
Enable cloud scans

Before you begin

  • The Cloud Discovery feature must be enabled for your account. For help verifying or enabling this feature, contact your DigiCert account representative.

  • To configure cloud scans, you need the Manager user role for Trust Lifecycle Manager or a custom role with the Network scans Manage permission. To learn more, see Users and access.

  • Gather needed information for configuring the scan:

    • Scan targets (public FQDNs or IP addresses) to scan.

    • The business unit to use for managing the discovered certificates and the scan itself.

  • To automatically assign metadata (tags and owners) to discovered certificates, configure metadata assignment rules to use with the scan.

Scan settings

Start by creating the scan and configuring basic properties for it.

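  1. In your Trust Lifecycle Manager account, go to Discovery & automation tools > Network scans from the left main menu.

  2. On the Network scans page, select Add scan.

  3. On the General information page, configure the following basic properties for the new scan:

    • Scan name: Enter a descriptive name for the scan.

    • Business unit: Select the business unit that this scan belongs to.

    • Scan type: Select Cloud scan. Use this option to scan IP addresses/FQDNs for public-facing TLS/SSL certificates, regardless of the issuing Certificate Authority (CA).

      Note

      The Sensor scan option is a sensor-based scanning system used for scanning private IPs/FQDNs. To learn more, see Network scans.

  4. Select Next.

In this section, you specify the target resources to scan with the cloud scan. Cloud scans check only port 443, which is commonly used for HTTPS traffic.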

  1. Under IP addresses/FQDNs, add targets to include and exclude:

    • Include FQDNs and IP addresses: Enter targets and select Include. You can include a single IP address (8.8.8.8), a range (8.8.8.1-8.8.8.254), or a CIDR block (8.8.8.0/24).

    • Exclude FQDNs and IP addresses: Enter targets and select Exclude. You can exclude a single IP address, a range, or a CIDR block.

    • Optionally, import targets from a CSV file to include or exclude IP addresses and FQDNs.

      Important

      Private IP addresses and wildcard domains are not supported in cloud scans. If these are included in the uploaded CSV, they are automatically excluded, and you will receive an alert.

  2. Optionally, adjust the Included and Excluded lists:

    • Exclude IPs/FQDNs moves selections from Included to Excluded.

    • Include IPs/FQDNs moves selections from Excluded to Included.

    • Delete removes selections from either list.

  3. Select Next.
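
A pre-flight check for a target list, so that entries the cloud scan would drop (private IP addresses and wildcard domains) are caught before upload. This is an added example, not DigiCert code; it assumes IPv4 targets in the three formats shown above, treats "private" as RFC 1918 space, and works on plain target strings because the CSV layout is not described on this page.

```python
import ipaddress
import re

# Assumption: "private" means RFC 1918 space; the product may define it more broadly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def to_networks(target):
    """Expand a single IPv4 address, a start-end range, or a CIDR block to networks."""
    if "-" in target:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in target.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.IPv4Network(target, strict=False)]


def classify(target):
    """Return (status, reason) for one target string."""
    t = target.strip()
    if "*" in t:
        return "reject", "wildcard domain"
    try:
        nets = to_networks(t)
    except ValueError:  # not IP syntax: fall back to the FQDN check
        if FQDN_RE.match(t):
            return "ok", "fqdn"
        return "reject", "not an IP, range, CIDR block, or FQDN"
    if any(n.overlaps(p) for n in nets for p in RFC1918):
        return "reject", "overlaps private address space"
    return "ok", "ip"


def preflight(targets):
    """Split a target list into entries to keep and entries to fix, with reasons."""
    keep, fix = [], []
    for t in targets:
        status, reason = classify(t)
        (keep if status == "ok" else fix).append((t.strip(), reason))
    return keep, fix


# Constructed sample list; only the 8.8.8.x formats come from the page.
SAMPLE = ["8.8.8.8", "8.8.8.1-8.8.8.254", "8.8.8.0/24", "www.example.com",
          "*.example.com", "192.168.10.0/24", "9.255.255.0-10.0.0.5"]

if __name__ == "__main__":
    for t, reason in preflight(SAMPLE)[1]:
        print(f"fix before upload: {t} ({reason})")
```

The range check expands the range to CIDR blocks first, so a range whose endpoints look public but that crosses into 10.0.0.0/8 is still flagged.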

On the Scan options screen, select what information the scan collects and how it assigns metadata to discovered certificates.

  1. To include additional data such as cipher suites, HTTP headers, and TLS/SSL extension protocol details, select the Enable deep scan checkbox. This may increase the scan time.

  2. Business unit: (Optional) Assign a business unit to the discovered certificates. If selected, only admins in that business unit can manage the certificates.

  3. Certificate assignment rules: (Optional) Select rules to automatically assign metadata (tags and owners) to the discovered certificates. This helps identify and manage the certificates in inventory.

  4. Select Next to continue the setup process.

On the Schedule screen, choose whether to run the scan now or schedule it for later:

  1. Select one of the following options:

  2. To finalize the scan, select one of the following:

What's next

  • Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during setup.

  • Certificates found through the scan are added to Inventory > Certificates and included in your dashboard.

  • When the scan run is complete, results appear in the scan listing on the Discovery & automation tools > Network scans page. Select the links in the Scan results column to view the discovered certificates.

  • Results are cached for up to 8 hours to optimize performance. After 8 hours, scan data expires and is no longer available in the UI.

    For example: If you perform a scan at 10:00 AM, the results will remain accessible in the UI until 6:00 PM. After 6:00 PM, the scan data will expire, and you’ll need to run a new scan to view updated results.

  • To learn more about scan results, see View scan details and results.