This is a question/best practices advice...
We have several dedicated subnets for On board administrator/iLO cards in HP C7000 enclosures. These are older cards and enclosures so there is not an upgrade path to the latest firmware without replacing hardware, so we are stuck with TLS 1.0. These subnets are being scanned with every scheduled scan that is taking place, so you would expect the results to be the same scan after scan. However, this is not the case, (the security group is using Qualys, and I am not sure how the scan itself is configured) one scan will detect the presence of TLS 1.0 and all the related vulnerabilities, the next scan (may or may not) see TLS/SSL present at all on the same device, then the next scan will detect the TLS finding again. This flip flopping looks like the the vulnerabilities on these devices are repeatedly being closed and reopened when we know that there state is not changing.
The onboard administrator card is the interface for all the ilo's in the chassis, working out what the scanner is doing with it's default configuration each individual IP is being with 1,700 TCP and 800 UDP probes, times that by 16 ilo ip's and one OA ip, that's a lot of traffic for a low powered device that is not designed to have that amount of traffic sent to it.
So the question is, what are the best practices for scanning these types of devices? I am presuming having a separate group configured in the scanner that sends a smaller amount of traffic than the default would produce more consistent and accurate results?