Configure Scan Routing

With scan routing, you can automatically dispatch scanning across multiple scanner groups according to the network areas to which each group has access. Scan routing reduces scan configuration and management overhead by eliminating the need to configure specific scanners for each individual scan. This feature can represent a significant benefit in large deployments. To improve operational efficiency, team members with higher privileges can manage the scanner pools, which can then be used by lower-privileged team members during scan configuration

Note: Scan routing is available for linked scanners only.

If you configure scan routing for a scan, when the scan runs, Tenable Vulnerability Management automatically does the following:

Assigns the scan targets to the scanner group configured with the narrowest matching target range.
Within that scanner group, assigns targets to scanners as they check in, according to their capacity and the targets still available.

For more information, see Configuration Guidelines.

Note: Tenable recommends pre-planning your scan routing strategy to efficiently target discrete areas of your network. If configured improperly, scan routing can prevent scanners from reaching their targets.

To configure scan routing:

Review the configuration guidelines for scan routing.
Configure a scanner group for scan routing.
1. Create or edit a scanner group.
2. In the Targets for Scan Routing box, type a comma-separated list of scan routing targets.
  
  Targets in the list must be in the supported formats.
  
  Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats, instead of individual IP addresses.
3. Click Save.
  Tenable Vulnerability Management saves your changes to the scanner group.

Configure a scan for scan routing.

Create or edit a scan configuration.

In the Basic settings section, configure the following options:

Option	Action
Scanner	Select the Auto-Select option. When you select this option, the Network box appears.
Network	Do one of the following: If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing. If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.
Targets / Upload Targets / Tags	Specify targets for the scan, using one of the following options: In the Targets box, type the list of targets. In the Upload Targets box, upload a file of targets. In the Tags box, specify targets by tag. When specifying scan targets, note the following: Be sure to match scan targets to the scan routing targets you specify in your scanner groups. If you specify scan targets outside the range of scanner group targets, Tenable Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning that lists the hosts that were not scanned. When matching scan routing targets to scan targets, Tenable Vulnerability Management does not resolve FQDNs to IP addresses. For example, if you specify *.example.com as a scan routing target, Tenable Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan target www.example.com. However, Tenable Vulnerability Management does not assign a scan to that scanner group if a scan is configured with the target 192.168.0.1, even if www.example.com could potentially resolve to 192.168.0.1.

Option

Action

Scanner

Select the Auto-Select option.

When you select this option, the Network box appears.

Network

Do one of the following:

If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.
If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.

Targets / Upload Targets / Tags

Specify targets for the scan, using one of the following options:

In the Targets box, type the list of targets.
In the Upload Targets box, upload a file of targets.
In the Tags box, specify targets by tag.

When specifying scan targets, note the following:

Be sure to match scan targets to the scan routing targets you specify in your scanner groups.
If you specify scan targets outside the range of scanner group targets, Tenable Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning that lists the hosts that were not scanned.
When matching scan routing targets to scan targets, Tenable Vulnerability Management does not resolve FQDNs to IP addresses.
For example, if you specify *.example.com as a scan routing target, Tenable Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan target www.example.com. However, Tenable Vulnerability Management does not assign a scan to that scanner group if a scan is configured with the target 192.168.0.1, even if www.example.com could potentially resolve to 192.168.0.1.

Click Save.
Tenable Vulnerability Management saves your changes to the scan configuration.

Configuration Guidelines

When configuring scan routes, Tenable recommends using IP ranges and CIDR ranges instead of individual IP addresses where possible. This approach differs from the recommended approach for scan targets, where narrower target values are recommended.
Tenable Vulnerability Management does not support a numeric range format for IPv6 addresses. Instead, use a CIDR format for IPv6 address ranges.
Typically, Tenable recommends adding an individual scanner to only one scanner group. In some cases, however, you may want to configure overlapping scanner groups to ensure scanning coverage or redundancy. Two or more scan groups are redundant if they target the same area of your organization's network. If Tenable Vulnerability Management executes a scan with redundant scanner groups, it attempts the scan using the narrowest, most-specific scanner group exclusively.
For example, two scanner groups might specify the following scan routing targets:
- Scanner Group #1 - 192.168.0.1-192.168.0.200
- Scanner Group #2 - 192.168.0.10-192.168.0.20
If your scan specifies a scan target of 192.168.0.15-192.168.0.19, Tenable Vulnerability Management assigns the scan to Scanner Group #2, because that group's scan routing target range is narrower than the range specified in Scanner Group #1.
For a definition of scanner availability in a scanner group, see Scanner Groups.

Supported Scan Routing Target Formats

Tenable Vulnerability Management supports the following formats for scan routing targets:

Target Format	Example
A single IPv4 address	192.168.0.1
A single IPv6 address	2001:db8::2120:17ff:fe56:333b
An IPv4 range with a start and end address	192.168.0.1-192.168.0.255
An IPv4 subnet with CIDR notation	192.168.0.0/24
An IPv6 subnet with CIDR notation	2001:db8::/32
A host resolvable to either an IPv4 or an IPv6 address	www.yourdomain.com
A host resolvable to either an IPv4 address or an IPv 6 address with a wildcard as the subdomain	*.yourdomain.com