In larger enterprises, you can reduce the time and cost of setting up and maintaining locations by deploying environments with the same internal IP addresses. To disambiguate between assets that have the same IP addresses across environments, use networks in Tenable Vulnerability Management. Networks can also be used to logically separate assets for reporting, Role Based Access Control (RBAC), and Tagging purposes.

If you deploy environments with the same internal IP addresses, create a network for each environment you have, and assign scanners and scanner groups to each network. When a scanner scans an asset, the associated network is added to the asset's details. You can filter assets by network or create dynamic tags based on a network. Recast rules and access groups do not support networks.

A scanner or scanner group can only belong to one network at a time.

There are two types of networks:

  • Default network — The network to which a scanner or scanner group belongs unless you assign it to a custom network.

    You can view scanners in the default network, but you cannot add or remove scanners from the default network.

    If you remove a scanner or scanner group from a custom network, or if you delete a custom network, Tenable Vulnerability Management returns the scanner or scanner groups to the default network.

    Imported scans always belong to the default network.

    Note: Assets from AWS pre-authorized scanners can only appear in the Default network.

    Note: If you move agents from a custom network to the Default network, you need to move the agents' associated assets to the Default network manually. Assets do not revert back to the Default network automatically. For more information, see Add an Agent to a Network and Move Assets to a Network via Settings.

  • Custom network — A network you create. Add a custom network only if you want to scan targets in separate environments that contain overlapping IP ranges. If your scans do not involve separate environments with overlapping IP ranges, keep all scanners in the Default network.

For more information, see the following topics: