Enable network scans

Before you begin

  • You need an active DigiCert sensor on your network with visibility of the systems to target in the scan. See Deploy and manage sensors.

  • The Network Discovery feature must be enabled for your account. For help verifying or enabling this feature, contact your DigiCert account representative.

  • To configure network scans, you need the Manager user role for Trust Lifecycle Manager or a custom user role that includes the Network scans "Manage" permission. To learn more, see Users and access.

  • Gather needed information for configuring the scan:

    • Scan targets (FQDNs or IP addresses) and ports to scan.

    • The business unit to use for managing the discovered certificates and the scan itself.

  • To automatically assign metadata (tags and owners) to discovered certificates, configure metadata assignment rules to use with the scan.

Set up a network scan

Start by creating the scan and selecting the sensor that will run it.

  1. In the Trust Lifecycle Manager menu, go to Discovery & automation tools > Network scans.

  2. On the Network scans page, select Add scan.

  3. On the General information screen, configure the basic scan properties:

    • Scan name: Name your scan so you can identify it.

    • Business unit: Select the scan’s business unit. Only users assigned to this business unit can manage the scan.

    • Scan type: If this option appears, select Sensor scan to securely scan your internal network using a local DigiCert sensor.

    • Sensor: Select the sensor to use for this scan. The sensor must have visibility of the target systems and port numbers you plan to scan.

  4. Select Next.

On the Scan targets screen, define which ports to inspect and which targets to include or exclude.

  1. Configure the Port numbers to scan:

    • All to include all ports in a specified range.

    • Default to include ports commonly used for TLS/SSL certificates: 110, 143, 389, 443, 465, 636, 3389, 8443.

    • Custom to include ports of your choice.

  2. If you use SNI to serve multiple domains from a single IP address, enable Server Name Indication (SNI). SNI scanning is limited to a maximum of 10 ports per server. An SNI scan may not include IP information in the results.

  3. If you want to discover certificates on Microsoft SQL Server or SAP/Sybase ASE, enable TDS protocol scanning. Configure the default TDS port (1433) or select Custom and enter a custom TDS port.

  4. Under IP addresses/FQDNs, add targets to include and exclude:

    • Include FQDNs and IP addresses: Enter targets and select Include. You can include a single IP address (10.0.0.1), a range (10.0.0.1-10.0.0.255), or a CIDR block (10.0.0.0/24).

    • Exclude FQDNs and IP addresses: Enter targets and select Exclude. You can exclude a single IP address, a range, or a CIDR block.

    • Optionally, import targets from a CSV file to include or exclude IP addresses and FQDNs.

    Important

    Make sure targets are valid and not duplicated. Wildcard domains are not supported.

  5. Optionally, adjust the Included and Excluded lists:

    • Exclude IPs/FQDNs moves selections from Included to Excluded.

    • Include IPs/FQDNs moves selections from Excluded to Included.

    • Delete removes selections from either list.

  6. Select Next.
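The Included and Excluded lists accept the three address forms described above plus FQDNs, and the note warns against duplicates and wildcards. The following is an added example (not part of the DigiCert documentation or product) of a hypothetical pre-flight validator you could run over a target list before entering or importing it: it expands single IPs, ranges, and CIDR blocks, rejects wildcard domains and duplicate entries, and computes the effective target set after exclusions.

```python
import ipaddress
import re

# Hypothetical validator for scan target lists; assumes IPv4 ranges/CIDRs
# of modest size, since every address is expanded into a set.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def parse_target(target):
    """Return a set of IP strings, or a lowercase FQDN string."""
    t = target.strip()
    if not t:
        raise ValueError("empty target")
    if "*" in t:  # wildcard domains are not supported by the scan
        raise ValueError(f"wildcard domains are not supported: {t!r}")
    if "/" in t:  # CIDR block, e.g. 10.0.0.0/24 (strict: host bits must be zero)
        return {str(a) for a in ipaddress.ip_network(t)}
    if "-" in t:  # range, e.g. 10.0.0.1-10.0.0.255 (hostnames may contain '-')
        lo, _, hi = t.partition("-")
        try:
            start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            start = end = None
        if start is not None:
            if end < start:
                raise ValueError(f"range end precedes start: {t}")
            return {str(ipaddress.ip_address(i))
                    for i in range(int(start), int(end) + 1)}
    try:
        return {str(ipaddress.ip_address(t))}  # single IP
    except ValueError:
        pass
    if _FQDN_RE.match(t):
        return t.lower()
    raise ValueError(f"not a valid IP, range, CIDR block or FQDN: {t!r}")


def effective_targets(include, exclude):
    """Expand both lists, reject duplicate entries, subtract exclusions."""
    def expand(entries):
        seen, out = set(), set()
        for entry in entries:
            key = entry.strip().lower()
            if key in seen:
                raise ValueError(f"duplicate target: {entry!r}")
            seen.add(key)
            parsed = parse_target(entry)
            out |= parsed if isinstance(parsed, set) else {parsed}
        return out
    return expand(include) - expand(exclude)
```

Duplicates are detected per list entry as typed; two entries that overlap after expansion (a /24 and one of its addresses) are merged silently rather than rejected.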

On the Scan options screen, select what information the scan collects and how it assigns metadata to discovered certificates.

  1. Under Discovery settings, select one of the following options:

    • Optimize for best performance to collect standard TLS/SSL certificate and server information.

    • Choose what to scan to scan for custom information. Make selections for the following:

      • Configured cipher suites and TLS/SSL protocols: Discover the cipher suites and TLS/SSL protocols configured on your server for establishing secure client-server communications.

      • Handshake TLS/SSL protocols: Check whether the SSLv2, SSLv3, TLSv1.0, and TLSv1.1 protocols are enabled for handshaking.

      • Don't follow HTTP redirects: Enable this option to prevent Trust Lifecycle Manager from following HTTP redirects during a network scan (for example, an HTTP 301 redirect response). By default, Trust Lifecycle Manager follows redirects and scans the target hosts specified in the redirect response.

      • Host IP addresses: Update the host's IP addresses each time you scan. Recommended if the host's IP addresses change frequently.

        You can also select the OS and server application options here for updated information about:

        • Operating system

        • Server type

        • Server application

        • Application version

      Important

      Adding more scan options increases the scan’s burden on network resources, resulting in a longer scan time.

  2. Business unit: (Optional) Assign a business unit to the discovered certificates. If selected, only admins in that business unit can manage the certificates.

  3. Certificate assignment rules: (Optional) Select rules to automatically assign metadata (tags and owners) to the discovered certificates. This helps identify and manage the certificates in inventory.

  4. Under Advanced settings, select one of the following scan type options or keep the default (balanced scan). For more details, see Types of scans.

    • Aggressive (high network traffic): Run a fast network scan.

    • Balanced (default): Balance speed and scan accuracy.

    • Slow (low network traffic): Ensure complete accuracy on high-latency networks, and when there aren't any real-time constraints.

  5. (Optional) Configure miscellaneous options under Additional settings:

    • Specify ports to scan to verify host availability: The first step in the scan process is to ping the host to verify it's reachable. If Internet Control Message Protocol (ICMP) pings are disabled on hosts, use this setting to specify which ports can be scanned to verify host availability. The fewer ports specified, the faster the scan.

  6. Select Next.

On the Schedule screen, choose whether to run the scan now or schedule it for later:

  1. Select one of the following options:

  2. Stop if time exceeds: (Optional) Set a time limit in hours or days for how long an unfinished scan should run before the system terminates it.

  3. To finalize the scan, select one of the following:

Types of scans

Aggressive scans

Use this scan when you need to run a fast network scan. These scans place a larger burden on network resources by increasing parallelism and sending out a large number of probes, resulting in high network traffic. These scans also wait less time for a response before timing out. This makes the scan faster, but on a high-latency target network it can reduce accuracy because slow responses are missed.

Aggressive scans are generally three to four times faster than slow scans, but can sometimes take longer depending on the network's ability to handle the traffic. Using this setting might set off false alarms on an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).

Balanced scans (default)

Use this scan when you want to optimize speed and scan accuracy. These scans aren’t as fast as aggressive scans, but put less burden on network resources.

Slow scans

Use this scan when you want to ensure complete accuracy on high-latency networks, and when there aren't any real-time constraints. These scans operate at a low speed and limit the impact of the scan on network resources. The scan sends a few probes at a time and waits longer for an acknowledgment before sending more probes.

What’s next

  • Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during setup.

  • Certificates found through the scan are added to Inventory > Certificates, and the associated endpoint data for those certificates is added to Inventory > Endpoints.

  • When the scan run is complete, results appear in the scan listing on the Discovery & automation tools > Network scans page. Select the links in the Scan results column to view the discovered certificates.

  • To learn more about scan results, see View scan details and results.