Option Profile Title Tab Scan Tab Map Tab System Authentication Tab Additional Tab 

VM Option Profile: Additional

The Additional tab is where you can make additional settings that affect both scans and maps, including the ports to scan during host discovery, and the ability to ignore certain types of TCP packets sent at scan time. 

Jump to a section below:

Host Discovery

Blocked Resources

Packet Options

Host Discovery

Important - These settings should only be customized under special circumstances. For example, to add ports that are not included in the Standard port list, remove probes that will trigger your firewall/IDS, or only discover live hosts that respond to an ICMP ping.

Select which probes are sent and which ports are scanned during host discovery. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are "alive". 

By changing the default settings the service may not detect all live hosts and hosts that go undetected cannot be scanned for vulnerabilities.

Destination ports in the TCP SYN packets

During host discovery, in addition to the TCP SYN packets that are sent to the following ports: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445 and 5631, by default, the service also sends:

- TCP ACK packet with a source port of 80 and a destination port of 2869

- TCP ACK packet with a source port of 25 and a destination port of 12531

- TCP SYN+ACK packet with a source port of 80 and a destination port of 41641

If you don't want these packets sent, select the "Do not send TCP ACK or SYN-ACK packets during host discovery" check box under Packet Options on the Additional tab in the option profile. See Packet Options.

Blocked Resources

Worried about triggering your IDS? Tell us the ports that are blocked and the IP addresses that are protected by your firewall/IDS. 

If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked.

Consider these other options: 

1) Add hosts that you don't want scanned to the global excluded hosts list under Scans > Setup > Excluded Hosts.

2) Add our scanner IP addresses to the allow list or exception list in your firewall/IDS configuration. You can view a current list of IP addresses for our cloud external scanners on the About page (Help > About). Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list.

3) Are you using Watchguard? If yes, add our scanner IP addresses to the "Blocked Sites Exception" list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Note: The "WatchGuard default blocked ports" option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.

Packet Options

Ignore certain packets by enabling these packet options:

Ignore firewall-generated TCP RST packets

When enabled, we will try to identify firewall-generated TCP RESET packets and ignore them. Note, however, that it is not always possible to determine whether a RESET packet is firewall generated but we will make a best effort. Some firewall-generated RESET packets could still be misidentified as generated by live host(s) and in this case they will not be ignored.

If the target for a scan or map is a range larger than a class B, we will not attempt to figure out whether RESET packets are firewall generated; instead we ignore all RESET packets. This is because the scan time or the map time will be very long.

Ignore all TCP RST packets (maps only)

When enabled, we will ignore all TCP RESET packets, including firewall-generated RESET packets and live-host-generated RESET packets. This option is available to find hosts with one or a few selected ports open. It can also be used for cases in which there are firewall-generated RESET packets but we fail to identify and ignore them when Ignore Firewall-Generated TCP RST Packets is selected, resulting in many phantom hosts being reported as live hosts.

Typical use cases for choosing this option:

Use Case 1: You want to find hosts with at least one of the selected TCP ports open and you don't care about any other live hosts. This is a rather specific use case. For example you want to find hosts and only hosts with TCP port 1433 or TCP port 1434 open and you don't want to see any other live hosts in the map results.

To implement a solution for this use case you must:

1) Enable this option to ignore all TCP RESET packets.

2) Disable ICMP and UDP for host discovery and also restrict TCP ports for host discovery to the selected ports (on the Additional tab). 

3) Select the option to ignore hosts that are discovered via DNS and only via DNS (select "Exclude Hosts Only Discovered via DNS" on the Map tab in the profile).

Use Case 2: You have firewall generated TCP RESET packets which were not successfully identified (even after you selected the option to ignore firewall-generated RESET packets). Consequently, you'll see many dead hosts in the map results.

To implement a solution for this use case you must:

1) Enable this option to ignore all TCP RESET packets.

2) Since you still want to find all live hosts, you need to enable other host discovery methods (ICMP, TCP and UDP with a default list of TCP/UDP host discovery ports).

Ignore firewall-generated SYN-ACK packets

Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP SYN-ACK packets using the host's IP address. When enabled, we attempt to determine if TCP SYN-ACK packets are generated by a filtering device and ignore all SYN-ACK packets that appear to originate from such devices.

Do not send ACK or SYN-ACK packets during host discovery

Some firewalls are configured to log an event when out of state TCP packets are received. Out of state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, then you can enable this option to suppress the service from sending out of state ACK and SYN-ACK packets during host discovery for map and scan tasks.

If you enable this option and you also enable the "Perform 3-way handshake" option in the Scan section of your profile, then the "Perform 3-way handshake" option takes precedence and this option is ignored.