Result mismatch between manual and bulkscan network scan in CA PAM
search cancel

Result mismatch between manual and bulkscan network scan in CA PAM


Article ID: 204861


Updated On:


CA Privileged Access Manager (PAM)


Running  a manual network port scan from the Tools page in CA PAM  on some individual servers and then running the same batch through the bulk scan option (loading a csv file) in the same page  there are differing results for some servers with respect to open or filtered ports: the results of the bulk scan will show them as filtered, whereas a manual scan of the same servers will yield those ports as open. The bulk scan arguments are the default ones as specified in the sample file that can be downloaded in the page, that is, a bulk scan is performing the following operation against each of the IP addresses specified in the csv file:

 nmap -n -T4 -sT -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0 -p <port> <ip_address>

By default a manual scan just does 

nmap -p <port> <ip_address>


CA Privileged Access Management versions 3.4.X


This is due to the -sT option specified in the bulkscan, which corresponds to a TCP connect scan, the default option when a SYN scan is not possible. In principle specifying it or not should not have any adverse effect on functionality.


In the bulk scan parameters to load in the csv file, do not specify this option, that is, use -n -T4  -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0

Additional Information for an explanation of the nmap functionalities and this specific option