Configure Scan Routing
With scan routing, you can automatically dispatch scanning across multiple scanner groups according to the network areas to which each group has access. Scan routing reduces scan configuration and management overhead by eliminating the need to select specific scanners for each individual scan, which is a significant benefit in large deployments. To improve operational efficiency, team members with higher privileges can manage the scanner groups, which lower-privileged team members can then use during scan configuration.
Note: Scan routing is available for linked scanners only.
If you configure scan routing for a scan, when the scan runs, Tenable Vulnerability Management automatically does the following:
- Assigns the scan targets to the scanner group configured with the narrowest matching target range.
- Within that scanner group, assigns targets to scanners as they check in, according to their capacity and the targets still available.
For more information, see Configuration Guidelines.
Note: Tenable recommends pre-planning your scan routing strategy to efficiently target discrete areas of your network. If configured improperly, scan routing can prevent scanners from reaching their targets.
To configure scan routing:
- Review the configuration guidelines for scan routing.
- Configure a scanner group for scan routing:
  - Create or edit a scanner group.
  - In the Targets for Scan Routing box, type a comma-separated list of scan routing targets. Targets in the list must be in the supported formats.
    Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats instead of individual IP addresses.
  - Click Save. Tenable Vulnerability Management saves your changes to the scanner group.
- Configure a scan for scan routing:
  - Create or edit a scan configuration.
  - In the Basic settings section, configure the following options:
    - Scanner: Select the Auto-Select option. When you select this option, the Network box appears.
    - Network: Do one of the following:
      - If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.
      - If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.
    - Targets / Upload Targets / Tags: Specify targets for the scan, using one of the following options:
      - In the Targets box, type the list of targets.
      - In the Upload Targets box, upload a file of targets.
      - In the Tags box, specify targets by tag.
      When specifying scan targets, note the following:
      - Be sure to match scan targets to the scan routing targets you specify in your scanner groups. If you specify scan targets outside the range of scanner group targets, Tenable Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning that lists the hosts that were not scanned.
      - When matching scan routing targets to scan targets, Tenable Vulnerability Management does not resolve FQDNs to IP addresses. For example, if you specify *.example.com as a scan routing target, Tenable Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan target www.example.com. However, Tenable Vulnerability Management does not assign a scan to that scanner group if a scan is configured with the target 192.168.0.1, even if www.example.com could potentially resolve to 192.168.0.1.
  - Click Save. Tenable Vulnerability Management saves your changes to the scan configuration.
Configuration Guidelines
- When configuring scan routes, Tenable recommends using IP ranges and CIDR ranges instead of individual IP addresses where possible. This is the opposite of the guidance for scan targets, where narrower target values are preferred: a routing list describes the network areas a scanner group can reach, whereas a scan's target list describes the hosts that one scan should cover.
- Tenable Vulnerability Management does not support a numeric range format for IPv6 addresses. Instead, use a CIDR format for IPv6 address ranges.
- Typically, Tenable recommends adding an individual scanner to only one scanner group. In some cases, however, you may want to configure overlapping scanner groups to ensure scanning coverage or redundancy. If a host is targeted by two or more overlapping scanner groups, Tenable Vulnerability Management chooses any one of the groups to scan it; none of the groups is given preference.
- For a definition of scanner availability in a scanner group, see Scanner Groups.
Supported Scan Routing Target Formats
Tenable Vulnerability Management supports the following formats for scan routing targets:

Target Format | Example
---|---
A single IPv4 address | 192.168.0.1
A single IPv6 address | 2001:db8::2120:17ff:fe56:333b
An IPv4 range with a start and end address | 192.168.0.1-192.168.0.255
An IPv4 subnet with CIDR notation | 192.168.0.0/24
An IPv6 subnet with CIDR notation | 2001:db8::/32
A host resolvable to either an IPv4 or an IPv6 address | www.yourdomain.com
A host resolvable to either an IPv4 or an IPv6 address, with a wildcard as the subdomain | *.yourdomain.com
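The matching rules this page describes (the narrowest matching range wins, hosts outside every group are skipped with a warning, FQDNs are never resolved, IPv6 ranges must be written as CIDR) can be checked before a scan runs rather than discovered from a partial-results warning. The following Python pre-flight checker is an added example and not Tenable's own code or API: it parses scanner-group routing lists in the formats from the table above and reports where each scan host would route. The group names and sample targets are constructed, and the tie-breaking details are assumptions (width is measured as the number of addresses an entry covers, an exact hostname is ranked narrower than a wildcard, and `*.example.net` matches any name ending in `.example.net` but not `example.net` itself).

```python
"""Scan routing pre-flight check. Added example, not Tenable's code or API.

Re-implements the documented matching rules (narrowest matching range wins, hosts
outside every group are skipped, FQDNs are never resolved). Assumed details:
"narrowest" = fewest addresses covered; an exact hostname outranks a wildcard;
"*.example.net" matches any name ending in ".example.net".
"""
import ipaddress
import re

MAX_ROUTING_TARGETS = 10_000  # documented per-scanner-group limit
# IPv4 start-end range; IPv6 ranges are unsupported and must be written as CIDR.
_V4_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
# Hostname, optionally with "*" as the leftmost (subdomain) label.
_HOST = re.compile(r"^(\*\.)?(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def parse_target(text):
    """Return (kind, value, width) for one routing target, or raise ValueError.

    kind is "net", "range", "host" or "wildcard"; width is the number of addresses the
    entry can cover (1 for an exact host and 2 for a wildcard are assumed ranking values).
    """
    t = text.strip()
    try:
        net = ipaddress.ip_network(t, strict=False)   # single IP, IPv4 CIDR or IPv6 CIDR
        return "net", net, net.num_addresses
    except ValueError:
        pass
    m = _V4_RANGE.match(t)
    if m:
        start, end = (ipaddress.IPv4Address(g) for g in m.groups())
        if start > end:
            raise ValueError(f"{t!r}: range start is after its end")
        return "range", (start, end), int(end) - int(start) + 1
    if ":" in t and "-" in t:
        raise ValueError(f"{t!r}: numeric ranges are IPv4-only; use CIDR for IPv6")
    if _HOST.match(t):
        if t.startswith("*."):
            return "wildcard", t[1:].lower(), 2   # keep the "." so the bare domain is excluded
        return "host", t.lower(), 1
    raise ValueError(f"{t!r}: unsupported scan routing target format")


def parse_group(name, targets_box):
    """Parse the comma-separated contents of a group's Targets for Scan Routing box."""
    entries = [e.strip() for e in targets_box.split(",") if e.strip()]
    if len(entries) > MAX_ROUTING_TARGETS:
        raise ValueError(f"{name}: {len(entries)} targets exceed the {MAX_ROUTING_TARGETS} limit")
    return {"name": name, "targets": [parse_target(e) for e in entries]}


def _host_key(scan_target):
    """Normalise a scan host to an ip_address object or a lowercase FQDN; no DNS lookup."""
    try:
        return ipaddress.ip_address(scan_target.strip())
    except ValueError:
        return scan_target.strip().lower()


def _covers(entry, host):
    kind, value, _ = entry
    if isinstance(host, str):                # FQDN: only name entries can match it
        if kind == "host":
            return host == value
        return kind == "wildcard" and host.endswith(value)
    if kind == "net":
        return host in value                 # False when the IP versions differ
    return kind == "range" and host.version == 4 and value[0] <= host <= value[1]


def route(scan_hosts, groups):
    """Map each scan host to its narrowest matching group.

    Returns {"routed": {host: group}, "ambiguous": {host: [groups]}, "not_scanned": [hosts]}.
    "not_scanned" hosts are those the warning would list; "ambiguous" hosts fall in two
    equally narrow groups, where any one of them may be chosen.
    """
    result = {"routed": {}, "ambiguous": {}, "not_scanned": []}
    for raw in scan_hosts:
        host = _host_key(raw)
        matches = [(entry[2], g["name"]) for g in groups for entry in g["targets"]
                   if _covers(entry, host)]
        if not matches:
            result["not_scanned"].append(raw)
            continue
        narrowest = min(width for width, _ in matches)
        names = sorted({name for width, name in matches if width == narrowest})
        if len(names) == 1:
            result["routed"][raw] = names[0]
        else:
            result["ambiguous"][raw] = names
    return result


if __name__ == "__main__":
    # Constructed sample: routing lists that overlap on purpose, plus hosts no group reaches.
    groups = [parse_group("dc-core", "192.168.0.0/24, *.example.net"),
              parse_group("dc-web", "192.168.0.1-192.168.0.10, www.example.net"),
              parse_group("cloud-v6", "2001:db8::/32")]
    hosts = ["192.168.0.5", "192.168.0.200", "www.example.net", "db.example.net",
             "2001:db8::2120:17ff:fe56:333b", "10.9.9.9", "www.example.com"]
    for bucket, items in route(hosts, groups).items():
        print(f"{bucket}: {items}")
```

Run it with the same text you paste into each group's Targets for Scan Routing box and the scan's target list: hosts under `not_scanned` are the ones a partial-results warning would name, `ambiguous` hosts sit in equally narrow overlapping groups, and `parse_target` rejects IPv6 numeric ranges and reversed IPv4 ranges before they reach a scanner group. Because the checker never resolves names, `www.example.com` stays unrouted against a `*.example.net` entry even if the two names share an address, matching the documented behaviour.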