SNMPv3 Integration

Required User Role: Standard, Scan Manager, or Administrator

Tenable Nessus Manager provides an option for CyberArk SNMPv3.

Before you begin:

  • Ensure you have both a Tenable Nessus Manager account and a CyberArk account.

To integrate Tenable Nessus Manager with CyberArk using SNMPv3 credentials:

  1. Log in to your Tenable user interface.

  2. In the left navigation pane, click Scans.

    The Scans page appears.

  3. Click + New Scan.

    The Select a Scan Template page appears.

  4. Select a scan template.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.
  6. In the Targets box, type an IP address, hostname, or range of IP addresses.
  7. (Optional) Add a description, folder location, scanner location, and specify target groups.

  8. Click the Credentials tab.

    The Credentials pane appears.

  9. In the Select a Credential menu, select the Host drop-down.

  10. Select SNMPv3.

    The Settings pane appears.

  11. In the SNMPv3 Authentication Method drop-down, select CyberArk.

    The CyberArk options appear.

  12. Configure each option for SNMPv3 authentication.

    Caution: Tenable strongly recommends encrypting communication between the Nessus scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Nessus User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

    Note: The SNMPv3 credential with the CyberArk authentication type always uses the same account for all the targets. Unlike SSH, Windows, and Database, there is no way to separate accounts by target IP/FQDN. This is because the credential currently does not collect an Account Name/Identifier and has no other way of specifying the Authentication Password and Privacy Password. Tenable recommends that the same username and address be assigned to a single pairing of SNMPv3 and SNMPv3PrivacyKey within CyberArk.

    Options, with a description of each and whether it is required:

    Username (required)
      The username for the SNMPv3 account that Tenable Vulnerability Management uses to perform checks on the target system.

    Port (required)
      The TCP port that SNMPv3 listens on for communications from Tenable Vulnerability Management. By default, Tenable uses 161.

    SNMPv3 Authentication Method (required)
      The authentication method for SNMPv3. Available options:
      • Password Entry
      • CyberArk
      Note: Select CyberArk from the options.

    Security Level (required)
      The security level for SNMP (set to Authentication and privacy by default):
      • No authentication and no privacy
      • Authentication without privacy
      • Authentication and privacy

    Authentication Algorithm (required)
      The authentication algorithm the remote service supports: SHA1, SHA224, SHA-256, SHA-384, SHA-512, or MD5.

    Privacy Algorithm (required)
      The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES.

    CyberArk Host (required)
      The IP address or FQDN of the CyberArk AIM Web Service. This can be the host alone, or the host with a custom URL appended in a single string.

    CyberArk Port (required)
      The port on which the CyberArk API communicates. By default, Tenable uses 443.

    AppID (required)
      The Application ID associated with the CyberArk API connection.

    Safe (optional)
      The CyberArk safe from which the credential should be retrieved.

    Username (optional)
      (If Get credential by is set to Username) The username of the CyberArk user whose password is requested.

    Account Name (optional)
      (If Get credential by is set to Identifier) The unique account name or identifier assigned to the CyberArk API credential.

    CyberArk Address (optional)
      Use this option only if the Address value is unique to a single CyberArk account credential.

    Folder (optional)
      The folder of the credential.

    Database (optional)
      The database of the credential.

    Query (optional)
      Specify a custom “free query” using account properties. When this method is specified, all other search criteria are ignored.

    Query Format (optional)
      Defines the query format. Allowed values are Exact and Regexp. The default is Exact. This value is ignored unless the Query option was specified.

    Client Certificate (optional)
      The file that contains the PEM certificate used to communicate with the CyberArk host.

    Client Certificate Private Key (required if a private key is applied)
      The file that contains the PEM private key for the client certificate.

    Client Certificate Private Key Passphrase (required if a private key is applied)
      The passphrase for the private key, if required.

    Use SSL (optional)
      If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

    Verify SSL Certificate (optional)
      If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

  13. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
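As an added illustration (not Tenable's or CyberArk's code), the following Python shows how the CyberArk options above map onto a Central Credential Provider lookup: the Query precedence, the custom-path form of CyberArk Host, the default port, and the TLS and client-certificate options from the caution. The endpoint path and parameter names (AppID, Safe, Folder, UserName, Object, Address, Database, Query, QueryFormat, Content) follow CyberArk's CCP documentation and are assumptions as far as this page goes; the host, AppID and safe values are placeholders.

```python
import json
import ssl
import urllib.parse
import urllib.request
# Constructed configuration mirroring the CyberArk options of the SNMPv3
# credential; host, AppID and safe are placeholders, not real values.
EXAMPLE_CONFIG = {
    "cyberark_host": "ccp.example.internal", "cyberark_port": 443, "app_id": "NessusSNMPv3",
    "safe": "SNMP-Safe", "folder": "Root", "username": "snmp-scan",
    "use_ssl": True, "verify_ssl": True,
}
CRITERIA = (("safe", "Safe"), ("folder", "Folder"), ("username", "UserName"),
            ("account_name", "Object"), ("address", "Address"), ("database", "Database"))

def build_lookup(cfg):
    """Return (url, params): a Query replaces every other search criterion and
    QueryFormat is sent only with a Query; 'host/custom/path' keeps its path."""
    params = {"AppID": cfg["app_id"]}
    if cfg.get("query"):
        params["Query"] = cfg["query"]
        params["QueryFormat"] = cfg.get("query_format") or "Exact"
    else:
        params.update((name, cfg[key]) for key, name in CRITERIA if cfg.get(key))
    host, _, path = cfg["cyberark_host"].partition("/")
    url = "%s://%s:%d/%s" % ("https" if cfg.get("use_ssl", True) else "http", host,
                             cfg.get("cyberark_port") or 443,
                             path or "AIMWebService/api/Accounts")  # CCP path, assumed
    return url + "?" + urllib.parse.urlencode(params), params

def configuration_warnings(cfg):
    """Flag settings that leave the scanner-to-CCP channel unencrypted or unauthenticated."""
    warnings = []
    if not cfg.get("use_ssl", True):
        warnings.append("Use SSL is off: the password is fetched in cleartext")
    elif not cfg.get("verify_ssl", True):
        warnings.append("Verify SSL Certificate is off: the CCP host is not authenticated")
    if not cfg.get("client_cert"):
        warnings.append("no client certificate: only the AppID identifies the scanner")
    return warnings

def fetch_password(cfg):
    """Perform the lookup over TLS; the secret is the 'Content' field of the reply."""
    ctx = ssl.create_default_context()
    if not cfg.get("verify_ssl", True):  # Verify SSL Certificate option
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if cfg.get("client_cert"):           # Client Certificate, Private Key, Passphrase
        ctx.load_cert_chain(cfg["client_cert"], cfg.get("client_key"),
                            cfg.get("client_key_passphrase"))
    with urllib.request.urlopen(build_lookup(cfg)[0], context=ctx, timeout=10) as resp:
        return json.load(resp)["Content"]
```

Running configuration_warnings against a credential definition before saving it surfaces the unencrypted or unverified settings the caution above warns about; fetch_password needs a reachable CCP host and is not exercised offline.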

What to do next

Verify the integration is working:

  1. On the My Scans page, click the Launch button to initiate an on-demand scan.

  2. Once the scan completes, select the completed scan and look for the following result:

    For SNMPv3: Plugin ID 141118. This result confirms that it was possible to log in to the target SNMPv3 host with the credentials provided by CyberArk.