Nessus Scanners

In the SecurityCenter framework, the Nessus scanner behaves as a server, while SecurityCenter serves as a client that schedules and initiates scans, retrieves results, reports results, and performs a wide variety of other important functions. Click Resources and then Nessus Scanners to retrieve a list of the scanners, including their name, features, current status, version, host, uptime, type, and when they were last modified. If the status of a scanner is believed to have changed since the page was loaded, click the Update Status button within the Options drop-down box to fetch the latest scanner status without waiting for the next auto-refresh. Click the gear icon to the right of the scanner information to view information, edit the configuration, or delete the scanner.

The Features column indicates whether the connected Nessus Manager or™ instance is configured to provide Nessus Agent scan results to SecurityCenter.

There are three classifications of Nessus scanners that may be added to SecurityCenter: Managed, Unmanaged, and™.

A managed scanner is managed by SecurityCenter: SecurityCenter logs in to it using Nessus credentials, can send plugin updates to it, and maintains its Activation Code.

An unmanaged scanner is one that SecurityCenter logs in to using a standard Nessus user’s credentials. This scanner may be used to perform scans, but SecurityCenter cannot send plugin updates to an unmanaged scanner or manage its Activation Code.

SecurityCenter may also use a™ scanner to perform scans. This is a vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities from the cloud. A™ scanner is considered to be an unmanaged scanner and therefore SecurityCenter does not push plugin updates to a™ scanner.

In the examples below, the Nessus scanners are installed on remote systems and are functioning properly.

Adding a Nessus Scanner

To add a scanner, click the Add button. Items with a star (*) next to them indicate required information that does not have a default setting.

The table below provides details about the available options for adding a Nessus scanner:

Name

Descriptive name for the Nessus scanner.

Description

Scanner description, location, or purpose.

Host

Hostname or IP address of the scanner.

Port

TCP port that the Nessus scanner listens on for communications from SecurityCenter. The default is port 8834.

Enabled

A scanner may be Enabled or Disabled within SecurityCenter to allow or prevent access to the scanner.

Verify Hostname

Adds a check to verify that the hostname or IP address entered in the Host option matches the CommonName (CN) presented in the SSL certificate from the Nessus server.

Use Proxy

Instructs SecurityCenter to use its configured proxy for communication with the scanner.

Authentication Type

Select Password or SSL Certificate for the authentication type to connect to the Nessus scanner. For detailed SSL Certificate configuration options, see the Nessus SSL Configuration section of this document.

Username

Username generated during the Nessus install for daemon-to-client communications. This must be an administrator user in order to send plugin updates to the Nessus scanner. If the scanner is updated by a different method, such as through another SecurityCenter, a standard Nessus user account may be used to perform scans. This option is only available if the Authentication Type is set to Password.

Password

The login password must be entered in this option. This option is only available if the Authentication Type is set to Password.

Certificate

This option is available if the Authentication Type is set to SSL Certificate. Click the Browse button, choose an SSL Certificate file, and upload it to SecurityCenter. For more information, see Nessus SSL Configuration.

Zones

The zone(s) within SecurityCenter that have access to use this scanner.

Agent Capable

When the Agent Capable option is enabled, an organization option is presented. Select one or more organizations that have access to import Nessus Agent data into SecurityCenter.

Agent capable Nessus scanners must be either™ or Nessus Manager version 6.5 or higher. When using Nessus Manager, an organizational user account must be used to connect from SecurityCenter.

Configure SecurityCenter for Custom Certificates to Verify Hostname

To enable the Verify Hostname option, ensure the correct Certificate Authority (CA) certificate is configured for use by SecurityCenter. When using the default certificates for Nessus servers, this is not required. These steps only apply when using a custom CA.

  1. Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s /tmp directory. For this example, the file is named ROOTCA2.cer.
  2. Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA as follows:

    # /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer

  3. Once each of your CAs has been processed, restart the SecurityCenter services with the following command:

    # service SecurityCenter restart

After SecurityCenter is configured with the proper CA certificate(s), the Verify Hostname option verifies the SSL certificate presented by the scanner against the proper CA certificate.

™ Scanners

SecurityCenter supports the use of the™ as a Nessus scanner within SecurityCenter. The™ is an enterprise-class remote vulnerability scanning service that may be used to audit Internet facing IP addresses for both network and web application vulnerabilities from the cloud. While they are not managed by a SecurityCenter (e.g., plugins are not pushed from SecurityCenter to the scanner),™ scanners can be added to SecurityCenter in the same manner that internal, local, or remote Nessus scanners are added.

To add a™ scanner to SecurityCenter, a valid and active™ subscription must be used. In SecurityCenter, click the Resources tab, Nessus Scanners, and then Add.

Type a name (mandatory) and description (optional) for the™ scanner to be used with SecurityCenter. Type the address as host, and specify the port as 443 (HTTPS). Type a valid™ username and password for authentication and select the zone(s) within SecurityCenter that use the™ scanner. If Nessus Agent information is to be imported into SecurityCenter, enable the Agent Capable option and select the organization(s) with permission to access the data. When finished, click Submit to add the authorized™ scanner to SecurityCenter. If successful, the™ scanner is listed under Nessus Scanners with a status of working.

Note that existing scan reports from the™ are not automatically available through SecurityCenter. However, they can be manually downloaded and imported into SecurityCenter by users with permissions to do so.

Note: The™ Scanner selects the corresponding regional scanner by default. Example: If you are running a scan in the United States, the application selects the U.S. scanner. If you are in Germany, the application selects the Germany scanner.

Nessus Scanner Details

Click the view button from the gear icon drop-down menu to view information about the selected scanner. The information includes name, description, IP address or hostname, port, username used to connect to the scanner, uptime, and when the scanner was created and last modified from SecurityCenter. The Nessus scanner version, web server version, type, if it is Nessus Agent capable, and zones it is a part of also display. The number of active scans (load) the server is performing displays and is updated every 15 minutes, as well as the current loaded plugin set on the scanner.

Deleting a Nessus Scanner

In some cases it may be necessary to delete a configured Nessus scanner from SecurityCenter. To do so, click the gear icon next to the scanner to be deleted and click the delete option from the menu. This opens a confirmation window that asks you to confirm the deletion of the scanner by its name. Click the delete button to remove the scanner, or click the cancel button or the X at the top right to cancel.

Scan Zones

Scan zones define the IP ranges associated with the scanner along with organizational access. SecurityCenter allows the configuration of defined organizations with three different scan zone modes: Automatic Distribution Only, Locked Zone, and Selectable Zones. If an organization is in Automatic Distribution Only mode, SecurityCenter picks the scan zone and scanners based on the IP address of the target. If an organization is in Locked Zone mode, only the selected zones are available to users during the creation of scan policies. If an organization is in Selectable mode, all scan zones display and can be selected as needed.

When in Selectable mode, at scan time, the zones associated with the organization and All Zones are available to the user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored and any IPs in the managed ranges for that user are scanned by the Nessus scanners associated with the chosen zone.

When a scan is configured to use the All Zones zone, the targets for the scan are given to scanners in the most appropriate zone available based on the zone’s specified ranges (20K character limit). This facilitates optimal scanning and is very useful if an organization has devices placed behind a firewall or NAT device and has conflicting RFC 1918 non-internet-routable address space with another organization. In addition, some organizations may benefit from the ability to override their default scanner(s) with one(s) from a different zone. This allows an organization to more easily run internal and external vulnerability scans.
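The zone-selection behaviour described above, modelled as an added example (this is illustrative code, not SecurityCenter's own implementation): with All Zones, each target goes to the scanner of the organization's most specific matching zone, which is what keeps two organizations with overlapping RFC 1918 space apart; with a named zone, the zone's ranges are ignored and its scanners take every target. Zone names, ranges and scanner names are constructed sample data.

```python
"""Model of scan zone selection (added example; assumes the constructed
zones, organizations and scanner names below, not real SecurityCenter data)."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Constructed sample zones: name -> (IP ranges, scanners in the zone).
# Corp-LAN and Lab deliberately share the same RFC 1918 range.
ZONES: Dict[str, tuple] = {
    "Corp-LAN": (["10.0.0.0/8"], ["nessus-corp-1"]),
    "Corp-DMZ": (["10.10.0.0/16"], ["nessus-dmz-1"]),
    "Lab":      (["10.0.0.0/8"], ["nessus-lab-1"]),
    "External": (["0.0.0.0/0"], ["nessus-cloud-1"]),
}
# Constructed organization -> zones it is allowed to use.
ORG_ZONES: Dict[str, List[str]] = {
    "Corp": ["Corp-LAN", "Corp-DMZ", "External"],
    "Lab": ["Lab", "External"],
}


def most_specific_zone(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate zone whose range covers target with the longest
    prefix (most specific match), or None if no candidate range contains it."""
    addr = ip_address(target)
    best, best_len = None, -1
    for zone in candidates:
        for cidr in ZONES[zone][0]:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def assign_targets(org: str, targets: Iterable[str],
                   selected_zone: str = "All Zones") -> Dict[str, Optional[str]]:
    """Map each target to a scanner name. 'All Zones' picks the organization's
    most specific zone per target; a named zone ignores ranges entirely and
    sends every target to that zone's first scanner."""
    if selected_zone != "All Zones":
        if selected_zone not in ORG_ZONES[org]:
            raise ValueError(f"zone {selected_zone!r} is not available to {org}")
        return {t: ZONES[selected_zone][1][0] for t in targets}
    plan: Dict[str, Optional[str]] = {}
    for t in targets:
        zone = most_specific_zone(t, ORG_ZONES[org])
        plan[t] = ZONES[zone][1][0] if zone else None
    return plan
```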

Tip: Sometimes forcing a scan to use a non-ideal scanner helps to analyze the vulnerability stance from a new perspective. For example, set the default scanner to an external one to see the attack surface from an external attacker’s perspective.

For more information, see Scan Zones.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.