Configuring discovery settings

TCP ports to use for initial scan

Enter the TCP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid.
The default is to use ports: 21, 22, 23, 80, 135, 443, 513, 902 and 3940.
See notes on #Order of Operations and #TCP and UDP ports to use for initial scan below.
Older versions included port 514, which can now be removed from upgraded systems.

UDP ports to use for initial scan

Enter the UDP ports that will be scanned on a first scan. Use this setting to prevent scanning of any ports that you want to avoid. The default is port 161.
See notes on #Order of Operations and #TCP and UDP ports to use for initial scan below.

SSH Ports

The default is port 22. Enter any custom ports to scan in a comma separated list in the Change To column.

RLogin Ports

The default is port 513. Enter any custom ports to scan in a comma separated list in the Change To column.

Windows Ports

The default is port 135. Enter any custom ports to scan in a comma separated list in the Change To column.

Telnet Ports

The default is port 23. Enter any custom ports to scan in a comma separated list in the Change To column.

FTP Ports

The default is port 21. Enter any custom ports to scan in a comma separated list in the Change To column.

SNMP Ports

The default is port 161. Enter any custom ports to scan in a comma separated list in the Change To column.

HTTP Ports

The default is port 80. Enter any custom ports to scan in a comma separated list in the Change To column.

HTTPS Ports

The default is port 443. Enter any custom ports to scan in a comma separated list in the Change To column.

VMware Authentication Daemon Ports

The only supported port is 902. Enter any custom ports to scan in a comma-separated list in the Change To column.

Mainframe Host Server Ports

The default is port 3940. Enter any custom ports to scan in a comma separated list in the Change To column.

Valid Port States

When nmap runs port scans, it returns a result of open, closed or filtered. Using the check boxes you can choose which states are valid to investigate further.
• open|filtered: discover a device that should be accessible but isn't. It might be open, or filtered.
• filtered: this port is open but you still cannot connect to it. It must be filtered.
A port for which a result of open is returned is always considered valid.

Check port 135 before using Windows access methods

Port 135 is usually open on Windows computers. Selecting Yes for this option means that nmap checks whether port 135 is open before a Windows proxy is used to discover an IP device. This is the default.
You should select No in firewalled environments where a ping may be filtered by a firewall, but the Windows proxy may be able to connect to the target (for example, it is part of the same Workgroup).

Use Last Login Method

Discovery uses the discovery method recorded as having been used successfully for an IP address.

Use SNMP SysDescr to Identify OS

Discovery attempts to query the host's SNMP service for the "SysDescr" value to determine the operating system.

Always try public SNMP community

Discovery attempts to use the public SNMP community to query the host's SNMP service if no credential is available for that host. In this case, only device classification is possible.

Use Host Server to Identify Mainframes

Discovery attempts to connect to the host server port to determine whether the discovery target is a mainframe computer.

Use Telnet Banner to Identify OS

Discovery makes a telnet connection to a host and uses the telnet "welcome" banner to determine host and operating system information.

Use HTTP(S) HEAD Request to Identify OS

Discovery attempts to connect to port 80 or 443 of the host and perform an HTTP or HTTPS HEAD request to determine the host and operating system.

Use FTP Banner to Identify OS

Discovery starts an FTP session with the host and use the FTP "welcome" banner to determine host and operating system information.

Use vSphere API to Identify OS

Discovery makes a TCP connection to examine the header and ensure that the VMware authentication deaemon is really on port 902 (or the specified port). When confirmed discovery makes a webservices request. This requires an open VMware Authentication Daemon and HTTPS port, and a valid vSphere credential.

Use IP Fingerprinting to detect OS

This option controls whether or not discovery will use IP fingerprinting to determine the operating system, if the previous methods have been unsuccessful.
The network ports scanned during this phase of discovery can be configured. See Setting Up Ports For OS Fingerprinting.
The process of IP fingerprinting can cause instability in some legacy systems, and may trigger intrusion detection systems. This option is enabled by default.

Use Open Ports to Identify OS

This option controls whether or not open ports are used to identify the operating system.

Session Line Delay

A delay of 10 ms is introduced between each line sent by Discovery. This avoids problems where remote shells are unable to cope with rapid command sequences. Select one of the following from the list:
• 1, 2, 5, 10 (the default), 15, 20, 25, 50, 100 milliseconds.

Session Login Timeout

The length of time for the discovery script to wait for a login prompt. If this is exceeded the attempt is abandoned.
• Use default timeout.
• 10, 20, 30, 60, 90, 120, or 180 seconds.

Maximum search window size

The amount of data to examine when detecting the shell command prompt. The default value is 512 bytes. Changing the default value may cause significant degradation of appliance performance. Do not change this value unless directed by Customer Support.

Authorised Prompt

Certain systems require an authorization step after logging in. At the command line you are prompted to enter session details. The required response is usually a user name, and some other information.
In the Authorised Prompt field, enter the text of the prompt.

Authorised Response

Where an Authorised Prompt has been entered, you must enter the expected response (that you would enter at the command line) in the Authorised Response field.

Authorized Scanning Levels

Select the scanning levels that you want to permit. Choose one or more levels from the following:
• Sweep Scan: Performs a sweep scan, trying to determine what is at each endpoint in the scan range. Discovery attempts to log in to a device to determine the device type. In particular, it executes the getDeviceInfo discovery script on each platform. See Managing the discovery platform scripts for more information about platform scripts.
• Full Discovery: Retrieves all the default information for hosts, and complete full inference.
Scanning levels are described in #Scanning and Data Processing Levels.

Default Scan Level

Select the default scan level for this appliance from the list. The choices available are those selected in the Authorized Scanning Levels row above.

Ping hosts before scanning

If this option is disabled, then all hosts are discovered, but discovery of empty IP ranges will be slower. The default is to allow discovery to ping the host first.
If you enable this option, Discovery pings hosts before it starts a scan. Discovery will scan more quickly on empty IP ranges, although hosts might be missed if there are firewalls configured to reject pings. In this situation you should specify IP ranges behind firewalls that you do not want to ping. See the following Exclude ranges from ping option.
Note that this option only affects scanning of networks other than the one on which the appliance is physically located.
If you are using ICMP filtering, you should set this option to No.
See note on #Order of Operations below.

Use TCP ACK ping before scanning

Ping addresses with TCP ACK packets to determine which hosts are actually up. You should use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list.
This option is only available if the ping hosts before scanning option is set to Yes.
• See note on #Order of Operations below.
If Use TCP ACK ping before scanning in your discovery settings is set to Yes, BMC Atrium Discovery may report a device which does not exist on the network rather than dark space (NoResponse) under the following conditions:
• BMC Atrium Discovery pings an IP address where there is no device, and
• Some firewall in your environment is configured to respond for that IP address
To avoid this, it is recommended to either alter such firewall configurations or not to enable TCP ACK ping.

Use TCP SYN ping before scanning

Ping addresses with TCP SYN packets to determine which hosts are actually up. You should use this option when scanning networks that do not permit ping packets. You can specify multiple ports in a comma-separated list.
This option is only available if the ping hosts before scanning option is set to Yes.
• Note that TCP SYN pings are likely to trigger IDS and firewall blocks as they are often regarded as ping floods.
• Also see note on #Order of Operations below.
If Use TCP SYN ping before scanning in your discovery settings is set to Yes, BMC Atrium Discovery may report a device which does not exist on the network rather than dark space (NoResponse) under the following conditions:
• BMC Atrium Discovery pings an IP address where there is no device, and
• Some firewall in your environment is configured to respond for that IP address
To avoid this, it is recommended to either alter such firewall configurations or not to enable TCP SYN ping.

Exclude ranges from ping

Enter a list of IP addresses or IP ranges that you do not want to ping. For example, you may want to scan IPs which are behind a firewall that blocks ICMP packets. If BMC Atrium Discovery pings an IP address and receives no response, it makes no further attempt to scan that IP address. Excluding a range from pinging enables you to scan IPs behind such firewalls.
Note this option only affects scanning of networks other than the one on which the appliance is physically located.

Scan retries

Number of retries to be attempted on each host. The system will only retry for machines on which the operating system cannot be determined.
The Scan retries and Default OS options work together in sequence to help locate host machines.

Scan timeout

Timeout (in minutes) that applies when BMC Atrium Discovery uses nmap to determine open ports or performs OS fingerprinting. It is not used to limit the time to scan devices. See also the credential timeout for the sessions.

Minimum time before end of window to avoid starting new scheduled discovery operations

A discovery run may take some time to complete. If it is started too close to the end of a Discovery window, it does not complete before the end of the window. To prevent this, you can specify a period in which discovery runs will not be started. The default is 30 minutes, meaning that no discovery runs will be started within 30 minutes of the end of a discovery window. Select the period from the following values in the list:
• 5, 10, 15, 20, 25, 30, 35, 40, and 45 minutes.

Allow scans even if no window defined

Enables you to permit scanning outside permitted discovery windows. The default is no. If you change this option you must restart the tideway service.

Discover neighbor information when scanning network devices

Cause discovery to retrieve MAC and port information from neighboring scanned network devices. The default is Yes. Only select No if you do not want to collect any edge connectivity information.

Timeout to establish a connection

The timeout for establishing a connection to the database. Select the timeout period in seconds from the following values in the list:
• 5, 10, 30 (the default), 60, 90, 120, and 180.

Maximum connections held open

Specifies the number of connections to databases that can be held open after they would otherwise be closed. Higher values can reduce connection delays but will consume extra resources. The default is unlimited. If you change this option you must restart the tideway service. Select the number of connections from the following values in the list:
• 0, 10, 20, 30, 40, 50, and Unlimited.

Maximum time to hold an unused connection open

Specifies the maximum time to hold an unused database connection open. Higher values can reduce connection delays but will consume extra resources. The default is 2 minutes. If you change this option you must restart the tideway service. Select the timeout period in minutes from the following values in the list:
• 2, 4, 6, 8, and 10.

Timeout to establish a connection

The timeout for establishing a connection to the database. Select the timeout period in seconds from the following values in the list:
• 30, 60, 90, 120 (the default), 180, and 300.

Recording Mode

Record and playback modes are intended for diagnostic support and testing. Select the discovery mode from the list, it may be one of the following:
• Off: the normal type of discovery in which the appliance scans IP ranges on the network, runs scripts on targets, and uses Reasoning to processes the results. In this mode, pool data is not created. This is the default.
• Record: record mode is the same as Normal mode but in addition, the raw discovered data is stored on the appliance so that it can be used in Playback mode. In this mode pool data is created in addition to record data. Creating record and pool data imposes considerable overhead on the system and is rarely needed.
• Playback: in Playback mode, data that has been recorded in Record mode is used to replay discovery. In this mode, Discovery does not scan any targets on the network.

Number of processing engines

The number of processing engines used. The maximum is based on the number of CPUs. On a four CPU computer, the settings available are 1, 2, 3, 4 or automatic. Leave this set to automatic unless advised by Customer Support.
You must restart Discovery for any changes to take effect.

Maximum concurrent discovery requests per engine

Specifies the maximum number of concurrent discovery requests permitted per processing engine. The maximum value and available range of settings is calculated for optimum performance depending on the appliance. Values shown in the list depend upon the number of processing engines. The base values in the list are:
• 30 (default), 60, 90, 120, or 150.
Values shown will be the base values multiplied by the number of processing engines.
If you change this option you must restart the tideway service.
You should leave this setting at its default unless you are experiencing many discovery commands timing out. As a general rule, for more discovery requests permitted concurrently, you increase network traffic, and the absolute time for discovering a single host increases. However, with the interleaving of discovery processing, total throughput may be improved.

Maximum retries to process event

When Reasoning writes to the datastore and is unable to get a lock on a node it needs to update then it cannot perform the update. Reasoning will attempt to write the data up to a maximum number of times. Specify the number of retries from the list:
• 3 (the default), 4, 5, 6, 7, 8, or 9.

Minimum Windows Proxy Version

The minimum version of the Windows proxy that the appliance will use for Windows Discovery. You can enter a new minimum Windows proxy version in this field. Ensure that you do not include any whitespace in the version number. The version number of a Windows proxy corresponds to the version number of BMC Atrium Discovery that the Windows proxy was released with (for example, 8.1).
Note: You must stop scanning to change the minimum Windows proxy version or release.

Enable running of arbitrary commands

This option controls whether or not arbitrary commands can be run or not. Disabling this option prevents many patterns retrieving information needed to build SIs and BAIs.

Enable Automatic Grouping

Automatic Grouping is the automatic grouping of hosts into logical groups called Automatic Groups. This is primarily intended to help in baselining. By default it is enabled. Select this option to enable Automatic Grouping. Disabling Automatic Grouping may improve scanning performance.

Scanner File Polling Interval

Scanner files are used to simulate discovery of inaccessible hosts. Discovery polls for new scanner files periodically. Select the polling interval from the following values in the list:
• Every minute, Every hour, and Every day.
If you change this option you must restart the tideway service.

Discover Desktop Hosts

Use this option to permit or prevent discovery of desktop hosts. The default is No, that is, do not discover desktop hosts. When the option is set to No, if a Windows or Mac OS host is determined to be desktop then the host is skipped. A Windows host is determined to be a desktop or server depending on the OS version or edition string. If this cannot be determined, then the host is assumed to be a server. This can only be determined after logging into the target system. A Mac OS host is always considered a desktop. When a host is skipped, the device_type attribute on the Device Info Node is set to Desktop, no inferred host is created, and the corresponding DiscoveryAccess result is shown as "Skipped (Desktop host discovery has been disabled)".