Miscellaneous
Tenable Vulnerability Management supports the additional authentication methods described below.
ADSI requires the domain controller information, domain, and domain admin and password.
ADSI allows Tenable Vulnerability Management to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Tenable Vulnerability Management authenticates to the domain controller (not the Exchange server) to directly query it for device information. This feature does not require any ports be specified in the scan configuration. These settings are required for mobile device scanning.
Option | Description |
---|---|
Domain Controller | (Required) Name of the domain controller for ActiveSync |
Domain | (Required) Name of the Windows domain for ActiveSync |
Domain Admin | (Required) Domain admin’s username |
Domain Password | (Required) Domain admin’s password |
Tenable Vulnerability Management supports obtaining the mobile information from Exchange Server 2010 and 2013 only; Tenable Vulnerability Management cannot retrieve information from Exchange Server 2007.
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) Username for a scanning account on the F5 target. |
Password | (Required) Password associated with the scanning account. |
Port | Port to use when connecting to the F5 target. |
HTTPS | When enabled, connect using secure communication (HTTPS). When disabled, connect using standard HTTP. |
Verify SSL Certificate | Verify that the SSL certificate is valid. If you are using a self-signed certificate, disable this setting. |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) An iSeries username. |
Password | (Required) An iSeries password. |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) Username for an account on the Netapp system that has HTTPS access. |
Password | (Required) Password associated with the account. |
vFiler | If this setting is blank, the scan audits for all discovered Netapp virtual filers (vFilers) on target systems. To limit the audit to a single vFiler, type the name of the vFiler. |
Port | Ports to scan on target systems. Type a comma-separated list of port numbers. |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description | Default |
---|---|---|
Nutanix Host | (Required) Hostname or IP address of the Nutanix Prism Central host. | - |
Nutanix Port | (Required) The TCP port that the Nutanix Prism Central host listens on for communications from Tenable. | 9440 |
Username | (Required) Username used for authentication to the Nutanix Prism Central host. | - |
Password | (Required) Password used for authentication to the Nutanix Prism Central host. | - |
Discover Host | This option adds any discovered Nutanix Prism Central hosts to the scan targets to be scanned. | - |
Discover Virtual Machines | This option adds any discovered Nutanix Prism Central Virtual Machines to the scan targets to be scanned. | - |
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | enabled |
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) Username for an account on the OpenStack deployment. |
Password | (Required) Password associated with the account. |
Tenant Name for Authentication | (Required) Name of the specific tenant the scan uses to authenticate. A tenant (also known as a project) is a group of resources that can be controlled by users in the tenant. |
Port | (Required) Port that the scanner uses to connect to OpenStack. |
HTTPS | When enabled, connect using secure communication (HTTPS). When disabled, connect using standard HTTP. |
Verify SSL Certificate | Verify that the SSL certificate is valid. If you are using a self-signed certificate, disable this setting. |
Option | Description |
---|---|
Username | (Required) The PAN-OS username. |
Password | (Required) The PAN-OS password. |
Port | (Required) The management port number. |
HTTPS | Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection. |
Verify SSL Certificate | Verify that the SSL certificate is valid. If the target is using a self-signed certificate, disable this setting. |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) Username to log in to the RHEV server. |
Password | (Required) Password to log in to the RHEV server. |
Port | Port to connect to the RHEV server. |
Verify SSL Certificate | Verify that the SSL certificate for the RHEV server is valid. |
Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows you to access the ESX and ESXi servers via username and password. Additionally, you have the option of not enabling SSL certificate verification.
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Username | (Required) Username to log in to the ESXi server. |
Password | (Required) Password to log in to the ESXi server. |
Do not verify SSL Certificate | Do not verify that the SSL certificate for the ESXi server is valid. |
VMware vCenter SOAP API allows you to access vCenter. If available, the vCenter REST API is used to collect data in addition to the SOAP API.
For more information on configuring VMware vCenter SOAP API, see Configure vSphere Scanning.
Option | Description |
---|---|
vCenter Host | (Required) Name of the vCenter host. |
vCenter Port | Port to access the vCenter host. |
Username | (Required) Username to log in to the vCenter server. |
Password | (Required) Password to log in to the vCenter server. |
HTTPS | Connect to the vCenter via SSL. |
Verify SSL Certificate | Verify that the SSL certificate for the ESXi server is valid. |
Note: This credential type is only available in the Advanced Network Scan template.
Tenable can access vCenter through the native VMware vCenter SOAP API. If available, Tenable uses the vCenter REST API to collect data in addition to the SOAP API.
Note: Tenable supports VMware vCenter/ESXi versions 7.0.3 and later for authenticated scans. This does not impact vulnerability checks for VMware vCenter/ESXi, which do not require authentication.
Note: The SOAP API requires a vCenter account with read permissions and settings privileges. The REST API requires a vCenter admin account with general read permissions and required Lifecycle Manager privileges to enumerate VIBs.
Option | Description | Default |
---|---|---|
vCenter Host | (Required) The name of the vCenter host. | - |
vCenter Port | (Required) The TCP port that vCenter listens on for communications from Tenable. | 443 |
Username | (Required) The username for the vCenter server account with admin read/write access that Tenable uses to perform checks on the target system. | - |
Password | (Required) The password for the vCenter server user. | - |
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | enabled |
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Tip: If you are using a self-signed certificate, disable this setting. | enabled |
Auto Discover Managed VMware ESXi Hosts | This option adds any discovered VMware ESXi hypervisor hosts to the scan targets you include in your scan. | not enabled |
Auto Discover Managed VMware ESXi Virtual Machines | This option adds any discovered VMware ESXi hypervisor virtual machines to the scan targets you include in your scan. | not enabled |
Note: This credential type is only available in the Advanced Network Scan template.
Option | Description |
---|---|
Client certificate | (Required) The client certificate. |
Client key | (Required) The client private key. |
Password for key | (Required) The passphrase for the key. |
CA certificate to trust | (Required) The trusted Certificate Authority's (CA) digital certificate. |
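
The HTTPS and Verify SSL Certificate options recur across the tables above, with a default documented only for some credential types and with the ESX SOAP API option stated in the negative. The following added example (not Tenable code; the dictionary layout, the type labels, and the sample values are assumptions for illustration) reviews credential entries for settings that expose the scanning account's password in transit.

```python
# Added example: review credential settings for transport weaknesses.
# The dict layout and type labels are assumptions, not Tenable's API schema.
TYPES = {
    # label: (required options, has an HTTPS option, documented default "enabled")
    "Nutanix Prism Central": (["Nutanix Host", "Nutanix Port", "Username", "Password"], True, True),
    "VMware vCenter": (["vCenter Host", "vCenter Port", "Username", "Password"], True, True),
    "PAN-OS": (["Username", "Password", "Port"], True, False),
    "VMware ESX SOAP API": (["Username", "Password"], False, False),
}

def review(cred_type, opts):
    """Return findings for one credential entry, using the page's option names."""
    required, has_https, default_on = TYPES[cred_type]
    findings = [f"missing required option: {n}" for n in required if not opts.get(n)]
    default = True if default_on else None  # None: the table documents no default
    if has_https:
        https = opts.get("HTTPS", default)
        if https is False:
            findings.append("HTTPS disabled: credentials sent over plain HTTP")
        elif https is None:
            findings.append("HTTPS not set: no documented default, confirm in the scan")
    # The ESX SOAP API table states the verification option inverted.
    if "Do not verify SSL Certificate" in opts:
        verify = not opts["Do not verify SSL Certificate"]
    else:
        verify = opts.get("Verify SSL Certificate", default)
    if verify is False:
        findings.append("certificate verification disabled: server identity unchecked")
    elif verify is None:
        findings.append("certificate verification not set: confirm in the scan")
    return findings

# Constructed sample entries (hosts, ports, and accounts are placeholders).
SAMPLE = [
    ("VMware vCenter", {"vCenter Host": "vcenter.example.internal", "vCenter Port": 443,
                        "Username": "svc-scan", "Password": "<placeholder>"}),
    ("Nutanix Prism Central", {"Nutanix Host": "prism.example.internal", "Nutanix Port": 9440,
                               "Username": "svc-scan", "Password": "<placeholder>",
                               "Verify SSL Certificate": False}),
    ("PAN-OS", {"Username": "svc-scan", "Password": "<placeholder>", "Port": 443,
                "HTTPS": False, "Verify SSL Certificate": True}),
    ("VMware ESX SOAP API", {"Username": "svc-scan", "Password": "<placeholder>",
                             "Do not verify SSL Certificate": True}),
]

if __name__ == "__main__":
    for cred_type, opts in SAMPLE:
        for finding in review(cred_type, opts) or ["no findings"]:
            print(f"{cred_type}: {finding}")
```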