Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Scan Policies

 

A scan policy provides you with a central location to configure specific scanning requirements.

You can use scan policies to specify scan types, ports to be scanned, vulnerabilities to scan for and scanning tools to use. In JSA Vulnerability Manager, a scan policy is associated with a scan profile and is used to control a vulnerability scan. You use the Scan Policies list on the Details tab of the Scan Profile Configuration page to associate a scan policy with a scan profile.

You can create a new scan policy or copy and modify a pre-configured policy that is distributed with JSA Vulnerability Manager.

Pre-configured Scan Policies

The following pre-configured scan policies are distributed with JSA Vulnerability Manager:

  • Full scan

  • Discovery scan

  • Database scan

  • Patch scan

  • PCI scan

  • Web scan

A description of each pre-configured scan policy is displayed on the Scan Policies page.

Scan Policy Automatic Updates for Critical Vulnerabilities

As part of JSA Vulnerability Manager daily automatic updates, you receive new scan policies for tasks such as detecting zero-day vulnerabilities on your assets.

Use scan policies that are delivered by automatic update to create scan profiles to scan for specific vulnerabilities. To view all scan policies on your system, go to Administrative >Scan Policies on the Vulnerabilities tab.

You must not edit scan policies that are delivered by automatic update as your changes might be overwritten by later updates. You can create a copy and edit it.

If you delete a scan policy that is delivered by automatic update, it can be recovered only by Juniper Customer Support.

Modifying a Pre-configured Scan Policy

In JSA Vulnerability Manager, you can copy a pre-configured scan policy and modify the policy to your exact scanning requirements.

  1. Click the Vulnerabilities tab.
  2. In the navigation pane, select Administrative >Scan Policies.
  3. On the Scan Policies page, click a pre-configured scan policy.
  4. On the toolbar, click Edit.
  5. Click Copy.
  6. In the Copy scan policy window, type a new name in the Name field and click OK.
  7. Click the copy of your scan policy and on the toolbar, click Edit.
  8. In the Description field, type new information about the scan policy.Note

    If you modify the new scan policy, you must update the information in the description.

  9. To modify your scan policy, use the Port Scan, Vulnerabilities, Tool Groups, or Tools tabs.Note

    Depending on the Scan Type that you select, you cannot use all the tabs on the Scan Policy window.

Configuring a Scan Policy

In JSA Vulnerability Manager, you can configure a scan policy to meet any specific requirements for your vulnerability scans. You can copy and rename a preconfigured scan policy or you can add a new scan policy. You can't edit a preconfigured scan policy.

  1. Click the Vulnerabilities tab.
  2. In the navigation pane, select Administrative >Scan Policies.
  3. On the toolbar, click Add.
  4. Type the name and description of your scan policy.

    To configure a scan policy, you must at least configure the mandatory fields in the New Scan Policy window, which are the Name and Description fields.

  5. From the Scan Type list, select the scan type.
  6. To manage and optimize the asset-discovery process, click the Asset Discovery tab.
  7. To manage the ports and protocols that are used for a scan, click the Port Scan tab.
  8. To include specific vulnerabilities in your patch scan policy, click the Vulnerabilities tab.Note

    The Vulnerabilities tab is available only when you select a patch scan.

  9. To include or exclude tool groups from your scan policy, click the Tool Groups tab.Note

    The Tool Groups tab is available only when you select a zero-credentialed or full-scan policy.

  10. To include or exclude tools from a scan policy, click the Tools tab.Note

    The Tools tab is available only when you select a zero-credentialed or full-scan policy.

    Note

    If you do not modify the tools or tool groups, and you select the Full option as your scan type, then all the tools and tool groups that are associated with a full scan are included in your scan policy.

  11. Click Save.