Scanning Best Practices

Tenable recommends that you read the Tenable Security Center Scan Tuning Guide before configuring your scans.

For quick scans, Tenable recommends using pre-defined scanning templates available in Tenable Security Center. This reduces the need for you configure detailed scan settings. Select the scanning template that best suits your scanning requirements. For most use cases, the Basic Network Scan and Advanced Scan templates are sufficient. For more information about scan templates, see Scan Policy Templates in the Tenable Security Center documentation.

If you are using repositories that are not Universal Repositories, and you are scanning static assets (assets that do not change their IP address), disable the Track hosts which have been issued new IP address option. If the asset changes its IP address regularly (for example, via DHCP), enable this option. This option helps Tenable Security Center track hosts and merge vulnerabilities to the host asset for the same host. For more information about this option, see Active Scan Settings.

Tenable recommends keeping the Enable safe checks option (which is enabled by default for all scan policies) enabled, as this helps to prevent unnecessary scan target or service outages stemming from the scanner attempting to exploit a vulnerability that may have an adverse impact on the target. For more information about this option, see Scan Policy Options.

If you are using assets instead of IP address or DNS name to define scan targets, ensure that you first build your inventory list using a Host Discovery scan, according to the Troubleshooting Scan Error "Entered IPs and Assets are empty" knowledge base article, so that you do not run into an error where Tenable Security Center shows empty IP addresses and assets.