Scanner Placement in Your Network
Scan operations are more efficient when scanners have good connectivity to the assets that are scanned and are not obstructed by firewalls, or other devices that impact the flow of the scan data. You can deploy an unlimited number of scanners in your network, but you must have a software license for every JSA managed host that you deploy as a scanner.
Consider the following factors before you place scanners in your network:
Avoid scanning assets through firewalls for the following reasons:
Firewalls slows the scan, and block some ports that are required to complete the scan.
When you scan assets through a firewall, events are created in JSA and the EPS numbers (events per second) are increased, which can impact your EPS license.
Stateful firewalls can cause JSA to create assets erroneously. Stateful firewalls respond to out-of-sequence TCP packets and that can make the scanner think that a host exists.
Do not scan over low-bandwidth WAN connections.
If the ping time from the scanner to the asset is over 40 ms, place the scanner closer to the asset.
Don't scan through a load balancer because it's more difficult for the scanner to manage the scan when the network traffic is load balanced to different servers.
Avoid configuring your scanner to scan IP address ranges that you know are not used. During the discovery phase of a scan, it takes longer for a scanner to determine that an IP address is not in use than it does to determine whether an IP address is active.
Deploy more scanners rather than run several concurrent scans from the same scanner. As you add more concurrent scans to the same scanner, resources become stretched and each scan takes much longer.