Exclusions
Exclusions are restrictive rules that prevent Tenable scanners from probing specific IP addresses or ranges. They serve as a safety mechanism to protect fragile infrastructure, respect maintenance windows, and ensure business continuity.
For information on managing exclusions, see Manage Exclusions.
How Exclusions Work
When an exclusion is active for a specific target, the scanner is strictly prohibited from scanning that IP address.
- Priority — Exclusions always override scan configurations. Even if a user explicitly launches a scan against an IP, the scanner skips that target if it falls within an active exclusion rule.
- Scope — Exclusions apply to network scans only. They do not apply to Tenable Agents, as agents operate locally on the host and do not require network probing.
Common Use Cases
- Fragile OT/IoT devices — Permanently excluding legacy printers, medical devices, or industrial control systems that may crash if scanned.
- Business hours — Preventing scans during peak operational times (for example, excluding the "Trading Server" subnet Mon-Fri, 9:00 AM – 5:00 PM).
- Prohibited subnets — Ensuring scanners never cross into restricted networks, such as third-party partner networks connected via VPN.
Types of Exclusions
When configuring an exclusion, you define the duration and frequency. You can create two different types of exclusion:
- Permanent exclusions — The target is blocked indefinitely until the rule is removed. Use this for fragile hardware that should never be scanned.
- Scheduled exclusions — The target is blocked only during specific windows. You can set these to recur (for example, "Every Day at 8:00 AM for 9 hours").
Critical Considerations
- IP-based limitations — Exclusions are primarily enforced by IP address. If you exclude a server by IP and that server moves to a new IP via DHCP, the exclusion no longer protects it (and the exclusion may inadvertently block whatever new device receives the old IP).
- Active scans — If a scan is currently running and an exclusion window opens, the scanner immediately aborts the scan for the targets that window covers.
- PAM integrations — Do not exclude your Privileged Access Management (PAM) servers (for example, CyberArk, Thycotic). If you exclude the PAM server, the scanner cannot communicate with the vault to retrieve credentials, causing credentialed scans across your entire environment to fail.
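The following is an added example written for this page, not Tenable's own code or API: it models the permanent and scheduled exclusion types described above, enforces them by IP address, and applies them to a scan's target list so that an explicitly listed target is still skipped while a covering rule is active. Rule names, networks, and timestamps are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Constructed model of an exclusion rule (a simplification, not Tenable's data model):
# a permanent rule blocks its networks indefinitely; a scheduled rule blocks them only
# during a daily window (start time + duration) on the listed weekdays (0=Mon .. 6=Sun).
@dataclass(frozen=True)
class Exclusion:
    name: str
    networks: tuple                      # CIDR strings, e.g. ("10.20.0.0/24",)
    permanent: bool = True
    start: Optional[time] = None
    hours: float = 0.0
    weekdays: frozenset = frozenset(range(7))

    def covers(self, ip: str) -> bool:
        """Exclusions are enforced by IP, so the only question is address membership."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks)

    def active_at(self, when: datetime) -> bool:
        if self.permanent:
            return True
        # Check today's and yesterday's window: "8:00 PM for 10 hours" is still open at 02:00.
        for days_back in (0, 1):
            day = when.date() - timedelta(days=days_back)
            if day.weekday() not in self.weekdays:
                continue
            opens = datetime.combine(day, self.start)
            if opens <= when < opens + timedelta(hours=self.hours):
                return True
        return False

def apply_exclusions(targets, exclusions, when):
    """Split a scan's target list into (scanned, skipped). Exclusions override the
    scan configuration: a listed target is skipped while any covering rule is active."""
    scanned, skipped = [], {}
    for ip in targets:
        hit = next((e.name for e in exclusions if e.active_at(when) and e.covers(ip)), None)
        if hit:
            skipped[ip] = hit
        else:
            scanned.append(ip)
    return scanned, skipped

# Constructed rules mirroring the page's use cases (trading subnet: Mon-Fri, 9:00 for 8 h).
RULES = (
    Exclusion("Fragile printers", ("192.168.50.10/32",)),
    Exclusion("Partner VPN", ("172.16.0.0/12",)),
    Exclusion("Trading Server", ("10.20.0.0/24",), permanent=False,
              start=time(9, 0), hours=8, weekdays=frozenset(range(5))),
)
TARGETS = ("10.20.0.7", "192.168.50.10", "172.20.1.1", "10.30.0.5")
```

Because matching is by address only, a host that moves to a new IP via DHCP silently drops out of the protected set, which is the limitation noted under IP-based limitations.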