Scanning Large Ranges with Discovery

saadit · ‎03-11-2019

Is there any guidance on the maximum number of IP's to scan per schedule? In the past, the rule of thumb I was told by ServiceNow was not to scan anything larger than a /20 i.e. /19 and below. Does this still hold?

Before the glide.discovery.max_range_size default value was 100K for the total number of IP's that can be scanned by a Schedule, I've noticed now that the default value is much higher and the London documentation does not even make reference to the property anymore. Wondering if that's an indication we are OK with scanning large networks now?

I have a client that has all their IPs broken into /16's or /14's and before I go down the path of breaking them into smaller chunks I wanted to get the communities feedback.

Thanks in advance.

robertgeen · ‎03-12-2019

So I am going to give you my best practice on this and that is anyone giving you a /14 or a /16 is being lazy and doesn't want to put the effort into giving you proper range sets. There are numerous issues that come from doing such a large range (e.g. Long running discovery times, security flagging on failed login attempts on unintended devices such as desktop/laptop, and discovery of unintended dynamic ranges to name a few). I will almost always 100% push back on a requirement to put a large range like that in. Try to stick to nothing bigger then /22 and if the organization is really struggling to tell you the ranges you can always run the Network discovery and pull them back from the routers (just a warning though this should be done as a 1 time activity and not on a daily frequency as it tends to cause a load on devices in my experience).

The other thing you could do is if they give you a large range is break it down into smaller ranges and prove out which ranges don't have anything of value. Hope this helps.