Environment Settings

Network Definitions

The Network Definitions page includes the following sections:

Monitored Networks

The Monitored Network configuration contains a set of IP ranges (CIDRs / subnets) that define the monitoring boundaries for OT Security. OT Security ignores assets outside of the configured ranges.

By default, OT Security configures three default public ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as well as the link-local range of 169.254.0.0/16 (APIPA).

To disable any of the default ranges or add ranges appropriate for your network:

  1. Go to Settings > Environment Settings > Network Definitions.

    The Network Definitions page appears.

  2. In the Monitored Network section, click Edit.

    The Monitored Network panel appears.

  3. Select the required Default IP ranges and/or add Additional IP ranges (one IP range per line) in the designated text box.

  4. Click Save.

    OT Security saves the monitored network configuration.

Duplicated Internal Networks

Overlapping IP ranges occur when an IP address is assigned to multiple devices. Overlapping IP ranges are common across manufacturing environments, which leads to challenges in accurately identifying and tracking asset resulting in visibility gaps, incorrect asset associations, and so on. You can define your overlapping networks for OT Security to track assets accurately even when IP addresses are reused across different segments.

Note: If an asset in a duplicated network is detected by both a sensor and another source (such as another sensor or the ICP locally), the OT Security interface merges it into a single asset. However, licensing counts it as two assets. To prevent this, Tenable recommends adjusting the duplicated network range to exclude such assets.

Add a Duplicated Network

Before you Begin

  • Make sure you have paired authenticated sensors.

    Note: OT Security does not support duplicated networks on unauthenticated sensors.

To define the duplicate networks in your environment:

  1. Go to Settings > Environment Settings > Network Definitions.

    The Network Definitions page appears.

  2. In the Duplicated Internal Networks section, click Add Network.

    The Add Duplicated Network panel appears with the Network Details.

    Note: OT Security uses the 240.0.0.0/4 IP range as the internal reserve pool for mapping IP addresses to NAT IP allocation. To change this reserve pool range, contact Tenable Support.

  3. In the Duplicated IP Range box, type the IP range in the CIDR format, for example, 192.168.0.0/24.

  4. From the Duplicates (Sensors) drop-down box, select the sensors associated with the duplicated IP range.

  5. Click Next.

    The Confirmation panel appears.

  6. (Optional) Select the Delete Assets checkbox.

    Tip: To separate all the selected assets into their own networks, Tenable recommends that you allow OT Security to delete the assets and rediscover them after startup. If you do not select the Delete Assets checkbox, the assets remain in the current IP range and may cause inconsistencies or unexpected behavior.

  7. Click Save.

    OT Security saves the duplicate IP range and it appears in the Duplicated Internal Networks table.

    Important: Once you complete configuring duplicated networks, Tenable recommends that you restart OT Security before enabling the sensors.

  8. Restart OT Security.

  9. To enable sensors, go to Local Settings > Sensors:

    Note: The IP ranges (CIDRs) for the active query are the ones that you configured in the Duplicated Internal Network settings.

    1. Do one of the following:

      • Single sensor: Right-click the sensor and click Edit. In the Edit Sensor panel, click the Sensor active queries toggle to enable active queries.

      • Multiple sensors: Select all the required sensors. In the header, select Bulk Actions > Enable Active Queries.

    2. Right-click the sensors and activate them by changing the status from Paused to Connected.

Next Steps

After configuring the duplicated networks and restarting OT Security, the assets appear with their actual IPs in the All Assets table. Additionally, when entering an IP assigned to a duplicated network, you must select the corresponding Sensor. For example: in Active query > Discovery / Nessus Scan > Create Scan, or in Credentials > Test Credentials:

  • In Inventory > All Assets, view the real IP addresses and the Source of assets in the All Assets table. For instance, two assets that share the same IP address but are associated with different sensors.

  • In Active Queries > Queries Management > Discovery or Nessus Scans > Create Scan, when configuring an active query involving duplicated networks, select the Relevant Sensors for that IP range. This allows you to run the query for assets associated with a specific sensor while excluding the other sensors.

    Note: OT Security enables the Relevant Sensors box only for IP ranges in duplicated networks. It remains disabled for all other IP ranges.

  • In Active Queries > Credentials > Test Credentials when configuring credentials, if you input an IP range in duplicated network, you must also select the associated sensors in the Duplicate (Sensor) box.

  • To create Asset Groups for assets part of duplicated networks, use the Asset Selection option and identify the specific IP based on the Source column in the Assets table.

The Duplicated Internal Networks table shows the following details:

Column Description
CIDR The duplicated network IP range.
Sensors The sensors associated with the duplicated network IP range.
In Use - Discovery Queries Indicates if the CIDRs are in-use in at least one Asset Discovery (active query). If yes, remove the CIDR Active Discovery before deleting the duplicated network that contains that CIDR.
In Use - Nessus Scans Indicates if the CIDRs are in-use in at least one Nessus Scan. If yes, remove the CIDR from the Nessus Scan before deleting the duplicated network that contains that CIDR.

Actions on Duplicated Internal Networks

To edit a duplicated network:

  1. In the Duplicated Internal Networks section, select the duplicated network to modify.

  2. Do one of the following:

    • Right-click the duplicated network and select Edit.

    • In the upper-right corner of the section, select Actions > Edit.

      The Edit Duplicated Network panel appears with the details of the selected duplicated network.

  3. Modify the values as needed.

  4. Click Next.

  5. In the Confirmation panel, click Save.

    OT Security saves the changes to the duplicated network.

You can delete duplicated networks that you no longer need.

To delete a duplicated network:

  1. In the Duplicated Internal Networks section, select the duplicated network to delete.

  2. Do one of the following:

    • Right-click the duplicated network and select Delete.

    • In the upper-right corner of the section, select Actions > Delete.

OT Security deletes the duplicated network.

  1. Remove the CIDRs from Nessus Scan / Active Discovery.

  2. Delete the sensor from the duplicated network settings configuration.

  3. In case of replacement, use API to set the new sensor ID and replace the old sensor.

  4. In the Sensors page, delete the old sensor.

Discover New Assets via SNMP

When you enable the Discover New Assets via SNMP option, OT Security adds the assets discovered by SNMP queries to the assets inventory.

Fetch IP Address for IoT Assets

By default, when importing assets from an IoT connector, OT Security imports the IP address along with the MAC address of the devices. To import only the MAC address, disable the Fetch IP Address for IoT Assets option. For more information, see Managing IoT Connectors.

Event Clusters

To facilitate the monitoring of events, multiple events with the same characteristics are clustered together into a single cluster. The clustering is based on event type (that is, events that share the same policy), source, and destination assets, and so on.

To cluster events, they must be generated within the following configured time intervals:

  • Maximum time between consecutive events — Sets the maximal time interval between events. If this time passes, the consecutive events are not clustered.

  • Maximum time between the first and last event — Sets the maximal time interval for all events to be shown as a cluster. An event that is generated after this time interval is not be part of the cluster.

To enable clustering:

  1. The Event Clusters page appears.

  2. Go to Settings > Environment Settings > Event Clusters.

    The Event Clusters page appears.

  3. Click the toggle to enable desired categories for clustering.

  4. To configure the time intervals for a category, click Edit.

    The Edit Configuration window appears.

  5. Type the required number value in the number box and select the unit of time using the drop-down box.

    Note: For more information about clustering and time intervals, click the icon.

  6. Click Save.