When a focus network is specified via the Monitored Networks IP Addresses and Ranges configuration parameter, only one side of a session must match in the list. For example, if you have a DMZ that is part of the focus network list, NNM reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server is reported.
In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, NNM analyzes only those vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, NNM ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.
There is another filter that NNM uses while looking for unique sessions. This is a dependency that requires the host to run a major service. These dependencies are defined by a list of NNM plugin IDs that identify SSL, FTP, and several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a University ran a public FTP server that had thousands of downloads each hour, they may want to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for NNM.