Scan Zones
Scan zones are areas of your network that you want to target in an active scan, associating an IP address or range of IP addresses with one or more scanners in your deployment. You must create scan zones in order to run active scans on your managed Tenable Security Center instances.
If your deployment includes Tenable Security Center Director, you can use it to manage the scan zones on your managed Tenable Security Center instances.
For more information, see Add a Scan Zone, View Your Scan Zones, Edit a Scan Zone, and Delete a Scan Zone.
Option | Description |
---|---|
Tenable Security Center Instance | The name of the managed Tenable Security Center instance where you configured the scan zone. |
Name | A name for the scan zone. |
Description | (Optional) A description for the scan zone. |
Ranges |
One or more IP addresses that you want the scan zone to target. Supported formats:
|
Scanners |
One or more scanners that you want to use to scan the Ranges in this scan zone. Note: Do not choose scanners that cannot reach the areas of your network identified in the Ranges. Similarly, consider the quality of the network connection between the scanners you choose and the Ranges. |
Best Practices
Tenable recommends pre-planning your scan zone strategy to efficiently target discrete areas of your network. If configured improperly, scan zones prevent scanners from reaching their targets. Consider the following best practices:
- It is simplest to configure and manage a small number of scan zones with large ranges.
- It is simplest to target ranges (versus large lists of individual IP addresses).
- If you use Nessus Manager for agent management, do not target Nessus Manager in any scan zone ranges.
Overlapping Scan Zones
In some cases, you may want to configure overlapping scan zones to ensure scanning coverage or redundancy.
Note: Do not configure overlapping scan zones without pre-planning your scan zone and Distribution Method strategy.
Two or more scan zones are redundant if they target the same area of your network. If Tenable Security Center executes a scan with redundant scan zones, it first attempts the scan using the narrowest, most specific scan zone.
In this example, the red numbers represent specific IP addresses on your network. The grey circles represent the network coverage of individual scan zones.
See the following table to understand the primary and redundant scan zones for the IP addresses in this example.
IP Address | Primary Scan Zone | Redundant Scan Zones |
---|---|---|
1 | Scan Zone A | None. |
2 | Scan Zone B | Scan Zone A. |
3 | Scan Zone C |
Scan Zone B, then Scan Zone A. |
4 | Scan Zone C | Scan Zone A. |
5 | Scan Zone D | Scan Zone A. |
6 | Scan Zone E | Scan Zone A. |
7 | Scan Zone F | Scan Zone E, then Scan Zone A. |