- play_arrow What's New for Users in JSA Vulnerability Manager 7.4.0
- play_arrow Installations and Deployments
- Installations and Deployments
- Vulnerability Backup and Recovery
- Ports Used for Communication Between JSA and JSA Vulnerability Manager Managed Hosts
- Options for Moving the Vulnerability Processor in Your JSA Vulnerability Manager Deployment
- Options for Adding Scanners to Your JSA Vulnerability Manager Deployment
- JSA Vulnerability Manager High-availability Scans
- Extending the JSA Vulnerability Manager Temporary License Period
- JSA Vulnerability Manager High-availability Scans
- play_arrow Overview Of JSA Vulnerability Manager
- play_arrow Vulnerability Scanning Strategy and Best Practices
- Vulnerability Scanning Strategy and Best Practices
- Scan Policy Types
- Scan Duration and Ports Scanning
- Tune Your Asset Discovery Configuration
- Tune Your Asset Discovery Performance
- Web Application Scanning
- Scanner Placement in Your Network
- Dynamic Scanning
- Network Bandwidth for Simultaneous Asset Scans
- Network Interface Cards on Scanners
- Vulnerability Management for Asset Owners
- Vulnerability Scan Notifications
- Triggering Scans of New Assets
- Configuring Environmental Risk for an Asset
- External Scanning FAQs
- play_arrow False Positives Management
- play_arrow Authenticated Patch Scans
- play_arrow Scanning on Windows-based Assets
- Scanning on Windows-based Assets
- Configuring an Authenticated Scan Of the Windows Operating System
- Remote Registry
- Enabling Remote Registry Access to Assets on the Windows Operating System
- Assigning Minimum Remote Registry Permissions
- Configuring WMI
- Setting Minimum DCOM Permissions
- Setting DCOM Remote Access Permissions
- Administrative Shares
- Enabling Administrative Shares
- Disabling Administrative Shares
- Manually Configuring NTLMv2 Authentication to Prevent Scan Failures
- play_arrow Vulnerability Exception Rules
- play_arrow Scan Investigations
- Scan Investigations
- Searching Scan Results
- Including Column Headings in Asset Searches
- Managing Scan Results
- Republishing Scan Results
- Asset Risk Levels and Vulnerability Categories
- Asset, Vulnerability, and Open Services Data
- Viewing the Status Of Asset Patch Downloads
- Vulnerability Risk and PCI Severity
- Troubleshooting Scan Issues
- Emailing Asset Owners When Vulnerability Scans Start and Stop
- play_arrow Management Of Your Vulnerabilities
- Management Of Your Vulnerabilities
- Common Vulnerability Scoring System (CVSS)
- Investigating Vulnerability Risk Scores
- Custom Risk Classification
- Searching Vulnerability Data
- Vulnerability Instances
- Network Vulnerabilities
- Asset Vulnerabilities
- Open Service Vulnerabilities
- Investigating the History Of a Vulnerability
- Reducing the Number Of False Positive Vulnerabilities
- Investigating High Risk Assets and Vulnerabilities
- Prioritizing High Risk Vulnerabilities by Applying Risk Policies
- Configuring Custom Display Colors for Risk Scores
- Identifying the Patch Status Of Your Vulnerabilities
- Removing Unwanted Vulnerability Data
- Configuring Vulnerability Data Retention Periods
- play_arrow Vulnerability Remediation
- play_arrow Vulnerability Reports
- play_arrow Scanning New Assets That Communicate with the Internet
- Scanning New Assets That Communicate with the Internet
- Creating an Asset Saved Search for New Assets
- Creating an On-demand Scan Profile
- Creating a Policy Monitor Question to Test for Internet Communication
- Monitoring Communication Between New Assets and the Internet
- Configuring an Offense Rule to Trigger a Scan
- play_arrow Security Software Integrations
- play_arrow IBM Security SiteProtector Integration
- play_arrow Vulnerability Research, News, and Advisories
- play_arrow JSA Vulnerability Manager Engine for OpenVAS Vulnerability Tests
Dynamic Vulnerability Scans
In JSA Vulnerability Manager, you can configure a scan to use certain vulnerability scanners for specific CIDR ranges in your network. For example, your scanners might have access only to certain areas of your network.
During a scan, JSA Vulnerability Manager determines which scanner to use for each CIDR, IP address, or IP range that you specify in your scan profile.
You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact your Juniper Customer Support.
Dynamic Scanning and Domains
If you configured domains in the Domain Management window on the Admin tab, you can associate scanners with the domains that you added.
For example, you might associate different scanners each with a different domain, or with different CIDR ranges within the same domain. JSA dynamically scans the configured CIDR ranges that contain the IP addresses you specify on all domains that are associated with the scanners on your system. Assets with the same IP address on different domains are scanned individually if the CIDR range for each domain includes that IP address. If an IP address is not within a configured CIDR range for a scanner domain, JSA scans the domain that is configured for the Controller scanner for the asset.
Setting Up Dynamic Scanning
To use dynamic scanning, you must do the following actions:
Add vulnerability scanners to your JSA Vulnerability Manager deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.
Associate vulnerability scanners with CIDR ranges and domains.
Configure a scan of multiple CIDR ranges and enable Dynamic server selection in the Details tab of the Scan Profile Configuration page.
Associating Vulnerability Scanners with CIDR Ranges
In JSA Vulnerability Manager, to do dynamic scanning, you must associate vulnerability scanners with different segments of your network.
You must add extra vulnerability scanners to your deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative >Scanners.
Note:By default, the Controller scanner is displayed. The Controller scanner is part of the JSA Vulnerability Manager processor that is deployed on either your JSA Console or on a dedicated JSA Vulnerability Manager processing appliance. You can assign a CIDR range to the Controller scanner, but you must deploy extra scanners to use dynamic scanning.
Click a scanner on the Scanners page.
On the toolbar, click Edit.
Note:You cannot edit the name of the scanner. To edit a scanner name, click Admin >System and License Management >Deployment Actions >Manage Vulnerability Deployment.
In the CIDR field, type a CIDR range or multiple CIDR ranges that are separated by commas.
Click Save.
Scanning CIDR Ranges with Different Vulnerability Scanners
In JSA Vulnerability Manager, you can scan areas of your network with different vulnerability scanners.
You must configure your network CIDR ranges to use the different vulnerability scanners in your JSA Vulnerability Manager deployment. For more information, see Options for Adding Scanners to Your JSA Vulnerability Manager Deployment.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative >Scan Profiles.
On the toolbar, click Add.
Click the Dynamic server selection check box.
If you configured domains in the Admin >Domain Management window, you can select a domain from the Domain list. Only assets within the domain you selected are scanned.
Optional: Add more CIDR ranges.
Click Save.
Click the check box on the row that is assigned to your scan on the Scan Profiles page and click Run.
