| Field Name |
Details |
| Scanning Depth Level |
Select the scanning level that you want to use. Enable one or more levels from the following:
• Sweep Scan – This will do a sweep scan, simply asserting that there is an IP device at each endpoint in the scan range.
• Host Identification – Retrieve sufficient information to build a host and its interfaces. Usually this will involve getting the hostinfo and the interfaces for the endpoint.
• Host Information – Retrieve all the default information for hosts, but do not do any inference.
• Full Discovery – Retrieve all the default information for hosts, and complete full inference.
You can also select the default scan level for this appliance from the drop-down list. Scanning levels are described in Scanning and Data Processing Levels. |
| Recording Mode |
Select the discovery mode from the drop-down list. This may be one of the following:
• Off – the normal type of discovery in which the appliance scans IP ranges on the network, runs scripts on targets, and uses Reasoning to process the results. This is the default.
• Record – record mode is the same as Normal mode but in addition, the raw discovered data is stored on the appliance so that it can be used in Playback mode.
• Playback – in Playback mode, data that has been recorded in Record mode is used to replay discovery. In this mode, Discovery does not scan any targets on the network. This mode is primarily intended for testing. |
| Valid Port States |
When nmap runs port scans, it returns a result of open, closed or filtered. Using the check boxes you can choose which states are valid to investigate further.
• open|filtered – discover a device that should be accessible but isn't. It might be open, or filtered.
• filtered – this port is open but you still cannot connect to it. It must be filtered.
A port for which a result of open is returned is always considered valid. |
| Check port 135 before using Windows access methods |
Port 135 is usually open on Windows machines. Selecting Yes for this option means that nmap checks whether port 135 is open before a slave is used to discover an IP device. This is the default. You should select No in firewalled environments where a ping may be filtered by a firewall, but the slave may be able to connect to the target (for example, it is part of the same Workgroup). |
| Session Line Delay |
A delay of 10 ms is introduced between each line sent by Discovery. This avoids problems where remote shells are unable to cope with rapid command sequences. Select one of the following from the drop-down list:
• 1, 2, 5, 10 (the default), 15, 20, 25, 50, 100 milliseconds. |
| Session Login Timeout |
The length of time for the discovery script to wait for a login prompt. If this is exceeded the attempt is abandoned.
• Use default timeout.
• 10, 20, 30, 60, 90, 120, or 180 seconds. |
| Maximum Concurrent Discovery Requests |
Specifies the maximum number of concurrent discovery requests permitted. The maximum value and available range of settings is calculated for optimum performance depending on the appliance. Select one of the following from the drop-down list:
• 30, 60, 90, 120, or 150.
This value is for a system with one ECA engine. For a system with two ECA engines the values are multiplied by two, and so on.
You must restart Discovery for any changes to take effect.
You should leave this setting at its default unless you are experiencing many discovery commands timing out. As a general rule, permitting more concurrent discovery requests increases network traffic and the absolute time taken to discover a single host. However, with the interleaving of discovery processing, total throughput may be improved. |
| Maximum retries to process event |
When Reasoning writes to the data store and is unable to get a lock on a node that it needs to update, it cannot perform the update. Reasoning will attempt to write the data up to a maximum number of times. Specify the number of retries from the drop-down list:
• 3 (the default), 4, 5, 6, 7, 8, or 9. |
| Authorised Prompt |
Certain systems require an authorization step after logging in. At the command line you are asked something like "Enter session details:". The required response is usually a user name, and some other information. In the Authorised Prompt field, enter the text of the prompt. |
| Authorised Response |
Where an Authorised Prompt has been entered, you must enter the expected response (that you would enter at the command line) in the Authorised Response field. |
| NetFlow Collector |
NetFlow enabled routers generate records of connection source, destination, protocol, and amount of data transmitted. These records are sent over UDP to the IP address of a NetFlow collector. This IP address must be configured on the router. Tideway Foundation has an experimental feature to act as a NetFlow collector and create or update NetFlow nodes in the data store from NetFlow records. NetFlow nodes are only created for known hosts, based on IP addresses. A pattern to create Network Connections from NetFlow nodes is available on Configipedia.
Note: This is an experimental feature. Before considering its use, contact Customer Support for further information. |
| NetFlow Port (UDP) |
The port on which to listen for NetFlow records. In the NetFlow Port (UDP) field, enter the port number. The default is 9995. |
| NetFlow Batch Interval |
NetFlow nodes are stored in files and processed at intervals. Select the interval between processing batched NetFlow records from the drop-down list:
• 1, 2, 3, 4, 5 (the default), 10, 15, or 30 minutes. |
| Minimum Slave Version |
The minimum version of the slave that the appliance will use for Windows Discovery. You can enter a new minimum slave version in this field. Ensure that you do not include any whitespace in the version number. The version number of a slave corresponds to the version number of Tideway Foundation that the slave was released with, for example, 7.1. Note: You must stop scanning to change the minimum slave version or release. |
| Minimum Slave Release |
The minimum release number of the slave that the appliance will use for Windows Discovery. You can enter a new minimum slave release in this field. Ensure that you do not include any whitespace in the version number. The release number is a large integer such as 23236. Note: You must stop scanning to change the minimum slave version or release. |
| Use Last Login Credentials |
Discovery will use the login credential recorded as having been used successfully for a host to log in to that host. |
| Use Last AD/WG Slave |
Discovery will use the Active Directory or Workgroup slave recorded as having been used successfully for a host to log in to that host. |
| Use Last Slave Credentials |
Discovery will use the login credential for the last slave recorded as having been used successfully for a host to log in to that host. |
| Use Last SNMP Credentials |
Discovery will use the SNMP credential recorded as having been used successfully for a host to log in to that host. |
| Use Telnet Banner to Identify OS |
Discovery will telnet to a host and use the telnet "welcome" banner to determine host and operating system information. |
| Use SNMP SysDescr to Identify OS |
Discovery will attempt to query the host's SNMP service for the "SysDescr" value to determine the operating system. |
| Always try public SNMP community |
Discovery will attempt to use the public SNMP community to query the host's SNMP service if no credential is available for that host. In this case, only device classification is possible. |
| Use HTTP HEAD Request to Identify OS |
Discovery will attempt to connect to port 80 of the host and perform an HTTP HEAD request to determine the host and operating system. |
| Scanning Rate |
This drop-down list controls the rate at which the network scanner sends out packets. By default this is set to Fast, but you may wish to adjust this according to the network environment. |
| Ping hosts before scanning |
If this option is disabled, then all hosts will be discovered, but discovery of empty IP ranges will be slower. The default is to allow discovery to ping the host first.
If you enable this option, discovery will ping hosts before scanning. Discovery will be more rapid on empty IP ranges though hosts may be missed if there are firewalls configured to reject pings. In this situation you should specify IP ranges behind firewalls that you do not want to ping. See the "Exclude ranges from ping" option below. Note this option only affects scanning of networks other than the one on which the appliance is physically located. If you are using ICMP filtering, you should set this option to No. See note on Order of Operations below. |
| Use TCP ACK ping before scanning |
Causes Discovery to ping addresses with TCP ACK packets to determine which hosts are actually up. You should use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list.
This option is only available if the ping hosts before scanning option is set to Yes. See note on Order of Operations below. |
| Use TCP SYN ping before scanning |
Causes Discovery to ping addresses with TCP SYN packets to determine which hosts are actually up. You should use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list. This option is only available if the ping hosts before scanning option is set to Yes. See note on Order of Operations below. |
| Exclude ranges from ping |
Enter a list of IP addresses or IP ranges that you do not want to ping. For example, you may want to scan IPs which are behind a firewall that blocks ICMP packets. If Foundation pings an IP address and receives no response, it makes no further attempt to scan that IP address. Excluding a range from pinging enables you to scan IPs behind such firewalls. Note this option only affects scanning of networks other than the one on which the appliance is physically located. |
| TCP ports to use for initial scan |
Enter the TCP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid scanning.
The default is to use ports 22, 23, 80, 135, and 513. See notes on Order of Operations and TCP and UDP ports to use for initial scan below. Older versions included port 514, which can now be removed from upgraded systems. |
| UDP ports to use for initial scan |
Enter the UDP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid scanning. See notes on Order of Operations and TCP and UDP ports to use for initial scan below. |
| Randomize port scan sequence |
By default, the system randomizes the port scan. However, if the random scan is triggering intrusion detection systems, you should disable this option. |
| Scan retries |
Number of retries to be attempted on each host. The system will only retry for machines on which the operating system cannot be determined. The Scan retries and Default OS options work together in sequence to help locate host machines. |
| Scan timeout |
Timeout (in minutes) that applies to the scan operation on each host. |
| Use IP Fingerprinting to detect OS |
This option controls whether or not discovery will use IP fingerprinting to determine the operating system, if the previous methods have been unsuccessful.
The network ports scanned during this phase of discovery can be configured. See Setting Up Ports For OS Fingerprinting.
This option can cause instability in some legacy systems, and may trigger intrusion detection systems. This option is enabled by default. |
| Default OS |
Specify the default operating system if the Scan retries option fails to determine your host machines after retrying. The Scan retries and Default OS options work together in sequence to help locate host machines. |
| Use Open Ports to Identify OS |
This option controls whether or not open ports are used to identify the operating system. |
| Enable running of arbitrary commands |
This option controls whether or not arbitrary commands can be run. Disabling this option will prevent many patterns from retrieving information needed to build SIs and BAIs. |
| Minimum time before end of window to avoid starting new scheduled discovery operations |
A discovery run may take some time to complete. If it is started too close to the end of a Discovery window, it will not complete before the end of the window. To prevent this you can specify a period in which discovery runs will not be started. The default is 30 minutes. That is, no discovery runs will be started within 30 minutes of the end of a discovery window. Select the period from the following values in the drop-down list:
• 5, 10, 15, 20, 25, 30, 35, 40, and 45 minutes. |
| Allow scans even if no window defined |
Enables you to permit scanning outside permitted discovery windows. The default is no. |
| Create additional SessionResults for software credential matching |
This option controls whether or not extra SessionResults are created for software credential matching. SessionResults are created on an unsuccessful discovery attempt and the additional ones for software credential matching show the reason that a credential is rejected from a request (for example which regex/IP range fails to match). This enables you to debug the process of selecting a credential for a request from a pattern. |
| SQL integration: Timeout to establish a connection |
The timeout for establishing a connection to the database. Select the timeout period in seconds from the following values in the drop-down list:
• 5, 10, 30 (the default), 60, 90, 120, and 180. |
| SQL integration: Maximum connections held open |
Specifies the number of connections to databases that can be held open after they would otherwise be closed. Higher values can reduce connection delays but will consume extra resources. The default is unlimited. If you change this option you must restart the tideway service. Select the number of connections from the following values in the drop-down list:
• 0, 10, 20, 30, 40, 50, and Unlimited. |
| SQL integration: Maximum time to hold an unused connection open |
Specifies the maximum time to hold an unused database connection open. Higher values can reduce connection delays but will consume extra resources. The default is 2 minutes. If you change this option you must restart the tideway service. Select the timeout period in minutes from the following values in the drop-down list:
• 2, 4, 6, 8, and 10. |
| Enable Automatic Grouping |
Automatic Grouping is the automatic grouping of hosts into logical groups called Automatic Groups. This is primarily intended to help in baselining. By default it is enabled. Select this option to enable Automatic Grouping. Disabling Automatic Grouping may improve scanning performance. |
| Scanner File Polling Interval |
Scanner files are used to simulate discovery of inaccessible hosts. Discovery polls for new scanner files periodically. Select the polling interval from the following values in the drop-down list:
• Every minute, Every hour, and Every day.
If you change this option you must restart the tideway service.
Note: When set to Every day, the polling time is at midnight UTC time. Daylight saving time is not considered. |
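
The NetFlow Collector row above describes records arriving over UDP and NetFlow nodes being created only for known hosts. The following is an added example, not Tideway Foundation code, showing how a collector can validate and filter such records. It assumes the NetFlow version 5 packet layout (the page does not state a version); the function names and the "either endpoint is known" rule are hypothetical.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return the flow records in one datagram; raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    # UDP input is unauthenticated: accept the declared record count only
    # when it matches the datagram length exactly.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "octets": f[6], "src_port": f[9], "dst_port": f[10], "protocol": f[13],
        })
    return flows

def flows_for_known_hosts(flows, known_hosts):
    """Assumed rule: keep a flow when either endpoint is a known host IP."""
    return [f for f in flows if f["src"] in known_hosts or f["dst"] in known_hosts]

def build_sample():
    """Constructed two-flow datagram (documentation IP ranges), not captured traffic."""
    def rec(src, dst, octets, sport, dport, proto):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, b"\x00" * 4,
                           0, 0, 1, octets, 0, 0, sport, dport, 0, 0, proto,
                           0, 0, 0, 0, 0, 0)
    header = HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
    return (header + rec("192.0.2.10", "192.0.2.20", 1500, 40000, 22, 6)
            + rec("198.51.100.7", "203.0.113.9", 400, 53000, 53, 17))

if __name__ == "__main__":
    kept = flows_for_known_hosts(parse_v5(build_sample()), {"192.0.2.20"})
    print(kept)
```

Because any host that can reach the collector port can send datagrams, restricting the source addresses allowed to reach that port at the network layer complements the length check shown here.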