Create and Run Scans
When you first start using Fortra VM, it typically runs a host discovery scan primarily to identify the resources on your network and create an initial baseline in Active View. This scan uses the default Host Discovery scan policy, which only checks to identify if an active host is present and determines its fingerprint (e.g., hostname, operating system). It does not, however, check for vulnerabilities.
Once the initial Fortra VM scan is complete, you can create your own scans.
- Complete your scan information in the fields of the General Settings panel.
- Scan name: Select the field to begin entering the name.
- Repeat: Enable to make the scan recurring. If you select ON for the Recurrence Schedule, a dialog box opens and lets you specify when the scan should occur. Recurring scans should be set in accordance with the scan frequency stated in your service agreement (e.g., quarterly, monthly).
- Schedule: Select the date, time, and time zone for the scan. If you set up a recurring scan, this field disappears and instead displays Established Schedule, which you can change by selecting the schedule link.
- Add to Active View: Enabled by default. Turn OFF if you do not want the scan results to display in Active View.
- Auto-generate Reports: Turned OFF by default. Enable to automatically generate an Executive Summary and a Vulnerability Details report upon scan completion.
- Extra email notification: Enable to add users who do not receive automatic scan notifications. If enabled, enter email addresses and select to add them. Your additional scan notification recipients are listed in the Recipients field. Users who have set their account not to receive automatic Fortra VM notifications will get a notification for this scan.
TIP: Use faster scan speeds with caution. Generally, your default setting should be normal.
- Complete your scan information in the fields of the Business Group panel.
- Selected group: Select the business group that should see the scan’s results (this cannot be updated after the scan is created). This panel displays only if business groups are enabled.
See related: Manage Business Groups
- Complete your scan information in the fields of the Scan Targets panel. This panel gives you options for defining what is scanned.
- Asset Groups tab
Select the Asset Groups you want the scan to run against. The Preview icon next to an asset group gives you an overview of its rules (e.g., IP address range, scanner profiles, asset type).
See related: Manage Asset Groups
- Ad Hoc IPs Ports tab
Define the IP addresses and associated ports you want to scan. Select Add Rule to add each rule to your scan.
- Action: Choose whether to Include or Exclude a range of IP addresses and / or ports. If you choose Include, the Inclusion section appears.
- IP Addresses: Enter the IP addresses to be included or excluded from the asset group (separate multiple addresses with commas, or enter a range). (Example IP range: 192.168.2.1-192.168.2.255.)
- Auto-Add IPs: If this is selected, IPs will automatically be added to the appropriate scanner profile.
- Ports: Enter the ports you want included or excluded from the asset group (separate multiple ports with commas).
- Inclusion: See whether your IP addresses and ports are within the scanner profile’s range (you must first select an available scanner profile to see this information).
- Available Scanner Profiles: Select the scanner profile to which you want to apply your rules. You can view a scanner profile’s existing IP address and port rules as follows:
- From the navigation menu, select System > Scanner Management > Scanner Profiles.
- Choose the scanner profile you want to view, then go to the IPs & Ports tab. Your scan rules display at the bottom of the tab. If you need to delete a rule, select the icon next to it and the resulting check-mark to confirm.
- Ad Hoc Dynamic Asset tab
Define the assets you want to scan using conditional filters.
- Choose an asset criterion (e.g., Asset: Type).
- Choose a comparison operator (options depend on the criterion you selected).
- Enter or select a value for the criterion (options depend on the criterion you selected).
- Select the icon next to your rule to add it to your scan. (Select the icon again to delete a rule.) (Optional) Create additional asset rules for the scan.
- Ad Hoc Hostnames tab
Define the hostnames and associated ports you want to scan; select Save to add each rule to your scan.
See related: What is scanning by DNS hostname?
- Action: Choose whether to Include or Exclude hostnames and / or ports.
- DNS Hostnames: Type the hostnames to be included or excluded from the asset group (separate multiple hostnames with commas). (Example: www.mysite.com.)
- Ports: Type the ports associated with the hostnames to be included or excluded from the asset group (separate multiple ports with commas).
- Available Scanner Profiles: Select the scanner profile to which you want to apply your rules. Your scan rules display at the bottom of the tab. If you need to delete a rule, select the icon next to it and the resulting check-mark to confirm.
- Select Create and Run. If you do not want to run the scan immediately, make sure that the Start scan on (or Schedule) field is set to a later date / time.
If you schedule the scan, you can view it on the Scheduled Scans page (located by selecting Scans > Scheduled Scans on the navigation menu).
If you did not schedule the scan, it initially appears on the Scheduled Scans page before displaying on the Scan Activity page (located by selecting Scan > Scan Activity on the navigation menu).
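As an added example (not Fortra VM code), the following Python checker expands ad hoc Include / Exclude rules in the format described above (comma-separated IP addresses or a dash range, comma-separated ports) and flags any resulting target that a scanner profile's IP ranges and ports would not cover, which is the check the Inclusion section performs in the UI. The rule dictionaries, the profile network list and all sample values are constructed assumptions, not a real profile.

```python
import ipaddress
from typing import Dict, List, Set, Tuple
Target = Tuple[ipaddress.IPv4Address, int]

def parse_ips(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand a comma-separated IP list; an 'a-b' item is an inclusive range."""
    out: Set[ipaddress.IPv4Address] = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        start, end = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        if end < start:
            raise ValueError(f"range end precedes start: {item}")
        out.update(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return out

def parse_ports(spec: str) -> Set[int]:
    """Expand a comma-separated port list; every port must be 1-65535."""
    ports = {int(s) for s in spec.split(",") if s.strip()}
    bad = sorted(p for p in ports if not 1 <= p <= 65535)
    if bad:
        raise ValueError(f"invalid port(s): {bad}")
    return ports

def resolve_targets(rules: List[Dict[str, str]]) -> Set[Target]:
    """Union the Include rules, then drop every (ip, port) pair an Exclude rule names."""
    included: Set[Target] = set()
    excluded: Set[Target] = set()
    for rule in rules:
        pairs = {(ip, p) for ip in parse_ips(rule["ips"]) for p in parse_ports(rule["ports"])}
        (included if rule["action"] == "Include" else excluded).update(pairs)
    return included - excluded

def outside_profile(targets: Set[Target], nets: List[str], ports: Set[int]) -> Set[Target]:
    """Targets the scanner profile would not cover (what the UI's Inclusion section reports)."""
    networks = [ipaddress.ip_network(n) for n in nets]
    return {(ip, p) for ip, p in targets
            if p not in ports or not any(ip in net for net in networks)}

# Constructed sample rules in the ad hoc format; the profile values are assumptions.
SAMPLE_RULES = [
    {"action": "Include", "ips": "192.168.2.1-192.168.2.255", "ports": "22,443"},
    {"action": "Exclude", "ips": "192.168.2.10, 192.168.2.11", "ports": "22"},
]
SAMPLE_PROFILE_NETS = ["192.168.2.0/25"]   # profile covers only the lower half of the /24
SAMPLE_PROFILE_PORTS = {22, 443}

if __name__ == "__main__":
    targets = resolve_targets(SAMPLE_RULES)
    missing = outside_profile(targets, SAMPLE_PROFILE_NETS, SAMPLE_PROFILE_PORTS)
    print(f"{len(targets)} targets, {len(missing)} outside the scanner profile")
```

Run it before creating the scan: any target it reports as outside the profile will not be scanned until the profile's IPs & Ports rules are extended (or Auto-Add IPs is enabled).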
A web application scan should generally be performed on a staging environment as a part of testing. Web application scans submit forms with test data which may result in data loss or corruption. Do not scan a website without proper authorization. Ensure all relevant administrators are notified prior to performing a scan. A scan may cause the web application to crash and require a restart.
- On the WAS site header, select + New, then Scan. The Create New Scan page opens.
- Complete your scan information in the fields of the General Settings panel.
- Scan name: Select the field to begin entering the name.
- Repeat: Enable to make the scan recurring. If you select ON for the Recurrence Schedule, a dialog box opens and lets you specify when the scan should occur. Recurring scans should be set in accordance with the scan frequency stated in your service agreement (e.g., quarterly, monthly).
- Start scan on: Select the date, time, and time zone for the scan. If you set up a recurring scan, this field disappears and instead shows you the Established Schedule, which you can change by selecting the schedule link.
- Add to Active View: Enabled by default. Turn OFF if you do not want the scan results to display in Active View.
- Auto-Generate Reports: Turned OFF by default. Enable to automatically generate an Executive Summary and a Vulnerability Details report upon scan completion.
- Extra Email Notification: Enable to add users who do not receive automatic scan notifications. If enabled, enter email addresses and select to add them. Your additional scan notification recipients are listed in the Recipients field. Users who have set their account not to receive automatic Fortra VM notifications will get a notification for this scan.
- Complete your scan information in the fields of the Scanning Options panel.
- Audit policy: Select an audit policy to specify the type of vulnerability checks and allowances for the scan (options include WAS default policies and user-created ones). See related:
- Full Scan: Full scan audit policy with recommended settings for performing all tests required for high, medium and low severity vulnerabilities.
- Light Weight: Light weight audit policy with recommended settings for gentle auditing of web applications.
- Crawling Only: Crawling only audit policy with recommended settings for generating site maps of web applications, but does not perform vulnerability testing.
- SQL Injection: SQL injection audit policy with recommended settings for locating SQL injection flaws in web applications.
- Easily Guessable Credentials: Easily guessable credentials audit policy with recommended settings to locate easily guessable and default credentials in web applications.
- Cross-site Scripting: Cross-site Scripting (XSS) audit policy with recommended settings to locate XSS flaws in web applications.
- Tuning Policy: Select a tuning policy to specify how a scan is performed. See related:
- Complete your scan information in the fields of the Targets panel. This panel gives you options for defining which web applications or websites are scanned.
- Add targets: Select an existing web app or web app group.
- New target: Select to create a new web application target. See related: Web Apps and Groups
- Select Create and run.
If you schedule the scan, you can view it on the Scheduled Scans page (located by selecting Scans > Scheduled Scans on the navigation menu).
If you did not schedule the scan, it initially appears on the Scheduled Scans page before displaying on the Scan Activity page (located by selecting Scan > Scan Activity on the navigation menu).