Next‑Gen Trust Security
Downloading and Installing Scanafi
Note: Network Discovery configuration can exist only in parent TSGs. Only users with the appropriate Strata Cloud Manager (SCM) roles in the parent TSG can create, configure, or manage Network Discovery services.
Permissions
- Web UI actions: Users must have the appropriate SCM role permissions to perform Network Discovery configuration actions through the web interface
- API actions: Built-In Accounts must have the appropriate SCM role permissions to perform API actions on Network Discovery configuration
Scanafi is a lightweight command line tool that scans hosts on your internal network for SSL/TLS certificates. It is distributed as a single executable file for Windows, Linux, and macOS.
Scanafi discovers certificates on port 443 and on additional well-known ports by performing SSL/TLS and STARTTLS handshakes against each host.
The utility also tests the endpoints it finds for the presence of known TLS vulnerabilities such as DROWN, Heartbleed, Logjam, POODLE, and POODLE TLS.
The primary mode of operation sends certificate discovery results to the Next-Gen Trust Security Platform over its REST API. This communication uses HTTPS (TCP port 443).
Scanafi operates in the following modes:
- Online mode: Scanafi automatically transmits certificate discovery results to the Next-Gen Trust Security instance specified in the API portion of the command line. Communication is over HTTPS, and authentication credentials (an API token) for Next-Gen Trust Security are required. You can obtain an API token after successfully registering with Next-Gen Trust Security.
- Offline mode: Scanafi can also operate offline. In this mode, all certificate discovery results are written to a plain text file in JSON format. The file can then be collected and imported out-of-band into the Next-Gen Trust Security Platform using the Next-Gen Trust Security API.
Downloading and installing the Scanafi utility
- In the menu bar, click Configurations > Network Discovery > New > Basic Discovery.
- Walk through the steps to create the Basic Discovery Service.
- On the Download Scanafi page, you can learn about and download the Scanafi utility.
- (Optional) Click How do I install and run the utility? to familiarize yourself with how Scanafi works.
Note: The host on which you install Scanafi must have network access to the IP addresses you want to scan. If Scanafi runs in online mode, the host must also be able to reach the appropriate Next-Gen Trust Security instance over the Internet (HTTPS, TCP port 443) to upload results.
- Click Download next to the appropriate operating system.
- Save the file, then run it.
Verifying the Scanafi binary signature
To ensure the Scanafi binary you downloaded is authentic and has not been tampered with, Palo Alto Networks provides a digital signature. You can verify this signature using GPG and the NGTS public key. This process confirms that the binary was signed by Palo Alto Networks and remains unmodified since it was published.
- Download and import the NGTS public key:
  - Download the NGTS public key:
    curl -O https://dl.ngts.paloaltonetworks.com/ngts/ngtskey.pub
  - Import the key into your GPG keyring:
    gpg --import ./ngtskey.pub
  - Set ownertrust for "Next-Gen Trust Security, Palo Alto Networks, Inc." to Ultimate:
    echo -e "trust\n5\ny\n" | gpg --no-tty --command-fd 0 --edit-key "gpg-ngts@paloaltonetworks.com"
    Ownertrust only controls the "[ultimate]" label that gpg prints; it does not authenticate the key itself. Before trusting the key, compare the fingerprint shown in the next step with the fingerprint Palo Alto Networks publishes through a channel other than the download site.
  - Verify the key in your keyring:
    gpg --list-keys
    You should see something like:
    /home/edge/.gnupg/pubring.kbx
    -----------------------------
    pub   rsa4096 2026-04-21 [SC]
          7020F9A40719CE4B7E30B0F51BA5DF04D675404D
    uid           [ultimate] Next-Gen Trust Security, Palo Alto Networks, Inc. <gpg-ngts@paloaltonetworks.com>
    sub   rsa2048 2026-04-21 [A]
    sub   rsa2048 2026-04-21 [E]
- Download the Scanafi binary and its corresponding signature file with a command similar to the following example for Linux:
    curl -O https://dl.ngts.paloaltonetworks.com/ngts/scanafi_linux_64.tgz && \
    curl -O https://dl.ngts.paloaltonetworks.com/ngts/scanafi_linux_64.tgz.sig
- Once the archive and its signature file are downloaded, verify the signature:
    gpg --verify scanafi_linux_64.tgz.sig scanafi_linux_64.tgz
    The result should look similar to the following:
    gpg: Signature made Wed May 29 15:23:10 2025 UTC
    gpg:                using RSA key 7020F9A40719CE4B7E30B0F51BA5DF04D675404D
    gpg:                issuer "gpg-ngts@paloaltonetworks.com"
    gpg: Good signature from "Next-Gen Trust Security, Palo Alto Networks, Inc. <gpg-ngts@paloaltonetworks.com>" [ultimate]
    Confirm that gpg reports "Good signature" and that the key on the "using RSA key" line matches the fingerprint you verified above. If gpg reports "BAD signature", or the signing key is not the one you imported, do not run the archive.
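A scripted version of the check above, added here as an example; it is not part of the Next-Gen Trust Security documentation or tooling. Rather than grepping gpg's human-readable "Good signature" line, it reads the machine-readable --status-fd output and accepts the archive only if a VALIDSIG line names the pinned fingerprint (the one from the sample key listing above). This works whether or not you set ownertrust, because gpg's exit status and VALIDSIG line do not depend on it; a valid signature from any other key, or a modified archive, is rejected. The demo_roundtrip function, the throw-away demo key, and the file names it uses are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not NGTS code): verify a detached GPG signature by pinning the
# signer's fingerprint from gpg's machine-readable status output.
# Fingerprint taken from the sample key listing in the documentation; confirm it
# against an out-of-band source before relying on it.
NGTS_FPR="7020F9A40719CE4B7E30B0F51BA5DF04D675404D"

# match_validsig: read "gpg --status-fd 1" output on stdin and succeed only if a
# VALIDSIG line names the expected key, either as the signing key (field 3) or
# as the primary key (last field, present when a subkey made the signature).
match_validsig() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# verify_artifact FILE SIGFILE FINGERPRINT
# gpg exits 0 for any valid signature, even from an untrusted key, so the pipe's
# status comes from match_validsig, not from gpg. A BADSIG, a missing gpg, or a
# signature from the wrong key all yield a non-zero status.
verify_artifact() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | match_validsig "$3"
}

# demo_roundtrip: self-contained exercise with a throw-away key (constructed
# data, assumed names). Returns 0 if all three cases behave as expected,
# 2 if gpg could not generate a key in this environment, 1 otherwise.
demo_roundtrip() {
  tmp=$(mktemp -d) || return 1
  GNUPGHOME=$tmp; export GNUPGHOME
  rc=1
  if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
       --quick-generate-key 'Demo Signer <demo@example.invalid>' rsa2048 sign never 2>/dev/null; then
    fpr=$(gpg --batch --with-colons --list-keys demo@example.invalid 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'scanafi release artifact (constructed test data)\n' > "$tmp/artifact.tgz"
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$tmp/artifact.tgz.sig" "$tmp/artifact.tgz" 2>/dev/null
    # 1. Good signature from the pinned key passes.
    if verify_artifact "$tmp/artifact.tgz" "$tmp/artifact.tgz.sig" "$fpr"; then
      # 2. A valid signature from a key other than the pinned one fails.
      if ! verify_artifact "$tmp/artifact.tgz" "$tmp/artifact.tgz.sig" "$NGTS_FPR"; then
        # 3. A tampered archive fails even with the right pin.
        printf 'x' >> "$tmp/artifact.tgz"
        if ! verify_artifact "$tmp/artifact.tgz" "$tmp/artifact.tgz.sig" "$fpr"; then
          rc=0
        fi
      fi
    fi
  else
    rc=2
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  unset GNUPGHOME
  return $rc
}

# Usage: sh verify_scanafi.sh scanafi_linux_64.tgz scanafi_linux_64.tgz.sig
if [ $# -eq 2 ]; then
  if verify_artifact "$1" "$2" "$NGTS_FPR"; then
    echo "OK: $1 is signed by $NGTS_FPR"
  else
    echo "FAIL: $1 is not validly signed by the pinned NGTS key" >&2
    exit 1
  fi
fi
```

Pinning the fingerprint in the script, rather than relying on whatever key happens to be in the keyring with ultimate trust, is what makes this suitable for the automated deployment strategies described below: a scheduled job that re-downloads Scanafi can refuse to run anything the pinned key did not sign.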
Optional deployment strategies
Scanafi is deployed as an executable file and requires no installation on the target host. It does not receive commands from, or perform work on behalf of, a centralized platform; the scans to perform are simply passed as command arguments to the executable.
While it is possible to execute scans manually by copying the executable to a host and running Scanafi there, most enterprise organizations will want a more automated management process. A typical strategy is to identify hosts within each network segment to host the Scanafi executable and to configure scheduled tasks and/or cron jobs that routinely execute the discovery process.
Another strategy is to use the system management frameworks already in place to manage, patch, and configure systems in the environment (for example BigFix, Tanium, Puppet, Chef, or Microsoft SCCM) to deploy Scanafi automatically. Discovery is executed, and Scanafi is then removed automatically after completion.
Automated Result Processing
The typical approach is to configure Scanafi to execute on a host within the target network segment and, upon completion of the scan, send the results directly to Next-Gen Trust Security using the WebSDK API. This avoids the additional work of processing result files before the results become visible in Next-Gen Trust Security.
Standalone Result File Processing
Another approach is to deploy Scanafi to a host within the targeted network segment and execute it with parameters that scan the local subnet and write the results to a JSON file. Upon completion, the results file is sent to a central location for import into Next-Gen Trust Security using the WebSDK API. The executable and the result file can then be removed from the target machine.