What are the general requirements and practices for scanning large networks?

Introduction

With Holm Security, you have the option to scan up to /16-networks (Class B) in one schedule.

When you select a network scan target larger than a /20 network, the system automatically identifies this and splits the scan into several runs for optimal performance. These runs are executed in parallel from different scanner appliances.

Under normal circumstances, a single scanner appliance can handle a scan of 4096 IP addresses on its own.

If you exceed this number of potential targets, it's recommended to install more scanner appliances and connect them through a group. That way, multiple scanner appliances can share the workload and handle larger networks in separate runs.

Requirements for scanning large networks:
If you are performing an internal scan on a larger network, you need the correct number of scanner appliances to support the scans. The minimum requirement is one appliance per 4096 addresses in a group, so that the load can be split among all of them and you get the best performance on your scan.

You can find information on how to configure a group here:
https://support.holmsecurity.com/hc/en-us/articles/360019525279-How-do-I-set-a-group-for-a-scanner-appliance-

Best practices and examples:

Depending on what you are trying to scan there could be several options to consider. Below we provide some examples of targets that are typical for many environments.

Example /16:

  • You choose a network scan target that includes a /16 network.
  • The system identifies this as a larger IP network and performs automatic analysis to split it up into several scans. 
  • From the initial /16 network, there will be a total of 16 scan jobs running against /20 networks, based on the initial target /16 network. 
  • The 16 scan jobs will be executed in parallel for optimal performance and return results for each /20 network as it finishes.
  • This means that if you are targeting a /16 network you should have 16 appliances working together (Class B = 65536 divided by 16 = 4096).

Example /20:

  • You choose a network scan target that includes a /20 network.
  • If you run a scan on a probe group and the scanned network is /20 or smaller, it will be run on a single probe from that group, the one that is least loaded.
  • On the other hand, if you manually divide that /20 network into, for example, two /21 networks or four /22 networks and run these as 2 or 4 separate scans on a scan group, the execution will be much more efficient, because these are separate scans and as such will be distributed between the probes within the group.
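
The sizing rules from both examples above can be checked before creating a schedule. The following Python sketch is an added example, not Holm Security code and not how the product's scheduler is implemented; the function names and the sample 10.20.x.x targets are assumptions made for illustration.

```python
import ipaddress
import math

APPLIANCE_CAPACITY = 4096  # addresses one appliance handles, per this article
AUTO_SPLIT_PREFIX = 20     # targets larger than /20 are split into /20 runs
MAX_TARGET_PREFIX = 16     # largest network accepted in one schedule


def plan_scan(target):
    """Return (list of runs, appliances needed) for one IPv4 scan target."""
    net = ipaddress.ip_network(target, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("this sketch covers IPv4 only")
    if net.prefixlen < MAX_TARGET_PREFIX:
        raise ValueError(f"{net} is larger than /16; use several schedules")
    if net.prefixlen < AUTO_SPLIT_PREFIX:
        runs = list(net.subnets(new_prefix=AUTO_SPLIT_PREFIX))
    else:
        runs = [net]  # /20 or smaller: a single run on a single appliance
    appliances = math.ceil(net.num_addresses / APPLIANCE_CAPACITY)
    return runs, appliances


def manual_split(target, parts):
    """Split a target into `parts` equal networks to run as separate scans."""
    net = ipaddress.ip_network(target, strict=True)
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    diff = parts.bit_length() - 1  # 2 parts -> +1 prefix bit, 4 parts -> +2
    if net.prefixlen + diff > net.max_prefixlen:
        raise ValueError(f"{net} is too small to split into {parts} parts")
    return list(net.subnets(prefixlen_diff=diff))


if __name__ == "__main__":
    # Constructed sample targets, not taken from a real environment.
    for target in ("10.20.0.0/16", "10.20.16.0/20"):
        runs, appliances = plan_scan(target)
        print(f"{target}: {len(runs)} run(s), {appliances} appliance(s)")
    for sub in manual_split("10.20.16.0/20", 4):
        print("  separate scan target:", sub)
```

The networks returned by `manual_split` are the targets you would enter as separate scans on the group.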

If you wish to increase the efficiency of a scan or of individual runs of your large network scans, you can consider adding more cores and RAM to each scanner appliance (cores being the priority for performance). After that, you can also increase the scan profile's scan intensity to High.
