Create Network Scan Policies

Network Management › Network Scan Policies › Create Network Scan Policy

Create Network Scan Policy

You can create the Network Scan policies to configure the discovery methodology, and then define options to locate servers and software components on your networks.

Follow these steps:

Click the Management link and then click the Network tab.
Click the Network Scan Policies link.
On the Network Scan Policies page, select Create Policy from the Table Actions drop-down list.
On the Create Network Scan Policy wizard Policy page, enter the following information and then click Next.

Name

Defines the policy name.

Description

Describes the policy purpose and usage.
On the Discovery Engine page, select a discovery engine (for example, DNS or PingSweep), and then complete the fields for the selected option.

DNS

Specifies that the scan uses the Domain Name System (DNS) of hierarchical naming and numbering. DNS locates servers, services, or other network-connected resources.

Complete the following fields:

DNS Server IP Address

Defines the IP address of the server that provides the DNS name resolution for the domain and the name servers of any subordinate domains.

Domains

Defines the domains that the profile is responsible for scanning. Enter a domain name in the Add New Domain field, and then click the right-facing arrow to move it to the Selected Domains field.

Retries

Defines how many Simple Network Management Protocol (SNMP) queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

Note: Configure your DNS server so it allows Zone Transfers from the designated NDG server.

PingSweep

Sends ICMP ECHO requests to determine which in a range of IP addresses maps to live hosts. If a specified address is live, the request returns an ICMP ECHO reply. The scan uses the reply to identify servers, services, or other network-connected resources.

Complete the following fields:

Engine Instances

Defines how many discovery engine instances run during the discovery.

Default: 10

Burst Size

Defines how many packets the product sends each second to the IP address.

Default: 32

Retries

Defines how many times the discovery pings an IP address before it fails.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds a request waits for a response before it fails.

Default: 2000

SNMP Classification Specifications

Defines the properties for monitoring the network devices and their functions.

Complete the following fields:

Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

TCP Connect Scan

Determines the port availability through a TCP handshake connection. The scan uses an available port to identify network-connected servers, services, or other resources.

Complete the following fields:

Engine Instances

Defines how many discovery engine instances run during the discovery.

Default: 10

Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

ARP Cache

Specifies whether the scan uses SNMP to interrogate the ARP Cache of routers. The ARP Cache of routers locates servers, services, or other network-connected resources.

Complete the following fields:

Engine Instances

Defines how many discovery engine instances run during the discovery.

Default: 10

Gateway IP Address

Defines the IP address of the computer that is the gateway for translating communication protocols.

Discover Router Information Only

Specifies whether to restrict the discovery process to the ARP Cache of routers.

Selected: The product only discovers the ARP Cache of routers.

Cleared: The product discovers the ARP Cache of all network resources.

Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

Packet Analyzer

Analyzes packet data on the network, passively collects the IP traffic relationships, and identifies servers, services, or other network-connected resources.

Complete the following fields:

Execution Time

Defines how many days, hours, and minutes the scan runs.

Default: 15 minutes

Engine Instances

Defines how many discovery engine instances run during the discovery.

Default: 10

Cache Purge Frequency (in hours)

Defines how many hours elapse before the scan operation clears the cache. This scan type maintains a cache of discovered servers so that it does not continuously rediscover recently discovered servers.

Default: 8

Collect Network Statistics

Specifies whether the scan collects packet count summaries for the discovered relationships. To indicate the relationship strength, the packet count summary determines whether the servers exchanged a few or thousands of packets.

Selected: The scan collects packet count summaries.

Cleared: The scan does not collect packet count summaries.

Default: selected

Statistics Reporting Interval (in minutes)

Defines how many minutes elapse between network statistics collection operations.

Default: 15 (if you selected the Collect Network Statistics check box).

Discover Relationships

Specifies whether the scan discovers the relationships between network resources.

Selected: The scan discovers the relationships between network resources.

Cleared: The scan does not discover the relationships between network resources.

Default: selected

Relationship Packet Threshold Count

Defines the minimum number of packets the product requires to determine whether a relationship exists.

Default: 10 (requires that the Discover Relationships check box is selected).

Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

NetFlow

Passively collects the IP traffic relationships and identifies servers, services, or other network-connected resources using the data feed from a NetFlow-enabled router.

Complete the following fields:

Execution Time

Defines how many days, hours, and minutes the scan runs.

Default: 15 minutes

Listen Port

Defines the NetFlow discovery engine port number.

Default: 9991

Note: Configure your router so it sends the NetFlow feed to the specified port on the designated NDG server.

Cache Purge Frequency (in hours)

Defines how many hours elapse before the scan operation clears the cache, and how often the operation rediscovers servers. This scan type maintains a cache of discovered servers so that it does not continuously rediscover recently discovered servers.

Default: 8

Discover Relationships

Specifies whether the scan discovers the relationships between network resources.

Selected: The scan discovers the relationships between network resources.

Cleared: The scan does not discover the relationships between network resources.

Default: selected

Relationship Packet Threshold Count

Defines the minimum number of packets the product requires to determine whether a relationship exists.

Default: 10 (requires that the Discover Relationships check box is selected).

Aggregate Records

Specifies whether the product collects network statistics for a discovered relationship in a single record.

Selected: The product collects network statistics in a single record.

Cleared: The product does not collect network statistics in a single record.

Default: cleared

Aggregation Interval

Specifies for how many minutes the product aggregates network statistics.

Default: 10 (requires that the Aggregate Records check box is selected).

Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000

Local Link

Discovers the servers on the local network segment using IPv6.

Complete the following fields:

Retries

Defines how many times the scan attempts to locate an IP address before it fails.

Default: 1

Timeout (in milliseconds)

Defines how many milliseconds the scan waits for a response before it fails.

Default: 2000

SNMP Retries

Defines how many SNMP queries the product makes to an IP address before it fails while attempting to classify the operating system.

Default: 1

SNMP Timeout (in milliseconds)

Defines how many milliseconds the SNMP query waits for a response before it fails.

Default: 1000
Click Next.
On the Discovery Options page, complete the following fields so the NDG can scan ports explicitly:

VMware Web Services Port

Defines the port that communicates with the VMware server.

Default: 443

Microsoft SCVMM Port

Defines the port that communicates with the Microsoft System Center Virtual Machine Manager (SCVMM) server.

Default: 8100
Select the Perform Soft Agent Probe check box if you want the agent-based discovery benefits without deploying an agent.
The Soft Agent Probe uses supplied credentials to access the WMI services on Windows computers. The Soft Agent Probe uses SSH on UNIX and Linux target computers.

If you select Perform Soft Agent Probe for Linux or UNIX, edit the ssh_config file to include the following parameter:
```
PasswordAuthentication yes
```
By default, the ssh_config file is installed in the following locations:
HPUX
```
/etc/opt/ssh
```
Linux, Solaris, and AIX
```
/etc/ssh
```
If you select the Perform Soft Agent Probe check box, complete the following fields:
Network Configuration

Specifies whether to discover network configuration settings.

Applications

Specifies whether to discover application configuration settings.

Virtual Environment

Specifies whether to discover servers and configuration settings for virtualized environments.

Restrict Discovery to Targeted Servers for Communications Relationships

Specifies whether to exclude the servers that the product discovers in the communication relationships. When you select this option, the product discovers the servers included in the network profile inclusion list.

Hardware

Specifies whether to discover hardware components.

Network Connections

Specifies whether to discover established network connections and open ports.

Select the checkbox, then click the Port Mapping to include or exclude specific ports during a network discovery.

Inclusions tab: In the left pane, double-click a mapped port to include it during a network scan.

Exclusions tab: In the left pane, double-click a mapped port to exclude it during a network scan.

Discover SAN Infrastructure and Relationships

Specifies whether to discover storage devices and storage managers and their relationships.

Enable use of Telnet

Lets you use Telnet to run a network discovery for UNIX and Linux server access when SSH-based discovery fails. Telnet discovery uses the same credentials as SSH discovery.

Note: Because the Telnet standards do not include encryption, the product communicates the user credentials from the credential vault in clear text.

Enable use of sudo
Specifies whether you can access and gather information from the remote UNIX and Linux servers with the sudo command. The sudo command lets the users that are defined in the /etc/sudoers configuration file run commands as if they had different (often unlimited, as for the root user) permissions.

If you enable sudo, comment the Default requiretty entry in the /etc/sudoers file as follows:
```
# Default requiretty
```
For more information, see Configuring sudo for UNIX and Linux Softagent Discovery.
SSH Port

Specifies the port that the product uses for the SSH communications.

SSH Mode
Species one of the following modes:
- SSH with Credentials
- SSH with Key File and Credentials
  Note: If you select this option and SSH key file authentication fails, the product continues scanning with the UNIX credentials from the Credential Vault.
User Name

Defines the user that the product uses for the key file authentication.

Private Key File

Defines the private key file for the SSH authentication. Create the public and private key files with puttygen.exe or a similar utility. Copy the private key to the NDG Server that your CA Configuration Automation Server uses for discovery.

Note: For more information, see Create an SSH Key-based Network Scan Policy.

Public Key File

Defines the public key file for the SSH authentication. Create the public and private key files with puttygen.exe or a similar utility. Copy the public key to the NDG Server that your CA Configuration Automation Server uses for discovery.

Note: For more information, see Create an SSH Key-based Network Scan Policy.

Passphrase

Defines an optional key file protection passphrase. Associate this passphrase with the key files when you create them.

Enable user of SSH Proxy

Specifies the use of SSH Proxy.

Complete the following SSH Proxy fields:

Proxy Server

Defines the proxy server name or IP address.

Proxy Port

Defines the proxy server listening port.
Click Finish.
The product creates the policy and adds it to the Network Scan Policies table.