Scan Distribution
Overview
Tenable Vulnerability Management's scan distribution method improves scan efficiency for your organization’s scanners and the cloud scanners that Tenable provides. Tenable Vulnerability Management distributes scans as tasks across multiple scanners in the scanner group assigned to the scan, rather than assigning complete scan jobs to individual scanners. When you assign a scan to a single scanner, Tenable Vulnerability Management assigns the scanner tasks that can run in parallel, enabling the scanner to complete the job more efficiently.
Scan distribution allows multiple scan tasks to run simultaneously, reducing bottlenecks that would occur if scans ran sequentially on individual scanners. As your organization’s scanning needs grow, this distribution method makes it less likely for your overall scan performance to degrade.
How Tenable Vulnerability Management Distributes Scans
Scan Job Creation and Queuing
When you launch a scan, Tenable Vulnerability Management creates a scan job and sends it to the job queue of the scanner group or individual scanner defined in the scan configuration. Jobs are always sent from Tenable Vulnerability Management and queued in scanner groups or individual scanners in the order they are created.
Tenable Vulnerability Management determines where and what to send scan jobs based on three aspects of the target scanner or scanner group's capacity:
-
Target capacity — The number of assets a scanner can actively scan simultaneously. This value is by default based on the hardware resources of the scanner, including the number of processors and the amount of memory available.
-
Task capacity — The number of tasks (parts of a scan) that a scanner can perform simultaneously. A scanner's task capacity is determined based on the target capacity.
-
Job capacity — The number of different jobs a scanner can include tasks from at once. In this way, scans can be performed asynchronously, and a scanner that has available capacity can complete multiple tasks even if those tasks are not derived from the same scan. Job capacity is always determined to be less than equal to the task capacity so that when a scanner is at its job capacity, it will be able to complete tasks from every job.
For scanner groups, jobs are queued centrally, and the earliest job is held until the group has available capacity. For individual scanners, the job queue may include jobs assigned directly as well as jobs distributed from groups the scanner belongs to.
Scan Task Assignment
When a scanner or scanner group has available capacity, Tenable Vulnerability Management breaks the earliest job in its queue into scan tasks and dispatches them.
-
For scanner groups, Tenable Vulnerability Management distributes tasks across scanners in the group using a "round robin" method.
-
For individual scanners, tasks are pulled from the job queue and assigned in round robin order until the scanner's task capacity is full.
Each scan task accounts for up to 120 IP addresses. The last task in a job may contain fewer addresses. For example, Tenable Vulnerability Management splits a scan job of 300 IP addresses into two 120-address tasks and one 60-address task.
The way Tenable Vulnerability Management dispatches tasks depends on the scanning scenario. See the following examples for more information:
Example Scenario: One Scanner with One Job
A single standalone scanner processes jobs one at a time in the order they are queued. If the scanner has a task capacity of six, Tenable Vulnerability Management assigns six tasks from the job to run simultaneously. As each task completes, new tasks fill the available capacity until the job is finished.
Example Scenario: One Scanner with Multiple Jobs
If a scanner belongs to two scanner groups and also has a job assigned directly, its job queue may contain three jobs. Because the scanner’s job capacity is three, it can process tasks from all three jobs at the same time.
If the scanner’s task capacity is five, tasks are assigned in succession across the jobs: Job 1, Job 2, Job 3, Job 1, Job 2. In this case, the scanner works on two tasks from Job 1, two tasks from Job 2, and one task from Job 3. When one task completes, the next task from Job 3 is dispatched.
Example Scenario: Multiple Scanners with Multiple Jobs
If Scanner 1 and Scanner 2 are assigned to the same scanner group (SG1), and two jobs are created—Job 1 assigned directly to Scanner 1 and Job 2 assigned to SG1—Tenable Vulnerability Management breaks down both jobs into tasks.
-
Only Scanner 1 works on Job 1.
-
Both Scanner 1 and Scanner 2 work on Job 2.
If both scanners have a job capacity of three and a task capacity of six, Scanner 1 processes three tasks from Job 1 and three tasks from Job 2, while Scanner 2 processes six tasks from Job 2. Tasks from Job 2 continue to be dispatched to both scanners until the job is complete.
View Live Results
As scanners complete tasks, you can view live scan results in Tenable Vulnerability Management. Each time a task completes, the platform updates the scan results with new data. If a scan fails or is interrupted, Tenable Vulnerability Management retains all completed results, though the scan reflects an incomplete status. If a job is assigned to multiple scanners and one of those scanners fails, the remaining scanners continue processing tasks until completion.