Link a Sensor

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Web App Scanning User Role: Scan Manager or Administrator

This procedure describes how to link a sensor to Tenable Vulnerability Management.

Linking a sensor to Tenable Vulnerability Management represents a one-time event in managing a sensor, unless you remove the sensor. After you link the sensor, the sensor connects to Tenable Vulnerability Management using unique credentials.

Once you copy the linking key in Tenable Vulnerability Management, you must paste the linking key in the appropriate location of the sensor user interface (for example, the Tenable Nessus Agent CLI or the Tenable Network Monitor Cloud Settings section). Expand the following sections for specific details.

Note: If you use the Tenable Vulnerability Management FedRAMP environment, Tenable recommends reviewing the following documents before you link sensors:

Cloud Sensors (FedRAMP Moderate Cloud Sensors) — View the Tenable Vulnerability Management FedRAMP sensor connectivity IP ranges, which are different from non-FedRAMP environments.
If you have policies that require you to enable NIAP compliance settings, view the following topics to configure your scanners and agents accordingly:
- Configure Tenable Nessus for NIAP Compliance
- Configure Tenable Nessus Agent for NIAP Compliance

Note: If you use domain allowlists for firewalls, Tenable recommends adding:

* cloud.tenable.com (Commercial)
*.fedcloud.tenable.com (FedRAMP)

(with the wildcard character) to the allowlist. This ensures communication with sensor.fed/cloud.tenable.com, which the scanner uses to communicate with Tenable Vulnerability Management. If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

Note: Under certain circumstances, you may need to regenerate the linking key. See Regenerate a Linking Key for more information. To learn more about the sensor security and linking keys, see Sensor Security.

To link a sensor:

In the left navigation, click Sensors.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.
Then:
To link a Tenable Nessus Agent sensor, click the Nessus Agents tab.
Note: For troubleshooting agents in environments where Zscaler is used, see the Difficulties with Nessus Agents when Zscaler is in useTenable community article.
1. Click Add Agent.
  The Add Agent plane appears.
2. Do one of the following:
  - To install and link Tenable Nessus Agent manually:
    
    In the Linking Key section, click Copy.
    A Linking key copied to clipboard confirmation message appears.
    
    Access the Tenable Nessus Agent instance that you want to link to Tenable Vulnerability Management.
    
    Use the copied linking key in the Tenable Nessus Agent CLI to link the sensor. For more information, see Install Tenable Nessus Agent in the Tenable Nessus Agent Deployment and User Guide.
  - (Windows only) To use a single command to install and link Tenable Nessus Agent:
    
    Under the Installing Agent on Windows platforms header, copy the command.
    
    The command contains the linking key and syntax required to install the agent, link the agent to Tenable Vulnerability Management, change the agent name, and add the agent to an agent group. For example:
    
    Invoke-WebRequest -Uri “https://cloud.tenable.com/install/
    
    {sensorType}/installer/ms-install-script.ps1” -OutFile “./ms-install-script.
    
    ps1"; & “./ms-install-script.ps1” -key “{linkingKey}” -type
    
    “{sensorType}” -name “<agent name>” -groups “<list of groups>“;
    
    Remove-Item -Path “./ms-install-script.ps1”
    
    Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".
    
    In the command, replace <agent name> with the agent name.
    
    Tip: If you do not want to set a custom agent name, remove -name "<agent name>". If you do not set a custom name, Tenable names the agent using the hostname of the machine on which you installed the agent.
    
    In the command, replace <list of groups> with the agent group name or names.
    
    Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").
    
    Tip: If you do not want to add the agent to an agent group, remove -groups "<list of groups>".
    
    As a user with administrative privileges, access the CLI of the Windows machine on which you want to install the agent.
    
    Run the command.
    
    Tenable Nessus Agent installs on your Windows machine, links to your instance of Tenable Vulnerability Management, and updates the agent name and agent group if necessary.
  - (Linux only) To use a single command to install and link Tenable Nessus Agent:
    
    Under the Installing Agent on Linux platforms header, copy the command.
    
    The command contains the linking key and syntax required to install the agent, link the agent to Tenable Vulnerability Management, change the agent name, and add the agent to an agent group. For example:
    
    curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/agent?name=agent-name&groups=agent-group' | bash
    
    Note: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".
    
    In the command, replace agent-name with the agent name.
    
    Tip: If you do not want to set a custom agent name, remove name=agent-name. If you do not set a custom name, Tenable names the agent using the hostname of the machine on which you installed the agent.
    
    In the command, replace agent-group with the agent group name.
    
    Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").
    
    Tip: If you do not want to add the agent to an agent group, remove groups=agent-group.
    
    As a user with administrative privileges, access the CLI of the Linux machine on which you want to install the agent.
    
    Run the command.
    
    Tenable Nessus Agent installs on your Linux machine, links to your instance of Tenable Vulnerability Management, and updates the agent name and agent group if necessary.
To link an Tenable Network Monitor instance, click the Nessus Network Monitors tab.
1. Click Add Nessus Network Monitor.
  The Add Nessus Network Monitor plane appears.
2. In the Linking Key section, click Copy.
  A Linking key copied to clipboard confirmation message appears.
3. Access the Tenable Network Monitor instance that you want to link to Tenable Vulnerability Management.
4. Use the copied linking key in the Tenable Network Monitor user interface to link the sensor. For more information, see the NNM User Guide.
To link a Tenable Nessus sensor, click the Nessus Scanners tab.
For a demonstration on installing and linking a Tenable Nessus scanner, see the following video:
1. Click Add Nessus Scanner.
  The Add Nessus plane appears.
2. Do one of the following:
  - To install and link Tenable Nessus manually:
    
    In the Linking Key section, click Copy.
    A Linking key copied to clipboard confirmation message appears.
    
    Access the Tenable Nessus instance that you want to link to Tenable Vulnerability Management.
    
    Use the copied linking key in the Tenable Nessus user interface to link the sensor. For more information, see the Link to Tenable Vulnerability Management in the Tenable Nessus User Guide.
  - (Windows only) To use a single command to install and link a Tenable Nessus scanner:
    
    Under the One-Line Installation instructions, copy the command.
    
    The command contains the linking key and syntax required to install the scanner, link the scanner to Tenable Vulnerability Management, change the scanner name, and add the scanner to a scanner group. For example:
    
    Invoke-WebRequest -Uri "https://cloud.tenable.com/install/scanner/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1"; & "./ms-install-script.ps1" -key "51cc161bfa7c62dd7fc90a63561a256306cda982e3edba9d7ebadc05f6a2118c" -type "scanner" -name "<scanner name>" -groups "<list of groups>"; Remove-Item -Path "./ms-install-script.ps1"
    
    Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".
    
    In the command, replace <scanner-name> with the scanner name.
    
    Tip: If you do not want to set a custom scanner name, remove -name "<scanner-name>". If you do not set a custom name, Tenable names the scanner using the hostname of the machine on which you installed the scanner.
    
    In the command, replace <list of groups> with the scanner group name.
    
    Note: The scanner group name is case-sensitive and must match exactly.
    
    Tip: If you do not want to add the scanner to a scanner group, remove -groups "<list of groups>".
    
    As a user with administrative privileges, access the CLI of the Windows machine on which you want to install the scanner.
    
    Run the command.
    
    Tenable Nessus installs on your Windows machine, links to your instance of Tenable Vulnerability Management, and updates the scanner name and scanner group if necessary.
  - (Linux only) To use a single command to install and link a Tenable Nessus scanner:
    
    Under the One-Line Installation instructions, copy the command.
    
    The command contains the linking key and syntax required to install the scanner, link the scanner to Tenable Vulnerability Management, change the scanner name, and add the scanner to a scanner group. For example:
    
    curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/scanner?name=scanner-name&groups=scanner-group'| bash
    
    Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".
    
    In the command, replace scanner-name with the scanner name.
    
    Tip: If you do not want to set a custom scanner name, remove name=scanner-name. If you do not set a custom name, Tenable names the scanner using the hostname of the machine on which you installed the scanner.
    
    In the command, replace scanner-group with the scanner group name.
    
    Note: The scanner group name is case-sensitive and must match exactly.
    
    Tip: If you do not want to add the scanner to a scanner group, remove groups=scanner-group.
    
    As a user with administrative privileges, access the CLI of the Linux machine on which you want to install the scanner.
    
    Run the command.
    
    Tenable Nessus installs on your Linux machine, links to your instance of Tenable Vulnerability Management, and updates the scanner name and scanner group if necessary.
To link a Tenable Core + Tenable Web App Scanning instance, in the left navigation menu, click Web App Scanners.
1. Click Add Web Application Scanner.
  The Add Web Application Scanner plane appears.
2. In the Linking Key section, click Copy.
  A Linking key copied to clipboard confirmation message appears.
3. Access the Tenable Core + Tenable Web App Scanning instance that you want to link to Tenable Vulnerability Management.
4. Use the copied linking key in the Tenable Core + Tenable Web App Scanning user interface to link the sensor. For more information, see the Tenable Core+Tenable Web App Scanning User Guide.

What to do next:

Manage the sensor in Tenable Vulnerability Management (including disabling or re-enabling the sensor link).
Select the sensor when configuring Tenable Vulnerability Management scans.