β οΈ If you use Cloudflare, please follow these instructions for allowlisting
If you are on Essential, only one range needs to be allowlisted: 203.12.218.0/24
If you have geo-fencing in place, please note:
203.12.218.0/24
is a UK-based scanning range we use for all network scanning and web-app/API scanning.64.52.19.0/24
is a US-based scanning range we use for all scanning across all plans.
β
To ensure optimal scanning, both ranges must be able to reach your target.
Full list of Intruder's scanning IPs
If you haven't updated your scan region in the portal (we explain how to do that below), then for:
Customers pre-May 2023 π default regions are London and Frankfurt
Customers post-May 2023 π we run a geo-IP check on the first person to log in, and set the scan region based on that, though the first user can amend this during onboarding.
If you need it, below is a list of all our scanner IPs, organised by region (for Essential users, you just need to allow one range: 203.12.218.0/24
).
Any scans running on Internal targets typically require communication with *.cloud.tenable.com
, which resolves to the following IP ranges:
162.159.129.83/32 (US)
162.159.130.83/32 (US)
162.159.140.26/32 (US)
172.66.0.26/32 (US)
It is advised to allow the agents installed on your targets to reach out to these IPs.
Scan region | IP Ranges |
Asia Pacific (Tokyo) | *
|
Asia Pacific (Singapore) | *
|
Asia Pacific (Sydney) | *
|
Asia Pacific (Mumbai) | *
|
Canada (Central) | *
|
Europe (Ireland) | *
|
Europe (London) | *
|
Europe (Frankfurt) | *
|
South America (SΓ£o Paulo) | *
|
US West | *
|
US East | *
|
Updating your scan region
The above IPs can also be found in the portal: Settings > Scans > Scan location. To view them, just select the region, but to ensure that the scans originate from there, you must hit Save scan region
.
β
WAF detection
If we detect a WAF is present, we'll flag it in three places:
Scan settings page (under scan location, see above)
βTarget's detail page:
Targets overview page > WAF Interference Detected
FAQs
Where should I add these IPs?
You should add the appropriate IPs to any WAF, IPS or IDS you have enabled.
Some cloud providers might also ask you for the source IPs from which our scans will be originating. You should also consider if you have any additional DDoS Protection Systems, or Web Application Firewalls or Content Delivery Networks that could be applying IPS/IDS technology, for example some edge routers now include this as standard.
Should I add your IPs to my perimeter firewall?
We recommend you add our scanning IPs to the allowlist in any IPS, IDS or WAFs you have enabled; but do not to give us access straight through the perimeter firewall β we don't need to see your internal systems if they aren't normally exposed β we just need to see what's normally accessible from the internet.
What about Imperva?
Imperva WAF is designed to interfere with vulnerability scanning, and this behaviour cannot be turned off with allowlisting the scanner. As such, your scan may not complete as expected or may be long running. In this scenario, we recommend cancelling the scan, restricting scanning to ports 80 and 443 only (this can be configured in advanced settings on the scans page) and running the scan again.
What if I have assets in more than one region?
We'd recommend selecting the region where most of your targets are hosted. Don't worry though, it's not an exact science; so long as you allow the IPs for the scan region selected, you should be fine.
What is the purpose of an allowlist?
Our scans rely on checking you for tens of thousands of possible weaknesses - and we do it in as short a space of time as possible (that said, there's no quick way of checking for tens of thousands of things, it still takes a while).
Because of this, our approach to testing is very obvious to any Intrusion Protection System and it's highly likely that if our scanner encounters one, we'll be blocked.
The problem with this is that if we're blocked, we're unable to detect any weaknesses, which could leave you exposed to sneaky attackers who fly under IPS radars by only checking for a single weakness at a time.
Can scan regions help with geo-fencing?
Yes! All you need to do is select a compatible scan region, hit save
and add the required IPs to your allowlist. No longer will our Infrastructure scanners be blocked from reaching your targets.
As above, it's worth noting that our authenticated web application scans originate from a UK-based *203.12.218.0/24
range. If you are running API and/or authenticated web app scans, you will need to ensure that UK-based traffic from this specific IP range, will be able to reach your target.