Knowledge Base Article
Which Tenable sites should I allow?
INFORMATION
There are times when traffic needs to be allowed for specific sites. If this is the case, use the following list of sites to allow the correct traffic through for Tenable products.
Notes:
- Tenable Support is unable to provide a list of IPs as these servers are dynamic. Allowing these URLs is the recommended practice.
- SSL inspection on traffic to and from the Tenable update sites is not supported. While access to the update sites can be established, updates may fail to complete because of SSL inspection of the traffic.
DETAILS
Tenable products
- https://plugins.nessus.org
- https://downloads.nessus.org
- https://plugins-customers.nessus.org
- https://plugins-us.nessus.org
- https://plugins.cloud.tenable.com
- https://appliance.cloud.tenable.com
- https://tenablesecurity.com
- https://cloud.tenable.com
- https://sensor.cloud.tenable.com
- https://sensor.cloud.tenablecloud.cn
If NIAP support is needed:
- ocsp.digicert.com
- ocsp.google.com
- o.pki.goog
For retrieving Tenable Docker images for restricted environments or automated updates, please see the allow list published by Docker.
Tenable Vulnerability Management
By default, Tenable.io is configured with region-specific Cloud Scanners.
The Tenable Vulnerability Management User Guide lists cloud scanners and regions for guidance on what to allow. Their IP address ranges can be found in the Cloud Sensors section of the Tenable Vulnerability Management User Guide.
This documentation also lists other sites and IPs that will need to be allowed in order for linked Nessus Scanners and Nessus Agents to communicate with Tenable Vulnerability Management.
Further detail about the incoming and outgoing ports required for Tenable products linked to Tenable Vulnerability Management can be found in the Tip section of the Port Requirements documentation.
Because Tenable Vulnerability Management uses hCaptcha, provide access to https://hcaptcha.com/
Plugins
- Many Log4Shell plugins require that the following wildcard domains be allowed in order to perform remote checks successfully:
  - *.w.nessus.org
  - *.r.nessus.org
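
As an added example (not Tenable code), the following Python check compares an exported proxy or firewall allow-list against the destinations listed in this article and reports any that are not covered. The rule syntax (exact host or `*.domain` wildcard), the function names and the sample rules are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Destinations copied from this article (URLs, bare hosts, wildcards).
# The three OCSP/PKI hosts are only needed when NIAP support is required.
REQUIRED = [
    "https://plugins.nessus.org", "https://downloads.nessus.org",
    "https://plugins-customers.nessus.org", "https://plugins-us.nessus.org",
    "https://plugins.cloud.tenable.com", "https://appliance.cloud.tenable.com",
    "https://tenablesecurity.com", "https://cloud.tenable.com",
    "https://sensor.cloud.tenable.com", "https://sensor.cloud.tenablecloud.cn",
    "https://hcaptcha.com/", "ocsp.digicert.com", "ocsp.google.com",
    "o.pki.goog", "*.w.nessus.org", "*.r.nessus.org",
]

def normalize(entry):
    """Reduce a URL, bare host or wildcard to a lowercase host pattern."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.rstrip(".")

def covers(rule, needed):
    """True if allow-list pattern `rule` permits everything `needed` names."""
    rule, needed = normalize(rule), normalize(needed)
    if not rule.startswith("*."):
        # An exact rule can only satisfy an identical exact host.
        return rule == needed
    suffix = rule[1:]  # "*.nessus.org" -> ".nessus.org"
    if needed.startswith("*."):
        # A wildcard requirement needs an equal or broader wildcard rule.
        return needed[1:].endswith(suffix)
    # "*.x" matches subdomains of x, not the apex x itself.
    return needed.endswith(suffix)

def missing(rules, required=REQUIRED):
    """Return the required entries that no rule covers, in article order."""
    return [r for r in required if not any(covers(rule, r) for rule in rules)]

# Constructed sample allow-list (assumed syntax), not from any real device.
SAMPLE_RULES = [
    "*.nessus.org", "*.cloud.tenable.com", "tenablesecurity.com",
    "ocsp.digicert.com", "o.pki.goog", "hcaptcha.com",
    "sensor.cloud.tenablecloud.cn",
]

if __name__ == "__main__":
    for entry in missing(SAMPLE_RULES):
        print("not covered:", entry)
```

With the sample rules, `https://cloud.tenable.com` is reported because `*.cloud.tenable.com` does not match the apex host, and `ocsp.google.com` is reported because no rule names it.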