This article presents the recommended methods to follow when scanning with Footprint.
We recommend following these practices at all times: with them in place, scans should run as expected unless there is an underlying issue (an unreachable IP, an Internal Scanner not responding as it should), in which case we recommend contacting our support team.
- Optimizing Port Scanning Parameters in Footprint
- Setting a No-Scan Window
- Scan Frequency Sizing
- Tuning ARP Settings
It is recommended that you configure your Scan Surface in its entirety before making adjustments to the Scan Scheduler.
Optimizing Port Scanning Parameters in Footprint
This method lowers the amount of generated requests, shortening the time it takes for scans to execute.
Go to Settings > Scheduler and select the Internal Scanner by name. Then choose one of the following two options:
- Use only the Full Perimeter Service Scan (scan against ~65k ports) and disable the Limited Perimeter Service Scan (scan against the top 100 ports).
- Disable both the Limited Perimeter Service Scan (top 100 ports) and the Full Perimeter Service Scan (~65k ports), and instead add or remove the ports scanned by the Critical Service Health & Change Monitoring (TCP/UDP) scans so that they cover as many of the ports you know to be in use on your network as possible.
Setting a No-Scan Window
Go to Scan Surface > Deployed Scanners, pick the Internal Scanner by name and click Edit Scan Window. This sets the period during which the scanner must not run; for example, you could pick business hours, 08:00-18:00 (aligned to the console time). This prevents scanning, and any impact from it, during business hours, but it leaves less time for scans to finish. That is perfectly fine for small subnets or subnets that do not have many alive hosts.
Scan Frequency Sizing
This method ensures that scans have enough time to execute and finish.
Scan sizing is the method we recommend following, and with it in place we can guarantee that scans run and finish executing as expected. We generally recommend following it even if there are no noticeable issues in the platform.
Adjusting scans can improve overall resource utilization and free up more scanner time for the larger subnets. The scheduler can only be edited once per scanner, so you need to adjust it according to the total scan surface size of each scanner that requires it, on each tenant.
Go to Settings > Scheduler and select the Internal Scanner by name.
Note: if the Last Run Duration is higher than the Frequency of the task, that is an exceptional case. We recommend setting the frequency value (a multiple of the original or not) higher than the Last Run Duration, so as to avoid any conflict between the two and to ensure that scans have enough time to finish executing.
An Internal Scanner is recommended for:
- One /24 (254 IP addresses) scanned at a daily frequency.
- If you are scanning a /23 (512 addresses), the frequency should be 48+ hours.
- If you are scanning a /22 (1024 addresses), the frequency should be 96+ hours, or once a week.
Tip: The settings above apply to the cloud scanner as well.
Tip: No task depends on another; they execute individually. Hence, changing the frequency of a task does not interfere with its execution.
How to modify scan frequency to accommodate large scan surfaces (/23 and /22 IP ranges):
The values above are targeted at the Advanced Scanner tasks, with or without brute force.
For the other tasks, please keep the following ratios:
- Full Perimeter Service Scan - same as Advanced Scanner
- Limited Perimeter Service Scan - 1/4 of Advanced Scanner
- Perimeter Discovery via Reconnaissance - same as Advanced Scanner or 1/2 of Advanced Scanner
- Health & Change Monitoring (TCP) - 1/8 of Advanced Scanner or 1/4
- Health & Change Monitoring (UDP) - 1/8 of Advanced Scanner or 1/4
- Web Applications Health & Change Monitoring - 1/3 of Advanced Scanner
- Web Application Availability Scan - 1/3 of Advanced Scanner
- Critical Service Health & Change Monitoring (TCP) - 1/8 of Advanced Scanner or 1/4
- Critical Service Health & Change Monitoring (UDP) - 1/4 of Advanced Scanner or 1/2
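The sizing rules and task ratios above, worked through as a small calculator. This is an added example, not Footprint's own code; it assumes frequencies are expressed in hours, picks the larger (less frequent) fraction wherever the page lists two, and handles the exceptional case of a Last Run Duration above the frequency by stepping the frequency up in multiples of the tier value.

```python
from fractions import Fraction

# Advanced Scanner frequency (hours) per scan-surface tier, taken from the
# sizing rules on this page: /24 -> daily, /23 -> 48 h, /22 -> 96 h.
BASE_HOURS = {254: 24, 512: 48, 1024: 96}

# Each task's frequency as a fraction of the Advanced Scanner frequency.
# Where the page offers two ratios, this example assumes the larger
# (less frequent) one.
TASK_RATIOS = {
    "Full Perimeter Service Scan": Fraction(1, 1),
    "Limited Perimeter Service Scan": Fraction(1, 4),
    "Perimeter Discovery via Reconnaissance": Fraction(1, 1),
    "Health & Change Monitoring (TCP)": Fraction(1, 4),
    "Health & Change Monitoring (UDP)": Fraction(1, 4),
    "Web Applications Health & Change Monitoring": Fraction(1, 3),
    "Web Application Availability Scan": Fraction(1, 3),
    "Critical Service Health & Change Monitoring (TCP)": Fraction(1, 4),
    "Critical Service Health & Change Monitoring (UDP)": Fraction(1, 2),
}


def advanced_scanner_hours(address_count, last_run_hours=0):
    """Advanced Scanner frequency in hours for one Internal Scanner."""
    # Round the surface up to the next tier the page defines.
    tier = next((n for n in sorted(BASE_HOURS) if address_count <= n), None)
    if tier is None:
        raise ValueError("surface larger than /22: split it across scanners")
    hours = BASE_HOURS[tier]
    # Exceptional case: Last Run Duration above the frequency. This example
    # raises the frequency in whole multiples of the tier value until it
    # exceeds the observed run time (an assumption; any higher value works).
    while hours <= last_run_hours:
        hours += BASE_HOURS[tier]
    return hours


def task_frequencies(address_count, last_run_hours=0):
    """Map every scheduler task to its recommended frequency in hours."""
    base = advanced_scanner_hours(address_count, last_run_hours)
    plan = {"Advanced Scanner": Fraction(base)}
    for task, ratio in TASK_RATIOS.items():
        plan[task] = base * ratio
    return plan


if __name__ == "__main__":
    # Constructed input: a /23 whose last Advanced Scanner run took 50 h.
    for task, hours in task_frequencies(512, last_run_hours=50).items():
        print(f"{task:<52} every {float(hours):>6.1f} h")
```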
Tuning ARP Settings
This method lowers the amount of generated requests, shortening the time it takes for scans to execute.
Tip: Default settings are in seconds unless the name ends in _ms.
Tip: The commands must be run with root permissions, and eth0 must be replaced with the scanner's actual interface name if it differs.
Optimizing for alive hosts:
# cd /proc/sys/net/ipv4/neigh/eth0
- Set the GC stale time to 5 minutes:
  # echo "300" > gc_stale_time
- Set the number of unicast solicit probes sent before falling back:
  # echo "1" > ucast_solicit
Optimizing for dead hosts:
- Set the number of multicast/broadcast probes sent:
  # echo "1" > mcast_solicit
- Set the retransmission interval to 10 seconds:
  # echo 10000 > retrans_time_ms
Reference:
https://www.baeldung.com/linux/arp-settings