See vulnerability data from the Nessus vulnerability scanner

Nessus is among the most widely used vulnerability scanners for identifying and reporting the vulnerabilities on assets. Xshield fetches CVE-based vulnerability exposure data from Nessus scanners through the Nessus APIs. This integration lets you see the known vulnerabilities on the assets you manage from Xshield.


How Nessus integration works

  • Integrate a commercial version of the Nessus Vulnerability Scanner with Xshield.

    Add the Nessus scanner's FQDN or IP address and its administrative login credentials to Xshield.

  • Xshield maps the probe results that the agents collected on the assets (when the agents were installed, or when probes were run on demand) to the open ports and the vulnerabilities listed in the Nessus scan results.

  • Xshield fetches the Nessus scan results for the hosts it manages from the setup where Nessus is hosted, matching them by the hostnames of the assets. The hostname Nessus reports for a host must therefore match the asset's hostname in Xshield, or no vulnerability data is shown for that asset.

  • Nessus scan results are fetched automatically once every 24 hours, at 12 AM EST. Scan results can also be fetched on demand for a single asset; those results appear within a few seconds.

    After integrating the Nessus scanner, the first scheduled set of data appears only after the next 12 AM EST sync.

  • The CVE IDs and CVSS 3.0 base scores of the vulnerabilities are displayed per asset on the asset's fly panel. By design, Xshield lists only vulnerabilities with a CVSS base score above 7.0; lower-scored findings in the Nessus report are not shown.

    In Flow Explorer, traffic flows can be filtered to those associated with vulnerable ports. See Monitor and investigate vulnerable flows for details.

  • The open ports on vulnerable assets can be blocked from Xshield, either by enforcing policies on the asset or by deleting the allow rules in Xshield policies that permit traffic to those ports. Blocking a port limits exposure; it does not patch the vulnerability.

    Vulnerable ports are not removed from the fly panel when they are blocked or remediated. They remain listed so that you can track progress in mitigating or fixing the vulnerabilities.

    See Shield vulnerable ports on assets for more details.
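The matching and filtering described above, as an added example that is not Xshield or ColorTokens code: it parses a Nessus export in the .nessus (NessusClientData_v2) XML format, keeps only CVE-bearing findings with a CVSS v3 base score above 7.0, and joins them to the open ports an agent probe reported, by hostname and then by port and protocol. The element names (ReportHost, ReportItem, cve, cvss3_base_score, the host-fqdn tag) follow the .nessus export format as the author understands it; the export, the probe results and the CVE IDs are constructed placeholders so the script runs offline. It also surfaces two things a per-port view hides: host-level findings that Nessus reports on port 0, which no port policy can shield, and findings on ports the agent did not see open.

```python
"""Added example (not Xshield code): hostname/port matching and CVSS
filtering of a Nessus export against an agent's open-port probe results."""
import xml.etree.ElementTree as ET
from collections import defaultdict

CVSS_THRESHOLD = 7.0  # only findings scored above this are listed

# Constructed .nessus (NessusClientData_v2) export; CVE IDs are placeholders.
SAMPLE_NESSUS_XML = """<NessusClientData_v2><Report name="daily">
<ReportHost name="10.0.1.20"><HostProperties>
  <tag name="host-fqdn">web01.example.internal</tag></HostProperties>
  <ReportItem port="443" protocol="tcp" pluginName="TLS weakness">
    <cve>CVE-0000-0001</cve><cvss3_base_score>5.9</cvss3_base_score></ReportItem>
  <ReportItem port="443" protocol="tcp" pluginName="Web server RCE">
    <cve>CVE-0000-0002</cve><cve>CVE-0000-0003</cve>
    <cvss3_base_score>7.5</cvss3_base_score></ReportItem>
  <ReportItem port="22" protocol="tcp" pluginName="SSH daemon RCE">
    <cve>CVE-0000-0004</cve><cvss3_base_score>8.1</cvss3_base_score></ReportItem>
  <ReportItem port="0" protocol="tcp" pluginName="Kernel privilege escalation">
    <cve>CVE-0000-0005</cve><cvss3_base_score>9.8</cvss3_base_score></ReportItem>
  <ReportItem port="8080" protocol="tcp" pluginName="Default credentials">
    <cvss3_base_score>7.2</cvss3_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.0.1.30"><HostProperties>
  <tag name="host-fqdn">db01.example.internal</tag></HostProperties>
  <ReportItem port="5432" protocol="tcp" pluginName="PostgreSQL flaw">
    <cve>CVE-0000-0006</cve><cvss3_base_score>7.0</cvss3_base_score></ReportItem>
  <ReportItem port="3306" protocol="tcp" pluginName="MySQL auth bypass">
    <cve>CVE-0000-0007</cve><cvss3_base_score>9.8</cvss3_base_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed agent probe results: (port, protocol, process) seen listening.
SAMPLE_PROBE = {
    "web01.example.internal": [(443, "tcp", "nginx"), (22, "tcp", "sshd"),
                               (8080, "tcp", "java")],
    "db01.example.internal": [(5432, "tcp", "postgres")],
}


def _norm(hostname):
    """Normalise a hostname for matching: case-insensitive, no trailing dot."""
    return hostname.strip().lower().rstrip(".")


def parse_nessus(xml_text, threshold=CVSS_THRESHOLD):
    """Return {hostname: [finding, ...]} keeping only findings that carry a CVE
    and a CVSS v3 base score above the threshold. Findings with no CVE or no
    v3 score are skipped (a choice made in this example)."""
    findings = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']") or host.get("name")
        for item in host.iter("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            score = item.findtext("cvss3_base_score")
            if not cves or score is None or float(score) <= threshold:
                continue
            findings[_norm(fqdn)].append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", "").lower(),
                "name": item.get("pluginName", ""),
                "cves": cves,
                "cvss3": float(score),
            })
    return dict(findings)


def map_to_open_ports(hostname, probe, findings_by_host):
    """Join the agent's open ports with the host's Nessus findings by
    (port, protocol). Returns the per-port rows, the host-level findings
    (Nessus port 0, not shieldable by a port policy) and the findings on
    ports the agent did not see open (stale scan, or port closed since)."""
    by_port = defaultdict(list)
    for f in findings_by_host.get(_norm(hostname), []):
        by_port[(f["port"], f["protocol"])].append(f)
    rows = []
    for port, proto, process in probe:
        matched = by_port.pop((port, proto.lower()), [])
        rows.append({
            "port": f"{port}/{proto}",
            "process": process,
            "vulnerabilities": sorted({c for f in matched for c in f["cves"]}),
            "max_cvss3": max((f["cvss3"] for f in matched), default=None),
        })
    leftover = [f for fs in by_port.values() for f in fs]
    host_level = [f for f in leftover if f["port"] == 0]
    unmatched = [f for f in leftover if f["port"] != 0]
    return rows, host_level, unmatched


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS_XML)
    for host, probe in SAMPLE_PROBE.items():
        rows, host_level, unmatched = map_to_open_ports(host, probe, findings)
        print(host)
        for r in rows:
            print(f"  {r['port']:<10}{r['process']:<10}{', '.join(r['vulnerabilities']) or '-'}")
        for f in host_level:
            print(f"  host-level: {f['name']} {f['cves']} (not shieldable by port policy)")
        for f in unmatched:
            print(f"  not open per agent: {f['port']}/{f['protocol']} {f['cves']} (rescan?)")
```

Two details worth checking against your own data: a finding scored exactly 7.0 is dropped here because the page says "above 7.0", and a host whose Nessus FQDN differs from its Xshield hostname (say, a short name versus an FQDN) silently yields no rows, which looks the same as a clean host.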


Usage guidelines

  • The Nessus setup must be reachable from Xshield at all times. Xshield checks reachability only during the integration; it does not re-check before each scheduled sync.

    If the Nessus setup later becomes unreachable, the daily sync cannot complete and the vulnerability data you see for your assets may be stale. Check the timestamp and status of the last refresh in the Nessus configuration fly panel.

  • Allow the Nessus scanner to scan all the assets that you manage from Xshield. Xshield can only show, and shield, vulnerabilities that Nessus has reported, so an unscanned asset appears to have none.

  • To see vulnerability data from the Nessus setup, you must have run a Nessus scan of your assets at least once after integrating it with Xshield.

    Xshield only reads the Nessus scanner's vulnerability report; it does not itself probe or scan the assets for vulnerabilities.


Activate and configure Nessus Scanner

By default, ColorTokens Scanner is enabled for your Xshield tenant.

You must activate Nessus Scanner to use it. Xshield deactivates ColorTokens Scanner when you activate the Nessus scanner, so only one risk assessment tool is active at a time.

  1. Go to Settings > Tools > Risk assessment tools.

  2. Click Activate in the Nessus tile.

  3. Click Configure in the Nessus tile.

  4. In the URL text box on the fly panel, enter the FQDN or IP address of the Nessus setup.

  5. In the Login text box, enter the administrative username for the Nessus setup.

  6. In the Password text box, enter the administrative password for the Nessus setup.

  7. Click Save.

    If the Nessus setup is reachable, Xshield fetches vulnerability data in the next daily sync cycle.

    From then on, Xshield refreshes the vulnerability data every day.

    The timestamp and status of each daily refresh are displayed in the fly panel; use them to confirm that the sync is still succeeding.


Interpret vulnerabilities data for an asset

Vulnerability data is displayed on the fly panels of the assets.

  • Click an asset on the Assets page.

  • Click the Security tab on the fly panel.

  • See when the exposure data was last refreshed for this asset at the top of the fly panel.

    If vulnerabilities are being fixed on the asset locally, click Fetch now to pull the asset's latest exposure data without waiting for the daily sync.

    Click Refresh at the top-right corner of the fly panel to reload the panel with the latest vulnerability data.

  • See the following details in the Security on open ports listing on the fly panel.

    • Ports - the port number and protocol

    • Process - the process listening on the port

    • Vulnerabilities - the vulnerabilities on the port, by CVE ID

    • Exposure (Probe) - the probe result mapped to this open port

  • Click a port in the fly panel to see the complete list of CVEs on the port in the Vulnerability details pop-up.

    The pop-up shows the CVE IDs, CVSS scores, names, and descriptions of the vulnerabilities on the port.


Disconnect and re-connect Nessus Scanner

Disconnect Nessus Scanner when you want to stop fetching vulnerability data from the Nessus setup temporarily. The data already fetched remains as it was at the last successful refresh.

  1. Go to Settings > Tools > Risk assessment tools.

  2. Click Configure in the Nessus tile.

  3. Click Disconnect in the fly panel.

  • To re-connect Xshield with the Nessus setup, click Connect in the fly panel.


Fetch the latest vulnerability status from Nessus Scanner

To see the most current exposure status of your assets, run a Nessus scan of your assets once every day, before Xshield's scheduled fetch, and immediately after you make critical changes on the assets. Xshield only shows what the last Nessus scan reported, so a fix applied on an asset is not reflected until Nessus has rescanned it and Xshield has fetched the result.