Fortinet black logo

External Systems Configuration Guide

Tenable Nessus Vulnerability Scanner

Tenable Nessus Vulnerability Scanner

What is Discovered and Monitored

Protocol

Metrics collected

Used for

Nessus API

Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence

Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "nessus" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCES > Reports, search for "nessus" in the main content panel Search... field to see the reports associated with this device.

Configuration

To configure a Tenable Nessus Security Scanner, take the following steps:

  1. Deploy a Nessus server (5, 6, 7, or 8).

  2. Generate an API key. For Nessus 7 or Nessus 8, obtain the Access Key and Secret Key.
    Note: If using Nessus (5) or Nessus 6, create a username and password that FortiSIEM can use to access the API and make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user.

  3. Add a target device IP that will be scanned.

  4. Login to the FortiSIEM GUI.

  5. Navigate to CMDB > Devices.

  6. Add the target device IP to CMDB > Devices in FortiSIEM.

  7. Navigate to ADMIN > Setup, and click the Credentials tab.

  8. In Step 1: Enter Credentials, click New:

    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.

    2. Enter these Nessus credential settings in the Access Method Definition dialog box and click Save:

      Setting Value
      Name <set name>
      Device Type

      Choose the appropriate device type:

      -Tenable Nessus Security Scanner
      -Tenable Nessus6 Security Scanner
      -Tenable Nessus7 Security Scanner
      -Tenable Nessus8 Security Scanner

      Access Protocol

      The access protocol will auto populate based off the device type selected:

      -Nessus API
      -Nessus6 API
      -Nessus7 API
      -Nessus8 API

      Pull Interval (minutes) 5 (default 60 minutes)
      Port 8834
      User Name (for Nessus and 6) A user who has permission to access the device over the API
      Password (for Nessus and 6) The password associated with the user
      Access Key (for Nessus7 and 8) Obtain the Access Key from Nessus
      Secret Key (for Nessus7 and 8) Obtain the Secret Key from Nessus
  9. In Step 2: Enter IP Range to Credential Associations, click New.

    1. Select the credential you created earlier from the Credentials drop-down list.

    2. In the IP/Host Name field, enter the IP/IP Range or Host Name.

    3. Click Save.

  10. Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start the polling.

  11. Navigate to ADMIN > Setup > Pull Events. The yellow star besides the Nessus pull job should turn the color green.

  12. Scan the target device IP in the Nessus server, and export the scan report.

  13. Navigate to ANALYTICS in FortiSIEM, and query the Nessus events with the condition Event Type = Nessus-Vuln-Detected.

  14. Compare the events in the FortiSIEM with the scan report exported from the Nessus server.

Note that the severity matching rule between Nessus8 and AO Event are as follows:

Nessus Status

FortiSIEM Event Severity Number

Critical Event Severity 10
High Event Severity 9
Medium Event Severity 6
Low Event Severity 2
None Event Severity 3


If Vulnerability CVE ID in FortiSIEM events is not NULL, the target device IP will be added to INCIDENTS > Risk in FortiSIEM.

Tenable Nessus Vulnerability Scanner

What is Discovered and Monitored

Protocol

Metrics collected

Used for

Nessus API

Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence

Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "nessus" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCES > Reports, search for "nessus" in the main content panel Search... field to see the reports associated with this device.

Configuration

To configure a Tenable Nessus Security Scanner, take the following steps:

  1. Deploy a Nessus server (5, 6, 7, or 8).

  2. Generate an API key. For Nessus 7 or Nessus 8, obtain the Access Key and Secret Key.
    Note: If using Nessus (5) or Nessus 6, create a username and password that FortiSIEM can use to access the API and make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user.

  3. Add a target device IP that will be scanned.

  4. Login to the FortiSIEM GUI.

  5. Navigate to CMDB > Devices.

  6. Add the target device IP to CMDB > Devices in FortiSIEM.

  7. Navigate to ADMIN > Setup, and click the Credentials tab.

  8. In Step 1: Enter Credentials, click New:

    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.

    2. Enter these Nessus credential settings in the Access Method Definition dialog box and click Save:

      Setting Value
      Name <set name>
      Device Type

      Choose the appropriate device type:

      -Tenable Nessus Security Scanner
      -Tenable Nessus6 Security Scanner
      -Tenable Nessus7 Security Scanner
      -Tenable Nessus8 Security Scanner

      Access Protocol

      The access protocol will auto populate based off the device type selected:

      -Nessus API
      -Nessus6 API
      -Nessus7 API
      -Nessus8 API

      Pull Interval (minutes) 5 (default 60 minutes)
      Port 8834
      User Name (for Nessus and 6) A user who has permission to access the device over the API
      Password (for Nessus and 6) The password associated with the user
      Access Key (for Nessus7 and 8) Obtain the Access Key from Nessus
      Secret Key (for Nessus7 and 8) Obtain the Secret Key from Nessus
  9. In Step 2: Enter IP Range to Credential Associations, click New.

    1. Select the credential you created earlier from the Credentials drop-down list.

    2. In the IP/Host Name field, enter the IP/IP Range or Host Name.

    3. Click Save.

  10. Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start the polling.

  11. Navigate to ADMIN > Setup > Pull Events. The yellow star besides the Nessus pull job should turn the color green.

  12. Scan the target device IP in the Nessus server, and export the scan report.

  13. Navigate to ANALYTICS in FortiSIEM, and query the Nessus events with the condition Event Type = Nessus-Vuln-Detected.

  14. Compare the events in the FortiSIEM with the scan report exported from the Nessus server.

Note that the severity matching rule between Nessus8 and AO Event are as follows:

Nessus Status

FortiSIEM Event Severity Number

Critical Event Severity 10
High Event Severity 9
Medium Event Severity 6
Low Event Severity 2
None Event Severity 3


If Vulnerability CVE ID in FortiSIEM events is not NULL, the target device IP will be added to INCIDENTS > Risk in FortiSIEM.