Compliance Profile: Additional Options

Additional options affect how the service performs host discovery and how the service interacts with your firewall/IDS configuration. The initial settings are best practice in most cases. These settings should be customized only under special circumstances. These options appear on the Additional tab when you create or edit a compliance option profile.

Additional Options: Host Discovery | Blocked Resources | Packet Options


Host Discovery

Specify which probes are sent and which ports are scanned during host discovery. This option affects scan tasks. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are "alive".

If you change the default settings, the service may not detect all live hosts, and hosts that go undetected cannot be scanned. These settings should be customized only under special circumstances: for example, to add ports that are not included in the Standard port list, to remove probes that would trigger your firewall/IDS, or to discover only live hosts that respond to an ICMP ping.

TCP Ports. Select which TCP ports are scanned during host discovery. Specify up to 20 TCP ports to be scanned. Your options are: Standard Scan and Additional. To see a list of the ports included in a standard scan, click View list next to Standard Scan. To specify additional ports, select the Additional check box and enter the port numbers in the field provided. (Initial Setting: TCP Ports - Standard Scan)

UDP Ports. Select which UDP ports are scanned during host discovery. Specify up to 6 UDP ports to be scanned. Your options are: Standard Scan and Custom. To see a list of the ports included in a standard scan, click View list next to Standard Scan. To specify a custom port list, click Custom and then select the port numbers from the list provided. (Initial Setting: UDP Ports - Standard Scan)

ICMP. Select to send ICMP messages during host discovery. (Initial Setting: Enabled)


Blocked Resources

Specify ports that are blocked and IP addresses that are protected by your firewall/IDS. If the scanning process triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for compliance data. Therefore, we need to know which IPs you have protected and which ports are blocked. This will help us prevent triggering your IDS.

Optionally, if you don't want a host to be scanned at all, then add the host's IP address to the excluded hosts list. No scanning traffic, including ICMP, TCP and UDP probes, will be sent to excluded hosts. See Excluding Hosts for more information.

Another method for allowing our scanning engine to probe your network without triggering your firewall/IDS is to add our scanner IP addresses to your firewall/IDS configuration. This list of friendly IPs is commonly known as a white list or exception list. For example, if you are using WatchGuard, add our scanner IP addresses to the "Blocked Sites Exception" list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list. You can view a current list of IP addresses for the service's external scanners on the About page (Help > About).

Note that the "WatchGuard default blocked ports" option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list. (Initial Setting: Disabled)


Packet Options

Ignore RST packets. Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP Reset packets using the host's IP address.

When enabled, all TCP Reset packets are ignored for scan tasks and TCP Reset packets generated by one or more filtering devices are ignored for map tasks. In other words, hosts will not be detected as being "alive" if the only responses from them are TCP Reset packets that seem to have originated from a filtering device. (Initial Setting: Disabled)

Ignore firewall-generated SYN-ACK packets. Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP SYN-ACK packets using the host's IP address.

When enabled, the service attempts to determine if TCP SYN-ACK packets are generated by a filtering device and ignores all SYN-ACK packets that appear to originate from such devices. (Initial Setting: Disabled)

Do not send ACK or SYN-ACK packets during host discovery. Some firewalls are configured to log an event when out-of-state TCP packets are received. Out-of-state TCP packets are TCP packets other than SYN that do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, you can enable this option to stop the service from sending out-of-state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and also enable the "Perform 3-way handshake" option on the Scan tab, the "Perform 3-way handshake" option takes precedence and this option is ignored. (Initial Setting: Disabled)
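The following Python example is added here to illustrate the host-discovery logic described under Host Discovery and the effect of the two "Ignore ..." packet options above; it is not code from the product or its documentation. The page states that the service probes each host with ICMP, TCP and UDP and decides from the replies whether the host is "alive", and that a filtering device can make a dead host look alive by sending TCP RST or SYN-ACK packets with the host's address. The page does not say how the service recognises a filter-generated SYN-ACK, so the TTL-baseline and blanket-answer heuristics below are assumptions, as are all response records, addresses and port lists, which are constructed sample data.

```python
"""Added example (not from the product documentation): how the Packet
Options change a host-discovery "alive" decision over constructed replies.

The recognition of filter-generated SYN-ACKs is an assumed heuristic,
not the service's actual method.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Response:
    src_ip: str                  # address the reply claims to come from
    kind: str                    # "icmp-echo-reply", "udp-reply", "tcp-rst", "tcp-syn-ack"
    ttl: int                     # IP TTL observed on the reply
    port: Optional[int] = None   # TCP port the reply refers to, if any


@dataclass(frozen=True)
class PacketOptions:
    ignore_rst: bool = False         # "Ignore RST packets" (Initial Setting: Disabled)
    ignore_fw_syn_ack: bool = False  # "Ignore firewall-generated SYN-ACK packets" (Initial Setting: Disabled)


NON_TCP_KINDS = ("icmp-echo-reply", "udp-reply")


def syn_ack_looks_filter_generated(resp: Response, responses: List[Response],
                                   probed_tcp_ports: List[int]) -> bool:
    """Assumed heuristic (not the service's method) for a spoofed SYN-ACK.

    1. If the host also answered ICMP or UDP, those replies give a TTL
       baseline; a SYN-ACK more than one hop off that baseline is treated
       as injected by an in-path device.
    2. With no baseline, a SYN-ACK for every probed port (a blanket answer,
       as from a device that fakes an open port everywhere) is treated as
       filter-generated.
    """
    baseline = [r.ttl for r in responses if r.kind in NON_TCP_KINDS]
    if baseline:
        return all(abs(resp.ttl - t) > 1 for t in baseline)
    answered = {r.port for r in responses if r.kind == "tcp-syn-ack"}
    return len(probed_tcp_ports) > 1 and set(probed_tcp_ports) <= answered


def counted_responses(responses: List[Response], probed_tcp_ports: List[int],
                      opts: PacketOptions) -> List[Response]:
    """Replies that still count as evidence of life for a scan task."""
    kept = []
    for r in responses:
        if r.kind == "tcp-rst" and opts.ignore_rst:
            continue  # scan tasks: every RST is ignored when the option is on
        if (r.kind == "tcp-syn-ack" and opts.ignore_fw_syn_ack
                and syn_ack_looks_filter_generated(r, responses, probed_tcp_ports)):
            continue  # SYN-ACK judged to come from a filtering device
        kept.append(r)
    return kept


def is_alive(responses: List[Response], probed_tcp_ports: List[int],
             opts: PacketOptions) -> bool:
    """A host is "alive" if at least one reply survives the option filters."""
    return bool(counted_responses(responses, probed_tcp_ports, opts))


# Constructed scenarios (sample data, not captured traffic).
PROBED_TCP = [22, 80, 443]

# A dead host whose firewall answers every SYN with a spoofed RST.
RST_ONLY = [Response("192.0.2.10", "tcp-rst", 60, p) for p in PROBED_TCP]

# A dead host whose firewall answers every SYN with a spoofed SYN-ACK.
BLANKET_SYN_ACK = [Response("192.0.2.11", "tcp-syn-ack", 60, p) for p in PROBED_TCP]

# A live host: ICMP reply and a genuine SYN-ACK on 443 at the same hop
# distance, plus a SYN-ACK on 80 injected by a device two hops closer.
LIVE_MIXED = [
    Response("192.0.2.12", "icmp-echo-reply", 54),
    Response("192.0.2.12", "tcp-syn-ack", 54, 443),
    Response("192.0.2.12", "tcp-syn-ack", 56, 80),
]

if __name__ == "__main__":
    defaults = PacketOptions()
    both = PacketOptions(ignore_rst=True, ignore_fw_syn_ack=True)
    for name, rs in (("RST_ONLY", RST_ONLY), ("BLANKET_SYN_ACK", BLANKET_SYN_ACK),
                     ("LIVE_MIXED", LIVE_MIXED)):
        print(f"{name:16} defaults={is_alive(rs, PROBED_TCP, defaults)!s:5} "
              f"both options={is_alive(rs, PROBED_TCP, both)}")
```

With the initial settings, both dead hosts are reported alive on the strength of the spoofed replies; with the two options enabled they drop out, while the live host is still detected because its ICMP reply and the SYN-ACK that matches the baseline hop distance survive. This is the trade-off the page describes: the options remove false "alive" results caused by filtering devices, but a host whose only real reply is a RST would also go undetected when "Ignore RST packets" is on.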


Related Reading

Compliance Profile: Scan Options

Managing Compliance Profiles