Link to Tenable Vulnerability Management

During initial installation, you can install Tenable Nessus as a remote scanner linked to Tenable Vulnerability Management. If you choose not to link the scanner during initial installation, you can link your Tenable Nessus scanner later. Once you link Tenable Nessus to Tenable Vulnerability Management, it remains linked until you unlink it.

Note: If you use domain allow lists for firewalls, Tenable recommends adding *.cloud.tenable.com (with the wildcard character) to the allow list. This ensures communication with sensor.cloud.tenable.com, which the scanner uses to communicate with Tenable Vulnerability Management.

Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

Before you begin:

  • Configure Tenable Nessus as described in Configure Tenable Nessus.
  • If the Tenable Nessus scanner is or was previously linked to Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus Manager, you need to unlink the scanner or run the nessuscli fix --reset-all command (for more information, see Fix Commands).

To link Tenable Nessus to Tenable Vulnerability Management from the Tenable Nessus user interface:

  1. On the Welcome to Nessus screen, select Managed Scanner.

  2. Click Continue.

    The Managed Scanner screen appears.

  3. From the Managed by drop-down box, select Tenable Vulnerability Management.

  4. In the Linking Key box, type the linking key of your Tenable Vulnerability Management instance.

  5. (Optional) If you want to use a proxy, select Use Proxy.

    Configure the proxy settings in Settings.

  6. (Optional) To configure advanced settings such as proxy, plugin feed, and encryption password, click Settings.

    • (Optional) In the Proxy tab:
      1. In the Host box, type the hostname or IP address of your proxy server.

      2. In the Port box, type the port number of the proxy server.

        Note: To view the ports that Tenable products require, see the What ports are required for Tenable products? knowledge base article.
      3. In the Username box, type the name of a user account that has permissions to access and use the proxy server.
      4. In the Password box, type the password of the user account that you specified in the previous step.
      5. In the Auth Method drop-down box, select an authentication method to use for the proxy. If you do not know, select AUTO DETECT.
      6. If your proxy requires a preset user agent, in the User-Agent box, type the user agent name; otherwise, leave it blank.
      7. Click Save.
    • (Optional) In the Plugin Feed tab:
      1. In the Custom Host box, type the hostname or IP address of a custom plugin feed.
      2. Click Save.
    • (Optional) In the Encryption Password tab:

      1. In the Password box, type an encryption password.

        If you set an encryption password, Nessus encrypts all policies, scans results, and scan configurations. You must enter the password when Tenable Nessus restarts.

        Caution: If you lose your encryption password, it cannot be recovered by an administrator or Tenable Support.

      2. Click Save.

  7. Click Continue.

    The Create a user account screen appears.

  8. Create a Tenable Nessus administrator user account that you use to log in to Tenable Nessus:
    1. In the Username box, enter a username.

    2. In the Password box, enter a password for the user account.

      Note: Passwords cannot contain Unicode characters.

  9. Click Submit.

    Tenable Nessus finishes the configuration process, which may take several minutes.

  10. Using the administrator user account you created, Sign In to Tenable Nessus.

To link Tenable Nessus to Tenable Vulnerability Management from the command line interface (CLI):

If you registered or linked Tenable Nessus previously, you need to reset Tenable Nessus before linking to Tenable Vulnerability Management.

Run the following commands to reset Tenable Nessus and link to Tenable Vulnerability Management based on your operating system. To retrieve the linking key needed in the following commands, see Link a Sensor in the Tenable Vulnerability Management User Guide.

Note: The --reset-all command used in the following steps removes any existing users, data, settings, and configurations. Tenable recommends exporting scan data and creating a backup before resetting. For more information, see Backing Up Tenable Nessus.
Note: When running the adduser command in the following steps, create the user as a full administrator/system administrator when prompted.
Note: You must have root permissions or greater to run the link commands successfully.

  1. Open the Linux CLI.

  2. Run the following commands in the listed order:

    # service nessusd stop
    # cd /opt/nessus/sbin
    # ./nessuscli fix --reset-all
    # ./nessuscli adduser

  3. Do one of the following:

    • If you are linking to a Tenable Vulnerability Management FedRAMP site, run the following link command:

      # /opt/nessus/sbin/nessuscli managed link --key=<key> --host=fedcloud.tenable.com --port=443

    • If you are not linking to a FedRAMP site, run the following link command:

      # ./nessuscli managed link --key=<LINKING KEY> --cloud

      Tip: There are many scanner options that you can configure by adding optional parameters to the managed link command (for example, scanner name, custom CA path, and proxy server information). For more information, see Managed Scanner Commands.

  4. Run the following linking command:

    # service nessusd start

Note: You must have admin permissions to run the link commands successfully.

  1. Open the Windows CLI.

  2. Run the following commands in the listed order:

    > net stop "tenable nessus"
    > cd C:\Program Files\Tenable\Nessus
    > nessuscli fix --reset-all
    > nessuscli adduser

  3. Do one of the following:

    • If you are linking to a Tenable Vulnerability Management FedRAMP site, run the following link command:

      > \opt\nessus\sbin\nessuscli managed link --key=<key> --host=fedcloud.tenable.com --port=443

    • If you are not linking to a FedRAMP site, run the following link command:

      > nessuscli managed link --key=<LINKING KEY> --cloud

      Tip: There are many scanner options that you can configure by adding optional parameters to the managed link command (for example, scanner name, custom CA path, and proxy server information). For more information, see Managed Scanner Commands.

  4. Run the following command:

    > net start "tenable nessus"
Note: You must have admin permissions to run the link commands successfully.

  1. Open Terminal.

  2. Run the following commands in the listed order:

    # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
    # /Library/Nessus/run/sbin/nessuscli fix --reset-all
    # /Library/Nessus/run/sbin/nessuscli adduser

  3. Do one of the following:

    • If you are linking to a Tenable Vulnerability Management FedRAMP site, run the following link command:

      # /opt/nessus/sbin/nessuscli managed link --key=<key> --host=fedcloud.tenable.com --port=443

    • If you are not linking to a FedRAMP site, run the following link command:

      # /Library/Nessus/run/sbin/nessuscli managed link --key=<LINKING KEY> --cloud

      Tip: There are many scanner options that you can configure by adding optional parameters to the managed link command (for example, scanner name, custom CA path, and proxy server information). For more information, see Managed Scanner Commands.

  4. Run the following command:

    # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist