When new assets are imported into the ArcSight Manager using the Network Model wizard, an attempt is made to assign the assets to the appropriate zone from the default network called Local. This process is called auto-zoning.
When the asset is imported, if a zone is found with an address range that includes the imported asset and that zone is located in the Local network, the matching zone is assigned to the asset. For the asset to find the matching zone, the matching zone must either:
Already exist on the ArcSight Manager prior to the import.
Be imported with the asset as part of the same import process—part of the same transaction. Zones are created before assets in the import process.
If no matching zone is found in the network, no zone is assigned.
The following example illustrates the auto-zone process. A zone called DMZCorporate is defined in the Local network on the Manager with a starting address of 192.0.2.0 and an ending address of 192.0.2.22. If an asset called DMZCorpDatabase with an IP address of 192.0.2.11 is imported by the wizard, the DMZCorporate zone is assigned to DMZCorpDatabase asset because the IP address of the DMZCorpDatabase asset is within the range of addresses specified in the DMZCorporate zone, and the DMZCorporate zone is located in the Local network.
Note: Only one asset with a given host name is allowed in a given zone on a network. When two assets with the same host name are imported, and if the Manager assigns them to the same zone in the same network, both assets are imported but one of the assets is disabled and displays with the broken-asset icon in the Console.