Jun 1, 2023

Running Scans with Atlas Discovery

Running Scans with Atlas Discovery

Atlas Discovery allows you to run both external and internal network scans to populate your Certificate inventory and dashboard. These scans, once configured, run automatically and then every 24 hours thereafter. External scans can be configured to include subdomains, internal scans require the download of an agent.

The status of the scan and when it was last run are also displayed on this page. Note that internal scan statuses will remain “not started” until the agent is properly downloaded and activated.

Here’s what you can do with scan profiles:

• A scan profile can take up to 5 separate targets. Enter an FQDN or IPv4 address or range into the scan target field.
• Even though scans run every 24 hours, you can choose to run the scan at any time by clicking the “Run” action button for that scan.
• Once a scan profile is created, you can make changes to the profile or delete it.

External Scans

External network scans allow users to scan specific domains and subdomains to detect, observe, and manage TLS Certificates. Enter a FQDN or public IPv4 address or range into a target field to enable scanning of that domain or web server.

Note that for subdomains, the current implementation looks at the top 200 most commonly used subdomains. We are planning to expand this in future releases.

1. In Atlas, navigate to Discovery and then to the Scan Profiles page. Click to create a new scan profile.
2. Name the profile and choose the “external” scan profile type.
3. Enter the domain name or a public IPv4 address or range. Toggle to include subdomains of this domain if you wish.
4. Set the port that you want to scan. The default is port 443. You can only enter one port per target.
5. Save your changes, and then the scan job will begin. It may take several minutes for your inventory or dashboard to populate with the results.

Internal Scans

Internal network scans allow users to scan network ports to detect, observe, and manage TLS certificates by a chosen IPv4 address or range. For the internal scan to successfully run, you need to create an agent, which is a lightweight network utility that will monitor your internal network and send the results to Atlas Discovery.

Agents are available for Windows, Linux, and Darwin (macOS). The Windows agent is codesigned with a GlobalSign Codesigning Certificate.
 

1. In Atlas, navigate to Discovery and then to the Scan Profiles page. Click to create a new scan profile.
2. Name the profile and choose the “agent” scan profile type.
3. Enter the domain name, private IPv4 address, or range.
4. Set the port that you want to scan. The default port is 443. You can only enter one port per target.
5. Save the profile. The page will reveal further onscreen instructions.
6. Choose your operating system, and then download the agent.
7. Open a command line in the directory where the agent was installed. Don't try to open the agent itself; nothing will happen.
8. Copy the provided token from Atlas Discovery and paste it into the command line to activate the agent. The agent is defaulted to run every 24 hours, but you can adjust this by modifying the “-frequency” parameter. You can also add the “-verbose” parameter, which will display polling information from the agent.
9. Close the scan configuration window in Atlas Discovery.

For Linux and Darwin implementations, change the agent's executable permissions using the command chmod a+x.

To run the agent for Darwin implementations,

1. On the security pop-up, click Cancel.
2. Go to the System Preferences > Security & Privacy > General tab. Click “Allow Anyway” where it says that the app was blocked.
3. Run the agent again, and on the next pop-up, click Open.
    

The activation token is good for one year. If you lose it and need to reactivate the agent, you can get a new token by clicking the “Reset Token” button in the scan configuration screen. 

What is the IP address for the internal scanning agent?

Atlas Discovery has a downloadable agent through which you can send discovered internal Certificates to your Discovery inventory. The Windows version of the agent has been codesigned with a GlobalSign Certificate.

To send Certificates to Atlas Discovery, the agent consumes public APIs hosted on the AWS API Gateway. In most implementations, the agent will work simply by downloading and activating it via the portal instructions. In some implementations, however, the public IP address needs to be allowlisted prior to agent activation. This list contains a list of possible IP Address ranges into which the external IP can fall. You will have to allow all of them in order for the agent to communicate with Atlas. We will deploy a change in a future release that will eliminate the need for this list.