Scan Routing

With scan routing, you can automatically dispatch scans across multiple scanner groups based on the network areas that each group can access. Scan routing reduces configuration and management overhead because you do not need to assign specific scanners to each scan. This feature is especially useful in large deployments. Users with higher-level permissions can manage scanner groups, and users with lower-level permissions can select those groups during scan configuration.

Note: Scan routing is available only for linked scanners.

When you configure scan routing for a scan, Tenable Vulnerability Management automatically:

  • Assigns scan targets to the scanner group with the narrowest matching target range.

  • Within that scanner group, assigns targets to scanners as they connect, based on their available capacity and the targets remaining.

Configuration Guidelines

Tenable recommends that you plan your scan routing strategy in advance to ensure efficient coverage of your network. If you configure scan routing incorrectly, scanners may not be able to reach their targets.

  • Use IP ranges and CIDR ranges where possible, rather than individual IP addresses. This approach differs from configuring scan targets, where narrower values are recommended.

  • Tenable Vulnerability Management does not support numeric range format for IPv6 addresses. Use CIDR format instead.

  • Typically, add each scanner to only one scanner group. However, you can configure overlapping groups for redundancy or coverage. If a host is included in multiple overlapping groups, Tenable Vulnerability Management assigns the host to any one of the groups. No group receives preference. For information about scanner availability in a group, see Scanner Groups.

To configure scan routing: