
network-scan start

Function

The network-scan start command starts asset scanning.

The network-scan stop command stops asset scanning.

Format

network-scan start

network-scan stop

Parameters

None

Views

Asset scanning view

Default Level

2: Configuration level

Usage Guidelines

Application Scenarios

When an enterprise has a large number of assets, it takes a long time to manually record assets. The FW provides the proactive scanning function to scan the assets on the network and automatically record the assets in the asset list.

The scanned asset information includes the IP address, MAC address, asset type, operating system, and vendor. The asset information can be modified based on the scanning result, and the asset owner, asset location, and asset group to which the asset belongs can be manually set.

The enterprise network administrator can learn about the assets on the network and configure intrusion prevention functions based on the asset list.

Prerequisites

The target-ip command has been used to set the IP network segment to be scanned.

The asset is online and the FW and asset are reachable.

If a Layer 3 device is deployed between the FW and the assets, the FW cannot obtain the actual MAC addresses of the assets during scanning, because the packets it receives carry the MAC address of the intermediate Layer 3 device rather than that of the asset. In this case, across-Layer-3 MAC identification must be configured before scanning.

Precautions

The asset scanning start/stop operation is a one-time operation; neither command is saved in the configuration file, so a scan is not re-run after a restart.

The FW must use a Layer 3 interface to initiate detection packets on the target network segment for asset scanning. When the FW uses Layer 2 interfaces to transparently access the network, asset scanning cannot be performed through service interfaces.

To simplify configuration, when asset scanning is started the FW automatically generates a security policy named top_netscan_rule whose source security zone is local, destination security zone is any, and action is permit. While the scan runs, this rule permits traffic originated by the FW itself toward any zone. After the scanning is finished, the security policy is automatically deleted.

Do not start the next scan when the current scan task is not complete. You can run the display network-scan state command to check whether scanning is complete.

Follow-Up Task

By default, assets discovered by scanning are placed in the scanResult_ReservedBySystem asset group. After confirming the scanning result, run the parent-group command to move each asset to an appropriate asset group.

If scanning is performed multiple times and the information about an asset changes, the asset record is updated. If the administrator has manually modified an asset's information, the manual modification takes priority by default; that is, subsequent scans will not overwrite the manually modified fields. To allow subsequent scans to update manually modified asset information, run the auto-update enable command to enable the automatic update function.

Example

# Start asset scanning.

<sysname> system-view
[sysname] network-scan
[sysname-network-scan] network-scan start
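# The following is an added worked example that is not part of the original reference page. It walks through one complete scan cycle in the order the Usage Guidelines describe: set the target segment, start the scan, confirm completion, then handle the results. Only the command names network-scan start, network-scan stop, display network-scan state, target-ip, parent-group and auto-update enable are taken from this page; the argument forms shown for target-ip, parent-group and the view in which each follow-up command is entered are assumptions, and the segment 192.168.10.0/24 is a constructed value.

```text
# Added example (not from the original page). Argument forms marked "assumed"
# are not documented on this page; check the corresponding command references.

<sysname> system-view
[sysname] network-scan

# Prerequisite: define the segment to scan (argument form assumed).
# If a Layer 3 device sits between the FW and the assets, configure
# across-Layer-3 MAC identification before this step (command not shown).
[sysname-network-scan] target-ip 192.168.10.0 24

# Start the one-time scan. The FW creates top_netscan_rule (local -> any, permit)
# for the duration of the scan and removes it when the scan ends.
[sysname-network-scan] network-scan start

# Do not start another scan until this one reports completion.
[sysname-network-scan] display network-scan state

# Optional: abort an in-progress scan early. Like start, this is not saved
# to the configuration file.
[sysname-network-scan] network-scan stop

# Follow-up (after confirming results): move an asset out of
# scanResult_ReservedBySystem into its proper group (argument form and
# view assumed), and optionally let later scans overwrite manual edits.
[sysname-network-scan] parent-group Servers-DMZ
[sysname-network-scan] auto-update enable
[sysname-network-scan] quit
[sysname] quit
```

The check after network-scan start is the important step: because start and stop are not persisted, the only record of whether a scan is still running is the output of display network-scan state, and starting a second scan before the first completes is explicitly unsupported.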
Copyright © Huawei Technologies Co., Ltd.