Zones

Set Zone Networks & About Lists

The Zone Networks tab provides labeling and control settings for each zone. It includes the Known, Eligible, Internal, and Avoid lists.

Of these, Eligible, Avoid, and, to a limited extent, Known influence and restrict collector discovery. The Internal list is used for post-discovery reporting and analysis.

Zone Network settings apply to all collectors operating within the zone.

Before discovery begins, you must select a zone and define the networks (IPs and CIDRs) included in its lists. This “kick-off” set of devices gives Asset Manager the starting point to discover the full set of network devices within the zone. You can think of Zone Networks as the initial “starter set” for discovery.

Eligible Networks and Collector Behavior

The Eligible list defines which discovered devices and networks Asset Manager is allowed to probe and share across collectors.

When a device (IP or CIDR) discovered by any collector in a zone is added to the Eligible list, it becomes available for interrogation by all collectors in that zone. In this way, the Eligible list acts as a bridge, allowing collectors to share and act on discovered information.

  • If a collector discovers a device that is not on the Target list, Asset Manager checks the Eligible list:

      • If the device is on the Eligible list, it is interrogated.

      • If not, the system checks the Avoid list.

          • If the device is not on the Avoid list, it is still interrogated.

Newly discovered subnets—especially those previously unknown to your organization—can be added to the Eligible list to authorize further investigation. As these networks are validated, you may designate some as Internal Zone Networks.

When TargetDiscoveredRoutes is enabled:

  • In Host Discovery, Asset Manager targets all discovered devices that are in the Eligible list.

  • In Path Discovery, Asset Manager traces routes to all Eligible networks and can display the results in a map.

Additionally, discovery methods such as SNMP, Port, Profile, and Leak can be configured to run against subnets included in the Eligible list.

Known Zone Networks

The Known list contains IPs and CIDRs that your organization recognizes but does not own or manage. These are networks you are generally aware of, though you may not require detailed insight into them.

The Known list is used for labeling and reporting purposes. It allows you to mark devices and associated CIDR blocks as “known,” which influences how data is categorized and presented in analysis. It does not affect discovery behavior.

Unlike the Eligible list, the Known list does not control what Asset Manager probes. Instead, it is best understood as a way to identify “networks your organization is aware of.”

When a network element is changed from Unknown to Known, it is recommended that you also add it to the Eligible list. Doing so ensures that all collectors in the zone—not just the current one—can interrogate the device going forward.

Internal Zone Networks

The Internal Zone Networks list contains subnets that your organization owns and manages within a given zone. These represent your true internal network space.

Asset Manager uses this list to define the network perimeter. The final forwarding devices—those “hops” before traffic exits into external networks—are treated as perimeter routers and mark the edge of the internal environment.

The Internal list allows you to label CIDR blocks as Internal for reporting, mapping, and analysis purposes. This designation affects reporting only and does not influence discovery behavior.

By monitoring your Internal list, you can also identify when internal elements become inactive.

As a useful configuration option, the Internal list can help enforce preferred reference addressing. For example, if your management network is 10.1.0.0/16 and you want devices to be identified using that range on maps, you can add 10.1.0.0/16 to the Internal list.

The preference order for Reference IP is:

  1. Mac

  2. IPv4

  3. Internal

  4. Trusted

  5. Known

Avoid Zone Networks

The Avoid list contains IP addresses or CIDR blocks that must be excluded from active discovery within a zone. These represent network ranges that should never be interrogated, such as infrastructure owned by business partners, affiliates, or segments containing sensitive or restricted data.

Any address space added to the Avoid list is skipped during discovery, ensuring that no probes, scans, or data collection activities are directed toward those assets. This setting is applied at the zone level and enforced across all collectors, providing a centralized way to prevent unintended interaction with protected networks.
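
The sketch below is an added example, not Asset Manager code: it models the Eligible-then-Avoid check order from the Eligible Networks section and audits a zone's lists for Eligible entries that overlap Avoid entries before discovery starts. The function names and sample lists are hypothetical, and because the page does not state which list wins when an address is on both, overlaps are reported for manual review rather than resolved.

```python
import ipaddress

def parse(entries):
    """Parse IP/CIDR strings; a bare IP becomes a single-host network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def on_list(addr, networks):
    """True if addr falls inside any network on the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def decide(addr, eligible, avoid):
    """Outcome for a discovered device that is not on the Target list,
    checked in the order the Eligible Networks steps are listed."""
    if on_list(addr, eligible):
        return "interrogate (eligible)"
    if on_list(addr, avoid):
        return "skip (avoid)"
    return "interrogate (not avoided)"

def avoid_conflicts(eligible, avoid):
    """Eligible/Avoid pairs that overlap. The page does not say which list
    wins for such addresses, so each pair needs a manual decision."""
    return [(str(e), str(a)) for e in eligible for a in avoid
            if e.version == a.version and e.overlaps(a)]

if __name__ == "__main__":
    # Constructed sample lists: 10.1.0.0/16 is the page's example range,
    # the others are documentation ranges standing in for partner space.
    eligible = parse(["10.1.0.0/16", "192.0.2.0/24"])
    avoid = parse(["192.0.2.128/25", "198.51.100.0/24"])
    for e, a in avoid_conflicts(eligible, avoid):
        print(f"REVIEW: Eligible {e} overlaps Avoid {a}")
    for device in ["10.1.4.7", "192.0.2.200", "198.51.100.9", "203.0.113.5"]:
        print(f"{device:15} -> {decide(device, eligible, avoid)}")
```

Running the overlap check whenever a newly discovered subnet is added to the Eligible list catches the case where a broad Eligible CIDR silently covers a partner range that was placed on the Avoid list.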