Scanning a System
This is the core operator chapter. It walks through every way to run a scan on the Greenbone Enterprise Appliance: the Task Wizard for a quick first scan, configuring a scan manually (target plus task), authenticated scans with Local Security Checks and credentials, CVE scans, container tasks, and the management of all the objects that scans depend on - targets, port lists, tasks, scan configurations, schedules, scanners, and alerts. It closes with the typical obstacles you hit while scanning.
Based on the Greenbone Enterprise Appliance manual (GOS 22.04 / OPENVAS SCAN 22.04), chapter 10, verified June 2026. The scanning workflow is the same in the free Community Edition. Not every appliance model supports every menu option shown here - check the model tables in manual chapter 3 if a feature is missing.
A vulnerability scan is an active intrusion into a system. Aggressive scan configurations such as Full and very deep ultimate include VTs that can disrupt services, cause shutdowns, or trigger a denial of service. Only scan hosts you own or have explicit written authorization to test, and use safe configurations against production systems. See section 11 for the obstacles and side effects to plan for.
1. Using the Task Wizard for a first scan
The Task Wizard can configure and start a basic scan with minimal input (§10.1). There are three variants: a simple wizard, an advanced wizard, and a wizard that modifies an existing task.
1.1 Simple Task Wizard
Scans > Tasks > (hover the wizard icon) > Task Wizard
-> enter IP address or host name
-> Start Scan
The wizard then automatically creates a new target, creates a new task, starts the task immediately, and shows the Tasks page. If you enter a DNS name, the appliance must be able to resolve it. Once the task is started you can watch progress on the Tasks page; clicking the bar in the Status column shows the report even before the scan finishes, and the full report is available once the status reaches Done.
1.2 Advanced Task Wizard
The advanced wizard exposes more configuration options (§10.1.2). The input boxes correspond to the target and task fields described in sections 3 and 4 below.
Scans > Tasks > (hover the wizard icon) > Advanced Task Wizard
-> define the task
-> Create
If you enter an address in Email report to, an alert is created automatically that e-mails the report when the task completes (see section 13). The wizard starts the task immediately and shows the Tasks page.
1.3 Modify Task Wizard
This wizard changes an existing task (§10.1.3).
Scans > Tasks > (hover the wizard icon) > Modify Task Wizard
-> select the task in the Task drop-down
-> Create Schedule (radio button) and set first date/time
-> Email report to (address)
-> Modify Task
2. Two ways to scan
The appliance can scan a target with two approaches (§10.2):
- Simple scan - the target is probed only from the outside over the network.
- Authenticated scan using Local Security Checks (LSC) - the appliance also logs into the target with valid credentials and inspects it from the inside.
Configuring a scan manually is always three steps: create a target, create a task, start the task.
3. Creating a target
A target defines what gets scanned (§10.2.1).
Configuration > Targets > (new icon) -> define -> Save
Key fields:
- Name / Comment - free text; choose a descriptive name (for example Mailserver, DMZ, ClientNetwork).
- Hosts - the systems to scan, comma-separated, imported from an ASCII file (commas or line breaks), or imported from the host asset database. Either an IP address or a resolvable host name is required, and the appliance must be able to connect to the system.
- Exclude Hosts - hosts to remove from the list above, same syntax as Hosts.
- Allow simultaneous scanning via multiple IPs - set to No for fragile services (for example IoT devices) that can crash when reached over IPv4 and IPv6 at once.
- Port list - the port list used for the scan (see section 8). A port list can be created on the fly.
- Alive Test - the method used to decide whether a target is reachable.
- Credentials - SSH Credential, SMB Credential, ESXi Credential, and SNMP Credential enable authenticated scans (see section 5). Each can be created on the fly.
- Reverse Lookup Only / Reverse Lookup Unify - restrict scanning to addresses that resolve to a DNS name, and scan a name only once if several addresses resolve to it.
3.1 Host notation
Hosts can be entered as single IPs, host names, ranges, or CIDR, mixed freely:
192.168.15.5 single IPv4
mail.example.com host name
192.168.15.5-192.168.15.27 IPv4 range, long form
192.168.55.5-27 IPv4 range, short form
192.168.15.0/24 IPv4 CIDR
fe80::222:64ff:fe76:4cea single IPv6
::12:fe5:fb50-::12:fe6:100 IPv6 range, long form
::13:fe5:fb50-fb80 IPv6 range, short form
fe80::222:64ff:fe76:4cea/120 IPv6 CIDR
The maximum configurable number of IP addresses is 4096 for most models (so the smallest IPv4 mask is /20 and the smallest IPv6 mask is /116 if no other hosts are configured). The Greenbone Enterprise 6500 allows up to 16777216 addresses and correspondingly larger subnets. With CIDR notation the network and broadcast addresses are not counted as usable and are not scanned; add them explicitly if they are real, scannable hosts.
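To check a Hosts value against the address limit before saving a target, the sketch below counts the addresses each notation expands to. It is an added example, not code from the manual or from Greenbone; `count_entry`, `check_hosts_field` and `MAX_IPS` are hypothetical names. It assumes a host name counts as one address, that the limit applies to the scannable addresses, and that CIDR blocks of one or two addresses are counted in full.

```python
import ipaddress
import re

MAX_IPS = 4096  # limit the page gives for most appliance models

# The nine notations listed on the page, one per line.
PAGE_EXAMPLES = """192.168.15.5
mail.example.com
192.168.15.5-192.168.15.27
192.168.55.5-27
192.168.15.0/24
fe80::222:64ff:fe76:4cea
::12:fe5:fb50-::12:fe6:100
::13:fe5:fb50-fb80
fe80::222:64ff:fe76:4cea/120"""


def _short_form_end(first, tail):
    """End address of a short-form range: the last octet/group is replaced."""
    sep = "." if first.version == 4 else ":"
    parts = first.exploded.split(sep)
    parts[-1] = tail
    return ipaddress.ip_address(sep.join(parts))  # ValueError if tail is invalid


def count_entry(entry):
    """Return how many addresses one Hosts entry contributes."""
    entry = entry.strip()
    if "/" in entry:
        # strict=False accepts a host address with a prefix length,
        # as in the page's fe80::222:64ff:fe76:4cea/120 example.
        net = ipaddress.ip_network(entry, strict=False)
        total = net.num_addresses
        # Page rule: network and broadcast addresses are not scanned.
        # Assumption: blocks of one or two addresses are counted in full.
        return total - 2 if total > 2 else total
    if "-" in entry:
        left, right = (part.strip() for part in entry.split("-", 1))
        try:
            first = ipaddress.ip_address(left)
        except ValueError:
            return 1  # host name containing a hyphen (assumption: one host)
        try:
            last = ipaddress.ip_address(right)        # long form
        except ValueError:
            last = _short_form_end(first, right)      # short form
        if first.version != last.version or int(last) < int(first):
            raise ValueError(f"invalid range: {entry!r}")
        return int(last) - int(first) + 1
    return 1  # single IP address or host name


def check_hosts_field(text, limit=MAX_IPS):
    """Sum all entries (comma- or newline-separated); return (total, within_limit)."""
    entries = [e for e in re.split(r"[,\n]", text) if e.strip()]
    total = sum(count_entry(e) for e in entries)
    return total, total <= limit


if __name__ == "__main__":
    for line in PAGE_EXAMPLES.splitlines():
        print(f"{line:32} {count_entry(line):>6}")
    print(check_hosts_field(PAGE_EXAMPLES))
    print(check_hosts_field("10.0.0.0/19"))  # constructed value that exceeds the limit
```

Exclude Hosts entries are not subtracted here, so the total is an upper bound for a target that uses exclusions.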
3.2 Alive test
The alive test method can be set per target (§10.2.1). Options range from Scan Config Default (which uses ICMP Ping) through ICMP Ping, TCP-ACK Service Ping, TCP-SYN Service Ping, several combinations with ARP, up to Consider Alive. The test sometimes needs local tuning: routers and firewalls may answer a TCP service ping with a TCP-RST even when the host is actually down, and Proxy-ARP devices may answer an ARP ping. See section 11 for the symptoms.
3.3 Elevated SSH privileges
When SSH credentials are selected you can also store elevated credentials (for example root). A second drop-down appears for the elevated credentials. The appliance logs in with the default SSH credentials and then runs su - username; the elevated user is used for the scan itself.
This feature is experimental. The elevated user's rights must already be configured on the target, stty and unset must be available, and the user must be allowed to change the prompt via a prepended export PS1=. Default and elevated SSH credentials must not be identical. Elevated credentials are always used once configured, even if the scan configuration contains no relevant VTs, and they noticeably increase appliance load, the number of SSH connections, and scan duration - account for this in firewalls, IDS, and logging.
4. Creating and starting a task
A task ties a target to a scan configuration and a scanner, and controls execution (§10.2.2).
Scans > Tasks > (hover New) > New Task -> define -> Save
Key fields:
- Name / Comment - free text.
- Scan Targets - a previously created target (or create one on the fly).
- Alerts - status changes can be communicated via e-mail, Syslog, HTTP, or a connector (see section 13).
- Schedule - run once or repeatedly at a set time (see section 12).
- Add results to Assets - feed the results into asset management. Required for CVE scans (see section 6). Apply Overrides and Min QoD control how results enter the asset database.
- Alterable Task - allow target, scanner, and scan configuration to be edited even after reports exist. Consistency between reports can then no longer be guaranteed.
- Auto Delete Reports - optionally keep only a maximum number of reports; the factory setting keeps all reports.
- Scanner - by default the built-in OpenVAS and CVE scanners (see section 10). The options below apply only to the OpenVAS scanner; the CVE scanner has no options.
- Scan Config - one of the predefined or custom configurations (see section 9). Exactly one per task.
- Order for target hosts - Sequential, Random, or Reverse. Random is recommended because it improves progress estimation. The alive test is always random regardless.
- Maximum concurrently executed NVTs per host / Maximum concurrently scanned hosts - the maxchecks and maxhosts speed knobs. The defaults are sensible; raising them can strain the targets, the network, or the appliance.
- Tag - link a previously configured tag to the task.
4.1 Starting the task
In the task row, click the start icon. The task joins the waiting queue and the scanner begins. Scheduled tasks show an extra icon and start at their scheduled time. A task can occasionally stay in the queue. Click the Status bar to view the report; the full report appears when the status reaches Done.
5. Authenticated scans with Local Security Checks
During an authenticated scan the appliance both probes the target over the network and logs in with a valid user to run local security checks (§10.3). The login is recorded in the target's own logs, but LSC VTs are minimally invasive: the appliance only determines risk and changes nothing on the target. The relevant VT families run only if the login succeeds.
The appliance uses different credentials depending on the target type:
| Method | Default port | Allowed credential types | Use |
|---|---|---|---|
| SMB | 445/tcp, 139/tcp | Username + Password | Microsoft Windows patch level and installed software |
| SSH | 22/tcp (configurable per target) | Username + Password, Username + SSH Key | Unix/Linux patch level |
| ESXi | per VMware KB 2039095 | Username + Password | VMware ESXi servers |
| SNMP | 161/udp | SNMP | Routers, switches, and other SNMP-aware components |
5.1 Advantages and disadvantages
An authenticated scan is a whitebox approach: with inside access the appliance reads the registry, software versions, and patch levels, giving far more vulnerability detail than a remote-only scan. Local security checks are the gentlest scanning method. A remote-only scan is a blackbox approach that may provoke malfunctions to extract information and can have some impact even with safe checks.
Results depend heavily on the account's permissions. On Linux an unprivileged user is usually enough. On Microsoft Windows unprivileged users are very restricted (no access to the registry or the \windows system folder), so administrative or domain accounts yield far more results. Even with safe_checks=yes in a Full and fast scan, some VTs are invasive but safe - the Heartbleed VT, for example, runs because it does no harm even though it tests for memory leakage; the leaked data is discarded immediately.
5.2 Creating a credential
Configuration > Credentials > (new icon) -> define -> Save
| Type | Required inputs |
|---|---|
| Username + Password | Username, Password (or auto-generate a random password) |
| Username + SSH Key | Username, Passphrase, Private Key; optional Certificate + Private Key |
| SNMP | Community (SNMPv1/v2c) or Username + Password + Privacy Password + Auth/Privacy algorithm (SNMPv3) |
| S/MIME Certificate | certificate file |
| PGP Encryption Key | public key file |
| Password only | Password |
Other notes: Allow insecure use permits unencrypted authentication methods. User names allow English alphanumerics plus - _ \ . @ only - German umlauts must be transliterated (ß to ss, ä to a, and so on). Because the SNMP credential is singular, the appliance always tries every SNMP version, so a scan can show both a successful and a failed SNMP login at once. A credential must be linked to at least one target before the scan engine can apply it.
5.3 Managing credentials
List credentials under Configuration > Credentials. The list shows name, type, whether insecure use is allowed, and login. Per-credential actions are trashcan (only if unused), edit, clone, and export to XML. Depending on type, you can also download install packages that create the scan account and its permissions and reset them on uninstall:
- EXE package (Microsoft Windows) - for Username + Password.
- RPM package (Red Hat and derivatives) and DEB package (Debian and derivatives) - for Username + SSH Key.
- Public key download - for Username + SSH Key.
If password auto-generation is enabled the install package must be used; otherwise it is optional. The details page adds Information, User Tags, and Permissions registers.
5.4 Per-OS requirements
These summarize the requirements per target operating system (§§10.3.3 to 10.3.9). Reproduce the exact device commands from the manual rather than from memory.
| Target OS | Protocol | Account / setup needed |
|---|---|---|
| Microsoft Windows | SMB | Domain account with a domain policy granting local admin is strongly recommended (see below). Remote registry service started; file and printer sharing on; appliance firewall exception; WMI access allowed |
| Microsoft Windows (standalone) | SMB | LocalAccountTokenFilterPolicy = 1 registry DWORD on non-domain hosts |
| VMware ESXi | ESXi | Local user on each ESXi host (VCSA users are not known to the hosts); either admin role or a read-only role with the Global > Settings permission |
| Linux / Unix | SSH | Regular user is usually enough; root or wheel membership for policy tests; public-key auth must not be disabled in sshd_config |
| Cisco OS | SNMP or SSH | SNMPv1/v2c/v3; for SSH a least-privileged role-based user that can run show version |
| Huawei VRP | SNMP or SSH | SNMPv1/v2c/v3; for SSH a least-privileged user that can run display device, display version, display patch-information |
| Huawei EulerOS | SSH | Regular user; same SSH-key requirements as Linux/Unix; RPM install package available |
| GaussDB | SSH | Account must have GaussDB execute permission; specific requirements per account type (root, gaussdba, regular user, regular DB user gauss) |
Microsoft Windows. A domain account with a domain policy granting local administrator rights is the recommended approach: the policy is created once and reused, no local registry edits are needed, only a domain account can detect domain-related findings, and Kerberos plus a Deny log on locally / Deny log on through Remote Desktop Services policy reduce the attack surface. The manual walks through creating a Greenbone Local Scan security group, a Greenbone Local SecRights GPO, restricted-group membership, deny-logon settings, and optional read-only registry permissions.
The optional registry read-only restrictions are tattooing - they persist after the GPO is removed and are not simply reversible. Verify compatibility with your environment first. They also break two write-dependent VTs (Leave information on scanned Windows hosts, OID 1.3.6.1.4.1.25623.1.0.96171, and Windows file Checksums, OID 1.3.6.1.4.1.25623.1.0.96180). Building a GPO with no local admin rights at all is not recommended - the effort is huge and the changes cannot be cleanly reverted.
Linux / Unix and EulerOS. Authenticate with a password or a private SSH key. Keep sshd_config defaults MaxSessions: 10 and MaxAuthTries: 6 or higher. Supported key formats are PEM or OpenSSH; supported key types are Ed25519, ECDSA, RSA, and DSA. Install locate/mlocate to reduce expensive find calls. With root access a fixed set of read-only commands (bash, cat, dpkg, rpm, id, netstat, uname, and similar) is executed - this list is not static and grows with VTs and detected software.
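A pre-scan check of a target's sshd_config against the three requirements above (MaxSessions, MaxAuthTries, public-key authentication), as an added example that is not part of the manual or of Greenbone's tooling. The function names and the sample configuration are constructed; the sketch assumes OpenSSH semantics (first occurrence of a keyword wins, keywords are case-insensitive) and does not follow Include directives or evaluate Match blocks.

```python
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"maxsessions": "10", "maxauthtries": "6", "pubkeyauthentication": "yes"}

# Constructed sample input: a duplicate keyword and a Match block on purpose.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not taken from a real host
Port 22
MaxSessions 4
MaxSessions 20
PubkeyAuthentication no
Match User scanner
    MaxAuthTries 2
"""


def effective_global_settings(config_text):
    """Return the global settings sshd would use: first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match line is conditional
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().strip('"'))
    return settings


def scan_readiness_findings(config_text):
    """List (keyword, value, reason) for settings that hinder an authenticated scan."""
    eff = {**DEFAULTS, **effective_global_settings(config_text)}
    findings = []
    if int(eff["maxsessions"]) < 10:
        findings.append(("MaxSessions", eff["maxsessions"],
                         "below 10; the scanner opens several sessions per connection"))
    if int(eff["maxauthtries"]) < 6:
        findings.append(("MaxAuthTries", eff["maxauthtries"],
                         "below 6; logins may be cut off before authentication succeeds"))
    if eff["pubkeyauthentication"].lower() != "yes":
        findings.append(("PubkeyAuthentication", eff["pubkeyauthentication"],
                         "disabled; Username + SSH Key credentials cannot log in"))
    return findings


if __name__ == "__main__":
    for keyword, value, reason in scan_readiness_findings(SAMPLE_SSHD_CONFIG):
        print(f"{keyword} = {value}: {reason}")
```

A Match block that applies to the scan account can still override these global values, so review such blocks by hand when the check reports nothing.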
Cisco OS / Huawei VRP. The default port list has no UDP ports, so 161/udp (SNMP) is not discovered and no SNMP check runs with Full and fast. Use a custom port list that includes the network-device ports (SSH, HTTP/S, SCCP, SIP/S, SNMP, NTP, and so on). For SNMP, constrain the appliance to the system-description subtree with an SNMP view and restrict it with an access list. For SSH, create a least-privileged role/view limited to the version commands. On Cisco, Full and fast also requires ssh server rate-limit 240.
GaussDB. The scanning user must have GaussDB execute permission. Scanning as root is not recommended. Requirements differ by account: root needs PermitRootLogin yes (or prohibit-password for key auth) and to be able to run zsql/zengine; the DB install user gaussdba, a regular user, or a regular DB user (gauss, configured in each scan configuration) each have their own narrower prerequisites.
6. CVE scans
The CVE scanner forecasts likely security risks from existing scan data instead of running a fresh vulnerability scan (§10.4). It matches the CPEs of hosts in the latest report for the same IP address against the CVEs in the current SecInfo. Only reports from tasks with Add results to Assets enabled are considered. This is useful when most vulnerabilities have already been remediated and you want a quick prognosis.
1. Run a full scan (for example Full and fast) with "Add results to Assets" = Yes
2. Scans > Tasks > (hover New) > New Task
3. define the task, set Scanner = CVE, Save
4. start the task
5. Scans > Reports > open the report
Prerequisites and caveats:
- A CVE is only detected if it has a correct CPE assigned in the National Vulnerability Database (NVD); while the NVD page shows Undergoing analysis, expect no results.
- The asset database needs current data, so run a full scan first (authenticated scans increase what the CVE scan can find) and re-run it regularly.
- The CVE scanner can report false positives: it does not verify the vulnerability actually exists, and it cannot detect backported security fixes because the NVD does not track that fixed status.
Each detected CVE appears as a vulnerability in the report; the Detection Method section links to the VT it came from.
7. Container tasks
A container task imports and serves reports created on other appliances (§10.5).
Scans > Tasks > (hover New) > New Container Task -> Name -> Save
(in the task row) Import icon -> Browse for the report XML
-> add to assets = Yes -> Import
Container tasks are flagged by a distinct icon in the Status column. List actions include import, trashcan, edit, clone, and export; the details page adds reports, results, notes, and overrides registers.
8. Managing targets
List all targets under Configuration > Targets (§10.6). The list shows name, hosts, number of IPs, port list, and credentials. Per-target actions are trashcan (only if unused), edit, clone, and export to XML; multiple targets can be trashed or exported at once. The details page provides Information, User Tags, and Permissions registers and the usual create/clone/edit/trash/export actions.
9. Creating and managing port lists
A port list defines which ports a scan probes (§10.7). If applications run on unusual ports, adapt or create a port list. Default port lists ship through the feed, update with each feed update, cannot be edited, and reappear after a feed update if deleted - permanently removing one requires the Feed Import Owner to delete it and then be set to (Unset).
9.1 Creating a port list
Configuration > Port Lists > (new icon) -> define -> Save
Port Ranges are entered manually (comma-separated) or imported from an ASCII file (commas or line breaks). Each entry is a single port (7) or a range (9-11), optionally prefixed with a protocol specifier T: for TCP or U: for UDP - for example T:1-3, U:7, 9-11. Without a specifier, TCP is assumed.
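The sketch below parses a Port Ranges string as described above and reports which required service ports it leaves out, which is the check behind the "VT not used" obstacle (161/udp missing from the port list). It is an added example, not code from the manual or from Greenbone; `parse_port_ranges` and `missing_ports` are hypothetical names. It follows the page's rule that an entry without T: or U: is TCP, so compare its counts with the TCP and UDP totals shown on the Port Lists page.

```python
import re

# One entry: optional "T:" or "U:" specifier, a port, optionally "-port".
ENTRY = re.compile(r"^(?:([TU]):)?\s*(\d+)(?:\s*-\s*(\d+))?$")


def parse_port_ranges(text):
    """Parse a Port Ranges string into {'tcp': set_of_ports, 'udp': set_of_ports}."""
    ports = {"tcp": set(), "udp": set()}
    for raw in re.split(r"[,\n]", text):  # commas or line breaks, as in an import file
        entry = raw.strip()
        if not entry:
            continue
        match = ENTRY.match(entry)
        if not match:
            raise ValueError(f"unparseable entry: {entry!r}")
        # Page rule: without a specifier, TCP is assumed.
        proto = "udp" if match.group(1) == "U" else "tcp"
        first = int(match.group(2))
        last = int(match.group(3) or first)
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"port out of range or reversed: {entry!r}")
        ports[proto].update(range(first, last + 1))
    return ports


def missing_ports(text, required):
    """Return the 'port/proto' items from `required` that the port list omits."""
    ports = parse_port_ranges(text)
    missing = []
    for item in required:
        number, proto = item.lower().split("/")
        if int(number) not in ports[proto]:
            missing.append(item)
    return missing


if __name__ == "__main__":
    example = "T:1-3, U:7, 9-11"  # the example string from the page
    parsed = parse_port_ranges(example)
    print(len(parsed["tcp"]), "TCP ports,", len(parsed["udp"]), "UDP ports")

    # Constructed port list for a network device; the SNMP port is left out on purpose.
    device_list = "T:22, T:80, T:443, U:123"
    print(missing_ports(device_list, ["22/tcp", "161/udp"]))
```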
9.2 Importing a port list
Configuration > Port Lists > (import icon) -> Browse for the XML -> Import
9.3 Managing port lists
The list shows name and the total, TCP, and UDP port counts. Actions are trashcan (only if unused; while in the trashcan it is not re-downloaded by a feed update), edit (only self-created, unused lists), clone, and export. The details page adds a Port Ranges register showing the first and last port and the protocol specifier of each range.
10. Managing tasks
List all tasks under Scans > Tasks (§10.8). For each task the list shows name (with icons for alterable, remote-scanner, visible-to-others, or owned-by-another), status, number of reports, last report, highest severity, and trend.
The Status bar reflects the lifecycle: no runs, requested/queued, running (the percentage is based on VTs executed, not elapsed time), processing, Done, stop requested, stopped, resuming, deleting, and interrupted/error. Tasks that are requesting, processing, stopping, resuming, or deleting cannot be stopped, resumed, or deleted. Resuming re-scans every unfinished host from scratch while keeping fully scanned hosts.
Per-task actions are start, stop (discovered results are written to the database), show schedule (scheduled tasks only), resume, trashcan, edit, clone, and export. The details page provides Information, User Tags, and Permissions registers plus shortcuts to reports, results, notes, and overrides.
10.1 Granting task permissions
Permissions can be granted per task so another user, group, or role can see it and access its reports (§10.8.1).
Scans > Tasks > (open task details) > Permissions register
-> (new icon) -> select permission type in Grant
-> choose User / Group / Role and the specific principal -> Save
By default a regular user cannot create permissions for others; doing so requires both the global and the specific get_users permission.
11. Scan configurations
A scan configuration selects which VTs run and how (§10.9). The appliance ships with predefined configurations distributed via the feed; like default port lists they cannot be edited and reappear after a feed update unless permanently removed by the Feed Import Owner.
11.1 Default scan configurations
| Configuration | What it does |
|---|---|
| Empty | Empty template, no VTs; clone it for a fully custom config (static VT families) |
| Base | Information-gathering only, no vulnerability detection; Ping Host plus OS info (static families) |
| Discovery | Information only; inventories ports, hardware, firewalls, services, software, certificates (dynamic families) |
| Host Discovery | Detects which hosts are alive via Ping Host; no vulnerability detection (static families) |
| System Discovery | Detects hosts plus OS and hardware; no vulnerability detection (static families) |
| Full and fast | Recommended starting point; almost all VTs, none that damage the target, tuned for a low false-negative rate (dynamic families) |
| Full and fast ultimate | Full and fast plus VTs that may disrupt services or cause shutdowns; higher false-positive rate (dynamic families) |
| Full and very deep | Like Full and fast but ignores port/service detection when selecting VTs; very slow (dynamic families) |
| Full and very deep ultimate | Full and very deep plus dangerous VTs; very slow, higher false-positive rate (dynamic families) |
"Dynamic" VT families pick up new VTs automatically after a feed update; "static" families do not.
11.2 Creating a scan configuration
Configuration > Scan Configs > (new icon)
-> Name, choose a base (Base / Empty / Full and fast / a previous config) -> Save
-> (edit icon) on the new config
-> Edit Network Vulnerability Test Families: include new families automatically? select VT families/VTs
-> optionally edit scanner preferences and VT preferences
-> Save
Several OS-specific Local Security Check families (AIX, AlmaLinux, Amazon Linux, CentOS, Debian, Fedora, Red Hat, SuSE, Ubuntu, Huawei EulerOS, and others) cannot be edited. For the Notus Scanner to work, the VT Determine OS and list of installed packages via SSH login (OID 1.3.6.1.4.1.25623.1.0.50282) must be activated.
Any custom configuration with the scanner preference safe_checks set to no may be unreliable and produce more false positives, which can require manual analysis and overrides.
11.3 Importing a scan configuration
Configuration > Scan Configs > (import icon) -> Browse for the XML -> Import
Only import configurations created with the current GOS version; other versions may error or behave unexpectedly. A numeric suffix is added if the name already exists. Edit the imported config as above.
11.4 Scanner preferences
Scanner preferences are edited from the config's edit page under Edit Scanner Preferences (§10.9.4). Documenting all of them is out of scope and undocumented ones may be deprecated. The most important include: safe_checks (disables damaging VTs), optimize_test (only start VTs whose prerequisites are met), auto_enable_dependencies, max_sysload and min_free_mem (back off when the appliance is loaded), non_simult_ports, plugins_timeout and scanner_plugins_timeout, checks_read_timeout, alive_test_ports and test_alive_wait_timeout (Boreas alive scanner), unscanned_closed / unscanned_closed_udp, and the vhost preferences test_empty_vhost and expand_vhosts.
11.5 VT preferences
VT preferences are edited per VT under Network Vulnerability Test Preferences (§10.9.5). The manual documents the Ping Host and Nmap (NASL wrapper) port-scanner VTs. Note that most Ping Host parameters are no longer supported under GOS 22.04 because they are incompatible with the Boreas alive scanner. The Nmap options map directly onto Nmap command-line flags (fragmenting packets, OS identification, service scan, RTT timeouts, retries, parallelism, source port, scan technique) and a Timing policy from Paranoid to Insane.
11.6 Managing scan configurations
The list shows name, type, the number and trend of VT families, and the number and trend of VTs (the trend icons indicate whether new families/VTs are picked up automatically after a feed update). Actions are trashcan (only if unused), edit (only self-created, unused configs), clone, and export. The details page adds Scanner Preferences, NVT Families, NVT Preferences, User Tags, and Permissions registers and can also import a configuration.
12. Scheduled scans
A schedule turns a task into an automatic scan that runs once or repeatedly (§10.10). The appliance provides no schedules by default.
12.1 Creating a schedule
Configuration > Schedules > (new icon) -> define -> Save
Fields: Name, Comment, Timezone (default UTC±00:00; the appliance runs internally in UTC, so the chosen time zone matters - for example America/New_York for EST), First Run, Run Until (with an Open End checkbox; tasks with an end time cannot be started manually), Duration (a maximum run window; if the time expires the task is aborted and suspended until the next slot), and Recurrence (Once, Hourly, Daily, Weekly, Monthly, Yearly, Workweeks, or Custom).
12.2 Managing schedules
The list shows name, first run, next run, recurrence, and duration. Actions are trashcan (only if unused), edit, clone, and export. The details page provides the usual registers and actions.
13. Creating and managing scanners
The appliance ships with two scanners (§10.11): OpenVAS Default (the scan engine) and CVE (the forecast scanner from section 6). The scanner is chosen when creating a task. Creating a new scanner is only used to add a remote scanner (sensor).
List scanners under Configuration > Scanners. Actions are trashcan, edit, clone, and export (the first three only for self-created scanners), plus Verify (confirm the scanner is online and reachable with its certificates and credentials) and certificate / CA-certificate download (self-created scanners only). The details page provides the usual registers and actions.
14. Using alerts
An alert ties an event to a condition and an action (§10.12). When the event fires and the condition is met, the action runs - for example, e-mail a report when a task finishes and a high-severity vulnerability was found.
14.1 Creating an alert
Configuration > Alerts > (new icon) -> define -> Save
- Event - task status change, SecInfo added/updated (VTs, CVEs, CPEs, CERT-Bund and DFN-CERT advisories), or ticket assigned/edited.
- Condition - Always, a severity threshold, a severity change, or a Powerfilter matching at least N more results than the previous scan. Options differ for task, SecInfo, and ticket alerts.
- Report Content / Delta Report (task alerts) - limit the report with a Powerfilter and optionally produce a delta report.
- Method - one method per alert; create several alerts on the same event for several methods.
14.2 Alert methods
| Method | What it does |
|---|---|
| Email | Sends the report (notice, included, or attached) to an address; needs the mailhub configured; supports S/MIME or PGP encryption and $-placeholders |
| HTTP Get | Issues a URL as HTTP GET, for example an SMS gateway or issue-tracker entry |
| SCP | Copies the report to a host via Secure Copy Protocol with a credential, known-hosts key, and destination path |
| Send to host | Sends the report to a host/port over TCP |
| SMB | Copies the report to a UNC share path via SMB with a credential; supports %-placeholders and a Max Protocol version |
| SNMP | Sends an SNMP trap to an agent using a community string |
| Sourcefire Connector | Sends data to a Cisco Firepower Management Center |
| Start Task | Starts an additional task |
| System Logger | Sends the alert to a Syslog daemon (configured in the GOS admin menu) |
| verinice.PRO Connector | Sends data to a verinice.PRO installation |
| TippingPoint SMS | Uploads a CSV report to a TippingPoint Security Management System over an HTTPS API |
| Alemba vFire | Creates a ticket in vFire with the report attached |
The Email method requires To Address, From Address, and Content; encryption certificates must be PEM-encoded, X.509, issued for the recipient address, and valid. SCP requires Credential, Host, Known Hosts, Path, and Report (default port 22). SMB requires Credential, Share path (for example \\host\share, created beforehand), and File path.
14.3 Assigning and managing alerts
Assign an existing alert by editing a task and selecting it in the Alerts drop-down; the task then appears on the alert's details page. List alerts under Configuration > Alerts showing name, event, condition, method, filter, and active state. Actions are trashcan (only if unused), edit, clone, export, and Test.
15. Obstacles while scanning
The default values work for most environments but sometimes need tuning (§10.13):
- Hosts not found - by default the appliance pings first and treats non-responding hosts as dead. Local firewalls that suppress ping responses cause hosts to be skipped. Adjust the alive test (TCP ping, or ARP ping within the same broadcast domain) on the target or scan configuration.
- Long scan periods - against a firewall that drops packets the port scanner waits for each port to time out. Tune the port lists or the firewall; a firewall that rejects rather than drops avoids the timeout wait, which matters especially for UDP ports.
- VT not used - the default port list contains no UDP ports, so 161/udp is never discovered and SNMP VTs never run even though Full and fast includes them. Add the needed UDP ports to a custom port list rather than enabling all ports, which would greatly slow scans.
- Scanning vhosts - the scanner resolves host-name/IP relationships automatically and avoids duplicate results for virtual hosts. Two scanner preferences govern this: test_empty_vhost and expand_vhosts (see section 11.4).