Excluding IP addresses and host names from discovery scans
Exclusion objects define ranges of IPv4 addresses and ports that you do not want the Discovery engine to scan. You can also exclude certificates and SSH server keys already being managed in the Policy tree from discovery, or you can exclude certificates from discovery based on the certificate’s Issuer or Subject DN.
To apply these exclusions to individual discoveries, you must reference the Exclusion objects in the Discovery object configuration. For information on configuring Discovery objects to reference an Exclusion object, see Specifying discovery exclusion objects.
To create an Exclusion
- From the TLS Protect menu bar, click Policy Tree.
IMPORTANT You must have the View and Create permissions to the root Discovery object to create Exclusion objects.
- In the Discovery tree, select the root Discovery object or the Discovery folder where you want to create the Exclusion object.
- Click Add > Exclusion.
- Refer to the following settings to configure the remaining fields:
General

- Rule Name: Enter a name for the exclusion.
- Description: Custom description for the exclusion.
- Contact: User or group Identities assigned to this object. Default system notifications are sent to the contact identities. Default contact = master administrator.
  To select the object contacts:
  - Click the Browse button. The Identity Selector dialog opens.
  - If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, you can enter the wildcard character (*).
  - Select a User or Group Identity, and then click Select. Press Shift+click to select multiple, contiguous objects. Press Ctrl+click to select multiple, discontiguous objects.

Exclude

Allows you to define the IPv4 addresses and ports you want to exclude from discovery. You can exclude IPv4 addresses with their associated ports, port ranges, or both.
If you enter duplicate IPv4 address and port settings in the Exclusion object, the Summary tab duplicates the exclusions in the scan results. For example, if you added the same IPv4 address and port to the Exclusion object four times, the Summary tab would report four ports excluded.

- Addresses, Hostnames, and/or CIDR definitions: Range of IPv4 addresses that you want to exclude from Discovery. For example, if you want to exclude IP addresses 192.168.0.1 through 192.168.0.100 inclusive, type 192.168.0.1 in the first text box and 192.168.0.100 in the second text box. If you want to exclude only one device, type the IPv4 address in the first box.
- Port Range(s): Ranges of ports that you want to exclude from discovery on all scanned IPv4 addresses.

These addresses and ports will not be scanned by any associated discovery.

Ignore

- Managed DN(s): Allows you to ignore certificates that are already under management in the designated DNs. When you choose to ignore managed keys found within a designated DN in the Policy tree, those objects are filtered out of the Discovery results. That is, the Discovery engine continues to find them; you just don't see them in the Discovery results. When you specify a DN to ignore, the Discovery Server ignores all certificates from that point down in the Policy tree.
- Issuer DN Regular Expression(s): Excludes a certificate from discovery based on a regular expression applied to the issuer DN (CA). The regular expression is used only to exclude certificates from the discovery. It cannot be used to select certificates.
  For example, if your system has HP LaserJet printers, you can use the following regular expression to exclude HP LaserJet certificates from discovery:
  O=Hewlett-Packard\sCo.,\sCN=HP\sJetdirect
  If you want to do a simple "contains" statement, you can enter:
  Jetdirect
- Subject DN Regular Expression(s): Excludes a certificate from discovery based on a regular expression applied to the subject DN. The regular expression is used only to exclude certificates from the discovery. It cannot be used to select certificates.
  For example, the following regular expression excludes from discovery all certificates issued to NonCorp.com:
  (cn=.*?noncorp.com.*|dc=noncorp.*)
  If you want to do a simple "contains" statement, you can enter:
  noncorp.com
- When you're finished, click Save.
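The following added example (not Venafi's code; the `Exclusion` class, its field names and the sample findings are assumptions constructed for illustration) models how the Exclude and Ignore settings above filter raw discovery results: an inclusive address range, a single-device entry, a port range applied to every scanned address, the issuer and subject DN regexes from this page (matched case-insensitively, which is an assumption), and the Summary-tab behaviour of counting a duplicated port entry twice.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Exclusion:
    """Assumed model of one Discovery Exclusion object's Exclude/Ignore fields."""
    address_ranges: list = field(default_factory=list)  # (first, last); last None = one device
    port_ranges: list = field(default_factory=list)     # (low, high), inclusive, all scanned IPs
    issuer_regexes: list = field(default_factory=list)
    subject_regexes: list = field(default_factory=list)

    def excludes_endpoint(self, ip, port):
        """True if the address is inside any range or the port inside any port range."""
        addr = ipaddress.ip_address(ip)
        for first, last in self.address_ranges:
            lo = ipaddress.ip_address(first)
            hi = ipaddress.ip_address(last) if last else lo  # one box filled = single device
            if lo <= addr <= hi:
                return True
        return any(low <= port <= high for low, high in self.port_ranges)

    def excludes_certificate(self, issuer_dn, subject_dn):
        """Regexes can only exclude; a bare literal such as 'Jetdirect' acts as 'contains'.
        Case-insensitive matching is an assumption of this example."""
        return any(re.search(p, issuer_dn, re.IGNORECASE) for p in self.issuer_regexes) or any(
            re.search(p, subject_dn, re.IGNORECASE) for p in self.subject_regexes)

    def excluded_port_count(self):
        """Summary-tab style count: a port listed twice is reported twice, as the page notes."""
        return sum(high - low + 1 for low, high in self.port_ranges)

def filter_results(exclusion, endpoints, certs):
    """Return the (endpoints, certificates) a discovery would still report."""
    kept_endpoints = [e for e in endpoints if not exclusion.excludes_endpoint(*e)]
    kept_certs = [c for c in certs if not exclusion.excludes_certificate(*c)]
    return kept_endpoints, kept_certs

# Constructed sample data: one exclusion object plus raw discovery findings.
EXCLUSION = Exclusion(
    address_ranges=[("192.168.0.1", "192.168.0.100"), ("10.0.0.5", None)],
    port_ranges=[(8443, 8443), (8443, 8443)],  # deliberate duplicate entry
    issuer_regexes=[r"O=Hewlett-Packard\sCo.,\sCN=HP\sJetdirect"],
    subject_regexes=[r"(cn=.*?noncorp.com.*|dc=noncorp.*)"],
)
ENDPOINTS = [("192.168.0.50", 443), ("192.168.0.150", 443), ("10.0.0.5", 443),
             ("10.0.0.6", 8443), ("10.0.0.6", 443)]
CERTS = [("O=Hewlett-Packard Co., CN=HP Jetdirect", "CN=printer01"),
         ("CN=Corp Issuing CA", "CN=www.noncorp.com"),
         ("CN=Corp Issuing CA", "CN=www.corp.example")]
```

Running `filter_results(EXCLUSION, ENDPOINTS, CERTS)` keeps only the endpoints outside the address range, not the single excluded device, and not on port 8443, and only the certificate that matches neither DN regex.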
Next step: Specifying discovery exclusion objects