurrently Scanned | global.max_hosts | The total number of targets that the scanner processes simultaneously across all running scans. This value limits the total number of targets running in the scan engine. The scan engine does not process more targets than the value assigned to global.max_hosts. |
Max Concurrent Scans | global.max_scans | The total number of scans the scan engine runs concurrently. |
Global Max TCP Sessions | global.max_simult_tcp_sessions | The maximum number of concurrent TCP sessions allowed for all scans. |
Global Max Port Scanners | global.max_portscanners | The maximum number of threads allocated to the port scanner task thread pool. This value represents the maximum number of port scanners the engine runs simultaneously across all scans. |
Max Concurrent Hosts Per Scan | max_hosts | The maximum number of targets that the scan engine processes simultaneously for a given scan. |
Max Concurrent Checks Per Host | max_checks | The maximum number of plugins that can run concurrently for a given target. This setting's value determines the number of plugins that each engine thread runs for a target. |
Max TCP Sessions Per Scan | max_simult_tcp_sessions | The maximum number of concurrent TCP sessions allowed for a given scan. |
Max TCP Sessions Per Host | host.max_simult_tcp_sessions | The maximum number of concurrent TCP sessions allowed for a single target. |
Max Hosts Per Engine Thread | engine.max_hosts | The maximum number of targets that an engine thread processes. |
Optimal Hosts Per Engine Thread | engine.optimal_hosts | The number of targets the scan engine assigns to an engine thread before starting a new engine thread. |
Max Engine Checks | engine.max_checks | The total number of plugins allowed to run for an engine thread across all the targets running in that thread. |
Max Engine Threads | engine.max | The maximum number of engine threads that the scan engine starts. |
Minimum Engine Threads | engine.min | The minimum number of engine threads that the scan engine starts to handle a scan. |
The following sections provide brief explanations of precedence and caveats regarding how some of the settings affect the scan engine's processing of targets.
Max Host Settings
The following settings affect the scan engine’s processing of targets:
- global.max_hosts
- max_hosts
- engine.max_hosts
- engine.max
In the majority of scenarios, global.max_hosts takes precedence over the other settings in determining the maximum number of concurrent targets, but it is possible to engineer a situation where it does not. For example, you can lower the number of targets a scanner scans concurrently by adjusting engine.max_hosts and engine.max so that the following holds:
(engine.max_hosts x engine.max) < global.max_hosts
In that case, the scanner applies the more stringent limit, which is the value of engine.max_hosts multiplied by engine.max.
Max Simultaneous TCP Sessions Settings
Three advanced settings affect the number of concurrent TCP sessions in the scan engine:
- global.max_simult_tcp_sessions
- max_simult_tcp_sessions
- host.max_simult_tcp_sessions
The global.max_simult_tcp_sessions setting is an absolute cap that applies across all running scans on a scanner. The max_simult_tcp_sessions value caps the concurrent TCP sessions for a specific scan, and the host.max_simult_tcp_sessions setting limits the concurrent TCP sessions per host.
Max Checks Settings
Two settings control the number of plugins allowed to run concurrently by the scan engine:
- max_checks
- engine.max_checks
The engine.max_checks setting takes precedence over the max_checks setting so that the total number of concurrent plugins the engine runs at any given time does not exceed (engine.max_checks x engine.max).
Tenable Vulnerability Management and Tenable Security Center Policy Settings
When you launch a scan in Tenable Vulnerability Management or Tenable Security Center, they do not assign a single scan to a single scanner. Instead, to utilize multiple scanners effectively, they break up a single scan into smaller chunks (referred to as tasks) and distribute the tasks to multiple scanners. This allows multiple scanners to execute a single overall scan in parallel, but it also affects how the scan engine settings are applied. The Tenable Nessus scan engine interprets each individual task as an entire scan.
For example, assume there is a single scan targeting 1,000 IPs. Tenable Vulnerability Management and Tenable Security Center process the scan in the following ways:
- Tenable Vulnerability Management — Tenable Vulnerability Management turns the scan targets into 8 tasks of 120 IPs each and a 9th task with 40 IPs, and assume that the scan policy has max_hosts (Max simultaneous hosts per scan in the user interface) set to 5. In this scenario, a given scanner would get 5 of those 9 tasks and execute a max of 25 hosts in parallel — 5 per scan, according to the scan engine — not a max of 5 hosts in parallel. Once the scanner completes the 5 tasks, it may receive a new batch of tasks from Tenable Vulnerability Management and continues scanning until the entire scan job is complete.
- Tenable Security Center — Tenable Security Center turns the scan targets into 125 tasks of 8 IPs each, and assume that the scan policy has max_hosts (Max simultaneous hosts per scan in the user interface) set to the default value of 30. In this scenario, a given scanner would get 4 of those 125 tasks and execute a max of 30 hosts in parallel — 8 in the first 3 tasks and 6 in the final task, according to the scan engine. Once the scanner completes a task, it receives a new task from Tenable Security Center and continues scanning until the entire scan job is complete.
Each "per scan" setting applies to the individual Tenable Vulnerability Management or Tenable Security Center tasks rather than the overall scan. This can sometimes lead to confusion and unanticipated scanner behavior when setting those performance tuning parameters in the scan policy.
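The precedence rules from the Max Host Settings and Max Checks Settings sections, and the per-task application of max_hosts described in the Tenable Vulnerability Management and Tenable Security Center examples, can be modelled in a small calculator. This is an added example, not Tenable's code: the setting values are constructed, and the scanner-wide ceiling passed as scanner_cap (30 in both runs) is an assumption chosen to reproduce the figures in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EngineSettings:
    """Subset of the advanced settings from the table above (constructed values)."""
    global_max_hosts: int    # global.max_hosts
    engine_max_hosts: int    # engine.max_hosts
    engine_max: int          # engine.max
    engine_max_checks: int   # engine.max_checks


def effective_max_hosts(s: EngineSettings) -> int:
    """global.max_hosts normally wins, but engine.max_hosts x engine.max
    is applied when that product is the stricter limit."""
    return min(s.global_max_hosts, s.engine_max_hosts * s.engine_max)


def effective_max_checks(s: EngineSettings) -> int:
    """engine.max_checks takes precedence over max_checks: the concurrent plugin
    count never exceeds engine.max_checks x engine.max."""
    return s.engine_max_checks * s.engine_max


def split_into_tasks(target_count: int, task_size: int) -> list[int]:
    """Chunk one scan into manager tasks (120 IPs for TVM, 8 for TSC in the text)."""
    full, rem = divmod(target_count, task_size)
    return [task_size] * full + ([rem] if rem else [])


def per_task_allocation(tasks: list[int], tasks_per_scanner: int,
                        max_hosts: int, scanner_cap: int) -> list[int]:
    """Hosts one scanner runs in parallel: max_hosts is a per-scan setting, so
    the engine applies it to each task the scanner holds, bounded only by the
    scanner-wide ceiling (scanner_cap, an assumed value here)."""
    alloc, remaining = [], scanner_cap
    for t in tasks[:tasks_per_scanner]:
        n = min(t, max_hosts, remaining)
        alloc.append(n)
        remaining -= n
    return alloc


if __name__ == "__main__":
    s = EngineSettings(global_max_hosts=100, engine_max_hosts=8, engine_max=10, engine_max_checks=4)
    print("effective max hosts:", effective_max_hosts(s))    # 80, stricter than global.max_hosts
    print("effective max checks:", effective_max_checks(s))  # 40
    tvm = split_into_tasks(1000, 120)                   # 8 x 120 + 1 x 40
    print("TVM:", per_task_allocation(tvm, 5, 5, 30))   # [5, 5, 5, 5, 5] -> 25 hosts, not 5
    tsc = split_into_tasks(1000, 8)                     # 125 x 8
    print("TSC:", per_task_allocation(tsc, 4, 30, 30))  # [8, 8, 8, 6] -> 30 hosts
```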