I would like to find out how many host IPs are scanned concurrently by 1 Qualys appliance?
Also, does it make a difference if a scheduled scan of 500 host IPs is split across more than one scheduled scan, kicked off at 10 minute intervals? So the first scan starts at 9:00, the next at 9:10 and so on. Or should you only create 1 schedule with all 500 IPs in?
Good morning Herman,
The number of hosts scanned concurrently by a QualysGuard Scanner Appliance (internal or external) is defined in the Option Profile, Performance settings. These vary whether you are running a map or a scan task.
If you run a task (map or scan) against 500 hosts with a setting of 30 hosts in parallel and then 10 minutes later run the same task, you could be assessing 60 hosts at the same time. Now, if that was an external scan, the task may run on two of our units so it's not a problem, but if you were scanning external IPs in a DMZ the firewall may see 60 concurrent assessments and not be able to deal with such volume. Please bear in mind each configuration is different, as some firewalls will be absolutely fine with this. If you were running the assessment from a single Scanner Appliance against the hosts and you repeated this task every 10 minutes for an hour, assuming the assessments took a long time, you could be scanning 180 hosts in parallel and the Scanner Appliance may become overloaded. This was more of a concern with our older Scanner Appliances, as we not too long ago released a more advanced Scanner Appliance better suited to running more simultaneous tasks, but the bigger issue in this scenario would be that you are repetitively scanning the same hosts, which is of little value within a short space of time considering you are looking for the same things.
So my advice would be to review the Option Profile to determine settings for map and scan tasks which you find acceptable and run one task against the area you are interested in as defined by an Asset Group. Our standard 'out of the box' Initial Options profile works in the majority of environments but if you have a critical / sensitive area, reduce the performance settings to low or a custom level you are happy with and see how it goes. If you don't need to work around change control windows, it can also be helpful to notify support and networks teams so they are on your side and know who to contact if undesirable situations arise.
Feel free to call or email me if you wish to discuss this further or we can meet up mid-July if you would like to look at this face to face.
All the best,
As Nick mentioned, be very careful about doubling up on scans not so much on the appliance side but on the Network and Target Host side of things.
You need to be very sure you won't DoS your network if you're running more than one scan at a time. If you run more than one scan at a time, you are exponentially increasing the amount of traffic on your network.
You also need to take note of the Host side as well (maybe even more so), as you'd be sending the same exponential amount of traffic at a single Host if, for whatever reason, you have the same Host list in both scans.
I've found it better to slowly increase the Hosts & Processes to run in parallel in a single scan Option Profile than try and run multiple scans at once.
Sorry to dig this out of the weeds, but can you explain the math with regard to 'exponentially increasing the amount of traffic on your network'? Are you using 'exponentially' in place of 'significantly', or is it truly exponential growth? As best I can determine, traffic will only double if two identically configured scans running against identically configured hosts are run from the same scanner at the same time.
You have to take into account all of the following:
The last one is what got me... If you enable parallel scanning AND you have the newer scanners (serial number beginning with 19###), that's when you're exponentially increasing traffic with each scan job. The way I understand it, you're multiplying the Hosts/Processes scanned in parallel by both # Cores AND # Jobs per scanner. You can add a lot of packets on your network and jam them into a host that may not be able to handle it all that well if you're not careful. I don't have either the parallel scaling or the multiple jobs running....
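The two load estimates discussed in this thread (Nick's 30-parallel scans launched every 10 minutes stacking up to 180 hosts in flight, and the later point that parallel hosts get multiplied by cores and jobs on newer scanners) can be checked before a schedule is committed. The following is an added example, not code from the thread or from Qualys: it models each scan as holding its full parallel slot count for its whole run and sweeps the schedule to find the peak number of hosts being assessed at once. Scan durations and the `cores`/`jobs` multipliers are constructed assumptions for illustration; the 30-hosts and 10-minute figures are the ones from the thread.

```python
"""Estimate peak hosts-in-flight for overlapping scan schedules.

Added example (not from the thread or from Qualys). The model is deliberately
simple: a scan keeps hosts_parallel * cores * jobs hosts busy from start to
end. Real scanners ramp down as the target list drains, so treat the result as
an upper bound to size firewall and target capacity against.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanJob:
    name: str
    start_min: int        # minutes after midnight (540 == 09:00)
    duration_min: int     # assumed wall-clock duration (constructed)
    hosts_parallel: int   # Option Profile "hosts to scan in parallel"
    cores: int = 1        # multiplier described for newer appliances (assumption)
    jobs: int = 1         # concurrent jobs per scanner (assumption)

    @property
    def end_min(self) -> int:
        return self.start_min + self.duration_min

    def in_flight(self) -> int:
        """Hosts this job keeps busy at any instant while it runs."""
        return self.hosts_parallel * self.cores * self.jobs


def peak_concurrency(jobs) -> tuple[int, int]:
    """Sweep-line over start/end events.

    Returns (peak hosts in flight, minute at which that peak is first reached).
    An end event at minute t is applied before a start event at the same t,
    so back-to-back scans that do not overlap are not counted as overlapping.
    """
    events = []
    for job in jobs:
        events.append((job.start_min, +job.in_flight()))
        events.append((job.end_min, -job.in_flight()))
    events.sort(key=lambda e: (e[0], e[1]))  # negatives (ends) sort first per minute

    running = peak = peak_at = 0
    for minute, delta in events:
        running += delta
        if running > peak:
            peak, peak_at = running, minute
    return peak, peak_at


def staggered_schedule(n, interval_min, duration_min, hosts_parallel,
                       start_min=540, **multipliers):
    """n copies of the same scan, launched interval_min apart (the thread's scenario)."""
    return [
        ScanJob(f"scan-{i + 1}", start_min + i * interval_min,
                duration_min, hosts_parallel, **multipliers)
        for i in range(n)
    ]


def fmt(minute: int) -> str:
    return f"{minute // 60:02d}:{minute % 60:02d}"


if __name__ == "__main__":
    # Nick's case: 6 launches of a 30-parallel scan, 9:00 to 9:50, each running long.
    overlapping = staggered_schedule(6, 10, 120, 30)
    peak, at = peak_concurrency(overlapping)
    print(f"overlapping schedule: {peak} hosts in flight at {fmt(at)}")

    # Same 500 hosts in one scan: only ever 30 busy.
    single = [ScanJob("all-500", 540, 120, 30)]
    peak, at = peak_concurrency(single)
    print(f"single scan:          {peak} hosts in flight at {fmt(at)}")

    # Newer appliance assumption: 4 cores and 2 jobs multiply the in-flight count.
    newer = [ScanJob("all-500", 540, 120, 30, cores=4, jobs=2)]
    peak, at = peak_concurrency(newer)
    print(f"with multipliers:     {peak} hosts in flight at {fmt(at)}")
```

Running it reproduces the thread's numbers (180 for the staggered schedule, 30 for the single scan) and shows why the replies favour one scan with a tuned Option Profile over several overlapping ones: raising the multipliers on a single job is visible and controllable, whereas overlap from a schedule is easy to miss.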
With load-balancers and dual-home firewalls, let's assume that a firewall will not be the bottleneck, what is the limit on how many IP addresses can be scanned in parallel by the scanner? Large cloud networks might have millions of IP addresses.
You can set this to a pretty aggressive mode. Typically a scanner is going to be sending packets to 30 to 35 IPs per second per core in the appliance. Older appliances don't have that many cores, newer appliances have more. So, in a quad-core appliance, you are talking about over 120 packets to distinct IPs per appliance. Then you can scale up. Our biggest customer has 290+ appliances deployed internally, this is quite a few packets. You can make this more or less aggressive in the options for the scan.
One of our customers scans 350,000 IPs per month. If your environment is smaller, you will be fine.
How many cores is the most that is possible in the latest version? Is there a place on the scan configuration dashboard that I can look at to find out how many cores our scanner has?
The newest appliances have 4 cores, the older ones have 1. Basically you would have to ask support or your account rep to see if you have the older scanners or the newer scanners, if you don't already know.