How do I scan without causing firewall or router issues?

Modified on Thu, 18 Apr 2024 at 04:30 PM

The first thing to note is that you should not scan through a firewall or router if you can avoid it. Scanning through a firewall or router means you won’t get any MAC information from devices, which will tend to make matching up devices less reliable, particularly if you use DHCP on your network. It’s better to deploy an additional runZero Explorer on the other side of the device. (Note that there is no charge for deploying any number of additional Explorers needed to get full network coverage.)

If you have no choice but to scan through a firewall or router, try to pick a route which does not involve a stateful device. A stateful device will attempt to keep information in memory about every TCP probe the runZero Explorer sends. This can easily overload low-powered devices, since the scanning process involves thousands of attempted connections.

  • Firewalls which perform data inspection (such as detecting malware) will be stateful.
  • Firewalls which simply block based on IP address and port information are less likely to get overloaded.
  • Routers which implement Network Address Translation (NAT) will be stateful.
  • Routers running in bridge mode with no NAT features will be more reliable. This is commonly an option for WiFi mesh systems.

Here are some other things you can do to make scanning through a firewall or router less likely to overload the device:

  • You can use subnet sampling. This will avoid the need to scan every IP address, dramatically reducing the total network load as well as speeding up scans.

  • You can adjust the settings for SYN TCP port scan on the Probes tab when setting up the task. You may find that reducing the value of syn-reset-sessions-limit improves the situation.

  • If tuning syn-reset-sessions-limit doesn’t help, you can try setting syn-reset-sessions to false to disable the feature. For most firewalls, having syn-reset-sessions active gives better results, but for some it causes high CPU usage. In that situation, turning it off can reduce firewall load. However, the tradeoff is that the firewall will then need more memory to keep session state information.

  • You can adjust the maximum host rate in the Advanced scan options to limit the speed at which packets are sent to any single IP address. This can help for networks with specific links that are low on bandwidth.

  • The maximum group size in the Advanced scan options can be used to limit the number of IP addresses scanned at once. This can help limit the number of connections the firewall attempts to keep track of.

  • The overall scan speed can be reduced. The default is slow enough that it should be safe for any network, but if particular network routers are having trouble it may be worth reducing the speed of scans carried out through those routers. This will give failed connections more time to expire and be cleared by the router or firewall before new ones are attempted.
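The tuning options above all act on one quantity: how many half-open sessions the firewall must hold at the same time. The following Python model is an added example, not runZero's code, and the firewall it describes is an assumption: every SYN creates one state-table entry, an entry lives until the firewall's idle timeout unless the scanner's RST clears it first, and every packet the firewall handles costs one unit of CPU. The probe schedule is also an idealisation (hosts in a group are probed in lock-step at the host rate, and the next group starts when the current one finishes), and all names, settings and sample values are constructed for the example. It lets you see, before running a scan, how reducing the group size or host rate lowers the peak number of sessions, and how the reset option trades state-table memory for packet-processing CPU.

```python
"""Idealised model of the session state a stateful firewall holds while a
SYN scan passes through it (added example; not runZero's code).

Assumptions: one SYN = one state-table entry; the entry is aged out after the
firewall's idle timeout, or earlier if the scanner sends a RST; each packet
the firewall processes costs one CPU unit.  Times are integer milliseconds so
the arithmetic is exact (max_host_rate must divide 1000)."""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ScanSettings:
    hosts: int                 # IP addresses in scope (after any subnet sampling)
    ports_per_host: int        # TCP ports probed on each host
    max_group_size: int        # "maximum group size": hosts scanned concurrently
    max_host_rate: int         # "maximum host rate": probes per second to one host
    syn_reset_sessions: bool   # send a RST after each probe so state is freed early


@dataclass(frozen=True)
class FirewallModel:
    session_timeout_ms: int    # how long a half-open session stays in the table
    rst_settle_ms: int         # time for a scanner RST to reach and clear the entry
    max_sessions: int          # state-table capacity (hypothetical figure)


@dataclass(frozen=True)
class ScanResult:
    peak_sessions: int         # most entries held at once
    cpu_units: int             # packets the firewall had to process
    overflowed: bool           # peak exceeded the table capacity


def probe_schedule(scan):
    """Yield (time_ms, syn_count): how many SYNs leave the Explorer at each instant.
    Hosts are processed in groups of max_group_size; every host in a group is
    probed in lock-step at max_host_rate, and the next group starts when the
    current one has sent all of its ports."""
    interval_ms = 1000 // scan.max_host_rate
    group_duration_ms = scan.ports_per_host * interval_ms
    for g, first_host in enumerate(range(0, scan.hosts, scan.max_group_size)):
        group_size = min(scan.max_group_size, scan.hosts - first_host)
        start_ms = g * group_duration_ms
        for k in range(scan.ports_per_host):
            yield start_ms + k * interval_ms, group_size


def session_lifetime_ms(scan, fw):
    """How long one probe occupies the state table under these settings."""
    return fw.rst_settle_ms if scan.syn_reset_sessions else fw.session_timeout_ms


def simulate(scan, fw):
    """Sweep the probe schedule and track live state-table entries."""
    lifetime = session_lifetime_ms(scan, fw)
    packets_per_probe = 2 if scan.syn_reset_sessions else 1   # SYN, plus the RST
    live = deque()             # (expiry_ms, count), oldest first; lifetime is constant
    live_total = peak = cpu = 0
    for t, count in probe_schedule(scan):
        while live and live[0][0] <= t:      # drop entries the firewall has aged out
            live_total -= live.popleft()[1]
        live.append((t + lifetime, count))
        live_total += count
        cpu += count * packets_per_probe
        peak = max(peak, live_total)
    return ScanResult(peak, cpu, peak > fw.max_sessions)


def estimate_peak(scan, fw):
    """Little's-law shortcut: probes per second x session lifetime, capped by
    the total number of probes the scan sends.  Matches simulate() once the
    scan runs longer than the session lifetime."""
    per_second = scan.max_host_rate * scan.max_group_size
    steady_state = per_second * session_lifetime_ms(scan, fw) // 1000
    return min(steady_state, scan.hosts * scan.ports_per_host)


if __name__ == "__main__":
    # Constructed sample: a /24 scanned on 100 ports through a firewall that
    # keeps half-open sessions for 5 s and can hold 10,000 of them.
    fw = FirewallModel(session_timeout_ms=5_000, rst_settle_ms=50, max_sessions=10_000)
    base = ScanSettings(hosts=256, ports_per_host=100, max_group_size=256,
                        max_host_rate=100, syn_reset_sessions=False)
    cases = [
        ("group 256, rate 100/s, no RST", base),
        ("group 16", replace(base, max_group_size=16)),
        ("group 16, rate 10/s", replace(base, max_group_size=16, max_host_rate=10)),
        ("group 256, RST after probe", replace(base, syn_reset_sessions=True)),
    ]
    for label, scan in cases:
        r = simulate(scan, fw)
        print(f"{label:30} peak={r.peak_sessions:6} est={estimate_peak(scan, fw):6} "
              f"cpu={r.cpu_units:6} overflow={r.overflowed}")
```

In the constructed sample the whole /24 at the default group size produces 25,600 live sessions, well over the assumed 10,000-entry table; cutting the group size to 16 brings the peak to 8,000, and lowering the host rate to 10/s brings it to 800, while the RST option holds the peak to 1,280 at the cost of doubling the packets the firewall processes. The steady-state figure is simply probes per second multiplied by session lifetime, which is why the article's advice to reduce group size, host rate or overall speed, or to let sessions expire before new ones are attempted, all amount to the same lever.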
