Tideway Community Forum

Administration Options for port scans
Posted: 10 October 2008 09:38 AM
Newbie
Total Posts: 23
Joined 2008-02-25

How does the Administration -> Options: “Ports to use for initial scan” field correlate to the Administration -> Port Scan Settings list of ports?

I have an appliance that has all the default ports enabled under Administration -> Port Scan Settings, however under Administration -> Options the “Ports to use for initial scan” has been changed from the default and the number of ports reduced.

Does one override the other?

What happens in this case if you enable more ports under Administration -> Port Scan Settings but don’t change the Administration -> Options: “Ports to use for initial scan” field?

 Signature 

Nik Dimmock
Consultant
Mibtree Ltd
http://www.mibtree.com

Posted: 10 October 2008 04:57 PM   [ # 1 ]
Administrator
Total Posts: 132
Joined 2008-01-25

The “Ports to use for initial scan” setting is the list that we will probe to see if they are open for our initial scan.

When we initially scan an endpoint the intent is to see which of the ports we could use to connect to the device are open, so we list things like 22(ssh), 23(telnet), 135(MicrosoftRPC).

We then use this to look up which credentials we have for those protocols and that endpoint to try and connect.

If we cannot connect then we fall back to trying to find as much out about the device as possible by other means. One of these things is to try and identify the TCP/IP stack to try and determine what operating system it might be. The “Port Scan Settings” page is the list of ports that we are allowed to scan when we do this.

The two settings do interact in that if you were to remove 23(telnet) from the “Port Scan Settings” page but left it in the “Ports to use for initial scan” setting then we wouldn’t connect.

If you remove ports from the “Ports to use for initial scan” setting then the system will not check them and will not use any related techniques. So if you remove 22(ssh) the system will not do any discovery via ssh.

You may wonder why port 80(http) is in the “Ports to use for initial scan” list. If you look elsewhere on that page you will see that we use both 80(http) and 23(telnet) to gain information about the system from the HEAD/Banner if we cannot connect.

Unless there is a strong reason to alter these settings you should leave them at their default.

Posted: 13 October 2008 08:33 AM   [ # 2 ]
Newbie
Total Posts: 23
Joined 2008-02-25

Charles,

Many thanks for the explanation. Can I just clarify one of the items in your post?

You mention that the “Ports to use for initial scan” setting is the list that we will probe to see if they are open for our initial scan. We then use this to look up which credentials we have for those protocols and that endpoint to try and connect. If we cannot connect then you use the “Port Scan Settings” to identify the TCP/IP stack.

You then go on to say that the two settings do interact in that if you were to remove 23(telnet) from the “Port Scan Settings” page but left it in the “Ports to use for initial scan” setting then we wouldn’t connect.

Surely, if it is listed in the “Ports to use for initial scan” which is then used to look up credentials for that protocol to try and connect – it should only matter if it’s been removed from the “Port Scan Settings” page if login fails and it tries to identify the host via other methods?

Or have I just completely misinterpreted that? :-)

 Signature 

Nik Dimmock
Consultant
Mibtree Ltd
http://www.mibtree.com

Posted: 13 October 2008 08:48 AM   [ # 3 ]
Administrator
Total Posts: 132
Joined 2008-01-25

Nik

If you tell the system not to scan port 23 in the “Port scan settings” page it will not scan that port in either the restricted initial scan or the fallback IP stack scans. Regard the initial scan settings as a subset of the main port scan settings.

As I said before there should be no need to alter these settings as they are already at the minimum needed for effective operation of Foundation.

Posted: 13 October 2008 08:57 AM   [ # 4 ]
Newbie
Total Posts: 23
Joined 2008-02-25

Many thanks for clearing that up.

Main reason for asking is that the site I’m on has amended the “Ports for Initial Scan” setting from the default but not altered the “Port Scan Settings” page, and I just wanted to make sure that it was working how they expected it to.

Rgds

 Signature 

Nik Dimmock
Consultant
Mibtree Ltd
http://www.mibtree.com

Posted: 13 October 2008 09:01 AM   [ # 5 ]
Administrator
Total Posts: 132
Joined 2008-01-25

I’m curious to know which ports they removed and why if you have a moment.

Posted: 13 October 2008 10:06 AM   [ # 6 ]
Newbie
Total Posts: 23
Joined 2008-02-25

The port they have removed from the “Ports for initial scan” option is port 80.

This was apparently done to pass internal security requirements. I’m awaiting further information from them. Will post here when available.

 Signature 

Nik Dimmock
Consultant
Mibtree Ltd
http://www.mibtree.com
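
The interaction between the two settings described in the replies above, as an added example that is not part of the original thread and is not Tideway's code: a Python model that treats the initial scan list as a subset of the Port Scan Settings list and reports which techniques each configuration loses. The function and dictionary names are hypothetical, the port lists are constructed samples rather than the appliance defaults, and only the ports named in the thread are mapped to techniques.

```python
# Added illustration: models the behaviour described in the thread.
# Names and sample port lists are hypothetical/constructed, not Tideway defaults.
LOGIN_METHODS = {22: "ssh", 23: "telnet", 135: "Microsoft RPC"}
BANNER_SOURCES = {80: "http HEAD", 23: "telnet banner"}


def effective_scan_plan(initial_scan_ports, port_scan_settings):
    """Return what a scan may do given both settings, per the replies above."""
    initial = set(initial_scan_ports)
    allowed = set(port_scan_settings)
    # Reply #3: regard the initial scan list as a subset of Port Scan Settings,
    # so a port must appear in both lists to be probed in the initial scan.
    probed = initial & allowed
    techniques = [(port, name)
                  for table in (LOGIN_METHODS, BANNER_SOURCES)
                  for port, name in table.items()]
    return {
        "initial_probe": sorted(probed),
        "listed_but_not_scanned": sorted(initial - allowed),
        "login_methods": sorted(n for p, n in LOGIN_METHODS.items() if p in probed),
        "banner_sources": sorted(n for p, n in BANNER_SOURCES.items() if p in probed),
        "lost_techniques": sorted(n for p, n in techniques if p not in probed),
        # The fallback TCP/IP stack identification is limited to the allowed list.
        "fallback_stack_scan": sorted(allowed),
    }


SAMPLE_PORT_SCAN_SETTINGS = [22, 23, 80, 135, 443]  # constructed sample


def site_case():
    """The site in the thread: port 80 removed from the initial scan list only."""
    return effective_scan_plan([22, 23, 135], SAMPLE_PORT_SCAN_SETTINGS)


def telnet_case():
    """Reply #1's example: 23 removed from Port Scan Settings but still listed."""
    return effective_scan_plan([22, 23, 80, 135], [22, 80, 135, 443])


if __name__ == "__main__":
    for label, plan in (("site", site_case()), ("telnet", telnet_case())):
        print(label)
        for key, value in plan.items():
            print(f"  {key}: {value}")
```
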
