“A sensor does not require any network connectivity other than to the master and the scan targets.”
But that’s wrong, since the documentation also says elsewhere:
“It is not possible to upgrade the flash partition of sensors via the master.”
However, I refer to 19 Architektur — Greenbone Enterprise Appliance 22.04.11 Dokumentation, where all client protocols are listed at once without any differentiation between master and sensor, only between appliance and standalone. E.g. DHCP does not make sense via the master, which means the sensor would need DHCP directly in any case. Therefore, when reading the docs from that point of view, all protocols would be required for the sensor.
Now my question(s):
- What about DNS, NTP, LDAP and syslog, if the appropriate functionality is used? Are the sensors required to connect themselves using these protocols, or does the master do it for the sensors completely?
- Especially regarding syslog: if the master is configured to send syslog, do we get the logs from all connected sensors through the master?
Best regards, Christoph K.
That is appliance-specific, and refers to the recovery partition. You normally deploy the sensors with static IPs. All processing is done on the master, and the master will also update the scanner on the sensor. This “only” applies to sensor appliances you can buy commercially from Greenbone.
Thanks for your answer.
Yes, of course, my question is about the commercial appliances, running in operation mode “sensor”, as hardware and/or virtual appliances. That is why I put “professional edition” in the header.
I am sorry if my question was not precise; please give me another try to make my question more specific.
(Flash partition update and DHCP were just examples of why the documentation is ambiguous to me.)
I am trying to figure out whether the <commercial appliance acting as a sensor> …
- … needs NTP if it should synchronize its time, or if the master acts like a time server under the hood for all connected appliances.
- … wants to send its audit logs directly to the syslog server, or if I get all audit logs from all the appliances from the master as a single source.
- … can resolve hostnames and/or IPs via the master, or if it needs a DNS connection itself.
- … uses LDAP through the master if authenticated scans are performed against Active Directory, or if each appliance needs an LDAP connection itself.
Please forgive me if this sounds like a strange question. This is not very clear in the documentation. E.g. I still would not believe that the master would fetch IPs via DHCP for all connected appliances instead of the appliances themselves. Therefore “A sensor does not require any network connectivity other than to the master and the scan targets” doesn’t seem to be correct.
Maybe there is a misunderstanding regarding the terms “sensor” and “sensor appliance” too.
If you run a dynamic network on the sensor side, you need DHCP of course; it makes no sense to tunnel this. But I don’t get your point; the documentation is consistent and correct here.
For example, the sensor does not run any alerts like syslog; that will always be done via the master appliance.
I would suggest talking to sales / a consultant to discuss your concerns and requirements.
The point is:
“A sensor does not require any network connectivity other than to the master…” is wrong; examples: DHCP, and the flash/recovery partition. Actually the doc talks about appliance and non-appliance, but does not distinguish between sensor and master on this point (from this point of view, the doc may be correct, but not very clear).
Therefore, I still don’t know about NTP, DNS, LDAP and Syslog.
[_] Yes, if time sync is required, the sensor appliance requires NTP. Similarly for DNS, LDAP and Syslog connections.
[_] No, the sensor appliance never requires NTP, DNS, LDAP or Syslog. Only the master requires these connections.
That’s all I wanted to know. Sorry if I have not worked out the point properly.
(Our partner manager has already contacted your sales, but this will take very long and require multiple iterations. Normally I would just test it, but this cannot be tested without the commercial license.)