OT Agents

Use an OT Agent to scan remote Windows machines where sensor installation is not possible. OT Agent uses active queries to scan duplicated and active query networks listed under Monitored Networks. For more information about active queries, see Manage Active Queries.

To scan networks, first install and configure the OT Agent. The following sections describe how to install, configure, and run scans using the OT Agent.

  1. Download the OT Agent

  2. Install the OT Agent

  3. Configure the OT Agent

  4. Run scans

Install the OT Agent

Before you Begin

  • Download the OT Agent from the Tenable downloads portal.

  • Make sure you have administrator permissions on the Windows machine.

Note: The default ports for pairing and connection are 443 and 28306 respectively. For information about ports, see Firewall Considerations

To install the OT Agent:

  1. Transfer the install file (Tenable-OT-Agent-version.msi) to the Windows machine.

  2. Click the .msi install file to open the installation wizard.

  3. In the OT-Agent Setup Wizard window, click Next.

    The Enter ICP Details window appears.

  4. Select one of the following:

    • This is the default option. If you selected this option, perform the following steps:

      1. In OT Security, navigate to Data Collection > Data Sources.

        The Data Sources page appears.

      2. Click the Agents tab.

        The Agents page appears.

      3. In the upper-right corner, click Generate Pairing Key.

        The Generate Agent Pairing Key panel appears.

      4. In the ICP IP/Host box, provide the IP address or the hostname of the ICP.

      5. In the Expiration Period drop-down box, retain the default 90 days or specify the number of days after which the key expires.

      6. In the Description box, provide a description for the key.

      7. Click Next.

        OT Security generates the pairing key.

      8. Click the button to copy the pairing key.

      9. Click Done.

        OT Security closes the panel.

      10. Navigate back to the Windows host machine.

      11. In the Pairing Key box, paste the pairing key you copied from the ICP.

    • If you select this option, the relevant fields appear where you can provide the required details for the ICP.

      1. In the ICP Address box, type the IP address of the ICP.

      2. In the ICP Username box, type the name of the ICP machine.

      3. In the ICP Password box, type the password of the ICP machine.

      4. In the API Key box, provide the API key generated from the ICP. See Generate API Keys.

      5. In the Certificate Fingerprint box, provide the fingerprint generated from the ICP. See Certificates.

    Note: The pairing key and certificates are only required for the pairing process. Once pairing is complete, you can delete the pairing key and certificate, if needed.

  5. Click Next.

    The Destination Folder window appears.

  6. In the Install OT-Agent to: box, retain the default destination or provide the path to install the OT Agent and click Next.

  7. Click Install.

    The installer installs the OT Agent and lists it on the Agents tab in OT Security with the status Pending Configuration.

  8. Click Finish to close the installer.

    Note: If there are issues with the pairing, you can use the Repair option in the OT Agent installation wizard to provide the pairing details again.

  9. To automatically approve the pairing request, click to enable the Auto-Approve Agent Pairing Requests toggle.

    If this option is not enabled, do the following:

    • Right-click the newly added OT Agent.

      A menu appears.

    • Select the checkbox next to the OT Agent.

      OT Security enables the Actions > Approve menu.

  10. Click Approve.

    OT Security approves the agent pairing and changes the status to Pending Configuration.

    Note: Before you run the OT Agent, ensure that its configuration is complete, even if the Auto-Approve Agent Pairing Requests option is enabled.

What to do next

Configure the OT Agent

Configure the OT Agent

Before you Begin

  • Install the OT-Agent.

To configure the OT Agent:

  1. In the Agents tab, do one of the following:

    • Right-click the newly added OT Agent.

      A menu appears.

    • Select the checkbox next to the OT Agent.

      OT Security enables the Actions > Configure menu.

  2. Click Configure.

    The Configure Agent panel appears.

  3. In the Name box, type a name for the agent.

  4. In the Active Query box, provide the IP addresses of the networks to scan.

    Note: The OT Agent scans only those active query network IP addresses that are part of the Monitored Networks (Environment Settings > Network Definitions > Monitored Networks).

  5. (Optional) Click the Run Schedule Scan toggle to enable scheduled scans.

    OT Security enables the Repeats Every drop-down box.

  6. (Optional) Specify the minutes, hours, days, or weeks as required.

  7. In the Credentials box, select the required credentials from the drop-down.

    Note: The credentials you create in Active Queries > Credentials appear in the drop-down. For more information, see Credentials.

  8. Click Save.

    OT Security updates OT Agent's status to Connected.

What to do next

Run Scans

Run Scans using OT Agent

  1. In the Data Sources > Agents tab, do one of the following:

    • Right-click the newly added OT Agent.

      A menu appears.

    • Select the checkbox next to the OT Agent.

      OT Security enables the Actions > Scan Now menu.

  2. Click Scan Now.

    OT Security changes the status of the agent to Scanning and starts scanning the specified networks. After OT Security completes the scan, you can click the number of assets link in the Reported Assets column in the Agents table to view the filtered results in the Inventory page.

Delete OT Agent

Uninstalling the OT Agent from the Windows machine changes the status of the agent to Disconnected in OT Security.

To delete an OT Agent:

  1. In the Windows machine, open the installer and click Remove.

  2. Follow the steps in the wizard to uninstall the agent.

    OT Agent gets uninstalled from the Windows machine.

  3. Navigate to the Data Sources > Agents tab in OT Security.

    OT Security updates the status of the agent to Disconnected.

  4. Do one of the following:

    • Right-click the newly added OT Agent.

      A menu appears.

    • Select the checkbox next to the OT Agent.

      OT Security activates the Actions > Delete menu.

  5. Click Delete.

    OT Security deletes the OT Agent.

    Note: If there are associated duplicated networks, you must first delete them before deleting the agent.

Install OT Agents using CLI

You can use CLI commands to install OT Agent with pairing key, ICP credentials, or API key. You can also uninstall OT Agent via CLI.

Before you begin

  • Download the OT Agent installer from the Tenable Downloads portal.

To install OT Agent with pairing key, run the following command:

Copy 
msiexec.exe /i "<OtAgentInstaller.msi>" /qn PAIRING_KEY="<PairingKey>"

Where:

  • OtAgentInstaller.msi is the installation file.

  • PairingKey is the key that you generate from the Data Collection > Data Sources > Agents tab in OT Security.

Example:

Copy 
msiexec.exe /i "OtAgentInstaller.msi" /qn PAIRING_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxoxxxxxxxxxxxx"

To install OT Agent with username and password, run the following command:

Copy 
msiexec.exe /i "<OtAgentInstaller.msi>" /qn ICP_ADDRESS="<IpAddress>" ICP_USERNAME="<Username>" ICP_PASSWORD="<Password>" ICP_FINGERPRINT="<CertFingerprint>"

Where:

  • OtAgentInstaller.msi is the installation file.

  • IpAddress is the IP address of the ICP.

  • Username is the username to log in to the ICP.

  • Password is the ICP password.

  • CertFingerprint is the certificate that you generate in OT Security.

Example:

Copy 
msiexec.exe /i "OtAgentInstaller.msi" /qn ICP_ADDRESS="XX.XXX.XX.XX" ICP_USERNAME="admin" ICP_PASSWORD="xxxxxxx" ICP_FINGERPRINT="XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"

To install with API Key, run the following command:

Copy 
msiexec.exe /i "<OtAgentInstaller.msi>" /qn ICP_ADDRESS="<IpAddress>" ICP_APIKEY="<APIKey>" ICP_FINGERPRINT="<CertFingerprint>"

(Optional parameter) INSTALLBASE='"<FullDirPath>"'

Where:

  • OtAgentInstaller.msi is the installation file.

  • IpAddress is the IP address of the ICP.

  • APIKey is the API Key generated from the ICP.

  • CertFingerprint is the certificate generated from the ICP.

  • FullDirPath is the path of the installation directory.

Example 1:

Copy 
msiexec.exe /i "OtAgentInstaller.msi" /qn ICP_ADDRESS="XX.XXX.XX.XX" ICP_APIKEY="kxxxxxxxxxxxxxxxxx_xxxxxxxx=" ICP_FINGERPRINT="XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Example 2: Using the INSTALLBASE parameter:

Copy 
msiexec.exe /i "OtAgentInstaller.msi" /qn ICP_ADDRESS="xx.xxx.xx.xx" ICP_APIKEY="xxxxxxxxxxxxxxx_xxxxxxxxxxx=" ICP_FINGERPRINT="XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX" INSTALLBASE='"C:\Program Files\AAA"'

To uninstall OT Agent, run the following command:

Copy 
msiexec.exe /x "<OtAgentInstaller.msi>" /qn

Where:

  • OtAgentInstaller.msi is the installation file.