Configure the Tenable Connector

These topics explain how to configure the Tenable connector.

Get the Tenable API key and secret

To configure the Tenable connector, you must create an API key and secret as described in this topic.


Note


API keys inherit the permissions of the user account that generates them. Create the API key and secret using an account with full visibility to all hosts and vulnerabilities. For more information, see Permissions.


Procedure


Step 1

Log in to Tenable as an administrator.

Step 2

Click your profile image in the top right of the page.

Step 3

Click My Profile > API Keys.

Step 4

Click Generate.

You are required to confirm the action.

Step 5

Under Custom API keys, click (Copy to clipboard) to copy both the access key and secret key to the clipboard.

Step 6

Save these values for later use.


What to do next

See Create a Tenable connector.

Create a Tenable connector

This task explains how to configure the Tenable connector in Security Cloud Control. After you configure the connector, you must also configure an adapter to receive the dynamic object.

Before you begin

We support Tenable Vulnerability Management only. We do not support Tenable Security Center.

Required User Role:

  • Super Admin

Procedure


Step 1

Log in to Security Cloud Control.

Step 2

Click Firewall.

Step 3

Click Administration > Dynamic Attributes Connector > Connectors.

Step 4

Do any of the following:

  • Add a new connector: click the Add icon, then click the name of the connector.

  • Edit a connector: click the Edit icon.

  • Delete a connector: click the Delete icon.

Step 5

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 21600 seconds or six hours.) Interval at which IP mappings are retrieved from Tenable.

We recommend a minimum value of 3600 seconds (one hour) to avoid issues with Tenable rate limiting.

Integration Key

Enter the API key obtained in Get the Tenable API key and secret.

Secret Key

Enter the secret key obtained in Get the Tenable API key and secret.

Dynamic Object Name

Enter a name to identify the dynamic object created by this connector.

Severity Score

Click the minimum vulnerability severity level for the dynamic attributes connector to send IP addresses to the Cloud-Delivered Firewall Management Center. (For example, if you click high, IP addresses of hosts with either high or severe vulnerabilities are sent.)

Choices:

  • severe

  • high

  • medium

  • low

Severity System

Choices:

  • VPR: (Vulnerability Priority Rating.) Proprietary Tenable vulnerability rating that dynamically scores threats.

    VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploit:

    • VPR severe is 9.0 and greater

    • VPR high is 7.0 and greater

    • VPR medium is 4.0 and greater

    • VPR low is 0.1 and greater

  • CVSSv3: (Common Vulnerability Scoring System version 3.) Industry-standard system that retrieves values from the National Vulnerability Database to describe risk associated with vulnerabilities. CVSS scores power a vulnerability's severity and risk value.

For more information, see CVSS vs. VPR.

Step 6

Click Test. Save the connector only after the test succeeds.

Step 7

Click Save.

Step 8

Make sure Ok is displayed in the Status column.


What to do next

See Create an adapter.
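
The Severity Score setting is a minimum threshold, so lowering it widens the set of hosts that land in the dynamic object and, in turn, the traffic your rules match. The following added example (not Cisco or Tenable code) previews that effect with the VPR bands listed under Severity System, taking the 4.0 band as medium; the function names and the sample findings are constructed for illustration.

```python
import ipaddress

# VPR floors as listed on this page; the 4.0 band is taken to be "medium".
VPR_BANDS = [("severe", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1)]
RANK = {"low": 0, "medium": 1, "high": 2, "severe": 3}

def vpr_band(score):
    """Map a VPR score to its band name; None if outside 0.1-10.0."""
    if not 0.1 <= score <= 10.0:
        return None
    for name, floor in VPR_BANDS:
        if score >= floor:
            return name
    return None

def preview_dynamic_object(findings, minimum):
    """Return sorted IPs having at least one finding at or above `minimum`."""
    if minimum not in RANK:
        raise ValueError(f"unknown severity level: {minimum!r}")
    selected = set()
    for ip, score in findings:
        band = vpr_band(score)
        if band is not None and RANK[band] >= RANK[minimum]:
            selected.add(ipaddress.ip_address(ip))  # also rejects malformed IPs
    ordered = sorted(selected, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]

def object_size_by_level(findings):
    """How many hosts each Severity Score choice would place in the object."""
    return {lvl: len(preview_dynamic_object(findings, lvl)) for lvl in RANK}

# Constructed sample data: (host IP, VPR score of one finding on that host).
SAMPLE_FINDINGS = [
    ("10.0.0.5", 9.4), ("10.0.0.5", 3.1),   # one host, two findings
    ("10.0.0.7", 7.0),                      # exactly on the "high" floor
    ("10.0.0.9", 5.0),
    ("10.0.0.12", 2.0),
    ("10.0.0.20", 0.0),                     # unscored: never selected
]

if __name__ == "__main__":
    for level, count in object_size_by_level(SAMPLE_FINDINGS).items():
        print(f"{level:>6}: {count} host(s)")
    print(preview_dynamic_object(SAMPLE_FINDINGS, "high"))
```

Running a preview like this against an export of your own findings before choosing a level shows how many hosts a block rule tied to the dynamic object would affect.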

Create an adapter

An adapter is a secure connection to Cloud-Delivered Firewall Management Center or an On-Prem Firewall Management Center to which you push network information from cloud objects for use in access control policies.

You can create the following adapters:

  • On-Prem Firewall Management Center for an on-premises Secure Firewall Management Center.

  • Cloud-Delivered Firewall Management Center for devices managed by Security Cloud Control.


Note


You must have a Super Admin user role to create the first adapter. To view or modify existing adapters, you must have an Admin or Super Admin user role.


How to create an On-Prem Firewall Management Center adapter

This topic discusses how to create an adapter to push dynamic objects from the dynamic attributes connector to Security Cloud Control.

Before you begin

Onboard the firewall manager to Security Cloud Control as discussed in Onboard a Management Center in the Managing Security and Network Devices with online help.

Note


Support for the Tenable connector with the On-Prem Firewall Management Center is currently limited to creating the dynamic object. The On-Prem Firewall Management Center does not receive network map entries from the Tenable connector, and therefore cannot be used with intrusion policy recommendations.


Required User Role:

  • Super Admin

Procedure


Step 1

Log in to Security Cloud Control as a user with the Super Admin role.

Step 2

Click Firewall.

Step 3

To add an adapter, click the Add icon > On-Prem Firewall Management Center.

Step 4

To edit or delete an adapter, click the Edit icon or the Delete icon.

Step 5

Add or edit the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Primary Device

From the list, click the IP address of a management center associated with your tenant.

Secondary Device

(Optional.) If you have a secondary On-Prem Firewall Management Center, click its name from the list.

Step 6

Click OK.


How to create a Cloud-Delivered Firewall Management Center adapter

This topic discusses how to create an adapter to push dynamic objects from the dynamic attributes connector to Security Cloud Control.

Before you begin

Required User Role:

  • Super Admin

Procedure


Step 1

Click Firewall.

Step 2

To add an adapter, click the Add icon > Cloud-Delivered Firewall Management Center.

Step 3

To edit or delete an adapter, click the Edit icon or the Delete icon.

Step 4

Edit the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Cloud FMC URL

From the list, click the URL for your Cloud-Delivered Firewall Management Center.

Step 5

Click Save.


About Tenable dynamic objects in IDS, IPS, and access control policies

You can use IPS, IDS, and access control policies and rules to monitor or block traffic to and from servers with vulnerabilities identified by the Tenable connector:

  1. To monitor traffic and inform you about vulnerabilities without blocking the traffic, create an intrusion detection system (IDS) policy with recommendations.

  2. To monitor traffic, inform you about vulnerabilities, and block matching traffic, create an intrusion prevention system (IPS) policy with recommendations.

  3. Create a new access control policy or add rules to an existing policy. Associate your IDS or IPS policy with an access control rule.
