Set maximum concurrent scans per engine

This solution details the concurrentScanLimit Scan Engine property and how to configure it in your scanning deployment.

Heavy scanning periods (usually caused by crowded scan schedules, large sites, and content-rich scan templates) often lead to single Scan Engines assuming responsibility for multiple scan jobs simultaneously. These overloaded Scan Engines can crash due to resource constraints, which prevents any of the in-progress scan jobs from completing. Currently, the Security Console is not able to warn you about this condition before it becomes an issue.

Solution

To mitigate this scenario, you can now configure each of your Scan Engines with a concurrent scan job limit. You can implement this custom limit by adding the concurrentScanLimit property to each of your Scan Engines.

Configuring this property ensures that your Scan Engine will not take on any additional scan jobs beyond the limit you specify. Scans that initiate while the Scan Engine is at capacity will remain queued until the Scan Engine can take on another scan job. The Scan Engine queues scan jobs in order according to the time they were initiated.

TIP

The Scan Engine does not consider the size of the scan job when ordering the queue.

Queued scan jobs will still appear in the “Current Scans For All Sites” table on the Home page of your Security Console, but will now display a “Queued” scan status. As soon as the Scan Engine completes an in-progress scan job, it will pick up and run the next queued scan.

How to Set the concurrentScanLimit Property

IMPORTANT

Take care when configuring custom properties like concurrentScanLimit. If you are not familiar with custom properties, then we recommend contacting Rapid7 Support for assistance.

To set the concurrentScanLimit property on a local or distributed Scan Engine:

  1. Access the host machine of the Scan Engine using SSH or your preferred method.

    • If you want to set the property on the local Scan Engine, access the Security Console host itself.

  2. Locate the CustomEnvironment.properties file within the Scan Engine installation directory. Default locations for this directory are as follows:

    • Linux - /opt/rapid7/nexpose/nse
    • Windows - C:\Program Files\rapid7\nexpose\nse

    TIP

    If the CustomEnvironment.properties file does not exist, create it with a text editor.

  3. Append the concurrentScanLimit property to the CustomEnvironment.properties file as a new line according to this example:

    com.rapid7.nexpose.scan.scanManager.concurrentScanLimit=1

    In this example, the Scan Engine will only be allowed to run one scan at a time.

  4. Save and close the CustomEnvironment.properties file when finished.
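
Steps 2 through 4 as a script that can be re-run safely: it creates the file if missing and replaces any earlier concurrentScanLimit line instead of appending a duplicate. This is an added example, not Rapid7 tooling; the function names set_scan_limit and get_scan_limit, and the rule that the limit must be a positive whole number, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Rapid7 code): set concurrentScanLimit idempotently.
PROP_KEY='com.rapid7.nexpose.scan.scanManager.concurrentScanLimit'

# set_scan_limit <scan_engine_dir> <limit>   (hypothetical helper)
# e.g. set_scan_limit /opt/rapid7/nexpose/nse 1
set_scan_limit() {
    nse_dir=$1
    limit=$2
    file="$nse_dir/CustomEnvironment.properties"

    # Assumption of this example: accept only a positive whole number.
    case $limit in
        ''|*[!0-9]*|0*) echo "invalid limit: $limit" >&2; return 2 ;;
    esac
    [ -d "$nse_dir" ] || { echo "no such directory: $nse_dir" >&2; return 1; }

    # Create the file if it does not exist (the TIP under step 2).
    [ -e "$file" ] || : > "$file" || return 1

    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Copy every line except existing definitions of the key, so the
    # property never ends up in the file twice.
    awk -v key="$PROP_KEY" '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (index(line, key) == 1 &&
            substr(line, length(key) + 1) ~ /^[ \t]*[=:]/) next
        print
    }' "$file" > "$tmp"
    printf '%s=%s\n' "$PROP_KEY" "$limit" >> "$tmp"

    # Write back in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_scan_limit <scan_engine_dir>: print the configured limit, if any.
get_scan_limit() {
    awk -F= -v key="$PROP_KEY" '$1 == key { print $2 }' \
        "$1/CustomEnvironment.properties"
}
```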

Recommendation

Before deciding on a concurrent scan limit, we advise that you research resource availability on your Scan Engine hosts. This solution does not guarantee that your Scan Engines will no longer run into resource usage issues. However, it does allow you to more appropriately manage your scanning load based on your available resources if you configure concurrent scan limits properly.