Set maximum concurrent scans per engine
This solution details the concurrentScanLimit Scan Engine property and how to configure it in your scanning deployment.
Heavy scanning periods (usually caused by crowded scan schedules, large sites, and content-rich scan templates) often lead to single Scan Engines assuming responsibility for multiple scan jobs simultaneously. These overloaded Scan Engines can crash due to resource constraints, which prevents any of the in-progress scan jobs from completing. Currently, the Security Console is not able to warn you about this condition before it becomes an issue.
Solution
To mitigate this scenario, you can now configure each of your Scan Engines with a concurrent scan job limit. You can implement this custom limit by adding the concurrentScanLimit property to each of your Scan Engines.
Configuring this property ensures that your Scan Engine will not take on any additional scan jobs beyond the limit you specify. Scans that initiate while the Scan Engine is at capacity will remain queued until the Scan Engine can take on another scan job. The Scan Engine queues scan jobs in order according to the time they were initiated.
TIP
The Scan Engine does not consider the size of the scan job when ordering the queue.
Queued scan jobs will still appear in the “Current Scans For All Sites” table on the Home page of your Security Console, but will now display a “Queued” scan status. As soon as the Scan Engine completes an in-progress scan job, it will pick up and run the next queued scan.
How to Set the concurrentScanLimit Property
IMPORTANT
Take care when configuring custom properties like concurrentScanLimit. If you are not familiar with custom properties, then we recommend contacting Rapid7 Support for assistance.
To set the concurrentScanLimit property on a local or distributed Scan Engine:
Access the host machine of the Scan Engine using SSH or your preferred method.
- If you want to set the property on the local Scan Engine, access the Security Console host itself.
Locate the CustomEnvironment.properties file within the Scan Engine installation directory. Default locations for this directory are as follows:
- Linux - /opt/rapid7/nexpose/nse
- Windows - C:\Program Files\rapid7\nexpose\nse
TIP
If the CustomEnvironment.properties file does not exist, create it with a text editor.
Append the concurrentScanLimit property to the CustomEnvironment.properties file as a new line according to this example:
com.rapid7.nexpose.scan.scanManager.concurrentScanLimit=1
In this example, the Scan Engine will only be allowed to run one scan at a time.
Save and close the CustomEnvironment.properties file when finished.
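The steps above can be scripted for a Linux Scan Engine host. The following is an added example, not Rapid7 code: the helper name set_scan_limit, its return codes, the .bak backup copy and the rule that the limit must be a whole number of at least 1 are assumptions made for illustration. It replaces an existing concurrentScanLimit line instead of appending a duplicate, and it copes with a file whose last line has no trailing newline.

```shell
#!/bin/sh
# Added example (not vendor code): set concurrentScanLimit idempotently.
PROP_KEY='com.rapid7.nexpose.scan.scanManager.concurrentScanLimit'

# set_scan_limit <nse_dir> <limit>   (hypothetical helper name)
# Returns 0 on success, 2 for a bad limit, 3 if the directory is missing.
set_scan_limit() {
    nse_dir=$1
    limit=$2
    file="$nse_dir/CustomEnvironment.properties"

    # Assumption: the limit is a whole number >= 1, like the "=1" example.
    case $limit in
        ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 2 ;;
    esac
    [ "$limit" -gt 0 ] || { echo "limit must be at least 1" >&2; return 2; }
    [ -d "$nse_dir" ] || { echo "no such directory: $nse_dir" >&2; return 3; }

    # Create the file if it does not exist yet, then keep a copy for rollback.
    [ -f "$file" ] || : > "$file"
    cp -p "$file" "$file.bak" || return 1

    # Rewrite in place so owner and mode are preserved: drop any earlier
    # definition of the key, let awk terminate an unterminated last line,
    # then append the new setting as its own line.
    awk -v k="$PROP_KEY" '{
        line = $0; sub(/^[ \t]+/, "", line)
        if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*[=:]/) next
        print
    }' "$file.bak" > "$file" || return 1
    printf '%s=%s\n' "$PROP_KEY" "$limit" >> "$file"
}

# Stand-alone use: sh set_scan_limit.sh /opt/rapid7/nexpose/nse 1
[ "$#" -ne 2 ] || set_scan_limit "$1" "$2"
```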
Recommendation
Before deciding on a concurrent scan limit, we advise that you research resource availability on your Scan Engine hosts first. This solution does not guarantee that your Scan Engines will no longer run into resource usage issues. However, it does allow you to more appropriately manage your scanning load based on your available resources if you configure concurrent scan limits properly.