How to Scan Your Environment for NGINX Instances

Akash Ananthanarayanan Thumbnail
Akash Ananthanarayanan
Published June 01, 2023

As the core module of F5 NGINX Management Suite, Instance Manager is an invaluable resource that enables you to locate, manage, and monitor all your NGINX Open Source and NGINX Plus instances easily and efficiently. Keeping track of NGINX instances is now simple with Instance Manager – the easy-to-use interface allows organizations to conveniently monitor all instances from a single pane of glass.

Instance Manager can also identify instances affected by Common Vulnerabilities and Exposures (CVEs) and instances with potentially expired SSL certificates. This wide scanning capability is crucial to ensure the security and safety of your Information Technology (IT) assets. The module also notifies when a new version exists to help resolve these vulnerabilities, making it essential for anyone who wants to proactively manage and secure NGINX instances.

With Instance Manager, you can be certain that your assets are being precisely tracked – leading to better management and enhanced overall security.

How NGINX Management Suite Instance Manager Works

Instance Manager makes it easy to scan your environment for NGINX instances by identifying active hosts using the Internet Control Message Protocol (ICMP).

Two primary methods can be used to identify active hosts:

  1. Enabling ICMP
  2. Disabling ICMP

To scan for an instance, navigate to the scan page and provide the IP address along with the port number. This process is straightforward and can be accomplished by following the steps provided on the scan page.

Overview of a NGINX scan when ICMP is enabled
Figure 1.  Overview of a NGINX scan when ICMP is enabled

To identify active hosts, you first verify port accessibility using ICMP Hello packets and then perform a TCP handshake. To detect NGINX, analyze the HTTP header of the server.

Note: If HTTP is enabled in NGINX Plus, your scan may reveal any CVE vulnerabilities. However, disabling HTTP on NGINX Plus could potentially affect the accuracy of this approach. If you choose to disable it, your scan will not be able to identify any CVEs. Therefore, it is recommended to keep HTTP enabled on NGINX Plus to achieve the most comprehensive and effective results in identifying active hosts.

Wireshark capture of when ICMP is enabled
Figure 2. Wireshark capture of when ICMP is enabled

When ICMP is disabled, you can ensure the proper functioning of a port by verifying it through the TCP handshake method. This method assesses the port’s response and confirms that the port is working as expected. If the SYN request is answered, Instance Manager can determine if the port is running NGINX or if the certificate has expired.

Note: If the SYN request goes unanswered, the process may be delayed and can potentially cause port exhaustion issues.

Overview of a NGINX scan when ICMP is disabled
Figure 3. Overview of a NGINX scan when ICMP is disabled

Instance Manager has the capability to check the SSL certificate date of any server, whether or not it is part of NGINX servers. The module conducts a comprehensive evaluation of each server’s SSL certificate date to identify any potential expirations. Scans done by Instance Manager cover all requested ports, alert you of any expired SSL certificates, and provide valuable insights to help keep your enterprise safe.

Wireshark capture when ICMP is disabled
Figure 4. Wireshark capture when ICMP is disabled

Lastly, implementing role-based access control (RBAC) affords you complete control over who can initiate a scan and who has granted access to your scan results. With this feature, your sensitive information remains confidential and secure, as only authorized personnel can access the results.

Additional Resources

Complete documentation on NGINX Management Suite Instance Manager can be found here.

If you are interested in exploring Instance Manager today, you can reach out to us to discuss your specific use cases.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"