Skip navigation
Discussions Blogs Social Media Events Training Help Center
Up to Discussions in QualysGuard VM
6052 Views 8 Replies Latest reply: May 1, 2012 9:49 AM by QM_SSJ4 RSS
HermanBotha Level 1
HermanBotha
5 posts since
Jan 12, 2011
Currently Being Moderated

Jun 29, 2011 9:01 PM

How many IP's are scanned concurrently by 1 appliance?

Good day,

 

I would like to find out how many host IP's are scanned concurrently by 1 Qualys appliance?

 

Also, does it make a difference if a scheduled scan with 500 host IP's are scheduled through more than one scheduled scan to kick off at 10 minute intervals. So the first scan starts at 9:00, the next at 9:10 and so on. Or should you only create 1 schedule with all 500 IP's in?

 

Kind regards.

  • nthomas Level 2
    nthomas
    40 posts since
    Jul 26, 2010
    Currently Being Moderated
    Jun 30, 2011 12:48 AM (in response to HermanBotha)
    Re: How many IP's are scanned concurrently by 1 appliance?

    Good morning Herman,

     

    The number of hosts scanned concurrently by a QualysGuard Scanner Appliance (internal or external) is defined in the Option Profile, Performance settings. These vary whether you are running a map or a scan task.

     

    If you run a task (map or scan), against 500 hosts with a setting of 30 hosts in parallel and then 10 minutes later run the same task, you could be assessing 60 hosts at the same time; now if that was an external scan, the task may run on two of our units so it's not a problem but if you were scanning external IP's in a DMZ the firewall may see 60 concurrent assessments and not be able to deal with such volume. Please bare in mind each configuration is different as some firewalls will be absolutely fine with this.  If you were running the assessment from a single Scanner Appliance against the hosts and you repeated this task every 10 minutes for an hour, assuming the assessments took a long time, you could be scanning 180 hosts in parallel and the Scanner Appliance may become overloaded. This was more of a concern with our older Scanner Appliances as we not to long ago released a more advanced Scanner Appliance better suited to running more simultaneous tasks but the bigger issues in this scenario would be that you are repetitively scanning the same hosts which is of little value within a short space of time considering you are looking for the same things.

     

    So my advice would be to review the Option Profile to determine settings for map and scan tasks which you find acceptable and run one task against the area you are interested in as defined by an Asset Group. Our standard 'out of the box' Initial Options profile works in the majority of environments but if you have a critical / sensitive area, reduce the performance settings to low or a custom level you are happy with and see how it goes. If you don't need to work around change control windows, it can also be helpful to notify support and networks teams so they are on your side and know who to contact if undesirable situations arise.

     

    Feel free to call or email me if you wish to discuss this further or we can meet up mid-July if you would like to look at this face to face.

     

    All the best,

     

    Nick.

    • QM_SSJ4 Level 2
      QM_SSJ4
      47 posts since
      May 12, 2011
      Currently Being Moderated
      Jun 30, 2011 5:03 AM (in response to nthomas)
      Re: How many IP's are scanned concurrently by 1 appliance?

      As Nick mentioned, be very careful about doubling up on scans not so much on the appliance side but on the Network and Target Host side of things.

       

      You need to be very sure you won't DOS your network if your running more than one scan at a time. If you run more than one Scan at a time, you are exponentially increasing the amount of traffic on your network.

       

      You also need to take note of the Host side as well (maybe even more so), as you'd be sending the same exponential amount of traffic at a single Host if, for whatever reason, you have the same Host list in both scans.

       

      I've found it better to slowly increase the Hosts & Processes to run in parallel in a single scan Option Profile than try and run multiple scans at once.

      • Keith Schoenefeld Level 1
        Keith Schoenefeld
        18 posts since
        Feb 23, 2011
        Currently Being Moderated
        May 1, 2012 9:13 AM (in response to QM_SSJ4)
        Re: How many IP's are scanned concurrently by 1 appliance?

        Sorry to dig this out of the weeds, but can you explain the math with regard to 'exponentially increasing the amount of traffic on your network'?  Are you using 'exponentialy' in place of 'significantly', or is it truly exponential growth?  As best I can determine, traffic will only double if two identically configured scans running against identically configured hosts are run from the same scanner at the same time.

        • QM_SSJ4 Level 2
          QM_SSJ4
          47 posts since
          May 12, 2011
          Currently Being Moderated
          May 1, 2012 9:49 AM (in response to Keith Schoenefeld)
          Re: How many IP's are scanned concurrently by 1 appliance?

          You have to take into account all of the following:

          1. Number of scan jobs your running per scanner
          2. Number of Hosts/Process your scanning in parallel (each job)
          3. Parallel Scanning option On vs Off

           

          The last one is what got me...If you enable parallel scanning AND you have the newer scanners (Serial Number beginning with 19###) that's when your exponentially increasing traffic with each scan job. The way I understand it, your multiplying the Hosts/Process scanned in parallel by both # Cores AND # Jobs per scanner. You can add a lot of packets on your Network and jam them into a Host that may not be able to handle it all that well if your not careful. I don't have either the parallel scaling nor the multiple jobs running....

    • lpt Level 1
      lpt
      15 posts since
      Apr 25, 2012
      Currently Being Moderated
      Apr 25, 2012 5:20 PM (in response to nthomas)
      Re: How many IP's are scanned concurrently by 1 appliance?

      With load-balancers and dual-home firewalls, let's assume that a firewall will not be the bottleneck, what is the limit on how many IP addresses can be scanned in parallel by the scanner? Large cloud networks might have millions of IP addresses.

      • jkent@qualys.com Level 4
        jkent@qualys.com
        435 posts since
        Jul 24, 2010
        Currently Being Moderated
        Apr 26, 2012 1:29 PM (in response to lpt)
        Re: How many IP's are scanned concurrently by 1 appliance?

        You can set this to a pretty aggressive mode.  Typically a scanner is going to be sending packets to 30 to 35 IPs per second per core in the appliance.  Older appliances don't have that many cores, newer appliances have more.  So, in a quad-core appliance, you are talking about over 120 packets to distinct IPs per appliance.  Then you can scale up.  Our biggest customer has 290+ appliances deployed internally, this is quite a few packets.  You can make this more or less aggressive in the options for the scan.

         

        One of our customers scans 350,000 ips per month.  If your environment is smaller, you will be fine.

More Like This

  • Retrieving data ...

Incoming Links

Bookmarked By (1)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 6 points