Running vulnerability scans
To run a vulnerability scan, you combine a profile of scan settings with a schedule (if the scan is not started manually) and provide a few additional details.
A vulnerability scan policy defines the scheduling type (an immediate scan or a scheduled scan), the profile to use, the file formats of the report, and the email recipients of the report.
To configure a web vulnerability scan policy
1. Configure a vulnerability scan profile. See “Configuring vulnerability scan settings”.
2. If the scan will run by a schedule instead of being manually initiated, create a vulnerability scan schedule. See “Scheduling web vulnerability scans”.
3. Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.
The policy list shows the following fields:
Status — Indicates whether the scan is idle (the status indicator is solid green) or running (the status indicator is flashing red and yellow).
Start/Stop — The Start/Stop icon appears only if the policy is configured as Run Now. If so, the icon changes depending on the current status of the scan:
    Stop — The scan associated with the policy is in progress.
    Start — The scan associated with the policy is not in progress.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see “Permissions”.
4. Click Create New.
A dialog appears.
5. Configure these settings:
Name — Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Type — Select the scheduling type, either:
    Run Now — The scan can be manually started at any time by the user. See “Manually starting & stopping a vulnerability scan”.
    Schedule — The scan is performed according to the schedule defined in Schedule.
Schedule — Select the predefined schedule to use for the scan. See “Scheduling web vulnerability scans”. This option appears only if the Type is Schedule.
Profile — Select the profile to use when running the vulnerability scan. See “Configuring vulnerability scan settings”.
Report Format — Enable one or more file formats for the vulnerability scan report:
    HTML
    MHT (MIME HTML, which can be included in email)
    PDF
    RTF (Rich Text Format, which can be opened in word processors such as OpenOffice or Microsoft Word)
    TXT (plain text)
Email — Select the email settings, if any, to use to send the results of the vulnerability scan. See “Configuring email settings”.
6. Click OK.
If Type is Run Now, the scan begins immediately. Otherwise, it begins at the time that you configured in Schedule. The time required varies with network speed and traffic volume, the load on the target hosts (especially the number of request timeouts), and your setting for Delay Between Each Request.
When the scan is complete, FortiWeb generates a report based on the scan results. See “Viewing vulnerability scan reports”.
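The field rules above (name length and characters, the Schedule/Type dependency, at least one report format) can be checked before a policy is created by automation. The following validator is an added example, not FortiWeb code; the dictionary keys, the allowed name characters (letters, digits, underscore and hyphen) and the check order are assumptions.

```python
"""Validate a web vulnerability scan policy record against the rules on this page.

Added illustration, not part of FortiWeb. The dict layout and field names are
assumptions; the constraints come from the settings table.
"""
import re

REPORT_FORMATS = {"HTML", "MHT", "PDF", "RTF", "TXT"}
SCHEDULE_TYPES = {"Run Now", "Schedule"}
# Page rule: no spaces or special characters, at most 35 characters.
# The exact permitted character set is assumed here.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,35}$")


def validate_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is acceptable."""
    errors = []
    if not NAME_RE.fullmatch(policy.get("name", "")):
        errors.append("name must be 1-35 characters, letters/digits/_/- only")
    stype = policy.get("type")
    if stype not in SCHEDULE_TYPES:
        errors.append("type must be 'Run Now' or 'Schedule'")
    # Schedule is only shown, and only required, when Type is Schedule.
    if stype == "Schedule" and not policy.get("schedule"):
        errors.append("schedule is required when type is 'Schedule'")
    if not policy.get("profile"):
        errors.append("profile is required")
    fmts = set(policy.get("report_formats", []))
    if not fmts:
        errors.append("enable at least one report format")
    unknown = fmts - REPORT_FORMATS
    if unknown:
        errors.append("unknown report format(s): %s" % sorted(unknown))
    return errors


def starts_immediately(policy: dict) -> bool:
    """True when the policy is valid and Type is Run Now (scan starts on OK)."""
    return validate_policy(policy) == [] and policy["type"] == "Run Now"


if __name__ == "__main__":
    # Constructed sample policy for demonstration.
    sample = {"name": "nightly_scan", "type": "Schedule", "schedule": "nightly",
              "profile": "default", "report_formats": ["HTML", "PDF"]}
    print(validate_policy(sample), starts_immediately(sample))
```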
See also
Preparing for the vulnerability scan
Configuring vulnerability scan settings
Scheduling web vulnerability scans
Manually starting & stopping a vulnerability scan