Edit a scan

Before you begin

  • Have the name of the scan you want to edit
  • Be an administrator or manager in the CertCentral account

Edit scan

  1. In your CertCentral account, in the sidebar menu, click Discovery > Manage Discovery.

  2. On the Manage scan page, click the Scan name link for the scan you want to edit.

  3. Discovery location settings

    On the Scan name page, on the Discovery location tab, update the scan location information as needed.

    1. Scan name
      Name your scan so you can easily identify it (names become more important when you have multiple scans).
    2. Division
      Choose the division with the sensor you want to use for the scan. During installation, you assign the sensor to a division. In the Sensor dropdown, you can only see the sensors assigned to the selected division.
      Note: If you aren't using divisions in your account, you'll see your organization name.
    3. Ports
      Specify the ports you want to use to scan your network for SSL/TLS certificates.
      Use All to include all ports in a specified range.
      Use Default to include ports commonly used for SSL/TLS certificates: 80, 443, 389, 636, 22, 143, 110, 465, 8443, 3389.
    4. Enable SNI*
      Are you using Server Name Indication (SNI) to serve multiple domains from a single IP address? Check this box to enable SNI scanning for the scan (limited to a maximum of 10 ports per server).
      Note: An SNI scan may not have IP information as part of the results.
    5. Sensor
      Choose the sensor you want to use for the scan. In the dropdown, you can only see the sensors assigned to the division you selected in the Division dropdown.
      Note: If you aren't using divisions in your account, you will see the sensors assigned to your organization.
    6. FQDNs / IP to scan
      Include FQDNs and IP addresses:
      Add the FQDNs and IP addresses you want to include in the scan and click Include. You can include single IP addresses (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
      Exclude FQDNs and IP addresses:
      Enter the IP address you want to exclude from a range of IP addresses and click Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
    7. Remove an IP address, a range of IP addresses, or an FQDN from the scan
      In the list of IP/FQDNs included in the scan, click the delete icon (trash can) for the IP address, range of IP addresses, or FQDN you want to delete.
    8. When you are finished
      If you are done editing the scan, click Save. The next time the scan runs, the results will reflect your changes.
      To continue editing the scan, click Next.
  4. Scan settings

    On the Scan name page, on the Scan settings tab, update the scan settings as needed.

    1. When to scan
      Configure your scan to run now or schedule it.
      To set a limit for how long an unfinished scan should run before you stop it, check Stop if scan time exceeds and select a maximum run time.
    2. Settings
      The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues (Heartbleed, POODLE [SSLv3], FREAK, Logjam, DROWN, RC4, and POODLE [TLS]).
      Choose what to scan
      To customize the information included in your scan results, select Choose what to scan. Then, customize the scan to fit your needs. For example, if you want to specify which TLS/SSL server issues are scanned for, such as POODLE (TLS) or BEAST, select Choose what TLS/SSL server issues to scan for.
      Adding more scan options increases the scan's impact on network resources as well as how long it takes to complete.
    3. Advanced settings: Scan performance
      Use the Scan performance options to configure how quickly the scan is completed or to limit the scan's impact on network resources.
      Aggressive scans
      Have a higher impact on network resources. Sends out a large number of scan packets to the network. Discovery caps how many packets are sent to prevent an unintended number of packets from being sent.
      Note: Using the aggressive setting may set off false alarms on an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
      Slow scans
      Limit the impact of the scan on network resources and reduce the number of IDS or IPS false alarms. Sends a few scan packets at a time and waits for a response before sending more packets.
    4. Advanced settings: More settings
      Reduce firewall alarms by restricting TLS/SSL server checks
      Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.
      To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure that the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.
      Specify ports to scan to verify host availability
      The ports you specify here are only used to verify the host availability.
      The first step in the scan process pings the host to verify its availability.
      If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.
  5. Save / Save and run

    When you're done, you'll want to save your edits.

    • To save your changes, click Save.
    • To save your settings and run a scan, click Save and run.
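
As an added illustration for the FQDNs / IP to scan step (not DigiCert code and not part of the original page), this Python example expands include and exclude entries in the three IP formats listed there and returns the scope that remains, so the target list can be reviewed before the scan is saved. It assumes exclusions take precedence over inclusions where they overlap; the function names and sample entries are hypothetical.

```python
import ipaddress
# Default port list quoted in the Ports step of this page.
DEFAULT_PORTS = (80, 443, 389, 636, 22, 143, 110, 465, 8443, 3389)

def parse_entry(entry):
    """Return a list of networks for an IP entry, or None for an FQDN."""
    entry = entry.strip()
    if "-" in entry:
        try:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        except ValueError:
            return None  # hyphenated hostname, not an IP range
        if first.version != last.version or first > last:
            raise ValueError(f"invalid IP range: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    try:
        return [ipaddress.ip_network(entry, strict=False)]  # single IP or CIDR
    except ValueError:
        return None

def effective_scope(includes, excludes):
    """Return (sorted IPs, FQDNs); assumes exclusions win on overlap."""
    skip_nets, skip_names = [], set()
    for item in excludes:
        nets = parse_entry(item)
        if nets is None:
            skip_names.add(item.strip().lower())
        else:
            skip_nets.extend(nets)
    ips, fqdns = set(), []
    for item in includes:
        nets = parse_entry(item)
        if nets is None:
            if item.strip().lower() not in skip_names:
                fqdns.append(item.strip().lower())
            continue
        for net in nets:  # fine for small ranges; very large CIDRs expand slowly
            ips.update(a for a in net if not any(a in s for s in skip_nets))
    return sorted(ips, key=lambda a: (a.version, int(a))), fqdns

def probe_count(ips, fqdns, ports=DEFAULT_PORTS):
    # Upper bound on host:port pairs the scan would touch.
    return (len(ips) + len(fqdns)) * len(ports)

if __name__ == "__main__":
    # Constructed sample scope, not taken from any real account.
    ips, names = effective_scope(
        ["10.0.0.0/29", "10.0.1.5-10.0.1.8", "192.0.2.10", "www.example.com"],
        ["10.0.0.0-10.0.0.3", "10.0.1.6"])
    print([str(a) for a in ips], names, probe_count(ips, names))
```
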

What's next

If you saved your changes without running a scan, the next time the scan runs, the scan results will reflect your changes.

If you saved and ran your scan, to view scan details, go to the scan's details page (on the Scans page, click the scan name link).