Deployment Considerations
When deploying Tenable Nessus, you must consider your network environment, including routing, filters, and firewall policies. These factors can significantly impact the accuracy of your vulnerability scans.
Network Address Translation (NAT) Limitation
Tenable does not recommend deploying Tenable Nessus behind a NAT device unless it is scanning the internal network.
When a vulnerability scan flows through a NAT device or application proxy:
- Data Distortion — Results can be distorted, producing false positives or false negatives.
- Enumeration Failures — Host enumeration and operating system identification are often negatively affected.
Firewalls and Network Devices
Network devices that perform stateful inspection (firewalls, load balancers, and Intrusion Detection/Prevention Systems (IDPS)) may react negatively when Tenable Nessus conducts a scan through them.
- Host-Based Firewalls — Personal or desktop firewalls can drastically limit the effectiveness of a remote vulnerability scan. Depending on the configuration, the firewall may prevent, distort, or hide the probes of a Tenable Nessus scan.
- Mitigation — While Tenable Nessus offers tuning options to reduce impact, the best method to avoid issues with these devices is to perform a credentialed scan.
Port Configuration
The Tenable Nessus user interface uses port 8834. If this port is not already open, consult your firewall vendor's documentation for configuration instructions.
Allow Connections
If the Tenable Nessus server resides on a host with a third-party firewall (for example, ZoneAlarm or Windows Firewall), you must configure it to allow connections from the IP addresses of the clients using Tenable Nessus.
FirewallD
You can configure Tenable Nessus to work with FirewallD. When installing on a system using firewalld, use the following commands to open the required ports:
>> firewall-cmd --permanent --add-service=nessus
>> firewall-cmd --reload
Agent Management Performance
If you configure Tenable Nessus Manager for agent management, Tenable does not recommend using that specific instance as a local scanner.
- Do not configure Tenable Nessus scan zones to include the Tenable Nessus server itself.
- Avoid running network-based scans directly from the Tenable Nessus server.
These configurations can negatively impact agent scan performance.
IPv6 Support
Tenable Nessus supports scanning IPv6-based resources. To perform these scans:
- Interface — You must configure at least one IPv6 interface on the host where Tenable Nessus is installed.
- Network — Tenable Nessus must reside on an IPv6-capable network. You cannot scan IPv6 resources over IPv4, though you can enumerate IPv6 interfaces via credentialed scans over IPv4.
Note: Both full and compressed IPv6 notations are supported when initiating scans.
Limitations
- Global Unicast — Tenable Nessus does not support scanning IPv6 Global Unicast IP address ranges unless you enter the IPs separately in list format.
- Ranges — Tenable Nessus does not support IPv6 ranges expressed as hyphenated ranges or CIDR addresses.
- Link-Local — Tenable Nessus supports link-local ranges using the link6 directive as the scan target or local link with eth0.
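The limitations above are easy to trip over when a target list is pasted in from another tool. The following Python script is an added example (not Tenable's code) that checks each entry of a scan-target list against those rules: single IPv6 addresses in full or compressed notation and the link6 directive pass, IPv6 CIDR prefixes and hyphenated ranges are flagged as unsupported, and a helper rewrites a small prefix as the individual addresses the list format accepts. The comma/newline delimiter and the 256-address expansion cap are assumptions, and the sample targets are constructed documentation addresses.

```python
import ipaddress
from typing import List, Tuple

# Added example, not Tenable code. It checks a scan-target list against the
# IPv6 limitations described above: single addresses (full or compressed
# notation) and the link6 directive are accepted, while IPv6 CIDR prefixes and
# hyphenated ranges are flagged so they can be rewritten in list format.
# Assumption: targets are separated by commas and/or newlines.


def classify_target(entry: str) -> Tuple[str, str]:
    """Return (status, detail) for one target entry.

    status is one of "ok", "unsupported", "error" or "skip".
    """
    e = entry.strip()
    if not e:
        return ("skip", "empty entry")
    if e.lower() == "link6":
        return ("ok", "link6 directive (link-local scan)")
    if ":" not in e:
        # IPv4 addresses and hostnames are outside the IPv6 rules checked here.
        return ("ok", "not an IPv6 entry, not checked")
    if "/" in e:
        try:
            net = ipaddress.IPv6Network(e, strict=False)
        except ValueError:
            return ("error", f"malformed IPv6 CIDR: {e}")
        return ("unsupported",
                f"IPv6 CIDR ranges are not supported; list the "
                f"{net.num_addresses} addresses individually")
    if "-" in e:
        first, last = e.split("-", 1)
        try:
            ipaddress.IPv6Address(first.strip())
            ipaddress.IPv6Address(last.strip())
        except ValueError:
            return ("error", f"malformed IPv6 range: {e}")
        return ("unsupported",
                "hyphenated IPv6 ranges are not supported; list the addresses individually")
    # Single address, optionally with an interface scope such as fe80::1%eth0.
    addr, _, scope = e.partition("%")
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return ("error", f"invalid IPv6 address: {e}")
    detail = f"IPv6 address {ip.compressed}"
    if scope:
        detail += f" (scope {scope})"
    return ("ok", detail)


def validate_targets(text: str) -> List[Tuple[str, str, str]]:
    """Classify every entry in a comma- or newline-separated target list."""
    entries = [part for line in text.splitlines() for part in line.split(",")]
    results: List[Tuple[str, str, str]] = []
    for entry in entries:
        status, detail = classify_target(entry)
        if status != "skip":
            results.append((entry.strip(), status, detail))
    return results


def expand_to_list(cidr: str, max_hosts: int = 256) -> List[str]:
    """Rewrite a small IPv6 prefix as the individual addresses the list format accepts.

    Refuses prefixes larger than max_hosts so a /64 is not expanded by accident.
    """
    net = ipaddress.IPv6Network(cidr, strict=False)
    if net.num_addresses > max_hosts:
        raise ValueError(f"{cidr} has {net.num_addresses} addresses; "
                         f"refusing to expand more than {max_hosts}")
    return [str(ip) for ip in net]


# Constructed sample target list (documentation addresses, not real hosts).
SAMPLE_TARGETS = """2001:db8::1, 2001:0db8:0000:0000:0000:0000:0000:0002
2001:db8::/64
2001:db8::1-2001:db8::ff
fe80::1%eth0
link6
192.0.2.10
2001:db8::zz"""

if __name__ == "__main__":
    for entry, status, detail in validate_targets(SAMPLE_TARGETS):
        print(f"{status:12} {entry:45} {detail}")
    print(expand_to_list("2001:db8::/126"))
```

Running the script over the constructed list prints two accepted addresses, two unsupported range entries, the scoped link-local address, the link6 directive, an IPv4 entry left unchecked, and one malformed address; the expansion of 2001:db8::/126 yields its four individual addresses.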
Antivirus Software
Due to the large number of TCP connections generated during a scan, some antivirus software packages may classify Tenable Nessus as a worm or a form of malware. Antivirus software may also increase your scan processing times.
- Alerts — If your antivirus software triggers a warning, select Allow to let Tenable Nessus continue scanning.
- Allowlisting — If your antivirus allows exceptions, add the following processes to the allowlist:
  - nessusd.exe
  - nessus-service.exe
  - nessuscli.exe

  For more information, see File and Process Allowlist.
Browser Security Warnings
By default, Tenable Nessus uses a self-signed SSL certificate to manage the user interface via HTTPS on port 8834. When you access the interface (for example, https://[server IP]:8834), your browser may show a security warning stating the connection is untrusted or privacy is at risk.
This is normal behavior. You can either accept the risk temporarily or obtain a valid SSL certificate from a registrar.
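Before accepting the warning, a practitioner usually wants to confirm that the certificate presented on port 8834 is the one the Tenable Nessus server generated, not something interposed on the path. The following Python script is an added example (not Tenable's code) that fetches the certificate exactly as presented, without validating it, and compares its SHA-256 fingerprint with a value obtained out of band from the administrator who installed the server. The hostname, port default and expected fingerprint are placeholders, and the certificate used in the test is a constructed stand-in rather than a real one.

```python
import hashlib
import hmac
import ssl

# Added example, not Tenable code. Fetches the certificate a server presents on
# the Tenable Nessus UI port and turns it into the colon-separated SHA-256
# fingerprint browsers display, so it can be compared with a fingerprint
# obtained out of band before the browser warning is accepted.
# Host and expected fingerprint below are placeholders, not values from the page.


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, formatted AA:BB:CC:... like browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int = 8834) -> str:
    """Fetch the server certificate without validating the chain and return its fingerprint.

    ssl.get_server_certificate does not verify the certificate, which is the
    point here: a self-signed certificate would fail verification, and we want
    the certificate exactly as presented in order to compare it out of band.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_from_pem(pem)


def matches_expected(fingerprint: str, expected: str) -> bool:
    """Compare two fingerprints ignoring colons, spaces and case."""
    def normalize(s: str) -> str:
        return "".join(ch for ch in s if ch.isalnum()).upper()
    return hmac.compare_digest(normalize(fingerprint), normalize(expected))


if __name__ == "__main__":
    NESSUS_HOST = "nessus.example.internal"          # placeholder
    EXPECTED = "<fingerprint supplied by the administrator>"  # placeholder
    seen = fetch_fingerprint(NESSUS_HOST)
    print("presented:", seen)
    if matches_expected(seen, EXPECTED):
        print("fingerprint matches; safe to accept the browser warning for this host")
    else:
        print("fingerprint MISMATCH; do not accept the warning until this is explained")
```

Obtaining the expected fingerprint from the server itself, rather than from the browser prompt, is what makes the comparison meaningful; if the two values differ, the browser warning should not be accepted until the discrepancy is explained.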
Bypass SSL Warnings
Depending on your browser, use the following steps to proceed to the Tenable Nessus login page.
| Browser | Instructions |
|---|---|
| Google Chrome or Microsoft Edge | Select Advanced, and then Proceed to example.com (unsafe). Note: Some instances of Google Chrome and Microsoft Edge do not allow you to proceed. If this happens, Tenable recommends using a different browser. |
| Mozilla Firefox | Select I Understand the Risks, then Add Exception. Select Get Certificate, then Confirm Security Exception. |