Configuring discovery settings

You can configure Discovery settings by using the Discovery Settings page.

Related topics

To configure Discovery settings

From the main menu, click the Administration icon. The Administration page opens.
In the Discovery section, click an icon corresponding to the settings you want to configure.

The following icons are described in more in-depth topics:

- Platforms - see Managing the discovery platform scripts
- SNMP Devices - see Supported SNMP devices
- Storage Devices - see Viewing storage
- Sensitive Data Filters - see Masking sensitive data
- Event Sources - see Event driven model updates
Make any required changes to the settings on the page and click Apply.
To cancel any of your changes, click Reset To Defaults.

Ports

This section contains settings related to the ports that BMC Helix Discovery uses.

Field Name	Details
TCP ports to use for initial scan	Enter the TCP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid. The default is to use ports 21, 22, 23, 80, 135, 443, 513, 902, 3940, 5988 and 5989. See the notes about Order of operations and TCP and UDP ports to use for initial scan. Older versions included port 514, which can now be removed from upgraded systems.
UDP ports to use for initial scan	Enter the UDP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid. The default is port 161. See the notes about Order of operations and TCP and UDP ports to use for initial scan.
SSH ports	The default is port 22. Enter any custom ports to scan in a comma-separated list in the Change To column.
RLogin ports	Only the default port 513 is supported so must be empty or 513.
Windows ports	Only the default port 135 is supported so must be empty or 135.
Telnet ports	The default is port 23. Enter any custom ports to scan in a comma-separated list in the Change To column.
FTP ports	The default is port 21. Enter any custom ports to scan in a comma-separated list in the Change To column.
SNMP ports	The default is port 161. Enter any custom ports to scan in a comma-separated list in the Change To column.
HTTP ports	The default is port 80. Enter any custom ports to scan in a comma-separated list in the Change To column.
HTTPS ports	The default is port 443. Enter any custom ports to scan in a comma-separated list in the Change To column.
VMware Authentication Daemon ports	Only the default port 902 is supported so must be empty or 902.
Mainframe z/OS Agent ports	The default is port 3940. Enter any custom ports to scan in a comma-separated list in the Change To column.
WBEM HTTP ports	The default is port 5988. Enter any custom ports to scan in a comma-separated list in the Change To column.
WBEM HTTPS ports	The default is port 5989. Enter any custom ports to scan in a comma-separated list in the Change To column.
PowerShell HTTP ports	The default is port 5985. Enter any custom ports to scan in a comma-separated list in the Change To column.
PowerShell HTTPS ports	The default is port 5986. Enter any custom ports to scan in a comma-separated list in the Change To column.
Valid Port States	When nmap runs port scans, it returns a result of open, closed, or filtered. Using the check boxes, you can choose which states are valid to investigate further. • open\|filtered—Discover a device that should be accessible but is not. It might be open or filtered. • filtered—This port is open, but you still cannot connect to it. It must be filtered. A port for which a result of open is returned is always considered valid.
Check port 135 before using Windows access methods	On Windows computers, port 135 is usually open. Selecting Yes for this option means that nmap checks whether port 135 is open before a Windows proxy is used to discover an IP device. The default is open. In firewalled environments where a ping might be filtered by a firewall but the Windows proxy might be able to connect to the target (for example, it is part of the same Workgroup), select No.

Device identification

This section contains settings related to the methods that discovery uses to identify devices.

Field Name	Details
Use last login method	Discovery uses the discovery method recorded as having been used successfully for an IP address.
Use SNMP SysDescr to identify OS	Discovery attempts to query the host's SNMP service for the SysDescr value to determine the OS.
Always try "public" SNMP community when using SNMP to identify OS	Discovery attempts to use the public SNMP community to query the host's SNMP service if no credential is available for that host. In this case, only device classification is possible.
Use Mainframe z/OS Agent to identify mainframes	Discovery attempts to connect to the z/OS Agent to determine whether the discovery target is a mainframe computer.
Use Telnet banner to identify OS	Discovery makes a Telnet connection to a host and uses the Telnet "welcome" banner to determine host and OS information.
Use HTTP(S) HEAD request to identify OS	Discovery attempts to connect to port 80 or 443 of the host and perform an HTTP or HTTPS HEAD request to determine the host and OS.
Use FTP banner to identify OS	Discovery starts an FTP session with the host and uses the FTP "welcome" banner to determine host and OS information.
Use vSphere API to identify OS	Discovery makes a TCP connection to examine the header and ensure that the VMware authentication daemon is really on port 902 (or the specified port). When confirmed, Discovery makes a webservices request. This type of request requires an open VMware authentication daemon and HTTPS port, and a valid vSphere credential.
Use WBEM queries to identify Storage devices	Discovery attempts WBEM queries to determine whether the discovery target is a storage device.
Use Web API queries to identify devices	Discovery attempts Web API queries to try and determine the type of device.
Use REST API queries to identify devices	Discovery attempts WBEM queries to try and determine the type of device.
Use IP Fingerprinting to identify OS	This option controls whether discovery will use IP fingerprinting to determine the OS if previous methods have been unsuccessful. You can configure the network ports scanned during this phase of discovery. The process of IP fingerprinting can cause instability in some legacy systems and might trigger intrusion detection systems. This option is enabled by default.
Use open ports to identify OS	This option controls whether open ports are used to identify the OS.

Discovery Sessions

This section contains settings related to the way in which discovery uses sessions to log in and run commands.

Field Name	Details
Session line delay	A delay of 10 ms is introduced between each line sent by Discovery. This avoids problems where remote shells are unable to cope with rapid command sequences. Select one of the following from the list: 1, 2, 5, 10 (the default), 15, 20, 25, 50, 100 milliseconds.
Session login timeout	The length of time for the discovery script to wait for a login prompt. If the timeout is exceeded, the attempt is abandoned. • Use the default timeout. • 10, 20, 30, 60, 90, 120, or 180 seconds.
Maximum search window size	The amount of data to examine when detecting the shell command prompt. The default value is 512 bytes. Warning: Changing the default value may cause significant degradation of appliance performance. Do not change this value unless directed by Customer Support.
Authorised prompt	Certain systems require an authorization step after login. At the command line, you are prompted to enter session details. The required response is usually a user name and some other information. In the Authorised Prompt field, enter the text of the prompt.
Authorised response	Where an Authorised Prompt has been entered, you must enter the expected response (that you would enter at the command line) in the Authorised Response field.

Scanning

This section contains settings related to any scanning that discovery undertakes.

Field Name	Details
Ping before scanning	If this option is disabled, then all hosts are discovered, but the discovery of empty IP address ranges will be slower. The default is to allow discovery to ping the host first. If you enable this option, Discovery pings hosts before it starts a scan. Discovery will scan more quickly on empty IP address ranges, although hosts might be missed if there are firewalls configured to reject pings. In this situation, specify IP address ranges behind firewalls that you do not want to ping. See the Exclude ranges from the ping option. This option affects scanning only on networks other than the one on which the appliance is physically located. If you are using ICMP filtering, set this option to No. See the note about Order of operations.
Use TCP ACK 'ping' before scanning	Ping addresses with TCP ACK packets to determine which hosts are actually up. Use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list. This option is available only if the Ping hosts before the scanning option is set to Yes. • See the note about Order of operations. If Use TCP ACK ping before scanning in your discovery settings is set to Yes, BMC Discovery might report a device that does not exist on the network, rather than dark space (NoResponse) under the following conditions: • BMC Discovery pings an IP address for which there is no device, and • A firewall in your environment is configured to respond to that IP address To avoid this issue, we recommend that you either alter such firewall configurations or not enable TCP ACK ping.
Use TCP SYN 'ping' before scanning	Ping addresses with TCP SYN packets to determine which hosts are actually up. Use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list. This option is available only if the Ping hosts before the scanning option is set to Yes. • TCP SYN pings are likely to trigger IDS and firewall blocks because they are often regarded as ping floods. • See the note about Order of operations. If Use TCP SYN ping before scanning in your discovery settings is set to Yes, BMC Discovery may report a device that does not exist on the network rather than dark space (NoResponse) under the following conditions: • BMC Discovery pings an IP address where there is no device • A firewall in your environment is configured to respond for that IP address To avoid this issue, we recommend that you either alter such firewall configurations or not enable TCP SYN ping.
Exclude ranges from ping	Enter a list of IP addresses or IP address ranges that you do not want to ping. For example, you might want to scan IP addresses that are behind a firewall that blocks ICMP packets. If BMC Discovery pings an IP address and receives no response, it makes no further attempt to scan that IP address. Excluding a range from pinging enables you to scan IP addresses behind such firewalls. This option affects scanning only of networks other than the one on which the appliance is physically located.
Scan retries	Number of retries to be attempted on each host. The system will retry only for machines on which the OS cannot be determined. The Scan retries and Default OS options work together in sequence to help locate host machines.
Scan timeout	Timeout (in minutes) that applies when BMC Discovery uses nmap to determine open ports or performs OS fingerprinting. Scan timeout is not used to limit the time to scan devices. See also the credential timeout for the sessions.
Minimum time before end of window to avoid starting new scheduled discovery operations	A discovery run can take some time to complete. If it is started too close to the end of a Discovery window, it does not finish before the end of the window. To prevent this issue, you can specify a period in which discovery runs are not started. The default is 30 minutes, meaning that no discovery runs are started within 30 minutes of the end of a discovery window. Select the period from the following values in the list: 5, 10, 15, 20, 25, 30, 35, 40, and 45 minutes.
Discover Desktop Hosts	Use this option to permit or prevent the discovery of desktop hosts. The default is No; that is, do not discover desktop hosts. When this option is set to No, if a Windows or Mac OS host is determined to be the desktop, the host is skipped. An SMB query is used to determine whether the endpoint is a Windows desktop. See Dark space scans for more information. When a host is skipped, the device_type attribute on the Device Info node is set to Desktop, no inferred host is created, and the corresponding DiscoveryAccess result is shown as "Skipped (Desktop host discovery has been disabled)."
Attempt to detect desktops during prescan	Use this option to attempt to detect which devices are desktop hosts during the prescan part of the discovery operation. The default is Yes; that is, do detect desktop hosts during the prescan.
Discover neighbor information when scanning network devices	Causes discovery to retrieve MAC and port information from neighboring scanned network devices. The default is Yes. Select No only if you do not want to collect any edge connectivity information.
Restore Scan Status	If enabled, scanning is enabled and you have a vault with either no passphrase or a saved passphrase the system will restart scanning when services are restarted. In all other cases restarting services will result in scanning being disabled.
Detect Cloud based Hosts	If enabled, the default setting in the add new discovery run dialog is to detect cloud based hosts. Select No for the default setting to be do not discover cloud based hosts.

Other Settings

This section contains other discovery settings.

Field Name	Details
Recording mode	Record and playback modes are intended for diagnostic support and testing. Select one of the following discovery modes from the list: • Off—The normal type of discovery in which the appliance scans IP address ranges on the network, runs scripts on targets, and uses Reasoning to process the results. In this mode, pool data is not created. This mode is the default. • Record—Record mode is the same as Normal mode, but in addition, the raw discovered data is stored on the appliance so that it can be used in Playback mode. In this mode, pool data is created in addition to record data. Creating record and pool data imposes considerable overhead on the system and is rarely needed. • Playback—In Playback mode, data that has been recorded in Record mode is used to replay discovery. In this mode, Discovery does not scan any targets on the network.
Maximum concurrent discovery requests per engine	Specifies the maximum number of concurrent discovery requests permitted per processing engine. The maximum value and available range of settings are calculated for optimum performance depending on the appliance. Values shown in the list depend on the number of processing engines. The base values in the list are 30 (default), 60, 90, 120, and 150. The values shown are the base values multiplied by the number of processing engines. If you change this option, you must restart scanning for the changes to take effect. Leave this setting at its default unless you have many discovery commands timing out. As a general rule, for more discovery requests permitted concurrently, you increase network traffic, and the absolute time for discovering a single host increases. However, total throughput might be improved with the interleaving of discovery processing.
Trade discovery performance with interactivity	Scanning IP addresses, consolidation, and manual pattern execution can place a heavy load on the system. During such times, the UI can become unresponsive. You can choose to delay these tasks to provide additional resources for the UI. Doing so provides better interactivity with the system, but at a cost in raw discovery performance. You can choose from the following options: • Prefer discovery—The default and the behavior of previous versions of BMC Helix Discovery. • Balance both • Prefer interactivity If you change this option, you must restart scanning for the changes to take effect.
Enable Automatic Grouping	Automatic grouping is the automatic grouping of hosts into logical groups called Automatic Groups. This is primarily intended to help in baselining. By default, it is enabled. Select this option to enable Automatic Grouping. Disabling Automatic Grouping might improve scanning performance.
Enable Restricted Organizations	Specifies if you want to enable (Yes) or disable (No) the option to restrict an Outpost to specific organizations for a discovery run. The default is No (disabled). An organization is configured in BMC Helix Portal. A BMC Helix Discovery user can be a member of one or more organizations. For every Outpost installed for an instance, you can restrict its use to members of one or more organizations. For more information, see Outposts restricted by organizations. If you configure the parameter to Yes, the Add a New Run dialog displays an additional list, Restrict by Organization. The options in this list are limited to the organizations of which the logged-in user is a member. The scope via list displays only those Outposts that are linked to one or more organizations of which the logged-in user is a member. If you configure the parameter to No, the Add a New Run dialog does not display the Restrict by Organization list. The scope via list displays the available Outposts for the instance. Important After you set this option to Yes and restrict one or more Outposts to multiple organizations, if you want to revert to disabling this option, you must first set all Outposts to unrestricted, and then disable this option.

Implicit Scans

This section contains settings related to implicit scans

Field Name	Details
Maximum concurrent requests against vCenter	The maximum number of concurrent requests that will be made against individual vCenter servers. Select the maximum number from the following values in the list: 1, 3, 5,7, 10, 15, 20 (the default), 25, and 30.
VMware Guest Scanning	If enabled, the default setting in the add new discovery run dialog is to discover guest hosts that are managed by vCenter. Select No for the default setting to be do not discover VMware guest hosts.
Maximum number of AWS Systems Manager Session requests	Maximum number of concurrently active AWS Systems Manager Sessions permitted each second, for each account, for each region. AWS imposes a limit on this, and if you raise the value, you might encounter dropped connections and reduced performance.
Maximum concurrently active AWS Systems Manager Sessions	Maximum number of concurrently active AWS Systems Manager Sessions, for each account, for each region. AWS imposes a limit on this, and if you raise the value, you might encounter dropped connections and reduced performance.
Minimum AWS SSM Agent version (for Windows Powershell scans only)	Specify the minimum AWS SSM Agent version to use when scanning using Windows Powershell. Enter the minimum version number. The default is 3.1.1188.0.
Maximum concurrently active Google Identity-Aware Proxy Sessions	Maximum number of concurrently active Google Identity-Aware Proxy Sessions permitted. The default is 50.

Scanning and data processing levels

The Discovery Engine and the Reasoning Engine (collectively the discovery process) cooperate to:

Scan selected ranges
Process data
Create a detailed data model

The data model defines all discovered objects and the relationships between them and is defined in the system taxonomy.

The processing that the discovery process uses to create this complex, detailed, and interrelated data model is considerable. You can control the level of processing used, and consequently the accuracy, complexity, and detail in the data model, giving performance benefits at the cost of model accuracy. You might find that by reducing the level of processing used, you speed the rollout of BMC Discovery throughout your organization.

The following levels are available:

Sweep Scan—Performs a sweep scan, trying to determine what is at each endpoint in the scan range. Sweep scan attempts to log in to a device to determine the device type.
Full Discovery—Retrieves all the default information for hosts, and complete full inference.

Order of operations

Where selected, these groups of operations are carried out in the following order:

Ping hosts before scanning
Use TCP ACK "ping" before scanning
Use TCP SYN "ping" before scanning
TCP ports to use for initial scan
UDP ports to use for initial scan
Use IP Fingerprinting to Identify OS

TCP and UDP ports to use for initial scan

The initial port scan is an important part of discovery. If you remove a port from the initial port scan, that port is effectively removed from discovery. For example, if you remove port 22, you will effectively disable SSH access.

The Use Last Login settings override any settings made in ports for use for initial scan. For example, if you disable port 23 using this feature, but a host has previously been discovered using Telnet, this host is still discovered using Telnet, because it is listed as the last login for the host.