ContextQMD
Back to Infisical

Network

docs/documentation/platform/pki/discovery/network.mdx

0.159.253.8 KB
Original Source

Network discovery scans network endpoints over TLS to discover certificates served by hosts across IP ranges and domains. Optionally, you can use an Infisical Gateway to reach endpoints in private networks that are not accessible from the internet.

<Note> If you are self-hosting Infisical, you can alternatively set the [`ALLOW_INTERNAL_IP_CONNECTIONS`](/self-hosting/configuration/envars#param-allow-internal-ip-connections) environment variable to `true` on your instance to scan private networks directly without a gateway. </Note> <Tabs> <Tab title="Infisical UI"> 1. Navigate to your Certificate Management Project > **Discovery** and press **Add Job**. ![Discovery Page](/images/platform/pki/discovery/network-tls/create-discovery-job.png) 
2. Fill in the discovery job details and click **Create**.
![Create Discovery Job](/images/platform/pki/discovery/network-tls/configure-discovery-job.png)

    - **Name**: A slug-friendly name for the discovery job (e.g., `prod-tls-scan`).
    - **Description**: An optional description for the discovery job.
    - **Targets**: A list of domains, IP addresses, or CIDR ranges to scan (e.g., `example.com`, `192.168.1.1`, `10.0.0.0/24`).
    - **Ports**: The ports to scan for TLS certificates. Defaults to common TLS ports if not specified.
    - **Gateway** (optional): The Infisical Gateway to use for running the scan. Only required to reach endpoints in private networks.
    - **Auto Scan**: Toggle to enable automatic periodic scanning. When enabled, select a scan interval (e.g., daily, weekly).

    <Note>
      At least one target (domain or IP) must be specified.
    </Note>

3. Trigger a scan manually by pressing **Scan Now** on the discovery job's page, or wait for the next automatic scan if auto scan is enabled.
![Scan Now](/images/platform/pki/discovery/network-tls/scan-now.png)

4. After a scan completes, view the results on the discovery job's detail page:
![Scan Results](/images/platform/pki/discovery/network-tls/scan-results.png)

    - **Installations**: The unique locations where certificates were found.
    - **Certificates**: The certificates discovered at each installation, including details such as common name, issuer, and expiration date.
    - **Scan History**: A log of all scans that have been run, including status and timestamps.
</Tab> <Tab title="API"> To create a **Network** discovery job, make an API request to the [Create Discovery](/api-reference/endpoints/pki-discovery/create) API endpoint. 
### Sample request

```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "prod-tls-scan",
    "description": "Scan production network for TLS certificates",
    "type": "network-tls",
    "gatewayId": "550e8400-e29b-41d4-a716-446655440000",
    "isAutoScanEnabled": true,
    "scanIntervalInDays": 1,
    "targetConfig": {
      "ipRanges": ["10.0.0.0/24", "192.168.1.1"],
      "domains": ["example.com"],
      "ports": "443, 8443"
    }
  }'
```

To trigger a scan, make a request to the [Trigger Scan](/api-reference/endpoints/pki-discovery/trigger-scan) endpoint:

```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery/<discoveryId>/scan \
  --header 'Authorization: Bearer <access-token>'
```
</Tab> </Tabs>

Limits

The following limits apply to Network discovery jobs:

  • Max individual IPs: 256
  • Max domains: 20
  • Max ports: 5
  • Minimum CIDR prefix: /24 (256 hosts)