Miscellaneous

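Tenable Security Center supports the following additional authentication methods: ADSI, F5, IBM iSeries, Red Hat Enterprise Virtualization (RHEV), Netapp API, Palo Alto Networks PAN-OS, VMware ESX SOAP API, VMware vCenter SOAP API, and X.509.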

You can configure these authentication methods on the Authentication tab of a scan policy, which specifies authentication options during a scan; see Add a Scan Policy.

ADSI

ADSI allows Tenable Security Center to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Tenable Security Center authenticates to the domain controller (not the Exchange server) to directly query it for device information. These settings are required for mobile device scanning.

Tenable Security Center supports obtaining the mobile information from Exchange Server 2010 and 2013 only.

| Option | Description | Default |
|---|---|---|
| Domain Controller | (Required) The name of the domain controller for ActiveSync. | - |
| Domain | (Required) The name of the NetBIOS domain for ActiveSync. | - |
| Domain Admin | (Required) The domain administrator's username. | - |
| Domain Password | (Required) The domain administrator's password. | - |

F5

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the scanning F5 account that Tenable Security Center uses to perform checks on the target system. | - |
| Password | (Required) The password for the F5 user. | - |
| Port | (Required) The TCP port that F5 listens on for communications from Tenable Security Center. | 443 |
| HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | enabled |
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |

IBM iSeries

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the IBM iSeries account that Tenable Security Center uses to perform checks on the target system. | - |
| Password | (Required) The password for the IBM iSeries user. | - |

Red Hat Enterprise Virtualization (RHEV)

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the RHEV account that Tenable Security Center uses to perform checks on the target system. | - |
| Password | (Required) The password for the RHEV user. | - |
| Port | (Required) The TCP port that the RHEV server listens on for communications from Tenable Security Center. | 443 |
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |

Netapp API

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the Netapp API account with HTTPS access that Tenable Security Center uses to perform checks on the target system. | - |
| Password | (Required) The password for the Netapp API user. | - |
| vFiler | The vFiler nodes to scan for on the target systems. To limit the audit to a single vFiler, type the name of the vFiler. To audit for all discovered Netapp virtual filers (vFilers) on target systems, leave the field blank. | - |
| Port | (Required) The TCP port that Netapp API listens on for communications from Tenable Security Center. | 443 |

Palo Alto Networks PAN-OS

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the PAN-OS account that Tenable Security Center uses to perform checks on the target system. | - |
| Password | (Required) The password for the PAN-OS user. | - |
| Port | (Required) The TCP port that PAN-OS listens on for communications from Tenable Security Center. | 443 |
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |

VMware ESX SOAP API

For more information about configuring VMware ESX SOAP API, see Configure vSphere Scanning.

Tenable can access VMware servers through the native VMware SOAP API.

| Option | Description | Default |
|---|---|---|
| Username | (Required) The username for the ESXi server account that Tenable uses to perform checks on the target system. | - |
| Password | (Required) The password for the ESXi user. | - |
| Do not verify SSL Certificate | Do not validate the SSL certificate for the ESXi server. | disabled |

VMware vCenter SOAP API

For more information about configuring VMware vCenter SOAP API, see Configure vSphere Scanning.

Tenable can access vCenter through the native VMware vCenter SOAP API. If available, Tenable uses the vCenter REST API to collect data in addition to the SOAP API.

Note: Tenable supports VMware vCenter/ESXi versions 7.0.3 and later for authenticated scans. This does not impact vulnerability checks for VMware vCenter/ESXi, which do not require authentication.

Note: The SOAP API requires a vCenter account with read permissions and settings privileges. The REST API requires a vCenter admin account with general read permissions and required Lifecycle Manager privileges to enumerate VIBs.

| Option | Description | Default |
|---|---|---|
| vCenter Host | (Required) The name of the vCenter host. | - |
| vCenter Port | (Required) The TCP port that vCenter listens on for communications from Tenable. | 443 |
| Username | (Required) The username for the vCenter server account with admin read/write access that Tenable uses to perform checks on the target system. | - |
| Password | (Required) The password for the vCenter server user. | - |
| HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | enabled |
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |

X.509

| Option | Description | Default |
|---|---|---|
| Client Certificate | (Required) The client certificate. | - |
| Client Key | (Required) The client private key. | - |
| Password | (Required) The passphrase for the client private key. | - |
| CA Certificate to Trust | (Required) The trusted Certificate Authority's (CA) digital certificate. | - |
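
The option tables on this page can be turned into a pre-scan review of credential entries. The following is an added example, not Tenable code: it reports missing required options and the transport settings the tables describe (HTTPS, certificate verification, and the inverted ESX option). The input dictionary layout, the short keys RHEV and PAN-OS, and the sample account name are assumptions; option names, required flags and defaults are taken from the tables.

```python
# Added example. Option names, required flags and defaults come from the tables
# above; the dict layout and the short keys "RHEV" / "PAN-OS" are assumptions.
VERIFY, NO_VERIFY = "Verify SSL Certificate", "Do not verify SSL Certificate"
USER_PASS = ["Username", "Password"]
HTTP_FINDING = "HTTPS disabled: connection uses standard HTTP"
VERIFY_FINDING = "certificate verification off: server certificate is not checked"

# method -> (required options, defaults listed in the tables)
METHODS = {
    "ADSI": (["Domain Controller", "Domain", "Domain Admin", "Domain Password"], {}),
    "F5": (USER_PASS + ["Port"], {"Port": 443, "HTTPS": True, VERIFY: True}),
    "IBM iSeries": (USER_PASS, {}),
    "RHEV": (USER_PASS + ["Port"], {"Port": 443, VERIFY: True}),
    "Netapp API": (USER_PASS + ["Port"], {"Port": 443}),
    "PAN-OS": (USER_PASS + ["Port"], {"Port": 443, VERIFY: True}),
    "VMware ESX SOAP API": (USER_PASS, {NO_VERIFY: False}),
    "VMware vCenter SOAP API": (USER_PASS + ["vCenter Host", "vCenter Port"],
                                {"vCenter Port": 443, "HTTPS": True, VERIFY: True}),
    "X.509": (["Client Certificate", "Client Key", "Password",
               "CA Certificate to Trust"], {}),
}

def audit(method, settings):
    """Return the findings for one credential entry (empty list means clean)."""
    required, defaults = METHODS[method]
    effective = {**defaults, **settings}  # omitted options take the table default
    findings = [f"missing required option: {name}"
                for name in required if effective.get(name) in (None, "")]
    if effective.get("HTTPS") is False:
        findings.append(HTTP_FINDING)
    # ESX states the same control inverted, so normalise both spellings.
    unverified = effective.get(VERIFY) is False or effective.get(NO_VERIFY) is True
    if unverified and effective.get("HTTPS", True):
        findings.append(VERIFY_FINDING)
    return findings

def audit_all(policy):
    """Audit every credential entry in a {method: settings} mapping."""
    return {method: audit(method, s) for method, s in policy.items()}

# Constructed sample input, not taken from a real scan policy.
SAMPLE = {
    "F5": {"Username": "scan-svc", "Password": "x", "HTTPS": False},
    "VMware ESX SOAP API": {"Username": "scan-svc", "Password": "x", NO_VERIFY: True},
    "PAN-OS": {"Username": "scan-svc", VERIFY: False},
    "RHEV": {"Username": "scan-svc", "Password": "x"},
}

if __name__ == "__main__":
    for method, findings in audit_all(SAMPLE).items():
        print(method, findings or "ok")
```

The RHEV entry passes because the omitted Port and Verify SSL Certificate options fall back to the defaults in the table (443 and enabled).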