Scan Routing
With scan routing, you can automatically dispatch scans across multiple scanner groups based on the network areas that each group can access. Scan routing reduces configuration and management overhead because you do not need to assign specific scanners to each scan. This feature is especially useful in large deployments. Users with higher-level permissions can manage scanner groups, and users with lower-level permissions can select those groups during scan configuration.
Note: Scan routing is available only for linked scanners.
When you configure scan routing for a scan, Tenable Vulnerability Management automatically:
- Assigns each scan target to the scanner group with the narrowest matching target range.
- Within that scanner group, assigns targets to scanners as they connect, based on their available capacity and the targets remaining.
Configuration Guidelines
Tenable recommends that you plan your scan routing strategy in advance to ensure efficient coverage of your network. If you configure scan routing incorrectly, scanners may not be able to reach their targets.
- Use IP ranges and CIDR ranges where possible, rather than individual IP addresses. This approach differs from configuring scan targets, where narrower values are recommended.
- Tenable Vulnerability Management does not support numeric range format for IPv6 addresses. Use CIDR format instead.
- Typically, add each scanner to only one scanner group. However, you can configure overlapping groups for redundancy or coverage. If a host is included in multiple overlapping groups, Tenable Vulnerability Management assigns the host to any one of the groups. No group receives preference. For information about scanner availability in a group, see Scanner Groups.
To configure scan routing:
- Configure a scanner group for scan routing.
  - Create or edit a scanner group.
  - In the Targets for Scan Routing box, type a comma-separated list of scan routing targets.
    Tenable Vulnerability Management supports the following formats for scan routing targets:

    Target format                                                        Example
    A single IPv4 address                                                192.168.0.1
    A single IPv6 address                                                2001:db8::2120:17ff:fe56:333b
    An IPv4 range with a start and end address                           192.168.0.1-192.168.0.255
    An IPv4 subnet in CIDR notation                                      192.168.0.0/24
    An IPv6 subnet in CIDR notation                                      2001:db8::/32
    A host that resolves to either an IPv4 or an IPv6 address            www.yourdomain.com
    A host that resolves to either an IPv4 or an IPv6 address,           *.yourdomain.com
    with a wildcard as the subdomain

    Note: You can specify up to 10,000 individual scan routing targets for a single scanner group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard and range formats instead of individual IP addresses.
  - Click Save.
    Tenable Vulnerability Management saves your changes to the scanner group.
- Configure a scan for scan routing.
  - Create or edit a scan configuration.
  - In the Basic settings section, configure the following options:

    Scanner: Select the Auto-Select option. When you select this option, the Network box appears.

    Network: Do one of the following:
      - If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.
      - If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.

    Targets / Upload Targets / Tags: Specify targets for the scan, using one of the following options:
      - In the Targets box, type the list of targets.
      - In the Upload Targets box, upload a file of targets.
      - In the Tags box, specify targets by tag.

    When specifying scan targets, note the following:
      - Be sure to match scan targets to the scan routing targets you specify in your scanner groups.
      - If you specify scan targets outside the range of scanner group targets, Tenable Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning that lists the hosts that were not scanned.
      - When matching scan routing targets to scan targets, Tenable Vulnerability Management does not resolve FQDNs to IP addresses. For example, if you specify *.example.com as a scan routing target, Tenable Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan target www.example.com. However, Tenable Vulnerability Management does not assign a scan to that scanner group if the scan is configured with the target 192.168.0.1, even if www.example.com could resolve to 192.168.0.1.
  - Click Save.
    Tenable Vulnerability Management saves your changes to the scan configuration.
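Because a mismatch between routing targets and scan targets only shows up as a partial-results warning after the scan runs, it is worth checking a routing plan before saving it. The following Python model of the rules stated in the configuration guidelines and in this procedure (narrowest matching range wins, names matched as strings without DNS resolution, hosts outside every routing range left unscanned and reported, IPv6 numeric ranges rejected, 10,000 entries per group) is an added example written for this page; it is not Tenable's code and does not call any Tenable API. The group names, routing lists and scan targets are constructed sample data. Two details the page does not settle are assumptions here: a wildcard entry matches any name with at least one label below the domain, and when two groups match equally narrowly the model keeps the first group seen (the product assigns the host to any one of them).

```python
"""Model of the scan routing rules this page describes: parse a scanner
group's routing targets, validate them, and route scan targets to the
group with the narrowest matching entry without resolving names.
Illustrative only (not Tenable's code); sample data is constructed."""
import ipaddress
import re

MAX_ROUTING_TARGETS = 10_000   # per-group limit stated on the page

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)*{_LABEL}\.?$", re.IGNORECASE)


class RoutingTarget:
    """One entry from a scanner group's Targets for Scan Routing list."""

    def __init__(self, text):
        self.text = t = text.strip()
        self.networks = []      # ip_network objects for IP, range and CIDR entries
        self.host = None        # lowercase name for FQDN and wildcard entries
        self.wildcard = False
        if "-" in t and "/" not in t:                  # numeric range: start-end
            start, _, end = t.partition("-")
            try:
                a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
            except ValueError:
                a = b = None                            # not a range (hyphenated hostname)
            if a is not None:
                if a.version == 6:
                    raise ValueError(f"{t}: IPv6 numeric ranges are not supported, use CIDR")
                if b.version != 4 or a > b:
                    raise ValueError(f"{t}: malformed IPv4 range")
                self.networks = list(ipaddress.summarize_address_range(a, b))
        if not self.networks:
            try:
                self.networks = [ipaddress.ip_network(t, strict=False)]
            except ValueError:
                if re.fullmatch(r"[0-9.:/\-]+", t) or not _HOST_RE.match(t):
                    raise ValueError(f"{t}: unrecognized routing target format") from None
                self.wildcard = t.startswith("*.")
                self.host = (t[2:] if self.wildcard else t).lower().rstrip(".")
        # Narrowness key: fewer covered addresses wins; an exact name beats a wildcard.
        self.width = sum(n.num_addresses for n in self.networks) or (2 if self.wildcard else 1)

    def matches(self, host):
        """True if one individual scan target falls inside this entry.
        Names are compared as strings only: no DNS lookup, as the page states."""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            return any(ip in n for n in self.networks)   # IPs never match name entries
        if self.host is None:
            return False
        name = host.lower().rstrip(".")
        if self.wildcard:   # assumption: *.domain covers any name with a label below domain
            return name.endswith("." + self.host)
        return name == self.host


def parse_routing_list(text):
    """Parse the comma-separated box contents and enforce the per-group limit."""
    entries = [RoutingTarget(p) for p in text.split(",") if p.strip()]
    if len(entries) > MAX_ROUTING_TARGETS:
        raise ValueError(f"{len(entries)} targets exceed the {MAX_ROUTING_TARGETS} per-group limit")
    return entries


def validation_errors(text):
    """Collect every problem in a routing list instead of stopping at the first."""
    errors = []
    for p in (p for p in text.split(",") if p.strip()):
        try:
            RoutingTarget(p)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def expand_scan_target(spec):
    """Yield the individual hosts a scan target (IP, range, CIDR or name) denotes."""
    entry = RoutingTarget(spec)
    if entry.wildcard:
        raise ValueError(f"{spec}: wildcards are routing targets, not scan targets")
    if entry.networks:
        for n in entry.networks:
            for ip in n:
                yield str(ip)
    else:
        yield entry.host


def route_scan(groups, scan_targets):
    """groups: {group name: routing list string}. Returns (assigned, unrouted)."""
    parsed = {g: parse_routing_list(s) for g, s in groups.items()}
    assigned = {g: [] for g in groups}
    unrouted = []                                  # would appear in the scan's warning
    for spec in scan_targets:
        for host in expand_scan_target(spec):
            best = None                            # (group, width) of narrowest match
            for g, entries in parsed.items():
                for e in entries:
                    if e.matches(host) and (best is None or e.width < best[1]):
                        best = (g, e.width)        # equal widths keep the first group seen
            if best is None:
                unrouted.append(host)
            else:
                assigned[best[0]].append(host)
    return assigned, unrouted


# Constructed sample data, not from any real deployment.
SAMPLE_GROUPS = {
    "dc-core": "10.0.0.0/8",
    "dc-web": "10.1.0.0/24, *.example.com",
    "branch": "192.168.0.1-192.168.0.255, 2001:db8::/32",
}
SAMPLE_SCAN_TARGETS = ["10.1.0.5", "10.9.9.9", "www.example.com", "example.com",
                       "192.168.0.0/30", "2001:db8::2120:17ff:fe56:333b", "172.16.0.1"]

if __name__ == "__main__":
    assigned, unrouted = route_scan(SAMPLE_GROUPS, SAMPLE_SCAN_TARGETS)
    for g, hosts in assigned.items():
        print(f"{g}: {hosts}")
    print("not scanned (outside every routing range):", unrouted)
```

Running the sample shows 10.1.0.5 going to dc-web rather than dc-core because the /24 is narrower than the /8, www.example.com going to dc-web by string match on the wildcard, and 192.168.0.0, example.com and 172.16.0.1 ending up in the unrouted list that the product would report as not scanned. Feeding the model a list such as "2001:db8::1-2001:db8::ff" through validation_errors reproduces the guideline that IPv6 numeric ranges are not accepted.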