Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


External Scanning FAQs

Scan the assets in your DMZ or network perimeter by using an JSA hosted external scanner. Run uncredentialed scans from outside your network to give you an added defense in protecting your assets from an external attack.

You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact your Juniper Customer Support.

What Information do You Need to Provide?

You must email to Juniper Networks with the following information:

  • Your organization's external IP address.

  • If you use load balancers, you must provide the IP addresses that are used by the load balancers.

  • The IP address range of the assets in your DMZ.


You must have a local installation of JSA Vulnerability Manager.

Does the JSA Team Verify the CIDR Range That is Provided?

The CIDR range is checked and ownership is verified before any scanning starts.

What is the Impact Of the External Scan on Servers Such As Web Servers?

The scan is not intrusive but it places some load on your systems. Run the scan when the servers are not highly active.

Do Your Need to Use an Internal Scanner to Scan the DMZ in Addition to the External Scanner?

Most network attacks come from the outside, so the external scanner targets all external attack surfaces from the perspective of an outsider.

It is good practice to run external scanning and internally-authenticated scanning in your DMZ because firewalls might restrict access to certain vulnerabilities, ports, services, and hosts.

If you use a load balancer for inbound traffic, the external scanner might have access to only one of the servers that are connected to the load balancer. In this case, you might need to configure an access route so that the external scanner can scan all of the servers. Alternatively, you can use an internal scanner to scan these servers in your DMZ.