Edit a scan

Before you begin

  • Have the name of the scan you want to edit.
  • Administrator or manager privileges are required.

Edit scan

  1. In your CertCentral account, in the sidebar menu, select Discovery > Manage Discovery.

  1. On the Manage scans page, select the Scan you want to edit.

  1. Discovery location settings

    On the Scan name page, on the Discovery location tab, update the scan location information as needed.

    1. Scan name
      Name your scan so you can easily identify it (names become more important when you have multiple scans).
    2. Division
      Choose the division with the sensor you want to use for the scan. During installation, you assign the sensor to a division. You only see the sensors assigned to the selected division.
      Note: If you are not using divisions in your account, you will see your organization name instead.
    3. Ports
      Specify the ports you want to use to scan your network for SSL/TLS certificates.
      Use All to include all ports in a specified range.
      Use Default to include ports commonly used for SSL/TLS certificates: 80, 443, 389, 636, 22, 143, 110, 465, 8443, 3389.
    4. Enable SNI (Optional)
      If you are using Server Name Indication (SNI) to serve multiple domains from a single IP address, enable SNI scanning for the scan (limited to max 10 ports per server).
      Note: An SNI scan may not have IP information as part of the results.
    5. Sensor
      Choose the sensor you want to use for the scan. You will only see the sensors assigned to the division you selected.
      Note: If you are not using divisions in your account, you will see the sensors assigned to your organization.
    6. FQDNs / IP to scan
      Include FQDNs and IP addresses:
      Add the FQDNs and IP addresses you want to include in the scan and select Include. You can include single IP addresses (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
      Exclude FQDNs and IP addresses:
      Enter the IP address you want to exclude from a range of IP addresses and select Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
    7. Remove an IP address, a range of IP addresses, or an FQDN from the scan
      In the list of IP/FQDNs included in the scan, select the delete icon (trash can) for the IP address, range of IP addresses, or FQDN you want to delete.
    8. When you are finished
      If you are done editing the scan, select Save. The next time the scan runs the results will reflect your changes.
      To continue editing the scan, select Next.
  1. Scan settings

    On the Scan name page, on the Scan settings tab, update the scan settings as needed.

    1. When to scan
      Configure your scan to run now or schedule it.
      To set a limit for how long an unfinished scan should run before you stop it, select Stop if scan time exceeds and select a maximum run time.
    2. Settings
      The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues. (Heartbleed, Poodle [SSLv3], FREAK, Logjam, DROWN, RC4, and POODLE [TLS], Cross-site scripting, SQL injection, Cross-domain policy, and CSRF).
      Choose what to scan
      To customize the information included in your scan results, select Choose what to scan. Customize the scan to fit your needs.
      For example, if you want to specify which TLS/SSL server issues are scanned for, such as POODLE (TLS) or BEAST, select Choose what TLS/SSL server issues to scan for.
      Adding more scan options increases the scan’s impact on network resources as well as how long it takes to complete it.
    3. Advanced settings: Scan performance
      Use the Scan performance options to configure how quickly the scan is completed or to limit the scan's impact on network resources.
      Aggressive scans
      Have a higher impact on network resources. Send out a large number of scan packets to the network. Discovery caps how many packets are sent to prevent an unintended number of packets from being sent.
      Note: Using the aggressive setting can set off false alarms on Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
      Slow scans
      Limit the impact of the scan on network resources and reduce the number of IDS or IPS false alarms. Send a few scan packets at a time and waits for a response before sending more packets.
    4. Advanced settings: More settings
      Reduce firewall alarms by restricting TLS/SSL server checks
      Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.
      To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure that the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.
      Specify ports to scan and verify host availability
      The ports you specify here are used to verify the host availability.
      The first step in the scan process pings the host to verify its availability.
      If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan will be.
  1. Save /Save and run

    When you are done, you will need to save your edits.

    • To save your changes, select Save.
    • To save your settings and run a scan, select Save and run.

What's next

If you saved your changes without running a scan: The next time the scan runs, the scan results will reflect your changes.

If you saved and ran your scan: To view scan details, go to the scan's details page, (on the Scans page, select the scan name).