This article presents various methods of optimizing and modifying the settings of the Footprint Platform so that scans have enough time to finish executing, all assets are scanned and no redundant scans are scheduled. Following these methods is therefore recommended if there are assets that have not been scanned lately or if scans do not have enough time to finish executing.
We recommend following our best practices at all times: with these in place we can guarantee that scans will run unless there is an underlying issue (an IP that is unreachable, an Internal Scanner that is not responding as expected), which we would then troubleshoot. If these practices are not followed, scans may or may not execute as expected depending on the particular case (e.g. how many IPs are scanned, how many Internal Scanners are deployed), so we recommend following them regardless.
Method A - Tuning ARP Settings
Values are in seconds unless the setting name ends in _ms (milliseconds).
The commands must be run with root permission, and eth0 should be replaced with the interface the Internal Scanner actually uses. Values written under /proc do not survive a reboot.
Optimizing for Alive Hosts:
# cd /proc/sys/net/ipv4/neigh/eth0
- Set the GC stale time to 5 minutes (300 seconds):
# echo "300" > gc_stale_time
- Set the number of unicast solicitation probes sent before falling back to multicast/broadcast:
# echo "1" > ucast_solicit
Optimizing for Dead Hosts:
- Set the number of multicast/broadcast probes sent:
# echo "1" > mcast_solicit
- Set the retransmission interval to 10 seconds (10000 ms):
# echo 10000 > retrans_time_ms
Reference:
https://www.baeldung.com/linux/arp-settings
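As an added example (not Footprint tooling, and not from the reference above), the script below audits the four tunables from Method A against the recommended values and renders them in sysctl form so they persist across reboots. The interface name eth0 and the target values come from this article; the function names, and the expectation that each tunable is a single-value file under /proc/sys/net/ipv4/neigh/<iface>, are this example's assumptions.

```python
"""Audit the ARP neighbour tunables from Method A and render them in
persistent sysctl form. Added example, not Footprint tooling."""
import sys
from pathlib import Path

# Values recommended in Method A. gc_stale_time is in seconds,
# retrans_time_ms in milliseconds; the *_solicit values are probe counts.
ARP_RECOMMENDED = {
    "gc_stale_time": 300,
    "ucast_solicit": 1,
    "mcast_solicit": 1,
    "retrans_time_ms": 10000,
}


def check_arp_settings(neigh_dir, recommended=ARP_RECOMMENDED):
    """Compare each tunable under neigh_dir with its recommended value.

    Returns {key: (current, recommended, ok)}. current is None when the
    file is missing or unreadable, so a mistyped interface name shows up
    as a finding instead of a crash. (Assumed layout: one file per key.)"""
    neigh_dir = Path(neigh_dir)
    report = {}
    for key, want in recommended.items():
        try:
            current = int((neigh_dir / key).read_text().strip())
        except (OSError, ValueError):
            current = None
        report[key] = (current, want, current == want)
    return report


def drifted(report):
    """Keys whose current value differs from the recommendation."""
    return sorted(k for k, (_, _, ok) in report.items() if not ok)


def sysctl_lines(iface="eth0", recommended=ARP_RECOMMENDED):
    """Render the same settings as lines for /etc/sysctl.d; unlike writes
    to /proc, these are re-applied at boot."""
    return [f"net.ipv4.neigh.{iface}.{k} = {v}" for k, v in recommended.items()]


if __name__ == "__main__":
    # Usage: python arp_check.py [iface]   (defaults to eth0, as in the article)
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    report = check_arp_settings(f"/proc/sys/net/ipv4/neigh/{iface}")
    for key, (cur, want, ok) in report.items():
        print(f"{'OK   ' if ok else 'DRIFT'} {key}: current={cur} recommended={want}")
    if drifted(report):
        print(f"\nTo persist the recommended values for {iface}, add to /etc/sysctl.d/:")
        print("\n".join(sysctl_lines(iface)))
```

Run it on the scanner host after applying Method A to confirm nothing was skipped; rerun it after a reboot to catch settings that were only written to /proc.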
Method B - Optimizing Port Scanning Parameters in Footprint
This method ensures that there are no redundant port scans scheduled.
It is recommended that you configure your Scan Surface in its entirety before making adjustments to the Scan Scheduler.
Go to Settings > Scheduler and Select the Internal Scanner by Name.
- Use only the Full Perimeter Service Scan (scan against ~65k ports) and disable the Limited Perimeter Service Scan (scan against the top 100 ports), since the full scan already covers those ports.
- Disable both the Limited Perimeter Service Scan (top 100 ports) and the Full Perimeter Service Scan (~65k ports), and add or remove the ports scanned by the Critical Service Health & Change Monitoring (TCP/UDP) scans so that they cover the ports you know are in use on your network.
Method C - Setting a Scan Window or Optimizing the Time Frequency of the Scans in Footprint
This method ensures that scans have enough time to execute and finish.
Go to Settings > Scheduler and Select the Internal Scanner by Name.
Edit the tasks listed below and set each timer to 3x, 5x or 7x its configured time. These multipliers are our recommendations; you may use other multipliers, and you may use different multipliers for different tasks. The frequency can be set to whatever suits your preferences. For example, the list includes both scanning tasks (such as the Advanced Scanner) and reporting tasks (such as the Contextual Risk Scoring Report); if you prefer scanning to be done more often than reporting, change the frequency of the scanning tasks to be higher than that of the reports.
- Limited Perimeter Service Scan
- Full Perimeter Service Scan
- Health & Change Monitoring (TCP)
- Critical Service Health & Change Monitoring (TCP)
- Critical Service Health & Change Monitoring (UDP)
- Health & Change Monitoring (UDP)
- Web Application Availability Scan
- Advanced scanner tasks without brute force scans
- Advanced scanner tasks with brute force scans
Go to Scan Surface > Deployed Scanners, pick the Internal Scanner by name and click Edit Scan Window. The scan window defines the period during which the scanner should not run, so you could pick business hours, 08:00-18:00 (aligned to the console time). This prevents scanning, and its impact, during business hours, but leaves less time for scans to finish. This should be perfectly fine for small subnets or subnets that do not have many alive hosts.
If the Last Run Duration of a task is higher than its Frequency, that is an exceptional case: we recommend setting the frequency value (with or without a multiplier) higher than the Last Run Duration, so as to avoid any conflict between the two and to ensure that scans have enough time to finish executing.
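As an added example (not Footprint's own scheduler logic), the planner below applies the Method C rules to a task list: it scales each configured frequency by a multiplier (with optional per-task overrides, e.g. reports less often than scans), bumps the result above the Last Run Duration in the exceptional case just described, and reports how many hours per day remain outside a scan window. The task names come from this article; the sample frequencies and durations are constructed, and the helper names and the "fits in one day" check (whether the last run would fit in a single day's hours outside the window) are this example's assumptions.

```python
"""Plan scan frequencies per Method C. Added example, not Footprint code.
Times are in hours; scan windows use the console's HH:MM-HH:MM form."""
import math


def blocked_hours(window):
    """Hours per day covered by a scan window such as '08:00-18:00', i.e.
    the hours the scanner must NOT run. Windows crossing midnight
    ('22:00-06:00') are handled."""
    start, end = window.split("-")

    def to_hours(t):
        hh, mm = t.split(":")
        return int(hh) + int(mm) / 60

    s, e = to_hours(start), to_hours(end)
    return e - s if e >= s else 24 - s + e


def recommend_frequency(frequency_h, last_run_h, multiplier=3):
    """Method C rule: scale the configured frequency by the multiplier and,
    if the result still does not exceed the last run duration (the
    exceptional case), raise it to the next whole hour above that duration
    so consecutive runs cannot overlap."""
    new = frequency_h * multiplier
    if new <= last_run_h:
        new = math.floor(last_run_h) + 1
    return new


def plan(tasks, multiplier=3, overrides=None, scan_window=None):
    """tasks: {name: (configured_frequency_h, last_run_duration_h)}.
    overrides: {name: multiplier} for tasks that should use another multiplier.
    Returns per task the recommended frequency, whether the exceptional
    case (last run >= frequency) applies, and, if a window is set, whether
    the last run fits in one day's hours outside the window (assumed check)."""
    overrides = overrides or {}
    available = None if scan_window is None else 24 - blocked_hours(scan_window)
    result = {}
    for name, (freq, last) in tasks.items():
        m = overrides.get(name, multiplier)
        result[name] = {
            "frequency_h": recommend_frequency(freq, last, m),
            "conflict": last >= freq,
            "fits_in_one_day": None if available is None else last <= available,
        }
    return result


# Constructed sample figures, not values from a real console.
SAMPLE_TASKS = {
    "Full Perimeter Service Scan": (24, 30),     # last run overran its daily frequency
    "Limited Perimeter Service Scan": (24, 2),
    "Contextual Risk Scoring Report": (24, 0.5),
}

if __name__ == "__main__":
    # Reports once a week (7x), scans 3x, with business hours excluded.
    result = plan(SAMPLE_TASKS, multiplier=3,
                  overrides={"Contextual Risk Scoring Report": 7},
                  scan_window="08:00-18:00")
    for name, r in result.items():
        flag = " (last run exceeded frequency)" if r["conflict"] else ""
        print(f"{name}: set frequency to {r['frequency_h']}h, "
              f"fits outside window: {r['fits_in_one_day']}{flag}")
```

Feed it the Frequency and Last Run Duration columns from Settings > Scheduler; any task flagged with conflict is the exceptional case and should get the raised frequency before the other multipliers are applied.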