Port Requirements

Tenable Nessus Agent port requirements include Tenable Nessus Agent-specific requirements and manager-specific requirements. Depending on your deployment setup, see the Tenable Nessus Manager and Tenable Nessus Cluster Nodes and Tenable Security Center port requirements.

Tenable Nessus Agent

Your Tenable Nessus Agents require access to specific ports for outbound traffic.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 443

Communicating with Tenable Vulnerability Management.

TCP 8834

Communicating with Tenable Nessus Manager.

Note: The default Tenable Nessus Manager port is TCP 8834. However, this port is configurable and may be different for your organization.

UDP 53

Performing DNS resolution.

Note: Operating system installation commands, such as dnf install, may require other connections besides Tenable Vulnerability Management or Tenable Nessus Manager. Consult your operating system administrator for more information.

Tenable Nessus Manager and Tenable Nessus Cluster Nodes

Your Tenable Nessus instances require access to specific ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port Traffic
TCP 8834

Accessing the Tenable Nessus interface.

Communicating with Tenable Security Center.

Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 25

Sending SMTP email notifications.

TCP 443

Communicating with Tenable Vulnerability Management (sensor.cloud.tenable.com or sensor.cloud.tenablecloud.cn).

Communicating with the plugins.nessus.org server for plugin updates.

UDP 53

Performing DNS resolution.

Tenable Security Center

Your Tenable Security Center instances require access to specific ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port Traffic
TCP 22 Performing remote repository synchronization with another Tenable Security Center.
TCP 443

Accessing the Tenable Security Center interface.

Communicating with Tenable Security Center Director instances.

Communicating with OT Security instances.

Performing the initial key push for remote repository synchronization with another Tenable Security Center.

Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 22 Communicating with Log Correlation Engine for event query.
TCP 25

Sending SMTP email notifications.

TCP 443

Communicating with Tenable Lumin for synchronization.

Communicating with the plugins.nessus.org server for plugin updates.

TCP 1243 Communicating with Tenable Log Correlation Engine.
TCP 8834 Communicating with Tenable Nessus.
TCP 8835 Communicating with Tenable Nessus Network Monitor.
UDP 53

Performing DNS resolution.

Agent Content Distribution Network (CDN)

Dependent on rule logic in place, you may need to adjust your firewall or proxy rules in order to utilize the Agent Content Distribution Network (CDN).

FQDN Updates

The CDN leverages sensor.cloud.tenable.com for downloading plugins and binary updates, uploading scan results, and linking and communicating with Tenable Vulnerability Management. If you have a firewall or proxy rule configured for sensor.cloud.tenable.com then you should not encounter issues. However, if there are stricter rules in place then you need to update your rule set.

IP Allowlisting

The IP addresses associated with sensor.cloud.tenable.com are dynamic and dependent on the locale of the agent and its connectivity to the internet. If you currently have IP-based rules configured for proxies and firewalls you must update the rules based on IP ranges utilized by Amazon CloudFront. Amazon's documentation Locations and IP Address Ranges of CloudFront Edge Servers has a list of the IP ranges available for download.

Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.