When deploying Tenable Nessus, knowledge of routing, filters, and firewall policies is often helpful. Deploying behind a NAT device is not desirable unless the scanner is scanning the internal network. Any time a vulnerability scan flows through a NAT device or an application proxy of some sort, the check can be distorted and a false positive or false negative can result.
In addition, if the system running Tenable Nessus has personal or desktop firewalls in place, these tools can drastically limit the effectiveness of a remote vulnerability scan. Host-based firewalls can interfere with network vulnerability scanning. Depending on your firewall’s configuration, it may prevent, distort, or hide the probes of a Tenable Nessus scan.
Certain network devices that perform stateful inspection, such as firewalls, load balancers, and Intrusion Detection/Prevention Systems, may react negatively when Tenable Nessus conducts a scan through them. Tenable Nessus has several tuning options that can help reduce the impact of scanning through such devices, but the best method to avoid the problems inherent in scanning through such network devices is to perform a credentialed scan.
If you configure Tenable Nessus Manager for agent management, Tenable does not recommend using Tenable Nessus Manager as a local scanner. For example, do not configure Tenable.sc scan zones to include Tenable Nessus Manager and avoid running network-based scans directly from Tenable Nessus Manager. These configurations can negatively impact agent scan performance.
This section contains the following deployment considerations: