1 Reply Latest reply on Mar 23, 2020 5:38 AM by Brice-Emmanuel Loiseaux

    Determining Actual 'No Access' Counts In a Messy Environment

    Chase Colvin
      Share This:

      Hey all,


      I've recently taken over control of a Discovery environment that was stood up and maintained by several others, over the course of the last several years. In short, after changing hands so many times before getting to me, it is a mess. As such, over the course of the past few months, I've been undertaking a large clean-up and optimization effort. Part of this, of course, includes addressing the No Access devices.


      Crawling through the No Access device list on the my consolidator, then comparing to the summed total reported from each of my scanners, I found there was quite a large discrepancy: The total count from the scanners were about 40% lower than what the consolidator reported. After crawling over the data for a bit, and wracking my brain, it occurred to me that (due to some of the mess I inherited) I had multiple scanners scanning the same subnets, but not all of those scanners had access to every host in the overlapping ranges.


      With this realization, I pulled together a pulled together a PowerShell script that leverages the API on each of my appliances to pull together a report. First, it pulls the No Access devices from my consolidator, and the the good access devices from each of my scanners. Then it checks each device in the consolidator's No Access list against each scanner's good access list, only returning the devices that were not in any of the scanner's good access list.


      This left me with the true list of devices that were not being successfully scanned from any scanner. I feel this is great, because it allows me to immediately start addressing these device access issues, without having to crawl through and optimize all of the scanned ranges on each of my scanners first. While that needs to be done, it will take much more time, and thus will not add value as soon as being able to address all those hosts does.


      I have attached the powershell script that I leveraged to do this, as well as the module it depends on, in a zip file. If you aim to use this to address the same problem for yourself, please note the following:

      • Before running it, you will need to modify it slightly by adding/modifying the following:
        • The hostname of your consolidator in the single quotes after "$primaryConsolidator"
        • The hostnames of your scanners, one each, in the empty single quotes below "$appliances"
        • The destination + filename of the csv it generates in the single quotes after "$reportPath"
      • By default it only looks at hosts, but this can be modified to pull any kind of device by modifying the query under "$noAccessHostsQuery"
      • The directory structure in the zip file needs to be maintained, as the script locates the included module it needs by relative path.


      I hope this can help others as much as it helped me. I also plan to further expand my powershell module for simplifying the use of the Discovery API, and will share that out at a future time.