Tenable Connect Support

Knowledge Base Article

What ports are required for Tenable products?

Tenable Security Center (TSC)

  • Incoming TCP Port 22 - SSH for remote repository sync with other TSC deployments
  • Incoming TCP Port 443 - HTTPS for User Interface, API calls, and remote repositories initial key push
  • Incoming TCP Port 8837 - HTTPS for Sensor Proxy communication
  • Outgoing TCP Port 22 - SSH for Remote repository sync
  • Outgoing TCP Port 25 - SMTP Email notification (may also use 587 for secure email or other non-standard port)
  • Outgoing TCP Port 389 - LDAP Authentication (may also use 636 for LDAPS)
  • Outgoing TCP Port 443 - HTTPS for Plugin/Feed/Patch updates and Tenable One communication
  • Outgoing UDP Port 514 - Syslog forwarding (optional, may also use TCP Port 514)
  • Outgoing TCP Port 3128 - Web Proxy communication (customizable)
  • Outgoing TCP Port 8834 - HTTPS for Nessus and Nessus Manager communication (customizable)
  • Outgoing TCP Port 8835 - HTTPS for Nessus Network Monitor communication (customizable)
  • Outgoing UDP Port 53 - DNS resolution

Note: The remote repository process starts on port 443. All additional requests regarding the remote repository will go through port 22.

Tenable Security Center (TSC+)

All the ports listed for Tenable Security Center above. If deploying LCE, the ports below are also required:

  • Outgoing TCP Port 22 - SSH for LCE event query
  • Outgoing TCP Port 1243 - LCE Event Vulnerability Data Reporting (customizable)

Tenable Nessus (includes Professional, Scanner, and Manager variants)

  • Incoming TCP Port 8834 - HTTPS for User Interface, Tenable Security Center communication, agent communication, and API calls (customizable)
  • Outgoing TCP Port 25 - SMTP email notification
  • Outgoing TCP Port 389 - LDAP Authentication (may also use 636 for LDAPS)
  • Outgoing TCP Port 443 - HTTPS for Plugin updates and Tenable Vulnerability Management communication
  • Outgoing TCP Port 3128 - Web Proxy communication (customizable)
  • Outgoing UDP Port 53 - DNS resolution, required for some plugins

Nessus Agents

  • Outgoing TCP Port 443 - HTTPS for Tenable Vulnerability Management or Sensor Proxy communication
  • Outgoing TCP Port 8834 - HTTPS for Nessus Manager communication (customizable)

Note: The Agent initiates the conversation with the Manager. The Manager needs to respond to the Agent's messages, but it does not need to start the conversation. Once installed, Nessus Agents are automatically updated by their manager.

Sensor Proxy

  • Incoming TCP Port 443 - HTTPS for Agent communication
  • Outgoing UDP Port 123 - NTP synchronization
  • Outgoing TCP Port 443 - HTTPS for Tenable Vulnerability Management communication and OS updates
  • Outgoing UDP Port 53 - DNS resolution

LCE (Log Correlation Engine)

LCE Server

  • Incoming TCP Port 8836 - HTTPS for User Interface
  • Incoming TCP Port 1243 - Event Vulnerability Data Reporting (may also use 8080 or any other custom port)
  • Incoming TCP Port 31300 - LCE Client/Monitor Communication
  • Incoming TCP Port 601 - Receive Reliable Syslog
  • Incoming TCP Port 22 - SSH for Tenable Security Center event query
  • Outgoing TCP Port 25 - SMTP Email Notification
  • Outgoing TCP Port 443 - HTTPS for Plugins update and TVM Communication
  • Outgoing TCP Port 601 - Forward Reliable Syslog
  • Incoming UDP Port 162 - SNMP
  • Incoming UDP Port 514 - Receive Syslog
  • Outgoing UDP Port 53 - DNS Resolving
  • Outgoing UDP Port 514 - Forward Syslog

LCE Client

  • Outgoing TCP 31300 - LCE Server - Communication between LCE and LCE clients
  • Outgoing TCP 135 - Windows Targets - Communication between WMI Monitor and targets
  • Outgoing TCP 445 - Windows Targets - Communication between WMI Monitor and targets
  • Outgoing TCP 443 - AWS, GCP, Salesforce - Communication between Web Query Monitor and web host
  • Incoming TCP 9800 - Splunk - Communication between Splunk and the Splunk Client
  • Incoming TCP 18185 - Checkpoint Firewall - Communication between Checkpoint Firewalls and the OPSEC client
  • Incoming TCP 1468 - Network Devices - Communication between network devices and the network monitor
  • Incoming UDP 514 - Network Devices - Communication between network devices and the network monitor
  • Incoming UDP 2055 - Routers - Communication between routers and Netflow Monitor

Nessus Network Monitor (formerly Passive Vulnerability Scanner)

  • Incoming TCP Port 8835 - HTTPS for User Interface and Tenable Security Center Communication
  • Outgoing TCP Port 443 - Plugins update and Nessus Cloud Manager Communication
  • Outgoing UDP Port 514 - Forward Syslog
  • Outgoing TCP Port 601 - Forward Reliable Syslog
  • Outgoing UDP Port 53 - DNS Resolving

Tenable OT Security (TOT)

Tenable OT Security Enterprise Manager (IEM)

  • Incoming TCP Port 22 - SSH and IEM pairing
  • Incoming TCP Port 443 - Web UI access and IEM pairing
  • Outgoing TCP Port 22 - SSH and IEM pairing
  • Outgoing TCP Port 443 - Web UI access and IEM pairing
  • Incoming TCP Port 28305 - ICP pairing
  • Incoming TCP Port 8000 - ICP update distribution

Tenable OT Security Industrial Core Platform (ICP)

  • Incoming TCP Port 22 - SSH, Sensor pairing, IEM pairing
  • Incoming TCP Port 443 - Web UI access, Sensor pairing, IEM pairing
  • Incoming TCP Port 28303 - Sensor pairing (TOT version 3.14 and lower)
  • Incoming TCP Port 28304 - Sensor pairing (TOT version 3.16 and higher)
  • Outgoing TCP Port 28305 - Enterprise Manager pairing
  • Outgoing TCP Port 22 - SSH, Sensor pairing, IEM pairing
  • Outgoing TCP Port 443 - Web UI access, Sensor pairing, IEM pairing, communication with TSC, HTTPS fingerprinting
  • Outgoing TCP Port 80 - HTTP fingerprinting
  • Outgoing TCP Port 102 - S7/S7+ protocol
  • Outgoing TCP Port 389 - LDAPS communication
  • Outgoing TCP Port 636 - LDAPS communication
  • Outgoing TCP Port 445 - WMI queries
  • Outgoing TCP Port 502 - Modbus protocol
  • Outgoing ICMP - Asset discovery
  • Outgoing TCP Port 5432 - PostgreSQL queries
  • Outgoing TCP Port 44818 - CIP protocol
  • Outgoing TCP Port 53 - DNS
  • Outgoing UDP Port 53 - DNS
  • Outgoing TCP Port 25 - SMTP email
  • Outgoing UDP Port 514 - Syslog forwarding
  • Outgoing UDP Port 161 - SNMP queries
  • Outgoing UDP Port 137 - NBNS queries
  • Outgoing UDP Port 138 - NetBIOS queries

Tenable OT Security Sensor

  • Incoming TCP Port 22 - SSH, Sensor pairing
  • Incoming TCP Port 443 - Sensor pairing
  • Outgoing TCP Port 28303 - Sensor pairing (TOT version 3.14 and lower)
  • Outgoing TCP Port 28304 - Sensor pairing (TOT version 3.16 and higher)
  • Outgoing TCP Port 22 - SSH, Sensor pairing
  • Outgoing TCP Port 443 - Sensor pairing
  • Outgoing TCP Port 80 - HTTP fingerprinting
  • Outgoing TCP Port 102 - S7/S7+ protocol
  • Outgoing TCP Port 389 - LDAPS communication
  • Outgoing TCP Port 636 - LDAPS communication
  • Outgoing TCP Port 445 - WMI queries
  • Outgoing TCP Port 502 - Modbus protocol
  • Outgoing ICMP - Asset discovery
  • Outgoing TCP Port 5432 - PostgreSQL queries
  • Outgoing TCP Port 44818 - CIP protocol
  • Outgoing TCP Port 53 - DNS
  • Outgoing UDP Port 53 - DNS
  • Outgoing TCP Port 25 - SMTP email
  • Outgoing UDP Port 514 - Syslog forwarding
  • Outgoing UDP Port 161 - SNMP queries
  • Outgoing UDP Port 137 - NBNS queries
  • Outgoing UDP Port 138 - NetBIOS queries

Tenable Core

  • Incoming TCP Port 22 - Command-line interface
  • Incoming TCP Port 8000 - Management Interface
  • Incoming TCP Port 8090 - Used to upload archives for restoration and migrations. This port will only be enabled during the archive uploads process.
  • Outgoing TCP Port 22 - Backup remote storage
  • Outgoing TCP Port 443 - Appliance Update
  • Incoming UDP Port 161 - SNMP communication
  • Outgoing UDP Port 53 - DNS Resolving
  • Outgoing UDP Port 123 - NTP synchronization

Note: The ports required for the application(s) hosted on Tenable Core will also be required.

Tenable Cloud Security (TCS)

  • On-Premise Code Scanner - Incoming TCP Port 9020 - Receive jobs from SCM, Web UI, receive authorization from SCM authorizer
  • On-Premise Code Scanner - Outgoing TCP Port 443 (to internet) - Send data to TCS cloud service

Additional ports

Ports that may be required for hosts to be scanned (not an exhaustive list)

  • TCP Port 22 - SSH
  • TCP Port 139 - SMB
  • TCP Port 445 - SMB
  • UDP Port 161 - SNMP

Site connections for updates

See "Which Tenable sites should I allow?"

Published 28 days ago
Version 1.0