⚠️ If you use Cloudflare, please follow these instructions for allowlisting
If you have geo-fencing in place, please note that all plans are subject to scans from the following IP ranges:
UK-based: *203.12.218.0/24
US-based: *64.52.19.0/24
To ensure optimal scanning, both ranges must be able to reach your target.
Full list of Intruder's scanning IPs
If you are on Essential, you only need to allowlist two IP ranges:
UK-based: 203.12.218.0/24
US-based: 64.52.19.0/24
Scan region | IP Ranges |
Asia Pacific (Tokyo) | * |
Asia Pacific (Singapore) | * |
Asia Pacific (Sydney) | * |
Asia Pacific (Mumbai) | * |
Canada (Central) | * |
Europe (Ireland) | * |
Europe (London) | * |
Europe (Frankfurt) | * |
South America (São Paulo) | * |
US West | * |
US East | * |
Updating your scan region
The above IPs can also be found in the portal under Settings > Scans > Scan location. Selecting a region displays its IPs, but to ensure that scans originate from that region, you must hit Save scan region.
WAF detection
If we detect a WAF is present, we'll flag it in three places:
Scan settings page (under scan location, see above)
Target's detail page
Targets overview page > WAF Interference Detected
FAQs
Where should I add these IPs?
You should add the appropriate IPs to any WAF, IPS or IDS you have enabled.
Some cloud providers might also ask you for the source IPs from which our scans will originate. You should also consider whether you have any additional DDoS protection systems, web application firewalls or content delivery networks that could be applying IPS/IDS technology; for example, some edge routers now include this as standard.
Should I add your IPs to my perimeter firewall?
We recommend you add our scanning IPs to the allowlist in any IPS, IDS or WAFs you have enabled, but do not give us access straight through the perimeter firewall. We don't need to see your internal systems if they aren't normally exposed; we just need to see what's normally accessible from the internet.
What about Imperva?
Imperva WAF is designed to interfere with vulnerability scanning, and this behaviour cannot be turned off by allowlisting the scanner. As such, your scan may not complete as expected or may be long-running. In this scenario, we recommend cancelling the scan, restricting scanning to ports 80 and 443 only (this can be configured in advanced settings on the scans page) and running the scan again.
What if I have assets in more than one region?
We'd recommend selecting the region where most of your targets are hosted. Don't worry though, it's not an exact science; so long as you allow the IPs for the scan region selected, you'll be fine.
What is the purpose of an allowlist?
Our scans check you for tens of thousands of possible weaknesses, and we do it in as short a space of time as possible (that said, there's no quick way of checking for tens of thousands of things, so it still takes a while).
Because of this, our approach to testing is very obvious to any Intrusion Protection System, and it's highly likely that if our scanner encounters one, we'll be blocked.
The problem with this is that if we're blocked, we're unable to detect any weaknesses, which could leave you exposed to sneaky attackers who fly under IPS radars by only checking for a single weakness at a time.
Do I need to allowlist IPs for internal targets?
Typically there aren't controls in place that would necessitate allowlisting for internal targets, but if there are in your environment, then please note that any scans running on internal targets require communication with *.cloud.tenable.com, which resolves to the following IP ranges:
162.159.129.83/32 (US)
162.159.130.83/32 (US)
162.159.140.26/32 (US)
172.66.0.26/32 (US)
It is therefore advised to allow the agents installed on your targets to reach out to these IPs.
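The following Python script is an added example, not part of Intruder's documentation or tooling. It reads deny events from WAF, IPS or firewall logs and reports which device is still blocking the two scanner ranges or the agent egress IPs listed on this page, which shows where an allowlist entry is missing. The key=value log format, the device names and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ranges copied from this page.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("203.12.218.0/24", "64.52.19.0/24")]
AGENT_EGRESS = [ipaddress.ip_network(n) for n in (
    "162.159.129.83/32", "162.159.130.83/32", "162.159.140.26/32", "172.66.0.26/32")]

# Constructed sample lines in a hypothetical key=value format; adapt LINE_RE to your device.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z device=edge-waf action=block src=203.12.218.14 dst=198.51.100.10 dport=443
2024-05-01T10:00:02Z device=edge-waf action=allow src=64.52.19.7 dst=198.51.100.10 dport=443
2024-05-01T10:00:03Z device=core-ips action=block src=64.52.19.7 dst=198.51.100.10 dport=22
2024-05-01T10:00:04Z device=core-ips action=block src=192.0.2.55 dst=198.51.100.10 dport=22
2024-05-01T10:00:05Z device=egress-fw action=block src=10.0.4.20 dst=172.66.0.26 dport=443
2024-05-01T10:00:06Z device=edge-waf action=block src=203.12.218.14 dst=198.51.100.11 dport=80
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"device=(?P<device>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def in_any(addr, networks):
    return any(addr in net for net in networks)

def allowlist_gaps(log_text):
    """Count blocks per (device, reason) that point at a missing allowlist entry."""
    gaps = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "block":
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparsable address field
        if in_any(src, SCANNER_RANGES):
            gaps[(m["device"], "scanner-inbound")] += 1   # scanner blocked on the way in
        elif in_any(dst, AGENT_EGRESS):
            gaps[(m["device"], "agent-egress")] += 1      # internal agent blocked on the way out
    return gaps

if __name__ == "__main__":
    for (device, reason), n in sorted(allowlist_gaps(SAMPLE_LOG).items()):
        print(f"{device}: {n} blocked {reason} event(s)")
```

Blocks from addresses outside the listed ranges, such as the 192.0.2.55 line in the sample, are not counted, so the output only names devices that need an allowlist change.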