What ports are required for Tenable products?

Tenable Security Center (TSC)

Incoming TCP Port 22 - SSH for remote repository sync with other TSC deployments
Incoming TCP Port 443 - HTTPS for User Interface, API calls, and remote repositories initial key push
Incoming TCP Port 8837 - HTTPS for Sensor Proxy communication
Outgoing TCP Port 22 - SSH for Remote repository sync
Outgoing TCP Port 25 - SMTP Email notification (may also use 587 for secure email or other non-standard port)
Outgoing TCP Port 389 - LDAP Authentication (may also use 636 for LDAPS)
Outgoing TCP Port 443 - HTTPS for Plugin/Feed/Patch updates and Tenable One communication
Outgoing UDP Port 514 - Syslog forwarding (optional, may also use TCP Port 514)
Outgoing TCP Port 3128 - Web Proxy communication (customizable)
Outgoing TCP Port 8834 - HTTPS for Nessus and Nessus Manager communication (customizable)
Outgoing TCP Port 8835 - HTTPS for Nessus Network Monitor communication (customizable)
Outgoing UDP Port 53 - DNS resolution

Note: The remote repository process starts on port 443. All additional requests regarding the remote repository will go through port 22.

Tenable Security Center (TSC+)

All the ports listed for Tenable Security Center above, plus the ports below, only if deploying LCE:

Outgoing TCP Port 22 - SSH for LCE event query
Outgoing TCP Port 1243 - LCE Event Vulnerability Data Reporting (customizable)

Tenable Nessus (includes Professional, Scanner, and Manager variants)

Incoming TCP Port 8834 - HTTPS for User Interface, Tenable Security Center communication, agent communication, and API calls (customizable)
Outgoing TCP Port 25 - SMTP email notification
Outgoing TCP Port 389 - LDAP Authentication (may also use 636 for LDAPS)
Outgoing TCP Port 443 - HTTPS for Plugin updates and Tenable Vulnerability Management communication
Outgoing TCP Port 3128 - Web Proxy communication (customizable)
Outgoing UDP Port 53 - DNS resolution, required for some plugins

Nessus Agents

Outgoing TCP Port 443 - HTTPS for Tenable Vulnerability Management or Sensor Proxy communication
Outgoing TCP Port 8834 - HTTPS for Nessus Manager communication (customizable)

Note: The Agent will initiate the conversation with the Manager. The Manager will need to respond to the Agent's messages but it will not need to start the conversation. Once installed, Nessus Agents are automatically updated by their manager.

Sensor Proxy

Incoming TCP Port 443 - HTTPS for Agent communication
Outgoing UDP Port 123 - NTP synchronization
Outgoing TCP Port 443 - HTTPS for Tenable Vulnerability Management communication and OS updates
Outgoing UDP Port 53 - DNS resolution

LCE (Log Correlation Engine)

LCE Server

Incoming TCP Port 8836 - HTTPS for User Interface
Incoming TCP Port 1243 - Event Vulnerability Data Reporting (may also use 8080 or any other custom port)
Incoming TCP Port 31300 - LCE Client/Monitor Communication
Incoming TCP Port 601 - Receive Reliable Syslog
Incoming TCP Port 22 - SSH for Tenable Security Center event query
Outgoing TCP Port 25 - SMTP Email Notification
Outgoing TCP Port 443 - HTTPS for Plugins update and TVM Communication
Outgoing TCP Port 601 - Forward Reliable Syslog
Incoming UDP Port 162 - SNMP
Incoming UDP Port 514 - Receive Syslog
Outgoing UDP Port 53 - DNS Resolving
Outgoing UDP Port 514 - Forward Syslog

LCE Client

Outgoing TCP 31300 - LCE Server - Communication between LCE and LCE clients
Outgoing TCP 135 - Windows Targets - Communication between WMI Monitor and targets
Outgoing TCP 445 - Windows Targets - Communication between WMI Monitor and targets
Outgoing TCP 443 - AWS, GCP, Salesforce - Communication between Web Query Monitor and web host
Incoming TCP 9800 - Splunk - Communication between Splunk and the Splunk Client
Incoming TCP 18185 - Checkpoint Firewall - Communication between Checkpoint Firewalls and the OPSEC client
Incoming TCP 1468 - Network Devices - Communication between network devices and the network monitor
Incoming UDP 514 - Network Devices - Communication between network devices and the network monitor
Incoming UDP 2055 - Routers - Communication between routers and Netflow Monitor

Nessus Network Monitor (formerly Passive Vulnerability Scanner)

Incoming TCP Port 8835 - HTTPS for User Interface and Tenable Security Center Communication
Outgoing TCP Port 443 - Plugins update and Nessus Cloud Manager Communication
Outgoing UDP Port 514 - Forward Syslog
Outgoing TCP Port 601 - Forward Reliable Syslog
Outgoing UDP Port 53 - DNS Resolving

Tenable OT Security (TOT)

Tenable OT Security Enterprise Manager (IEM)

Incoming TCP Port 22 - SSH and IEM pairing
Incoming TCP Port 443 - Web UI access and IEM pairing
Outgoing TCP Port 22 - SSH and IEM pairing
Outgoing TCP Port 443 - Web UI access and IEM pairing
Incoming TCP Port 28305 - ICP pairing
Incoming TCP Port 8000 - ICP update distribution

Tenable OT Security Industrial Core Platform (ICP)

Incoming TCP Port 22 - SSH, Sensor pairing, IEM pairing
Incoming TCP Port 443 - Web UI access, Sensor pairing, IEM pairing
Incoming TCP Port 28303 - Sensor pairing (TOT version 3.14 and lower)
Incoming TCP Port 28304 - Sensor pairing (TOT version 3.16 and higher)
Outgoing TCP Port 28305 - Enterprise Manager pairing
Outgoing TCP Port 22 - SSH, Sensor pairing, IEM pairing
Outgoing TCP Port 443 - Web UI access, Sensor pairing, IEM pairing, communication with TSC, HTTPS fingerprinting
Outgoing TCP Port 80 - HTTP fingerprinting
Outgoing TCP Port 102 - S7/S7+ protocol
Outgoing TCP Port 389 - LDAPS communication
Outgoing TCP Port 636 - LDAPS communication
Outgoing TCP Port 445 - WMI queries
Outgoing TCP Port 502 - Modbus protocol
Outgoing ICMP - Asset discovery
Outgoing TCP Port 5432 - PostgreSQL queries
Outgoing TCP Port 44818 - CIP protocol
Outgoing TCP Port 53 - DNS
Outgoing UDP Port 53 - DNS
Outgoing TCP Port 25 - SMTP email
Outgoing UDP Port 514 - Syslog forwarding
Outgoing UDP Port 161 - SNMP queries
Outgoing UDP Port 137 - NBNS queries
Outgoing UDP Port 138 - NetBIOS queries

Tenable OT Security Sensor

Incoming TCP Port 22 - SSH, Sensor pairing
Incoming TCP Port 443 - Sensor pairing
Outgoing TCP Port 28303 - Sensor pairing (TOT version 3.14 and lower)
Outgoing TCP Port 28304 - Sensor pairing (TOT version 3.16 and higher)
Outgoing TCP Port 22 - SSH, Sensor pairing
Outgoing TCP Port 443 - Sensor pairing
Outgoing TCP Port 80 - HTTP fingerprinting
Outgoing TCP Port 102 - S7/S7+ protocol
Outgoing TCP Port 389 - LDAPS communication
Outgoing TCP Port 636 - LDAPS communication
Outgoing TCP Port 445 - WMI queries
Outgoing TCP Port 502 - Modbus protocol
Outgoing ICMP - Asset discovery
Outgoing TCP Port 5432 - PostgreSQL queries
Outgoing TCP Port 44818 - CIP protocol
Outgoing TCP Port 53 - DNS
Outgoing UDP Port 53 - DNS
Outgoing TCP Port 25 - SMTP email
Outgoing UDP Port 514 - Syslog forwarding
Outgoing UDP Port 161 - SNMP queries
Outgoing UDP Port 137 - NBNS queries
Outgoing UDP Port 138 - NetBIOS queries

Tenable Core

Incoming TCP Port 22 - Command-line interface
Incoming TCP Port 8000 - Management Interface
Incoming TCP Port 8090 - Used to upload archives for restoration and migrations. This port will only be enabled during the archive uploads process.
Outgoing TCP Port 22 - Backup remote storage
Outgoing TCP Port 443 - Appliance Update
Incoming UDP Port 161 - SNMP communication
Outgoing UDP Port 53 - DNS Resolving
Outgoing UDP Port 123 - NTP synchronization

Note: The ports required for the application(s) hosted on Tenable Core will also be required.

Tenable Cloud Security (TCS)

On-Premise Code Scanner - Incoming TCP Port 9020 - Receive jobs from SCM, Web UI, receive authorization from SCM authorizer
On-Premise Code Scanner - Outgoing TCP Port 443 (to internet) - Send data to TCS cloud service

Additional ports

Ports that may be required for hosts to be scanned (not an exhaustive list)

TCP Port 22 - SSH
TCP Port 139 - SMB
TCP Port 445 - SMB
UDP Port 161 - SNMP

Site connections for updates

See Which Tenable sites should I allow?

Published 12 days ago

Version 1.0

Tenable Connect Support

Knowledge Base Article