Zones are ArcSight resources that represent a functional part of the network with contiguous IP addresses, such as DMZ, VPN, wireless LAN, or DHCP.
Every asset or address range is associated with a zone. ArcSight is configured with the standard global IP address ranges represented as zones, so if your network uses only these public IP addresses, ArcSight can resolve them without setting up additional zones.
Zone groups are folders in which one or more zone resources are stored. Although the assets contained in a zone do not inherit the properties of a zone, the zone groups are hierarchical, which means that properties assigned to a zone group apply to all the zones contained within that group.
The following zones are standard:
Create your own zones if you have overlapping private networks. Private networks usually model a functional group within your network or a subnet, such as a wireless LAN, the engineering network, the VPN, or the DMZ.
For details about using the zone editor, see Managing Zones.
The asset auto-creation feature (see Asset Auto-Creation) relies on zones that are already in place before device discovery occurs, either in customer-created zones, or in default zones. When you add a SmartConnector, you assign one or more existing Networks to that Connector. All assets reported by that Connector are then associated with that Network and the zones the Network represents.
The system differentiates dynamic and static zones to classify the represented asset types.
Static Zones
Devices in a static zone use static (constant) IP addresses. These are devices that stay on the network and use the same IP address for all traffic. In order to identify assets in static zones, the assets must have either a unique IP address, a unique host name, or both.
Dynamic Zones
Devices in a dynamic zone use dynamic addressing (such as DHCP). Dynamic zones represent assets that come and go from the network, such as laptops. By default, the system requires either a MAC address or a host name to identify assets in dynamic zones. The system first looks for a MAC address; if not available, the host name is used.
Caution: Classifying Zones as Static or Dynamic
It is important that zones are classified properly as dynamic or static.
If a zone is classified as static, but hosts assets that come and go from the network, the system may not be able to update the network model properly. For example:
The updated network might have duplicate and disabled assets.
Other information, such as vulnerability information and open ports, might not be updated properly.
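The following check is an added example, not ArcSight code or part of the original documentation. It looks through observed (IP, MAC, host name) records for zones marked static in which one device appears under several IP addresses, and for devices in dynamic zones that report neither a MAC address nor a host name. The zone names, address ranges, observation records, and the zone_for and audit functions are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone definitions (names, ranges and classification are sample values).
ZONES = {
    "Engineering LAN": {"cidr": "10.10.0.0/24", "dynamic": False},
    "Wireless LAN": {"cidr": "10.20.0.0/24", "dynamic": True},
}

# Constructed observations: (ip, mac, hostname) as a connector might report them.
OBSERVATIONS = [
    ("10.10.0.5", "00:11:22:33:44:55", "build01"),
    ("10.10.0.5", "00:11:22:33:44:55", "build01"),
    ("10.10.0.40", "66:77:88:99:aa:bb", "lt-alice"),
    ("10.10.0.87", "66:77:88:99:aa:bb", "lt-alice"),  # same laptop, new lease
    ("10.20.0.12", "cc:dd:ee:ff:00:11", "lt-bob"),
    ("10.20.0.13", None, None),  # nothing to identify it by
]


def zone_for(ip):
    """Return the name of the zone whose range contains ip, or None."""
    addr = ip_address(ip)
    for name, z in ZONES.items():
        if addr in ip_network(z["cidr"]):
            return name
    return None


def audit(observations):
    """Return (static zones that look dynamic, unidentifiable dynamic-zone IPs)."""
    ips_by_device = defaultdict(set)   # (zone, device id) -> IPs seen
    unidentifiable = []
    for ip, mac, host in observations:
        zone = zone_for(ip)
        if zone is None:
            continue
        device = mac or host           # MAC first, then host name
        if ZONES[zone]["dynamic"]:
            if device is None:
                unidentifiable.append((zone, ip))
        elif device is not None:
            ips_by_device[(zone, device)].add(ip)
    roaming = {k: sorted(v) for k, v in ips_by_device.items() if len(v) > 1}
    return roaming, unidentifiable


if __name__ == "__main__":
    print(audit(OBSERVATIONS))
```

A device listed in the first result is a candidate for the duplicate and disabled assets described above. Its zone should be reviewed for reclassification as dynamic.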
Static Assets in Dynamic Zones
If an asset is classified as static, but belongs to a dynamic zone, the system treats the asset as if it were in a static zone. See the description and links above for how the asset auto-creation feature works for static zones.