TOC & Recently Viewed

Recently Viewed Topics

Scan Zones

Path: Resources > Scan Zones

Scan zones are areas of your network that you want to target in an active scan, associating an IP address or range of IP addresses with one or more scanners in your deployment. You must create scan zones in order to run active scans in SecurityCenter.

Scan zones define the IP ranges associated with the scanner and also specify organizational user access. SecurityCenter allows the configuration of defined organizations with three different scan zone modes: Automatic Distribution Only, Locked Zone, and Selectable Zones. If an organization is in Automatic Distribution Only mode, SecurityCenter picks the scan zone and scanners based on the IP address of the target. If an organization is in Locked Zone mode, only the selected zones are available to users during the creation of scan policies. If an organization is in Selectable mode, all scan zones display and can be selected as needed.

When in Selectable mode, at scan time, the zones associated with the organization and All Zones are available to the user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored and any IPs in the managed ranges for that user are scanned by the Nessus scanners associated with the chosen zone.

When a scan is configured to use the All Zones zone, the targets for the scan are given to scanners in the most appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning and is very useful if an organization has devices placed behind a firewall or NAT device and has conflicting RFC 1918 non-internet-routable address space with another organization. In addition, some organizations may benefit from the ability to override their default scanner(s) with one(s) from a different zone. This allows an organization to more easily run internal and external vulnerability scans.

Tip: Sometimes forcing a scan to use a non-ideal scanner helps to analyze the vulnerability stance from a new perspective. For example, set the default scanner to an external one to see the attack surface from an external attacker’s perspective.

For more information, see Add a Scan Zone, Edit a Scan Zone, and Delete a Scan Zone.

Option Description
Name A name for the scan zone.
Description (Optional) A description for the scan zone.

One or more IP addresses that you want the scan zone to target. Supported formats:

  • a comma-separated list of IP addresses and/or CIDR addresses.
  • a newline-separated list of IP addresses and/or CIDR addresses.
  • a hyphenated range of IP addresses (e.g.,

One or more scanners that you want to use to scan the Ranges in this scan zone.

Note: Do not choose scanners that cannot reach the areas of your network identified in the Ranges. Similarly, consider the quality of the network connection between the scanners you choose and the Ranges.

Best Practices

Tenable recommends pre-planning your scan zone strategy to efficiently target discrete areas of your network. If configured improperly, scan zones prevent scanners from reaching their targets. Consider the following best practices:

  • It is simplest to configure and manage a small number of scan zones with large ranges.
  • It is simplest to target ranges (versus large lists of individual IP addresses).
  • If you use Nessus Manager for agent management, do not target Nessus Manager in any scan zone ranges.

Overlapping Scan Zones

In some cases, you may want to configure overlapping scan zones to ensure scanning coverage or redundancy.

Note: Do not configure overlapping scan zones without pre-planning your scan zone strategy.

Two or more scan zones are redundant if they target the same area of your network. If SecurityCenter executes a scan with redundant scan zones, it first attempts the scan using the narrowest, most specific scan zone.

In this example, the red dots 1, 2, 3, 4, 5, 6, and 7 represent specific IP addresses on your network. The blue circles represent the network coverage of Scan Zones A, B, C, D, E, and F.

See the following table to understand the primary and redundant scan zones for the IP addresses in this example.

IP Address Primary Scan Zone Redundant Scan Zones
1 Scan Zone A None.
2 Scan Zone B Scan Zone A.
3 Scan Zone C

Scan Zone B, then Scan Zone A.

4 Scan Zone C Scan Zone A.
5 Scan Zone D Scan Zone A.
6 Scan Zone E Scan Zone A.
7 Scan Zone F Scan Zone E, then Scan Zone A.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.