Port Requirements

Tenable Nessus Agent port requirements include Tenable Nessus Agent-specific requirements and manager-specific requirements. Depending on your deployment setup, also see the port requirements for Tenable Nessus Manager and Tenable Nessus Cluster Nodes, and for Tenable Security Center.

Tenable Nessus Agent

Your Tenable Nessus Agents require access to specific ports for outbound traffic.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 443 Communicating with Tenable Vulnerability Management.
TCP 8834 Communicating with Tenable Nessus Manager. Note: The default Tenable Nessus Manager port is TCP 8834. However, this port is configurable and may be different for your organization.
UDP 53 Performing DNS resolution.

Tenable Nessus Manager and Tenable Nessus Cluster Nodes

Your Tenable Nessus instances require access to specific ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port Traffic
TCP 8834 Accessing the Tenable Nessus interface. Communicating with Tenable Security Center. Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 25 Sending SMTP email notifications.
TCP 443 Communicating with Tenable Vulnerability Management (sensor.cloud.tenable.com or sensor.cloud.tenablecloud.cn). Communicating with the plugins.nessus.org server for plugin updates.
UDP 53 Performing DNS resolution.

Tenable Security Center

Your Tenable Security Center instances require access to specific ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port Traffic
TCP 22 Performing remote repository synchronization with another Tenable Security Center.
TCP 443 Accessing the Tenable Security Center interface. Communicating with Tenable Security Center Director instances. Communicating with OT Security instances. Performing the initial key push for remote repository synchronization with another Tenable Security Center. Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port Traffic
TCP 22 Communicating with Log Correlation Engine for event query.
TCP 25 Sending SMTP email notifications.
TCP 443 Communicating with Tenable Lumin for synchronization. Communicating with the plugins.nessus.org server for plugin updates.
TCP 1243 Communicating with Tenable Log Correlation Engine.
TCP 8834 Communicating with Tenable Nessus.
TCP 8835 Communicating with Tenable Nessus Network Monitor.
UDP 53 Performing DNS resolution.

Agent Content Distribution Network (CDN)

Depending on the rule logic you have in place, you may need to adjust your firewall or proxy rules to use the Agent Content Distribution Network (CDN).

FQDN Updates

The CDN uses sensor.cloud.tenable.com for downloading plugins and binary updates, uploading scan results, and linking and communicating with Tenable Vulnerability Management. If you have a firewall or proxy rule configured for sensor.cloud.tenable.com, you should not encounter issues. However, if there are stricter rules in place, you need to update your rule set.

IP Allowlisting

The IP addresses associated with sensor.cloud.tenable.com are dynamic and depend on the locale of the agent and its connectivity to the internet. If you currently have IP-based rules configured for proxies and firewalls, you must update the rules based on the IP ranges used by Amazon CloudFront. Amazon's documentation, Locations and IP Address Ranges of CloudFront Edge Servers, has a list of the IP ranges available for download.
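One way to turn the downloadable CloudFront ranges into an outbound TCP 443 allowlist, shown as an added example that is not Tenable's code. It assumes the JSON layout of AWS's ip-ranges.json feed; the embedded sample prefixes are constructed documentation ranges, and the rule syntax emitted by allow_rules is hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json feed
# (https://ip-ranges.amazonaws.com/ip-ranges.json), trimmed to the fields
# used here. The prefixes are RFC 5737 / RFC 3849 documentation ranges,
# not real CloudFront ranges.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.128/25", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:2::/48", "service": "S3"},
    ],
})


def cloudfront_networks(ip_ranges_json):
    """Return the CLOUDFRONT prefixes, merged into the fewest CIDR blocks."""
    data = json.loads(ip_ranges_json)
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in data.get("prefixes", []) if p.get("service") == "CLOUDFRONT"]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in data.get("ipv6_prefixes", []) if p.get("service") == "CLOUDFRONT"]
    # collapse_addresses() rejects mixed IP versions, so merge each family alone.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(address, networks):
    """True if an address the agent resolved is covered by the allowlist."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


def allow_rules(networks, port=443):
    """Render rules in a made-up neutral syntax; translate for your firewall."""
    return [f"allow out tcp to {net} port {port}" for net in networks]


if __name__ == "__main__":
    nets = cloudfront_networks(SAMPLE_IP_RANGES)
    print("\n".join(allow_rules(nets)))
    # Spot-check an address returned by resolving sensor.cloud.tenable.com.
    print(is_allowed("198.51.100.200", nets))
```

The feed changes over time, so regenerate the rules on a schedule rather than once. The CloudFront ranges are shared by all CloudFront customers, so an FQDN rule for sensor.cloud.tenable.com is narrower where your proxy supports it.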

Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.