Network Scan

A network certificate discovery scan is used to identify and analyze digital certificates within a network or infrastructure. These certificates can include SSL/TLS certificates used for secure website communication, code signing certificates, client authentication certificates, and other types of digital certificates.

By performing regular network certificate discovery scans, organizations can maintain an up-to-date record of their certificates, manage them efficiently, and proactively address any security concerns or compliance issues.

Initiating a Network Discovery Scan

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Network Scan.
    The Discovery : Network Scan : Add Discovery page is displayed.
  2. To initiate a network certificate discovery scan, enter the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 1. Discovery run type options
      Field Description
      On-demand Network certificate discovery scan will be triggered manually by the user as and when required.
      Scheduled Network certificate discovery scan will be triggered automatically at the specified time and date.
    2. Enter the details for initiating an on-demand network certificate discovery scan.
      Table 2. Field descriptions for on-demand discovery
      Field Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter the details for initiating a scheduled network certificate discovery scan.

      Table 3. Field descriptions for scheduled discovery
      Field Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      Occurrence Type
      From the dropdown list, from the following options, select an occurrence frequency:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget)
      Summary Displays a summary of the selections made for the scheduled discovery.
      *: Mandatory fields
  3. In the Discover By section, from the Discovery From dropdown list, select the source for the certificate discovery.
    • Network
      Table 4. Field descriptions for discovering certificates from Network
      Field Description
      Network List From the dropdown list, select the network(s) you want to include in the discovery.

      This list is populated based on the networks added to the network inventory in CERT+.

      SNI Hostname(s) To discover certificates from SNI-protected websites that share the same IP address and port number with another web application, enter the hostname in this field.

      You can also enter a comma-separated list of hostnames.

      Auto Onboard Devices Enable this option to automatically onboard devices into the device management inventory during a network scan.
      Note: This field is enabled when the Auto Onboard ACF Role is configured.
    • IP Range
      Table 5. Field descriptions for discovering certificates from IP range
      Field Description
      *Start IP Enter the IPv4 address from which the network scan should start.
      *End IP Enter the IPv4 address at which the network scan should end.
      Note: Ensure that the End IP value is greater than the Start IP value.
      *IPs per Batch of Discovery Enter the number of IP addresses that should be scanned in one batch.
      Note:
      • A batch can include a maximum of 256 IP addresses.
      • Batching IP addresses for scanning in one go can be useful for throttling scan traffic.
      *Scan Ports From the dropdown list, from the following options, select which ports have to be scanned:
      • All Ports
      • Standard Ports

        To get a list of the standard ports, click Download here from below the dropdown menu.

      • Custom Ports
      Add More Ports
      Note: This field is displayed only when Scan Ports = Standard Ports.
      To scan ports other than the standard ports, enter a comma-separated list of port numbers in this field.

      You can enter a hyphenated range of ports, as well as a comma-separated list of port ranges.

      *Add Ports
      Note: This field is displayed only when Scan Ports = Custom Ports.
      Enter a comma-separated list of port numbers to be scanned, between 0 and 65535. You can also enter a hyphenated range of ports, as well as a comma-separated list of port ranges.

      For example: 444-666, 888-999.

      Select Node to Trigger Scan From Select the CLM node from where the discovery scan will be performed.
      Note: Select a node close to the network entered and avoid traffic through firewalls when possible.
      SNI Hostname(s) To discover certificates from SNI-protected websites that share the same IP address and port number with another web application, enter the hostname in this field.

      You can also enter a comma-separated list of hostnames.

      *TLS version(s) From the dropdown list, select the required TLS version.
      Add Click Add to add the network details entered.

      The entered details are displayed in the table shown after the Select a File field.

      Select a File You can specify the entries for all the above fields in a .xlsx or .csv file and upload it in this field.
      Note: To download a sample file, click Download Sample Template. You can fill in your details in this downloaded template.
      1. Click Upload and navigate to the location of your file.
      2. Click Open.
      Execute Batches Sequentially To execute the discovery operation on the specified batches sequentially, select this checkbox.
      *Interval Between Batches If Execute Batches Sequentially is selected, enter an interval duration in this field. The sequential execution of the batches is spaced according to the interval value entered here.
      Scanning Intensity If Execute Batches Sequentially is not enabled, select a scanning intensity for the discovery operation.

      A higher scanning intensity means a higher scanning speed and a larger network load. The maximum number of connections from a discovery engine is chosen based on the Scanning Intensity.

      Skip Full Scan Enabling this field will skip a full scan and restrict the discovery operation to sources (IP addresses and port numbers) from which certificates were discovered previously.
      *Device discovery From the dropdown list, from the following options, select your device discovery requirement:
      • Do not discover devices

        Only certificate scanning is carried out for the configured IPs. On completion, the Batches and Certificates tabs are displayed.

      • Discover devices along with their operating system
        AppViewX scans for the device and certificates for the configured IPs. On completion, the batches, Certificates, and Devices tabs are displayed.
        Note: To discover the operating system version, AppViewX requires sudo access.
      *: Mandatory fields
    • Subnet
      Table 6. Field descriptions for discovering certificates from a subnet
      Field Description
      *Network Enter the subnet/mask in the field. For example: 192.168.1.1/24.
      *Subnets per Batch of Discovery Based on the value entered, the provided subnet will be split into multiple batches for the discovery process.
      *Scan Ports From the dropdown list, from the following options, select which ports have to be scanned:
      • All Ports
      • Standard Ports

        To get a list of the standard ports, click Download here from below the dropdown menu.

      • Custom Ports
      Add More Ports
      Note: This field is displayed only when Scan Ports = Standard Ports.
      To scan ports other than the standard ports, enter a comma-separated list of port numbers in this field.

      You can enter a hyphenated range of ports, as well as a comma-separated list of port ranges.

      *Add Ports
      Note: This field is displayed only when Scan Ports = Custom Ports.
      Enter a comma-separated list of port numbers to be scanned, between 0 and 65535. You can also enter a hyphenated range of ports, as well as a comma-separated list of port ranges.

      For example: 444-666, 888-999.

      Select Node to Trigger Scan From Select the CLM node from where the discovery scan will be performed.
      Note: Select a node close to the network entered and avoid traffic through firewalls when possible.
      SNI Hostname(s) To discover certificates from SNI-protected websites that share the same IP address and port number with another web application, enter the hostname in this field.

      You can also enter a comma-separated list of hostnames.

      *TLS version(s) From the dropdown list, select the required TLS version.
      Add Click Add to add the network details entered.

      The entered details are displayed in the table shown after the Select a File field.

      Select a File You can specify the entries for all the above fields in a .xlsx or .csv file and upload it in this field.
      Note: To download a sample file, click Download Sample Template. You can fill in your details in this downloaded template.
      1. Click Upload and navigate to the location of your file.
      2. Click Open.
      Execute Batches Sequentially To execute the discovery operation on the specified batches sequentially, select this checkbox.
      *Interval Between Batches If Execute Batches Sequentially is selected, enter an interval duration in this field. The sequential execution of the batches is spaced according to the interval value entered here.
      Scanning Intensity If Execute Batches Sequentially is not enabled, select a scanning intensity for the discovery operation.

      A higher scanning intensity means a higher scanning speed and a larger network load. The maximum number of connections from a discovery engine is chosen based on the Scanning Intensity.

      Skip Full Scan Enabling this field will skip a full scan and restrict the discovery operation to sources (IP addresses and port numbers) from which certificates were discovered previously.
      *Device discovery From the dropdown list, from the following options, select your device discovery requirement:
      • Do not discover devices

        Only certificate scanning is carried out for the configured IPs. On completion, the Batches and Certificates tabs are displayed.

      • Discover devices along with their operating system
        AppViewX scans for the device and certificates for the configured IPs. On completion, the batches, Certificates, and Devices tabs are displayed.
        Note: To discover the operating system version, AppViewX requires sudo access.
      *: Mandatory fields
    • URL
      Table 7. Field descriptions for discovering certificates from a URL
      Field Description
      *URL Enter the HTTPS URL for discovering the associated certificate.
      *Ports to Scan
      Note: This field is disabled if the Scan All Ports field is selected.
      Enter a comma-separated list of port numbers in this field.

      You can also enter a hyphenated range of ports, as well as a comma-separated list of port ranges.

      Scan All Ports
      Note: Enabling this field disables the Ports to Scan field.
      Select the Scan All Ports checkbox to scan all the HTTPS-enabled ports.

      This is particularly useful if the number of HTTPS-enabled ports is significantly large or is unknown.

      Select Node to Trigger Scan From Select the CLM node from where the discovery scan will be performed.
      Note: Select a node close to the network entered and avoid traffic through firewalls when possible.
      Add Click Add to add the network details entered.

      The entered details are displayed in the table shown after the Select a File field.

      Select a File You can specify the entries for all the above fields in a .xlsx or .csv file and upload it in this field.
      Note: To download a sample file, click Download Sample Template. You can fill in your details in this downloaded template.
      1. Click Upload and navigate to the location of your file.
      2. Click Open.
      Execute Batches Sequentially To execute the discovery operation on the specified batches sequentially, select this checkbox.
      *Interval Between Batches If Execute Batches Sequentially is selected, enter an interval duration in this field. The sequential execution of the batches is spaced according to the interval value entered here.
      Scanning Intensity If Execute Batches Sequentially is not enabled, select a scanning intensity for the discovery operation.

      A higher scanning intensity means a higher scanning speed and a larger network load. The maximum number of connections from a discovery engine is chosen based on the Scanning Intensity.

      Skip Full Scan Enabling this field will skip a full scan and restrict the discovery operation to sources (IP addresses and port numbers) from which certificates were discovered previously.
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is a set of filters combined in the Rules menu. Selecting a rule applies its filters to the discovered certificates.
  5. Configure the After Discover settings.
    Table 8. Field descriptions for the After Discover section
    Field Description
    *Move Certificate to Inventory with Status Select from one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    Auto Onboard Devices Enable this option to automatically onboard devices into the device management inventory during a network scan.
    Note: This field is enabled when Discovery From is set to IP Range or Subnet and Device Discovery is selected as Discover devices along with their operating system.
    *Onboarding Group Select the desired onboarding group. Available options are:
    • Auto Detect - Allows the system to automatically compare devices against all group rules and assign them to the appropriate group.
    • Manual - When assigned manually, this onboarding group is applied to devices regardless of the rules defined in other onboarding groups.
    Note: This field is enabled when Discovery From is set to IP Range or Subnet and Device Discovery is selected as Discover devices along with their operating system.
    *Select Onboarding Group Select the desired onboarding group.
    Note: This field is enabled only when Onboarding Group is set to Manual.
    *: Mandatory fields
  6. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
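As an added example (not AppViewX code), the following Python works out the run dates that the scheduled-discovery fields in Table 3 describe: Occurrence Type (Daily, Weekly, Monthly, Yearly), Repeat On (weekday checkboxes), Starts On, and Ends (Never, After a number of occurrences, or On a date). The function names, the ISO date strings and the day-clamping rule for Monthly and Yearly runs that start on the 29th to 31st are assumptions for illustration, not documented product behaviour.

```python
# Added example, not AppViewX code: works out when a scheduled discovery runs
# from the Occurrence Type, Repeat On, Starts On and Ends fields of Table 3.
import calendar
from datetime import date, timedelta

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def _add_months(d: date, months: int) -> date:
    """Advance by whole months, clamping the day to the target month's length
    (assumed rule: a schedule starting on the 31st runs on the last day of
    shorter months)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def _candidates(occurrence: str, starts_on: date, repeat_on: set):
    """Yield every date the Occurrence Type fires on, from Starts On onward."""
    if occurrence == "Daily":
        d = starts_on
        while True:
            yield d
            d += timedelta(days=1)
    elif occurrence == "Weekly":
        # Repeat On: the checked weekdays; defaults to the start date's weekday.
        days = repeat_on or {starts_on.weekday()}
        d = starts_on
        while True:
            if d.weekday() in days:
                yield d
            d += timedelta(days=1)
    elif occurrence in ("Monthly", "Yearly"):
        step = 1 if occurrence == "Monthly" else 12
        n = 0
        while True:
            yield _add_months(starts_on, n * step)
            n += 1
    else:
        raise ValueError(f"unknown Occurrence Type {occurrence!r}")


def scheduled_runs(occurrence, starts_on, repeat_on=(), ends="Never",
                   after_count=0, ends_on=None, limit=10) -> list:
    """Return the ISO dates of the scheduled runs. `ends` is 'Never', 'After'
    (stop after `after_count` occurrences) or 'On' (last run on or before
    `ends_on`). 'Never' is open-ended, so `limit` caps the dates returned."""
    start = date.fromisoformat(starts_on)
    end = date.fromisoformat(ends_on) if ends_on else None
    days = {WEEKDAYS[x] for x in repeat_on}
    runs = []
    for d in _candidates(occurrence, start, days):
        if ends == "After" and len(runs) >= after_count:
            break
        if ends == "On" and end is not None and d > end:
            break
        if len(runs) >= limit:
            break
        runs.append(d.isoformat())
    return runs


if __name__ == "__main__":
    # Constructed sample schedule: weekly on Monday and Thursday, five runs.
    print(scheduled_runs("Weekly", "2024-01-01", repeat_on=("Mon", "Thu"),
                         ends="After", after_count=5))
```

The Summary field in the UI shows the same information in words; generating the concrete dates is a quick way to confirm that a Weekly schedule with several Repeat On days, or a Monthly one starting late in the month, fires when you expect before the first scan runs.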
What to do next: To view the Discovery Status and manually onboard devices, refer to Discovery Status > Manual Onboarding of Discovered Devices.
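As an added example (not AppViewX code), the following Python turns the IP Range and Subnet field values from Tables 5 and 6 into the batched list of probe targets a discovery scan would walk: it parses the Add Ports syntax (comma-separated numbers and hyphenated ranges within 0 to 65535), splits a Start IP to End IP range into batches of at most 256 addresses, expands a subnet/mask, attaches the SNI hostnames to every target, and applies the Skip Full Scan restriction to sources that yielded a certificate before. The function names and the sample addresses are assumptions; batching a subnet by address count rather than by sub-subnet is a simplification of the product's Subnets per Batch field.

```python
# Added example, not AppViewX code: turns the IP Range / Subnet field values
# described above into the batched probe list a discovery scan would walk.
import ipaddress

MAX_IPS_PER_BATCH = 256  # stated upper bound for "IPs per Batch of Discovery"


def parse_ports(spec: str) -> list:
    """Parse the Add Ports syntax: comma-separated port numbers and hyphenated
    ranges, e.g. "443, 444-666, 888-999", limited to 0-65535."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"range {item!r}: start is greater than end")
        else:
            lo = hi = int(item)
        if lo < 0 or hi > 65535:
            raise ValueError(f"port(s) {item!r} outside 0-65535")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def ip_range_batches(start_ip: str, end_ip: str, ips_per_batch: int) -> list:
    """Split an inclusive IPv4 range into batches of at most ips_per_batch
    addresses, enforcing the End IP > Start IP and 256-per-batch notes."""
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("End IP must be greater than the Start IP")
    if not 1 <= ips_per_batch <= MAX_IPS_PER_BATCH:
        raise ValueError(f"IPs per batch must be between 1 and {MAX_IPS_PER_BATCH}")
    addrs = [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]
    return [addrs[i:i + ips_per_batch] for i in range(0, len(addrs), ips_per_batch)]


def subnet_batches(cidr: str, ips_per_batch: int) -> list:
    """Expand a subnet/mask such as 192.168.1.1/24 (host bits are tolerated)
    and batch it by address count. Assumption: this simplifies the product's
    Subnets per Batch field, which batches by sub-subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ip_range_batches(str(net.network_address), str(net.broadcast_address),
                            ips_per_batch)


def build_plan(batches, ports, sni_hostnames=(), previously_seen=None) -> list:
    """Expand batches x ports into probe targets. Each target carries the SNI
    hostnames to present, because one IP:port can serve a different certificate
    per hostname. When previously_seen is given (Skip Full Scan), only the
    (ip, port) pairs that yielded a certificate before are kept."""
    plan = []
    for batch_no, batch in enumerate(batches, start=1):
        targets = []
        for ip in batch:
            for port in ports:
                if previously_seen is not None and (ip, port) not in previously_seen:
                    continue
                targets.append({"ip": ip, "port": port, "sni": list(sni_hostnames)})
        if targets:
            plan.append({"batch": batch_no, "targets": targets})
    return plan


def count_targets(plan) -> int:
    """Total number of (ip, port) probes across all batches."""
    return sum(len(b["targets"]) for b in plan)


if __name__ == "__main__":
    # Constructed sample values, not real inventory data.
    batches = ip_range_batches("10.0.0.1", "10.0.2.0", 256)
    plan = build_plan(batches, parse_ports("443, 8443-8445"), ["app.example"])
    print(len(batches), "batches,", count_targets(plan), "probe targets")
```

Counting the targets before a run is the practical check behind the IPs per Batch, Interval Between Batches and Scanning Intensity fields: the product of addresses and ports is the connection load the chosen CLM node will place on the network, and the Skip Full Scan variant shows how much of that load a re-scan of known sources avoids.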