Subnets
Subnets define the IPv4/IPv6 network ranges your scanners will probe. Each subnet is specified in CIDR notation and can be grouped into subnet groups for use in scan templates. Subnets referenced by a group or scan template are protected from deletion.
Inputs
| Name | Description | Allowed Values | Default |
|---|---|---|---|
| Name | Human-readable label for this subnet | Non-empty string, must be unique across subnets | — |
| CIDR | Network range in CIDR notation | Valid IPv4 or IPv6 CIDR (e.g., 192.168.1.0/24, fd00::/64) | — |
| Description | Optional free-text note about this subnet | Any text, max 10,000 characters | Empty |
| Rate Limit | Maximum probes per second allowed against this subnet, protecting the target network | Integer 0–100,000 | 0 (unlimited) |
Fields & Columns
| Name | Description |
|---|---|
| Name | Editable inline — the subnet label |
| CIDR | Editable inline — the network range |
| IPs | Computed host count derived from the CIDR prefix length |
| Description | Editable inline — optional note |
| Rate Limit | Editable inline — max probes per second against this subnet, or "—" if unlimited |
Gotchas
- Subnets that belong to a subnet group or are referenced by a scan template cannot be deleted — remove the references first.
- Each subnet must have at least one scanner assigned before it can be scanned. Assigning a scanner binds it to that subnet, meaning the scanner will probe only the IP range defined by the CIDR. Click a subnet name in the table to open its detail page, then use the Scanners tab to assign scanners.
- Changing the CIDR of an existing subnet does not retroactively update past scan results.
- Deleting a subnet does not destroy historical scan results — those results remain read-only for audit integrity.
- When multiple scanners in a group target the same subnet, the subnet rate limit is divided equally among them. Example: 600 pps with 3 scanners → each limited to 200 pps.
- Rate limiting uses a three-tier model: scanner (hardware capacity), subnet (target network sensitivity), and port list (service sensitivity). The most restrictive non-zero value wins. A value of 0 means unlimited at that tier.
API Calls (8)
| Method | Path | Description |
|---|---|---|
| GET | /api/config/subnets | List all subnets |
| POST | /api/config/subnets | Create a new subnet |
| PUT | /api/config/subnets/:id | Update an existing subnet |
| DELETE | /api/config/subnets/:id | Delete a subnet (if unreferenced) |
| POST | /api/config/subnets/analyze | Analyze CIDR ranges for overlap and host counts |
| GET | /api/config/subnets/:id/details | Get subnet details with associations |
| GET | /api/config/subnets/scannable | List subnets eligible for scanning |
| GET | /api/config/subnets/filter-values | Get available filter values for the subnets table |
Related Pages
- Subnet Groups — Groups multiple subnets for use in scan templates
- Scan Templates — Consumes subnets (or subnet groups) to define what gets scanned
- Scanners — Scanners are assigned to subnets on the subnet detail page
- FQDNs — FQDNs provide domain-based targeting as an alternative to subnet-based targeting
- Scan Template Groups — Template groups aggregate subnet targets across member templates
- Discovery — Discovery lists complement subnets as scan targets