Dynamic Vulnerability Scans

In JSA Vulnerability Manager, you can configure a scan to use certain vulnerability scanners for specific CIDR ranges in your network. For example, your scanners might have access only to certain areas of your network.

During a scan, JSA Vulnerability Manager determines which scanner to use for each CIDR, IP address, or IP range that you specify in your scan profile.

You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact Juniper Customer Support.

Dynamic Scanning and Domains

If you configured domains in the Domain Management window on the Admin tab, you can associate scanners with the domains that you added.

For example, you might associate each scanner with a different domain, or with different CIDR ranges within the same domain. JSA dynamically scans the configured CIDR ranges that contain the IP addresses you specify on all domains that are associated with the scanners on your system. Assets with the same IP address on different domains are scanned individually if the CIDR range for each domain includes that IP address. If an IP address is not within a configured CIDR range for a scanner domain, JSA scans the asset on the domain that is configured for the Controller scanner.
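The following added example, which is not part of the product or its documentation, models the selection described above so that you can check a planned scanner-to-CIDR assignment before you run a scan and see which targets no scanner range covers. The scanner names, domain names, the ControllerDomain label, and the addresses are constructed sample values, and choosing the most specific range when two scanners in one domain both contain an address is an assumption that this page does not state.

```python
import ipaddress

CONTROLLER = "Controller"  # the scanner that is displayed by default

# Constructed sample data: (scanner name, domain, CIDR field value).
SAMPLE_SCANNERS = [
    ("scanner-core", "DomainA", "192.168.0.0/16"),
    ("scanner-dmz", "DomainA", "192.168.10.0/24, 192.168.20.0/24"),
    ("scanner-lab", "DomainB", "192.168.10.0/24"),
]
SAMPLE_TARGETS = ["192.168.10.5", "192.168.99.1", "172.16.0.9"]

def parse_cidr_field(value):
    """Parse one CIDR range or several comma-separated CIDR ranges."""
    # strict=True is this example's own check: it rejects 10.1.2.3/16 style typos.
    return [ipaddress.ip_network(p.strip(), strict=True)
            for p in value.split(",") if p.strip()]

def plan_scan(scanners, targets, controller_domain):
    """Map each target IP to a list of (domain, scanner, matched CIDR)."""
    parsed = [(n, d, parse_cidr_field(c)) for n, d, c in scanners]
    plan = {}
    for target in targets:
        ip = ipaddress.ip_address(target)
        best = {}  # domain -> (scanner, network), one scan per domain
        for name, domain, nets in parsed:
            for net in nets:
                # Assumption: the most specific range wins inside a domain.
                if ip in net and (domain not in best
                                  or net.prefixlen > best[domain][1].prefixlen):
                    best[domain] = (name, net)
        if best:
            plan[target] = sorted((d, s, str(n)) for d, (s, n) in best.items())
        else:
            # No scanner CIDR contains the address: Controller's domain is used.
            plan[target] = [(controller_domain, CONTROLLER, None)]
    return plan

def fallbacks(plan):
    """Targets that only the Controller scanner would reach."""
    return sorted(t for t, hits in plan.items() if hits[0][2] is None)

if __name__ == "__main__":
    result = plan_scan(SAMPLE_SCANNERS, SAMPLE_TARGETS, "ControllerDomain")
    for target, hits in result.items():
        print(target, hits)
    print("falls back to Controller:", fallbacks(result))
```

A target that appears in the fallback list is worth reviewing before the scan runs, because the Controller scanner might not have network access to that segment.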

Setting Up Dynamic Scanning

To use dynamic scanning, you must complete the following tasks:

  1. Add vulnerability scanners to your JSA Vulnerability Manager deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.

  2. Associate vulnerability scanners with CIDR ranges and domains.

  3. Configure a scan of multiple CIDR ranges and enable Dynamic server selection in the Details tab of the Scan Profile Configuration page.

Associating Vulnerability Scanners with CIDR Ranges

To use dynamic scanning in JSA Vulnerability Manager, you must associate vulnerability scanners with different segments of your network.

You must add extra vulnerability scanners to your deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.

  1. Click the Vulnerabilities tab.

  2. In the navigation pane, select Administrative > Scanners.

    Note:

    By default, the Controller scanner is displayed. The Controller scanner is part of the JSA Vulnerability Manager processor that is deployed on either your JSA Console or on a dedicated JSA Vulnerability Manager processing appliance. You can assign a CIDR range to the Controller scanner, but you must deploy extra scanners to use dynamic scanning.

  3. Click a scanner on the Scanners page.

  4. On the toolbar, click Edit.

    Note:

    You cannot edit the name of the scanner. To edit a scanner name, click Admin > System and License Management > Deployment Actions > Manage Vulnerability Deployment.

  5. In the CIDR field, type a CIDR range or multiple CIDR ranges that are separated by commas.

  6. Click Save.

Scanning CIDR Ranges with Different Vulnerability Scanners

In JSA Vulnerability Manager, you can scan areas of your network with different vulnerability scanners.

You must configure your network CIDR ranges to use the different vulnerability scanners in your JSA Vulnerability Manager deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.

  1. Click the Vulnerabilities tab.

  2. In the navigation pane, select Administrative > Scan Profiles.

  3. On the toolbar, click Add.

  4. Click the Dynamic server selection check box.

    If you configured domains in the Admin > Domain Management window, you can select a domain from the Domain list. Only assets within the domain you selected are scanned.

  5. Optional: Add more CIDR ranges.

  6. Click Save.

  7. Click the check box on the row that is assigned to your scan on the Scan Profiles page and click Run.