Scan duration and ports scanning

How you manage your network scanning configuration is influenced by the number of assets in your network, your network infrastructure, and the scan completion times.

You must have the correct license capabilities to perform the following scanning operations. If you need assistance to obtain a new or updated license key, contact your local sales representative or IBM® Customer Support (

It can take a long time to scan large network, so you need a scanning strategy that optimizes your scanning resources.

Tip: It is always good practice to use operational windows to perform scans at times that don't overlap with nightly backups or automatic updates.

Port scanning strategy

Your scanning strategy is influenced by the number of hosts that you want to scan, whether it's a class C network of 256 hosts, or a class B network of 65,536 hosts. Your overall scan time can be significantly impacted by increasing the number of hosts that you want to scan. To get the overall scan time to an acceptable range, and you can reduce the scan time per host.

For example, if you do a network discovery scan on a class B network and it takes 1 second for TCP port discovery, the following statements are true:

  • Scanning one port on 65536 hosts at 1 second per host takes 18 hours.
  • If you scan one extra port on each of the 65536 hosts and allow 1 second per host, it takes an extra 18 hours to scan that extra port.

From the example, you can see the impact of adding one extra scanning port on a large network. If you're scanning a large number of hosts, understand what services are important and are prone to high-risk vulnerabilities so that you can configure your scan policies appropriately at the discovery scan stage. Before you implement your scan policies, run test scans by using different scan polices, and estimate the timing and the resources that are required to complete these scans.

Tip: The default QRadar® discovery-scan policy runs a Nmap fast scan of TCP and UDP ports, and you can use it to scan a smaller number of hosts.

UDP port scanning takes longer that TCP port scanning because it's a connectionless protocol. Scanning all UDP ports can take a long time and is resource-intensive. Consider whether you need to scan all UDP ports or whether you scan these ports less frequently than TCP ports.

The following ports are some of the highest priority UDP ports that you need to consider scanning regularly:

  • Authentication services such as RADIUS and Kerberos
  • Back doors and remote access applications
  • Backup applications
  • Database servers
  • DNS (Domain Name System)
  • NetBIOS and Common Internet File System (CIFS)
  • NFS (Network File System)
  • NTP (Network Time Protocol)
  • P2P (peer-to-peer) and chat applications
  • Routing protocols, including RIP (Routing Information Protocol)
  • RPC (Remote Procedure Call) and RPC endpoint mapping
  • SNMP (Simple Network Management Protocol) and SNMP trap
  • Syslog
  • TFTP (Trivial File Transfer Protocol)
  • VPNs, including Internet Security Association and Key Management Protocol (ISAKMP), Layer Two Tunneling Protocol (L2TP), and (NAT Traversal) NAT-T.
  • Ports that are known to be associated with malicious activity.

Typical scan times

The following table gives information about scanning times.

Table 1. Scanning times for QRadar appliances
QRadar appliance Scan times

QRadar 2100/3100 All-in-One

A default full scan of 2000-4000 assets takes 2-3 days.

QRadar Vulnerability Manager on the following managed hosts:






A default full scan of 2000-4000 assets takes 2-3 days.

An offboard QRadar Vulnerability Manager processor on a managed host (600) is required when more than 50,000 assets are being scanned regularly or when scans are running for long periods of time on the QRadar Console.