General Best Practices

Note: For agent deployment best practices and considerations, see Deployment Considerations.

With network scans, never scan through or try to bypass devices such as firewalls, switches, etc., that are designed to obfuscate or impede scans (for example, network address translation).
Either put Tenable Nessus scanners in every segment, closest to the host, or run agents locally on the system, which does not require explicitly making an overage of firewall rules. Both solutions require minimal firewall rules to provide connectivity when implemented correctly.
For full visibility into your network, Tenable recommends that you combine agent-based and network scanning to identify risk across your entire network. This approach is especially important for organizations in the United States Federal Government as there are specific laws and acts that mandate you evaluate the entire spectrum of your risk.
For shared resource environments, such as VDI or ESXi, Tenable recommends setting agents' Plugin Compilation Performance to medium or low to ensure that agents have a minimal impact on CPU usage when compiling plugins.

Copyright © 2025 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other products or services are trademarks of their respective owners.