A target network specifies the hosts you want to evaluate for
white list compliance. A white list can have more than one target network, and
it evaluates hosts that meet the criteria of any of its targets.
Constrain a target network by IP address or range. In multidomain deployments,
the initial constraints also include a domain.
The default white list targets all monitored hosts: 0.0.0.0/0 and ::/0. In a
multidomain deployment, the default white list is constrained to (and only
available in) the Global domain.
If you modify a target network or a host so that the host is no
longer a valid target for the white list, the host is no longer evaluated by
the white list and is considered neither compliant nor non-compliant.
Refining Target Networks
When you add a target network to a white list, the system
prompts you to survey the network map to help you characterize compliant hosts.
The survey adds a target to the white list that represents the hosts you
You can survey a
subnet or individual host. In a multidomain deployment, you can survey an
entire domain, or you can survey across domains. Surveying an ancestor domain
causes the system to survey that domain's descendants.
In addition to the
added target, the survey also populates the white list with one host profile
for each operating system detected in the survey. These host profiles allow all
the clients, application protocols, web applications, and protocols that the
system has detected on the applicable operating systems.
After you survey a target network (or skip the survey), refine the
target. You can exclude hosts by IP address, or constrain target networks by
host attribute or VLAN.
Targeting Domains with Compliance White Lists
In a multidomain deployment, domains and target networks are closely
Leaf-domain administrators can create white lists that evaluate
hosts within their leaf domains.
Higher-level domain administrators can create white lists that
evaluate hosts across domains. You can target different subnets in different
domains in the same white list.
Consider a scenario where you are a Global domain administrator, and
you want to apply the same compliance criteria to web servers across the entire
deployment. You can create one white list in the Global domain that defines the
compliance criteria. Then, constrain the white list with target networks that
specify the IP space (or individual IP addresses) of the web servers in each
In addition to targeting IP addresses and ranges in leaf domains,
you can also constrain a target network using a higher-level domain. Targeting
a subnet in a higher-level domain targets the same subnet in each of the
descendant leaf domains.
The system builds a separate network map for each leaf domain.
In a multidomain deployment, using literal IP addresses to constrain this
configuration can have unexpected results.
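The targeting rules above can be sketched as a simplified model. This is an added example, not the product's own code: the domain names, host list and function names are constructed for illustration. It shows a host being evaluated when it meets any target, per-address exclusions, and a target in a higher-level domain matching the same literal IP address in more than one leaf domain.

```python
import ipaddress
from dataclasses import dataclass

# Constructed domain tree (child -> parent); all names are hypothetical.
PARENT = {"Global/EU": "Global", "Global/EU/Paris": "Global/EU",
          "Global/EU/Berlin": "Global/EU", "Global/US": "Global"}

@dataclass(frozen=True)
class Target:
    domain: str           # domain the target network is constrained to
    network: str          # CIDR block or single address
    excluded: tuple = ()  # individual addresses excluded from the target

def in_domain(leaf, domain):
    """True if `leaf` is `domain` itself or one of its descendants."""
    while leaf is not None:
        if leaf == domain:
            return True
        leaf = PARENT.get(leaf)
    return False

def is_target(host_ip, host_leaf, targets):
    """A host is evaluated when it meets the criteria of ANY target."""
    ip = ipaddress.ip_address(host_ip)
    for t in targets:
        net = ipaddress.ip_network(t.network, strict=False)
        if ip.version != net.version or not in_domain(host_leaf, t.domain):
            continue
        excluded = {ipaddress.ip_address(e) for e in t.excluded}
        if ip in net and ip not in excluded:
            return True
    return False  # not a valid target: neither compliant nor non-compliant

def evaluated_hosts(hosts, targets):
    """Return the (leaf_domain, ip) pairs the white list would evaluate."""
    return [(leaf, ip) for leaf, ip in hosts if is_target(ip, leaf, targets)]

# Constructed per-leaf network maps: 10.1.1.10 exists in three leaf domains.
HOSTS = [("Global/EU/Paris", "10.1.1.10"), ("Global/EU/Berlin", "10.1.1.10"),
         ("Global/EU/Paris", "10.1.1.20"), ("Global/US", "10.1.1.10"),
         ("Global/US", "2001:db8::5")]

# Default white list: all monitored hosts, constrained to the Global domain.
DEFAULT_TARGETS = [Target("Global", "0.0.0.0/0"), Target("Global", "::/0")]
# One target in a higher-level domain, with one excluded address.
EU_TARGETS = [Target("Global/EU", "10.1.1.0/24", excluded=("10.1.1.20",))]

if __name__ == "__main__":
    for leaf, ip in evaluated_hosts(HOSTS, EU_TARGETS):
        print(f"evaluated: {ip} in {leaf}")
```

With the constructed data, the single `Global/EU` target evaluates 10.1.1.10 in both the Paris and Berlin leaf domains, which are two different hosts in two separate network maps.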