Advanced Settings

The Advanced Settings page allows you to manually configure Nessus. You can configure advanced settings from the Nessus user interface, or from the command line interface. Nessus validates your input values to ensure only valid configurations are allowed.

Advanced Settings are grouped into the following categories:


  • Advanced settings apply globally across your Nessus instance.

  • To configure advanced settings, you must use a Nessus administrator user account.
  • Not all advanced settings are automatically populated in the Nessus interface.
  • Changes may take several minutes to take effect.
  • Settings that require restarting Nessus for the change to apply are indicated by the icon in the user interface.
  • Custom policy settings supersede the global advanced settings.

User Interface




Default Valid Values

Allow Post-Scan Editing


Allows a user to make edits to scan results after the scan is complete.

yes yes or no
Disable API disable_api Disables the API, including inbound HTTP connections. Users cannot access Nessus via the user interface or the API.


yes or no

Disable Frontend disable_frontend Disables the Nessus user interface. Users can still use the API.


yes or no

Disable Tenable News disable_rss In Nessus Essentials or Nessus Professional trial, the left navigation bar displays a Tenable news widget. Use this setting to disable the widget.


yes or no

Disable UI disable_ui Disables the user interface on managed scanners. no yes or no
Login Banner login_banner

A text banner displays that appears after you attempt to log in to Nessus.

Note: The banner only appears the first time you log in on a new browser or computer.

None String

Maximum Concurrent Web Users


Maximum web users who can connect simultaneously.



If set to 0, no limit is enforced.

Nessus Web Server IP


IPv4 address to listen for incoming connections. If set to, this restricts access to local connections only. String in the format of an IP address
Nessus Web Server Port xmlrpc_listen_port The port that the Nessus web server listens on. 8834 Integers
Use Mixed Vulnerability Groups scan_vulnerability_groups_mixed When enabled, Nessus displays the severity level as Mixed for vulnerability groups, unless all the vulnerabilities in a group have the same severity. When disabled, Nessus displays the highest severity indicator of a vulnerability in a group yes Yes or No
Use Vulnerability Groups scan_vulnerability_groups When enabled, Nessus groups vulnerabilities in scan results by common attributes, giving you a shorter list of results. yes yes or no





Default Valid Values
Audit Trail Verbosity audit_trail Controls verbosity of the plugin audit trail. Full audit trails include the reason why plugins were not included in the scan. full full, partial, none
Auto Enable Plugin Dependencies auto_enable_dependencies Automatically activates the plugins that are depended on. If disabled, not all plugins may run despite being selected in a scan policy. yes yes or no
CGI Paths for Web Scans cgi_path

A colon-delimited list of CGI paths to use for web server scans.


Engine Thread Idle Time engine.idle_wait Number of seconds a scan engine remains idle before shutting itself down. 60 Integers 0-600
Max Plugin Output Size plugin_output_max_size_kb

The maximum size, in kilobytes (KB), of plugin output to be included in exported scan results with the .nessus format. If the output exceeds the maximum size, it is truncated in the report.



If set to 0, no limit is enforced.

Maximum Ports in Scan Reports report.max_ports The maximum number of allowable ports. If there are more ports in the scan results than this value, the excess will be discarded. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in valid results being deleted from the scan results database, so you may want to increase the default if this is a problem. 1024 Integers
Maximum Size for E-mailed Reports attached_report_maximum_size Specifies the maximum size, in megabytes (MB), of any report attachment. If the report exceeds the maximum size, then it is not attached to the email. Nessus does not support report attachments larger than 50 MB. 25 Integers 0-50
Nessus Rules File Location rules

Location of the Nessus rules file (nessusd.rules).

The following are the defaults for each operating system:



Mac OS X:




Nessus config directory for your operating system String
Non-Simultaneous Ports non_simult_ports Specifies ports against which two plugins cannot not be run simultaneously. 139, 445, 3389 String
Paused Scan Timeout paused_scan_timeout The duration, in minutes, that a scan can remain in the paused state before it is terminated. 0 Integers 0-10080
PCAP Snapshot Length pcap.snaplen The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, this value is automatically set based on the scanner's NIC. However, depending on your network configuration, packets may be truncated, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packets being truncated. 0 Integers 0-262144
Port Range port_range The default range of ports that the scanner plugins probe. default

default, all, a range of ports, a comma-separated list of ports and/or port ranges.

Specify UDP and TCP ports by prefixing each range by T: or U:.

Reverse DNS Lookups reverse_lookup When enabled, targets are identified by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address. no yes or no
Safe Checks safe_checks

When enabled, Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability.

yes yes or no
Silent Plugin Dependencies silent_dependencies When enabled, the list of plugin dependencies and their output are not included in the report. A plugin may be selected as part of a policy that depends on other plugins to run. By default, Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Nessus includes both the selected plugin and any plugin dependencies in the report. yes yes or no
Slice Network Addresses slice_network_addresses If this option is set, Nessus does not scan a network incrementally (, then, then, and so on) but attempts to slice the workload throughout the whole network (e.g., it scans, then, then, then, and so on). no yes or no





Default Valid Values
Log Additional Scan Details log_details When enabled, scan logs include the user name, scan name, and current plugin name in addition to the base information. You may not see these additional details unless log_whole_attack is also enabled. no yes or no
Log Verbose Scan Details log_whole_attack Logs verbose details of the scan. Helpful for debugging issues with the scan, but this may be disk intensive. To add additional details, enable log_details. no yes or no
Nessus Dump File Location dumpfile

Location of nessusd.dump, a log file for debugging output if generated.

The following are the defaults for each operating system:



Mac OS X:




Nessus log directory for your operating system

Nessus Dump File Log Level nasl_log_type

The type of NASL engine output in nessusd.dump.

normal normal, none, trace, or full.
Nessus Log Level backend_log_level

The logging level of the backend.log log file, as indicated by a set of log tags that determine what information to include in the log.

If you manually edited log.json to set a custom set of log tags for backend.log, this setting overwrites that content.

For more information, see log.json Format.


  • normal — sets log tags to "log", "info", "warn", "error", "trace"
  • debug — sets log tags to "log", "info", "warn", "error", "trace", "debug"
  • verbose — sets log tags to"log", "info", "warn", "error", "trace", "debug", "verbose"
Nessus Scanner Log Location logfile

Location where the Nessus scanner log file is stored.

The following are the defaults for each operating system:



Mac OS X:




Nessus log directory for your operating system String
Scanner Metric Logging scanner.metrics Enables scanner performance metrics data gathering. 0

0 (off), 0x3f (full data except plugin metrics), 0x7f (full data including plugin metrics)

Note: Including plugin metrics greatly increases the size of the log file. Nessus does not automatically clean up log files.

Use Milliseconds in Logs logfile_msec When enabled, nessusd.messages log timestamps are in milliseconds. When disabled, log timestamps are in seconds. no yes or no
Log File Rotation logfile_rot

If set to daily or time, indicates that Nessus logs are rotated daily. When left undefined, log rotation is based upon size.

None daily or time





Default Valid Values
Engine Thread Pool Size thread_pool_size The size of the pool of threads available for use by the scan engine. Asynchronous tasks can be deferred to these threads, and this value controls the maximum number of threads to be created. 200 Integers 0-500
Global Max Hosts Concurrently Scanned global.max_hosts

Maximum number of hosts that can be scanned simultaneously across all scans.

Varies depending on hardware

Global Max TCP Sessions global.max_simult_tcp_sessions Maximum number of simultaneous TCP sessions across all scans.

50 for desktop operating systems (e.g., Windows 10).

50000 for other operating systems (e.g., Windows Server 2016).

Integers 0 - 2000

Max Concurrent Checks Per Host max_checks

Maximum number of simultaneous plugins that can run concurrently on each host.



Max Concurrent Hosts Per Scan max_hosts Maximum number of hosts checked at one time during a scan. Varies, up to 100.


If set to 0, defaults to 100.

Max Concurrent Scans global.max_scans Maximum number of simultaneous scans that can be run by the scanner. 0

Integers 0-1000

If set to 0, no limit is enforced.

Max Engine Threads engine.max Maximum number of scan engines that run in parallel. Each scan engine scans multiple targets concurrently from one or more scans (see engine.max_hosts). 8 times the number of CPU cores on the machine Integers
Max Engine Checks engine.max_checks

Maximum number of simultaneous plugins that can run concurrently on a single scan engine.

64 Integers
Max Hosts Per Engine Thread engine.max_hosts Maximum number of targets that run concurrently on a single scan engine. 16 Integers
Max HTTP Connections max_http_connections The number of simultaneous connection attempts before the web server responds with HTTP code 503 (Service Unavailable, Too Many Connections). 600 Integers
Max HTTP Connections Hard max_http_connections_hard

The number of simultaneous connection attempts before the web server does not allow further connections.

3000 Integers
Max TCP Sessions Per Host host.max_simult_tcp_sessions

Maximum number of simultaneous TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. E.g., if this option is set to 15, the SYN scanner sends 150 packets per second at most.



If set to 0, no limit is enforced.

Max TCP Sessions Per Scan max_simult_tcp_sessions Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts being scanned. 0

Integers 0-2000.

If set to 0, no limit is enforced.

Minimum Engine Threads engine.min The number of scan engines that start initially as targets are being scanned. After the engine reaches engine.optimal_hosts number of targets, additional scan engines are added up to engine.max. 2 times the number of CPU cores on the machine Integers
Optimize Tests optimize_test Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives. yes yes or no
Optional Hosts Per Engine Thread engine.optimal_hosts The minimum number of targets that are running on each scan engine before additional engines are added (up to engine.max). 2 Integers
Plugin Check Optimization Level optimization_level

Determines the type of check that is performed before a plugin runs.

If this setting is set to open_ports, then Nessus checks that required ports are open; if they are not, the plugin does not run.

If this setting is set to required_keys, then Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check.

None open_ports or required_keys
Plugin Timeout plugins_timeout Maximum lifetime of a plugin’s activity in seconds. 320 Integers 0-1000
QDB Memory Usage qdb_mem_usage Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Nessus is running on a shared machine, settings this to low uses considerably less memory, but has a moderate performance impact. low low or high
Reduce TCP Sessions on Network Congestion reduce_connections_on_congestion Reduces the number of TCP sessions in parallel when the network appears to be congested. no yes or no
Scan Check Read Timeout checks_read_timeout

Read timeout for the sockets of the tests.

5 Integers 0-1000
Stop Scan on Host Disconnect stop_scan_on_disconnect When enabled, Nessus stops scanning a host that seems to have been disconnected during the scan. no yes or no
Throttle Scan on CPU Overload throttle_scan When enabled, Nessus throttles scan when the CPU is overloaded. yes yes or no
Webserver Thread Pool Size www_thread_pool_size Thread pool size for the webserver/backend. 100 Integers 0-500
XML Enable Plugin Attributes xml_enable_plugin_attributes When enabled, plugin attributes are included in exported scans to no yes or no





Default Valid Values
Always Validate SSL Server Certificates strict_certificate_validation

Always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA).

no yes or no
Cipher Files on Disk cipher_files_on_disk Encipher files that Nessus writes. yes yes or no
Force Public Key Authentication force_pubkey_auth Force logins for Nessus to use public key authentication. no yes or no
Max Concurrent Sessions Per User max_sessions_per_user Maximum concurrent sessions per user 0

Integers 0-2000.

If set to 0, no limit is enforced.


SSL Cipher List ssl_cipher_list Cipher list to use for Nessus backend connections. Nessus only supports strong SSL ciphers when connecting to port 8834. strong noexp, strong, and edh.
SSL Mode ssl_mode

Minimum supported version of TLS.

  • compat - TLS v1.0+.
  • ssl_3_0 - SSL v3+.
  • tls_1_1 - TLS v1.1+.
  • tls_1_2 - TLS v1.2+.

Agents & Scanners

Note: The following settings are only available in Nessus Manager.




Default Valid Values
Agents Progress agents_progress_viewable When a scan gathers information from agents, Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. 100


If set to 0, this defaults to 100.

Automatically Download Agent Updates agent_updates_from_feed

When enabled, new Nessus Agent software updates are automatically downloaded.

yes yes or no
Concurrent Agent Software Updates cloud.manage.download_max The maximum concurrent agent update downloads. 10 Integers
Include Audit Trail Data agent_merge_audit_trail

Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance.

If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail.

false true or false
Include KB Data agent_merge_kb

Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance.

If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB.

false true or false
Result Processing Journal Mode agent_merge_journal_mode

Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.





Result Processing Sync Mode agent_merge_synchronous_setting

Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.





Track Unique Agents track_unique_agents When enabled, Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Nessus Manager deletes duplicates that it finds. no yes or no


Note: The following settings are only available in Nessus Manager with clustering enabled.




Default Valid Values
Agent Blacklist Duration Days agent_blacklist_duration_days

The number of days that an agent remains blocked from relinking to a cluster node.

For example, an agent is blocked if it tries to link with a UUID that matches an existing agent in a cluster.

Note: An agent is blocked if it is deleted or removed due to inactivity. However, the agent is placed back in good standing and is not blocked if an administrator manually unlinks and relinks it.


Integers > 0

Agent Clustering Scan Cutoff agent_cluster_scan_cutoff Scans will be aborted after running this many seconds without a child node update. 3600 Integers > 299
Agent Node Global Maximum Default agent_node_global_max_default

The global default maximum number of agents allowed per cluster node.

If you set an individual maximum for a child node, that setting overrides this setting.

10000 Integers 0-20000





Default Valid Values
Automatic Update Delay auto_update_delay Number of hours that Nessus waits between automatic updates. 24

Integers > 0

Automatic Updates auto_update Automatically updates plugins. If enabled and Nessus is registered, Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting. yes yes or no
Automatically Update Nessus auto_update_ui Automatically download and apply Nessus updates. yes yes or no
Initial Sleep Time ms_agent_sleep (Nessus Manager only) Sleep time between managed scanner and agent requests. This can be overridden by Nessus Manager or 30 Integers 5-3300
Max HTTP Client Requests max_http_client_requests Maximum number of concurrent outbound HTTP connections on managed scanners and agents. 4 Integers > 0
Nessus Debug Port dbg_port The port on which nessusd listens for ndbg client connections. If left empty, no debug port is established. None String in one of the following formats:  port or localhost:port or ip:port
Nessus Preferences Database config_file

Location of the configuration file that contains the engine preference settings.

The following are the defaults for each operating system:



Mac OS X:




Nessus database directory for your operating system String
Non-User Scan Result Cleanup Threshold report_cleanup_threshold_days The age threshold (in days) for removing old system-user scan reports. 30 Integers > 0
Orphaned Scan History Cleanup orphaned_scan_cleanup_days

Number of days after which orphaned scans are removed from Nessus. For example, an orphaned scan could be a scan executed via that was not properly removed.

If set to 0, no cleanup is performed.

30 Integers > 0
Path to Java path_to_java Custom path to Java for PDF exports. If not set, Nessus uses the system path. None


Must be an absolute file path.

Remote Scanner Port remote_listen_port This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents a different port (e.g., 9000) instead of the port defined in xmlrpc_listen_port (default 8834). None Integer
Report Crashes to Tenable report_crashes When enabled, Nessus crash information is automatically sent to Tenable, Inc.. to identify problems. No personal or system-identifying information is sent to Tenable, Inc. yes yes or no
Scan Source IP(s) source_ip Source IPs to use when running on a multi-homed host. If multiple IPs are provided, Nessus will cycle through them whenever it performs a new connection. None IP address or comma-separated list of IP addresses.
Send Telemetry send_telemetry

When enabled, Nessus periodically and securely sends non-confidential product usage data to Tenable.

Usage statistics include, but are not limited to, data about your visited pages within the Nessus interface, your used reports and dashboards, your Nessus license, and your configured features. Tenable uses the data to improve your user experience in future Nessus releases. You can disable this option at any time to stop sharing usage statistics with Tenable.

yes yes or no
User Scan Result Deletion Threshold scan_history_expiration_days The number of days after which scan history and data for completed scans is permanently deleted. 0

0 or integers larger than or equal to 3.

If set to 0, all history is retained.


Not all advanced settings are populated in the Nessus user interface, but some settings can be set in the command line interface. If you create a custom setting, it appears in the Custom tab.

The following table lists available advanced settings that are not listed by default in the Nessus user interface but can still be configured.



Default Valid Values

Adds a classification banner to the top and bottom of the Nessus user interface, and turns on last successful and failed login notification.

None UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner).
nessus_syn_scanner.global_throughput.max Sets the max number of SYN packets that Nessus sends per second during its port scan (no matter how many hosts are scanned in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets. 65536 Integers

A text banner displays that appears after you attempt to log in to Nessus. The banner only appears the first time you log in on a new browser or computer.

None String

timeout.<plugin ID>

Enter the plugin ID in place of <plugin ID>. The maximum time, in seconds, that plugin <pluginID> is permitted to run before Nessus stops it. If set for a plugin, this value supersedes plugins_timeout. None Integers 0-86400