ASM Network Configuration

Overview

Network configuration parameters control how ASM scans interact with target Assets from a network perspective, including request rate limits, concurrency controls, and geographic scan origination. Proper network configuration is essential for balancing scan thoroughness against infrastructure impact, ensuring compliance with system constraints, and managing scan traffic across distributed environments.

This document covers two primary aspects of ASM network configuration: request rate limiting for scan traffic management, and Public Location configuration for geographic scan origination.

Request Rate Control

The rate and volume of requests that ASM scans send to target Assets are controlled through the network parameters in the Global Configuration. These rate controls prevent infrastructure overload and keep scan traffic within any rate limits or security controls imposed by the target systems.

Configuration Parameters

Three primary parameters govern request rate and concurrency behavior:

requests_per_second

Maximum number of requests transmitted per second. This parameter establishes a hard rate limit, distributing requests over time to prevent burst traffic patterns.

parallel_requests

Maximum number of concurrent requests allowed in parallel. This parameter limits concurrency to prevent connection exhaustion on target systems or scanner infrastructure.

request_timeout_s

Maximum duration (in seconds) for each individual request before timeout. This parameter prevents indefinite blocking on unresponsive endpoints.

Rate Limiting Configuration

The following configuration demonstrates rate control parameter usage with default values:

network:
  requests_per_second: 100   # Default: 100 requests per second
  parallel_requests: 5       # Default: 5 concurrent requests
  request_timeout_s: 10      # Default: 10-second timeout per request

Configuration Behavior

Request Rate Behavior:

The requests_per_second parameter enforces a hard rate limit, spreading requests temporally to avoid burst patterns that may trigger rate-limiting controls or security alerts.

Concurrency Behavior:

The parallel_requests parameter restricts the number of simultaneous active connections, preventing connection pool exhaustion on either the target infrastructure or scanner platform.

Performance Trade-offs:

  • Lower parameter values reduce load on target infrastructure but increase total scan duration
  • Higher parameter values accelerate scan completion but may trigger rate-limiting mechanisms or overwhelm service capacity
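The interaction between the three parameters is easier to reason about with a small model. The following discrete-event simulation is an added example written for this page, not the scanner's own scheduler: it treats requests_per_second as a minimum spacing between dispatches, parallel_requests as a cap on open connections and request_timeout_s as a deadline after which a slot is released. The latency lists fed to it are constructed inputs standing in for target response times.

```python
"""Discrete-event model of how the three network parameters interact.

Constructed example for illustration; it is not the product's own scheduler.
requests_per_second is modelled as a fixed minimum spacing between dispatches,
parallel_requests as a cap on in-flight requests, and request_timeout_s as a
per-request deadline after which the request is abandoned.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass


@dataclass
class NetworkConfig:
    requests_per_second: int = 100   # page default
    parallel_requests: int = 5       # page default
    request_timeout_s: float = 10.0  # page default


def simulate_scan(config: NetworkConfig, latencies: list[float]) -> dict:
    """Dispatch one request per latency value and return duration statistics.

    latencies: assumed per-request server response times in seconds (constructed input).
    Returns total wall-clock duration, how many requests hit the timeout, the peak
    number of simultaneously open connections and the achieved requests per second.
    """
    if config.parallel_requests < 1 or config.requests_per_second < 1:
        raise ValueError("parallel_requests and requests_per_second must be >= 1")
    spacing = 1.0 / config.requests_per_second
    in_flight: list[float] = []  # min-heap of completion times of open requests
    last_start = None
    end_time = 0.0
    timed_out = 0
    peak = 0
    for latency in latencies:
        # Rate limit: never dispatch sooner than `spacing` after the previous dispatch.
        t = 0.0 if last_start is None else last_start + spacing
        # Release connections that have completed by time t.
        while in_flight and in_flight[0] <= t:
            heapq.heappop(in_flight)
        # Concurrency cap: if every slot is busy, wait for the earliest completion.
        if len(in_flight) >= config.parallel_requests:
            t = heapq.heappop(in_flight)
        # Timeout: an unresponsive endpoint holds its slot only until the deadline.
        duration = min(latency, config.request_timeout_s)
        if latency > config.request_timeout_s:
            timed_out += 1
        heapq.heappush(in_flight, t + duration)
        peak = max(peak, len(in_flight))
        end_time = max(end_time, t + duration)
        last_start = t
    return {
        "duration_s": end_time,
        "timed_out": timed_out,
        "peak_concurrency": peak,
        "achieved_rps": len(latencies) / end_time if end_time else 0.0,
    }


if __name__ == "__main__":
    cfg = NetworkConfig()
    # Fast endpoints: the 100 req/s limit dominates and one connection suffices.
    print("fast   :", simulate_scan(cfg, [0.01] * 20))
    # Slow endpoints: 5 slots / 1 s latency caps throughput near 5 req/s, far below
    # requests_per_second, so raising the rate limit alone does not speed the scan.
    print("slow   :", simulate_scan(cfg, [1.0] * 20))
    # One endpoint never answers: the timeout bounds how long it blocks a slot.
    print("hanging:", simulate_scan(cfg, [0.5, 30.0, 0.5]))
```

The model makes the trade-off in the list above measurable: achieved throughput is bounded by both requests_per_second and parallel_requests divided by the target's latency, so on slow Assets the concurrency cap, not the rate limit, determines scan duration, and a low request_timeout_s is what keeps unresponsive endpoints from pinning those few slots.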

Use Cases for Rate Control

Production Environment Protection:

Scan aggressiveness can be reduced for production Assets to minimize performance impact on operational services. Lower rate limits and concurrency values prevent scan traffic from affecting end-user experience.

API Rate Limit Compliance:

Rate control parameters can be configured to remain within API provider rate limits or Web Application Firewall (WAF) thresholds, preventing scan interruption due to rate-based blocking.

Security Control Avoidance:

Request rates can be tuned to remain below thresholds that would trigger rate-limiting security controls, intrusion detection systems, or automated blocking mechanisms.

Infrastructure Capacity Management:

Scan speed can be balanced against target infrastructure capacity, ensuring that security assessment does not interfere with system availability or performance SLAs.

Custom Header Configuration

Custom headers can be configured to identify and differentiate scan traffic from organic user traffic, enabling downstream systems to implement custom handling logic:

network:
  requests_per_second: 100
  parallel_requests: 5
  custom_headers:
    x-scan-identifier:
      - "asm-security-scan"

Custom headers are included in all requests transmitted during ASM scans, allowing WAFs, load balancers, or application logic to recognize and process scan traffic accordingly.
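On the receiving side, the header is only useful if the WAF, load balancer or application actually keys off it. The following is an added example written for this page, not the product's own code: it parses raw HTTP request heads, matches the x-scan-identifier header case-insensitively by name (as HTTP requires), and classifies traffic as scan or organic. Because any client can send an arbitrary header, the example treats a request as scan traffic only when the header value matches and the source address is in a known scanner allowlist, mirroring the firewall allowlist constraints discussed later on this page; SCANNER_SOURCES and the sample requests are constructed placeholders.

```python
"""Recognising tagged scan traffic on the receiving side.

Constructed example, not the product's code: it shows how a WAF rule, a log
pipeline or application middleware can pick out requests carrying the
x-scan-identifier header from the configuration above. Because any client can
send an arbitrary header, a request is treated as scan traffic only when the
header value matches AND the source address is one the scanner is known to use.
SCANNER_SOURCES holds placeholder TEST-NET-3 addresses, not real scanner IPs.
"""
from __future__ import annotations

from collections import Counter

SCAN_HEADER = "x-scan-identifier"   # header name from the configuration
SCAN_VALUE = "asm-security-scan"    # header value from the configuration
SCANNER_SOURCES = {"203.0.113.10", "203.0.113.11"}  # placeholder scanner egress IPs


def parse_request_head(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into method, path and a header map.

    Header names are case-insensitive in HTTP, so keys are lower-cased; a
    repeated header keeps the last value, which is sufficient for this check.
    The body (anything after the blank line) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(src_ip: str, raw: str) -> str:
    """Return 'scan', 'organic' or 'untrusted-tag'.

    'untrusted-tag' means the scan header was present but the source is not a
    known scanner address: worth logging, but no scan-specific handling applies.
    """
    _method, _path, headers = parse_request_head(raw)
    tagged = headers.get(SCAN_HEADER) == SCAN_VALUE
    if tagged and src_ip in SCANNER_SOURCES:
        return "scan"
    if tagged:
        return "untrusted-tag"
    return "organic"


def summarize(records: list[tuple[str, str]]) -> Counter:
    """Count classifications over (src_ip, raw_request) pairs."""
    return Counter(classify_request(ip, raw) for ip, raw in records)


# Constructed sample traffic; header casing varies as it does across real clients.
SAMPLE_TRAFFIC = [
    ("203.0.113.10", "GET /api/users HTTP/1.1\r\nHost: app.example.com\r\n"
                     "X-Scan-Identifier: asm-security-scan\r\n\r\n"),
    ("198.51.100.7", "GET /api/users HTTP/1.1\r\nHost: app.example.com\r\n"
                     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("198.51.100.8", "POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
                     "x-scan-identifier: asm-security-scan\r\n\r\n"),
    ("203.0.113.11", "GET /health HTTP/1.1\r\nHost: app.example.com\r\n"
                     "X-SCAN-IDENTIFIER: other-tool\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLE_TRAFFIC:
        print(ip, classify_request(ip, raw))
    print(summarize(SAMPLE_TRAFFIC))
```

The third sample shows why the source check matters: it carries the exact scan header from an address outside the allowlist, so it is surfaced as untrusted-tag rather than silently given whatever exemption or routing the organisation applies to genuine scan traffic.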

Complete network parameter documentation and advanced configuration options are available in the Configuration Reference.

Public Location Architecture

Public Locations define the geographic regions from which security scans originate. These locations are Organization-level resources that apply uniformly across all scan types.

Public Location Scope

Public Locations cannot be configured separately for ASM and DAST scan types. All enabled Public Locations are utilized globally across the Organization and are available for both DAST and ASM scans simultaneously.

Current Architecture:

  • Public Locations are Organization-level resources that apply to all scan types without differentiation
  • Enabling or disabling Public Locations affects both DAST and ASM scans equally
  • No mechanism exists to restrict specific Public Locations to individual scan types or specific Assets

This unified architecture ensures consistent network behavior across all security assessments but may require infrastructure adjustments when geographic restrictions apply to specific Assets.

Geographic Restriction Requirements

Organizations may encounter scenarios where ASM scans must be restricted to specific geographic regions (e.g., United States-only due to firewall allowlist constraints) while DAST scans require origination from different regions (e.g., European locations for GDPR compliance testing).

Solution Approach

When geographic differentiation between ASM and DAST scans is required, the following approach must be implemented:

  1. Public Location Configuration: Public Locations are configured to include only the regions required for ASM scans (e.g., US Public Locations exclusively)

  2. DAST Scan Migration: All DAST scans are migrated to utilize the same Public Locations configured for ASM requirements, or alternative connectivity methods are implemented

  3. Private Location Deployment: If DAST scans require origination from regions not available in Public Location configuration, Private Locations are deployed in those specific regions as an alternative connectivity mechanism

This approach maintains compliance with geographic restrictions while preserving comprehensive scan coverage across both ASM and DAST assessment types.

Private Locations for Geographic Flexibility

For Organizations with complex geographic requirements or strict regional isolation mandates, Private Locations provide greater flexibility. Private Locations enable region-specific deployment while maintaining complete separation from Public Location configurations, allowing independent geographic control for different scan types or Assets.

Summary

ASM network configuration provides essential controls for managing scan traffic behavior and geographic origination. Request rate limiting ensures that scan operations remain within infrastructure and security control constraints, while Public Location architecture defines the global network origination points for all security assessments. Organizations requiring differentiated geographic configurations should leverage Private Locations to achieve scan-type-specific regional control while maintaining compliance with network restrictions.