Scan Zones

Scan zones are areas of your network that you want to target in an active scan, associating an IP address or range of IP addresses with one or more scanners in your deployment. You must create scan zones in order to run active scans on your managed Tenable.sc instances.

If your deployment includes Tenable.sc Director, you can use it to manage the scan zones on your managed Tenable.sc instances.

For more information, see Add a Scan Zone, View Your Scan Zones, Edit a Scan Zone, and Delete a Scan Zone.

Option Description
Tenable.sc Instance The name of the managed Tenable.sc instance where you configured the scan zone.
Name A name for the scan zone.
Description (Optional) A description for the scan zone.
Ranges

One or more IP addresses that you want the scan zone to target. Supported formats:

  • a comma-separated list of IP addresses and/or CIDR addresses.
  • a newline-separated list of IP addresses and/or CIDR addresses.
  • a hyphenated range of IP addresses (e.g., 192.0.2.0-192.0.2.25).
Scanners

One or more scanners that you want to use to scan the Ranges in this scan zone.

Note: Do not choose scanners that cannot reach the areas of your network identified in the Ranges. Similarly, consider the quality of the network connection between the scanners you choose and the Ranges.

Best Practices

Tenable recommends pre-planning your scan zone strategy to efficiently target discrete areas of your network. If configured improperly, scan zones prevent scanners from reaching their targets. Consider the following best practices:

  • It is simplest to configure and manage a small number of scan zones with large ranges.
  • It is simplest to target ranges (versus large lists of individual IP addresses).
  • If you use Nessus Manager for agent management, do not target Nessus Manager in any scan zone ranges.

Overlapping Scan Zones

In some cases, you may want to configure overlapping scan zones to ensure scanning coverage or redundancy.

Note: Do not configure overlapping scan zones without pre-planning your scan zone and Distribution Method strategy.

Two or more scan zones are redundant if they target the same area of your network. If Tenable.sc executes a scan with redundant scan zones, it first attempts the scan using the narrowest, most specific scan zone.

In this example, the red numbers represent specific IP addresses on your network. The grey circles represent the network coverage of individual scan zones.

See the following table to understand the primary and redundant scan zones for the IP addresses in this example.

IP Address Primary Scan Zone Redundant Scan Zones
1 Scan Zone A None.
2 Scan Zone B Scan Zone A.
3 Scan Zone C

Scan Zone B, then Scan Zone A.

4 Scan Zone C Scan Zone A.
5 Scan Zone D Scan Zone A.
6 Scan Zone E Scan Zone A.
7 Scan Zone F Scan Zone E, then Scan Zone A.