Discovery Schedule / Pattern Separation Best Practices?

Scott Braden
Tera Contributor

Just curious how others are / would handle the following situation.

In our environment, when we initially set up Discovery, our Network team asked that we create targeted scans for hitting our F5 Load Balancer(s) that were separate from our larger Discovery scans. Their concern was that they didn't want Discovery to hit all of the IPs on load balancers; instead, they wanted to ensure we hit just one IP per device. To facilitate this, we created a separate scan and range set with an HTTP-only behavior.

The above has been working for us without issue. We've done some testing recently where adding the F5s back to our larger scan doesn't appear to cause any issues that the Network team initially was worried about. The question we have for the community is simply:

"Is there really a use case for keeping the scans separate?" Or is there a best practice recommendation where this would make sense?

Thanks!

1 REPLY

David104
Tera Guru

Hi,

I can't answer that question definitively, but I would suggest a little testing to observe the behaviour to help make that call. I'd see if you can work with the F5 admins to identify one of the IPs that they are concerned about hitting, and see what happens. In theory, if you hit a virtual IP on the F5, it's going to re-direct you to one of the hosts in the load balancer pool, which might not give you consistent discovery results. But to be honest, I'm not sure if it would only redirect if you hit that VIP on the right port, etc. The best way to see what would happen is to test one or two of the devices to see how they go. Once you understand that behaviour, you should find it easier to work out your strategy around scanning IPs related to that F5.

I haven't come across any orgs using F5 that have asked to isolate discovery for F5s as you described, so I don't think it would cause any problems.

Sorry, that's probably not super helpful in terms of providing an answer, but might help you reach a conclusion.

Regards,

David