Configure and run a vulnerability scan to assess and identify security vulnerabilities in your internal network devices using the Network Vulnerability Scanner.
Important
This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
Scans created from the vulnerability scan template conduct a deep security assessment
by logging into network devices using valid credentials. The scan identifies vulnerabilities
such as missing patches, user permission issues, misconfigurations, and outdated applications
in devices that require authenticated access.
To configure a basic network vulnerability scan, you need:
- A deployed Service Gateway virtual appliance with the Network Vulnerability Scanner service installed
- IP addresses or FQDNs for the target network segment
- Authentication credentials for the target network assets
Note
When running a vulnerability scan, a discovery scan is first conducted using the supplied IP addresses and FQDNs. The discovery scan allows for the detection of system configuration risk events based on open port, service, and certificate information. For details on discovery scans, see Create and run a discovery scan in Network Vulnerability Scanner.
Ensure you have deployed a Service Gateway virtual appliance to the network environment
you wish to scan. For more information, see the Service Gateway deployment guides.
Procedure
- Install the Network Vulnerability Scanner service on your deployed Service Gateway.
  - In , click the name of the desired Service Gateway to view details.
  - Click Manage services to view the list of available services.
  - Find and install the latest version of the Network Vulnerability Scanner service.
  Note
  The Network Vulnerability Scanner service requires at least 2 CPUs and 4 GB of virtual memory.
  The Network Vulnerability Scanner service appears in the list of installed services for the Service Gateway.
- Create a new network vulnerability scan.
  - In , click Create scan from either Network scans or under vulnerability scan in Scan templates.
  - Specify a name and description for the scan.
  - Select the Service Gateway to use for the scan. Only Service Gateways with the Network Vulnerability Scanner service installed are available.
  - Specify up to 10,000 IPv4 addresses, ranges, or FQDNs separated by commas to scan for target network assets. CIDR notation is supported.
  Important
  Only supported devices running a supported operating system are available for scanning. No device details or vulnerability results are supplied for other network devices at the target IPs. For a list of supported products, see Network Vulnerability Scanner supported products.
  - Specify your authentication credentials for the target network devices. The following authentication methods are available:
    - Secure shell (SSH) with password (default login port: 22)
    - Secure shell (SSH) with private key (default login port: 22)
    - SNMPv3 with configured port, security level, and algorithms and passwords as required based on the selected security level
    - SNMPv2c with community string and port
    Note
    - Only one set of credentials is currently supported per scan. To scan targets requiring a different set of credentials for authentication, create a separate scan.
    - Passphrase-protected SSH private keys cannot be used to authenticate.
    - SNMPv3 security levels include:
      - Authentication and encryption: Requires both authentication and encryption algorithms and passwords
      - Authentication only: Requires authentication algorithm and password
      - No authentication or encryption
  - Choose whether to trigger the scan at a specified scheduled interval or to only allow manual scanning.
  - Click Save only to save the scan and wait for the scan to run according to your configured schedule, or Save and run scan to save and trigger the scan immediately.
  The newly configured scan appears on the list in Network scans.
- After the scan completes, you can download a report containing the scan results from Scan reports. Up to 15 scans can run at the same time.
  Important
  Only the most recent scan report for each scan is available. To keep a record of an earlier scan, download the report before the next scheduled scan.
- Manage detected vulnerabilities in Threat and Exposure Management.
  - After the scan completes, click View latest vulnerability risk events or View latest system configuration risk events.
  - View and manage risk events and vulnerable devices detected during the scan.
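The procedure above states several constraints that are easy to get wrong when a scan is typed into the console: targets must be IPv4 addresses, ranges, CIDR blocks or FQDNs (at most 10,000 entries), only one credential set is accepted per scan, SNMPv3 needs different fields depending on the chosen security level, and passphrase-protected SSH private keys are rejected. The following script is an added example, not code from the product or its documentation; it checks a scan definition against those constraints before it is entered. The dictionary field names (`method`, `security_level`, `auth_algorithm`, and so on), the `a.b.c.d-w.x.y.z` range syntax, and the header-only OpenSSH key stub used as sample input are this example's own assumptions.

```python
"""Pre-flight checks for a Network Vulnerability Scanner scan definition (added
example, not product code). It encodes constraints the procedure states: IPv4,
range, CIDR or FQDN targets (at most 10,000 entries), one credential set per
scan, SNMPv3 fields by security level, no passphrase-protected SSH keys. Field
names and the "a.b.c.d-w.x.y.z" range syntax are this example's assumptions."""
import base64
import ipaddress
import re
import struct
from collections import Counter
MAX_TARGETS = 10_000  # limit stated in the procedure
# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
_RANGE_RE = re.compile(r"^[\d.]+-[\d.]+$")
# Fields each method needs; SNMPv3 adds level-dependent fields (names assumed).
REQUIRED_FIELDS = {"ssh_password": ("username", "password"),
                   "ssh_key": ("username", "private_key"),
                   "snmpv2c": ("community",), "snmpv3": ()}
SNMPV3_REQUIRED = {
    "auth_priv": ("auth_algorithm", "auth_password", "priv_algorithm", "priv_password"),
    "auth_no_priv": ("auth_algorithm", "auth_password"),
    "no_auth_no_priv": ()}

def classify_target(entry):
    """Return 'cidr', 'range', 'ipv4' or 'fqdn'; raise ValueError otherwise."""
    entry = entry.strip()
    if "/" in entry:
        ipaddress.IPv4Network(entry, strict=False)  # raises ValueError for IPv6 or junk
        return "cidr"
    if _RANGE_RE.match(entry):
        lo, hi = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {entry}")
        return "range"
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ValueError:
        pass
    if _FQDN_RE.match(entry):
        return "fqdn"
    raise ValueError(f"unrecognised target: {entry!r}")

def check_targets(spec):
    """Parse the comma-separated target field; return a Counter of entry kinds."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries or len(entries) > MAX_TARGETS:
        raise ValueError(f"need 1..{MAX_TARGETS} target entries, got {len(entries)}")
    return Counter(classify_target(e) for e in entries)

def ssh_key_is_encrypted(key_text):
    """True if an SSH private key (legacy PEM or OpenSSH format) needs a passphrase."""
    if "Proc-Type: 4,ENCRYPTED" in key_text:  # legacy PEM flags encryption in a header
        return True
    if "BEGIN OPENSSH PRIVATE KEY" not in key_text:
        return False
    body = "".join(ln for ln in key_text.splitlines() if not ln.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("malformed OpenSSH private key")
    (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])  # cipher name length
    return raw[len(magic) + 4:len(magic) + 4 + n] != b"none"

def credential_problems(cred):
    """Return the problems with one credential set; an empty list means usable."""
    method = cred.get("method")
    if method not in REQUIRED_FIELDS:
        return [f"unsupported method {method!r}"]
    required = list(REQUIRED_FIELDS[method])
    if method == "snmpv3":
        level = cred.get("security_level")
        if level not in SNMPV3_REQUIRED:
            return [f"unknown security_level {level!r}"]
        required += SNMPV3_REQUIRED[level]
    problems = [f for f in required if not cred.get(f)]
    if method == "ssh_key" and cred.get("private_key") \
            and ssh_key_is_encrypted(cred["private_key"]):
        problems.append("private_key is passphrase-protected")
    return problems

def validate_scan(scan):
    """Every problem in a scan definition: targets plus exactly one credential set."""
    problems = []
    try:
        check_targets(scan.get("targets", ""))
    except ValueError as exc:
        problems.append(f"targets: {exc}")
    creds = scan.get("credentials", [])
    if len(creds) != 1:
        problems.append(f"exactly one credential set per scan, got {len(creds)}")
    return problems + [p for c in creds for p in credential_problems(c)]

def openssh_key_stub(cipher):
    """Constructed header-only blob (magic, cipher, kdf names); not a real key."""
    raw = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", 6) + b"bcrypt")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

`validate_scan` returns an empty list for a definition the console should accept; each string in a non-empty list names one missing field or violated rule, so the scan can be corrected before the first scheduled run rather than after an authentication failure shows up in the report.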