Set Up a Basic Discovery Service

Use Basic Discovery to manually find certificates within your internal network using the Venafi Scanafi utility.
Tip: Basic Discovery does not include automated certificate validation. To include validation, create an Enhanced Discovery service.

Prerequisites

Ensure you have the following before creating the service:
  • In Next-Gen Trust Security: The Superuser role in the parent TSG. Discovery services are parent TSG resources and can only be created and configured by parent TSG users.
  • Administrative access to an internal endpoint (Windows, Linux, or macOS).
  • Scanafi Credentials: A Scanafi Built-in Account Private Key or Client ID. These are generated after creating a Scanafi Built-in Account. For instructions, see Create a Scanafi built-in account.

What is Scanafi?

Scanafi is a lightweight, command-line executable that scans internal network hosts for SSL/TLS certificates. It performs discoveries on port 443 and other common ports via SSL/TLS and STARTTLS handshakes.
The utility supports two modes:
  • Online mode (Standard): Automatically transmits discovery results to Next-Gen Trust Security via REST API.
  • Offline mode: Logs results to a local JSON file for manual import to the Next-Gen Trust Security Platform later.

Create a Basic Discovery service

  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Network Discovery.
  3. Click New > Basic Discovery.
  4. Enter a unique Service name.
  5. Enter a Port Number or a range of ports to scan.
  6. Enter your Targets using IP addresses or fully qualified domain names (FQDNs):
    • Manual: Type the address and click Add.
    • Bulk: Click Import to upload a .csv file.
  7. Click Create Service.
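
A pre-flight check for steps 5 and 6, as an added example that is not part of the product or of Scanafi: it validates a port entry and screens a target list so that only IP addresses and FQDNs, with duplicates removed, reach the Import dialog. The CSV layout (one target per row, in the first column) and the `low-high` port range syntax are assumptions, since this page specifies neither; all function names are illustrative.

```python
import csv, io, ipaddress, re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def classify_target(value):
    """Return 'ip', 'fqdn', or None when the value is neither."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # Needs 2+ labels and a non-numeric last label (rejects web02, 10.20.30.256).
    if (len(value) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(LABEL.fullmatch(label) for label in labels)):
        return "fqdn"
    return None

def parse_ports(spec):
    """Parse '443' or '8443-8445' (assumed syntax) into a list of ports."""
    m = re.fullmatch(r"\s*(\d{1,5})\s*(?:-\s*(\d{1,5})\s*)?", spec)
    low, high = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"not a valid port or port range: {spec!r}")
    return list(range(low, high + 1))

def check_targets_csv(text):
    """Return (accepted, rejected) for CSV text; column 1 holds the target."""
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        target = row[0].strip() if row else ""
        if not target:
            continue
        kind = classify_target(target)
        key = target.lower().rstrip(".")  # case and trailing dot do not matter
        if kind is None:
            rejected.append((lineno, target, "not an IP address or FQDN"))
        elif key in seen:
            rejected.append((lineno, target, "duplicate"))
        else:
            seen.add(key)
            accepted.append((target, kind))
    return accepted, rejected

# Constructed sample rows (documentation address ranges and .test names).
SAMPLE = ("web01.corp.example.test\n10.20.30.40\n2001:db8::10\n"
          "WEB01.corp.example.test.\n10.20.30.256\n10.20.30.0/24\n"
          "https://intranet.example.test\nweb02\n")
```

Rejected rows carry their line number and reason, so a CIDR block, a pasted URL or an unqualified host name can be corrected in the source file before upload.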

Download and run Scanafi

After creating the service, run the utility on your local endpoint.
  1. In the Download Scanafi section, select your operating system: Windows PowerShell, macOS, or Linux.
  2. Copy and run the Download and Unzip command in your terminal.
  3. After downloading and installing, copy and run the Execute with Built-in Account command, replacing the <CLIENT_ID> placeholder with the Client ID from your Scanafi Built-in Account.