In larger enterprises, you can reduce the time and cost of setting up and maintaining locations by deploying environments with the same internal IP addresses. To disambiguate between assets that have the same IP addresses across environments, use networks in Tenable Vulnerability Management.

If you deploy environments with the same internal IP addresses, create a network for each environment you have, and assign scanners and scanner groups to each network. When a scanner scans an asset, the associated network is added to the asset's details. You can filter assets by network or create dynamic tags based on a network. Recast rules and access groups do not support networks.

A scanner or scanner group can only belong to one network at a time.

There are two types of networks:

  • Default network — The network to which a scanner or scanner group belongs unless you assign it to a custom network.

    You can view scanners in the default network, but you cannot add or remove scanners from the default network.

    If you remove a scanner or scanner group from a custom network, or if you delete a custom network, Tenable Vulnerability Management returns the scanner or scanner group to the default network.

    Imported scans always belong to the default network.

    Note: You can only add agents that are assigned to the Default network to custom networks.

    Note: Assets from Tenable Nessus Agents or AWS Pre-Authorized Scanners can only appear in the Default network.

  • Custom network — A network you create. Add a custom network only if you want to scan targets in separate environments that contain overlapping IP ranges. If your scans do not involve separate environments with overlapping IP ranges, keep all scanners in the Default network.
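The following planning sketch is an added example, not Tenable code or part of the original documentation. It checks which environments have overlapping internal ranges, and therefore need a custom network, and shows how keying assets by network keeps same-IP assets distinct. The environment names, ranges, scan results, and the "net-<environment>" naming scheme are all constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: environment -> internal ranges its scanners target.
ENVIRONMENTS = {
    "hq": ["10.0.0.0/16", "192.168.10.0/24"],
    "plant-a": ["10.0.4.0/22"],
    "plant-b": ["10.0.4.0/22", "172.16.0.0/24"],
    "lab": ["172.20.0.0/16"],
}

# Constructed scan results: (environment that scanned it, asset IP).
FINDINGS = [("plant-a", "10.0.4.10"), ("plant-b", "10.0.4.10"), ("lab", "172.20.1.5")]


def overlapping_environments(envs):
    """Return {environment: set of environments whose ranges overlap it}."""
    parsed = {n: [ipaddress.ip_network(c) for c in cidrs] for n, cidrs in envs.items()}
    clashes = {n: set() for n in envs}
    for a, b in combinations(parsed, 2):
        if any(x.overlaps(y) for x in parsed[a] for y in parsed[b]):
            clashes[a].add(b)
            clashes[b].add(a)
    return clashes


def plan_networks(envs):
    """Custom network only where ranges collide; everything else stays in Default.

    The "net-<environment>" names are hypothetical, not a product convention.
    """
    clashes = overlapping_environments(envs)
    return {n: (f"net-{n}" if clashes[n] else "Default") for n in envs}


def distinct_assets(findings, plan=None):
    """Count assets keyed by IP alone (plan=None) or by (network, IP)."""
    if plan is None:
        return len({ip for _, ip in findings})
    return len({(plan[env], ip) for env, ip in findings})


if __name__ == "__main__":
    plan = plan_networks(ENVIRONMENTS)
    for env, net in plan.items():
        print(f"{env:8} -> {net}")
    print("assets by IP only:      ", distinct_assets(FINDINGS))
    print("assets by (network, IP):", distinct_assets(FINDINGS, plan))
```

With the sample data, the two plant assets at 10.0.4.10 collapse into one record when keyed by IP alone and stay separate once each environment's scanners are assigned to their own network.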

For more information, see the following topics: