Configure vSphere Scanning
Required Tenable Vulnerability Management User Role: Scan Manager or Administrator
You can configure a scan to scan the following virtual environments:
- ESXi/vSphere that vCenter manages
- ESXi/vSphere that vCenter does not manage
- Virtual machines
Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.
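The note above means a hostname or an IPv6 address in the Targets box will cost you a failed scan. The following pre-flight check is an added example (not Tenable's code, and not tied to the Tenable Vulnerability Management API) that classifies each entry you intend to paste into the Targets box and reports the ESXi entries that are not IPv4 before the scan is saved; the sample entries and the `build_targets_box` helper are constructed for the example.

```python
"""Pre-flight check for the Targets box of a vSphere scan.

Added example, not Tenable's code. The page states that an ESXi host must be
given as an IPv4 address or the scan fails; this helper flags entries that are
not IPv4 before anything is submitted. Sample entries below are constructed.
"""
import ipaddress


def classify_target(entry: str) -> str:
    """Return 'ipv4', 'ipv4-range', 'ipv6' or 'hostname' for one Targets entry."""
    entry = entry.strip()
    try:
        addr = ipaddress.ip_address(entry)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    try:
        # CIDR notation such as 192.0.2.0/28; strict=False tolerates host bits.
        net = ipaddress.ip_network(entry, strict=False)
        return "ipv4-range" if net.version == 4 else "ipv6"
    except ValueError:
        return "hostname"


def check_esxi_targets(esxi_entries):
    """Split ESXi target entries into those the scanner accepts and those to fix.

    Returns (accepted, rejected); rejected is a list of (entry, reason) tuples.
    """
    accepted, rejected = [], []
    for entry in esxi_entries:
        kind = classify_target(entry)
        if kind in ("ipv4", "ipv4-range"):
            accepted.append(entry.strip())
        else:
            rejected.append((entry.strip(), f"ESXi target must be IPv4, got {kind}"))
    return accepted, rejected


def build_targets_box(vcenter, esxi_entries):
    """Compose the comma-separated Targets value for a vCenter-managed scan.

    Hypothetical helper: raises ValueError naming every ESXi entry that is not
    IPv4, so nothing is submitted until the list is clean.
    """
    accepted, rejected = check_esxi_targets(esxi_entries)
    if rejected:
        raise ValueError("; ".join(f"{e}: {r}" for e, r in rejected))
    return ", ".join([vcenter.strip()] + accepted)


if __name__ == "__main__":
    # Constructed sample: one host given by name, one as IPv6, two valid IPv4 entries.
    sample = ["esxi-01.lab.example", "192.0.2.10", "2001:db8::10", "192.0.2.0/28"]
    ok, bad = check_esxi_targets(sample)
    print("accepted:", ok)
    for entry, reason in bad:
        print("fix:", entry, "-", reason)
    print("Targets box:", build_targets_box("192.0.2.5", ok))
```

Run it against the list you plan to paste; resolve any flagged hostnames to their IPv4 addresses first, then use the printed Targets value in the Basic settings of the scan.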
About VMware Credentialed Checks
Configuring vCenter API or ESXi API credentials enables the collection of VMware Installation Bundle (VIB) package details from ESXi servers, which the ESX Local Security Checks plugin family uses. Either credential type enables ESXi VIB collection; configuring an SSH credential to a targeted ESXi server enables it as well.
In addition to collection of ESXi VIBs, the vCenter credential enables auto-discovery of ESXi servers and vCenter compliance checks. In the case of vCenter compliance checks, the vCenter server must be configured as a target.
These credentials do not collect any host-level data about the vCenter server. To collect host-level data, configure an additional credential to the vCenter server (for example, SSH or Windows).
Tenable also collects ESXi and vCenter versions by detecting the software on the targeted hosts using remote, unauthenticated checks. Current vCenter and ESXi vulnerability results are based on this data.
For more information on VMware/vCenter, refer to the VMware integration documentation.
Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter
To configure an ESXi/vSphere scan that vCenter does not manage:
- Create an advanced network Tenable Vulnerability Management scan.
- In the left navigation menu, in the Settings section, click Basic.
  The Basic settings appear.
- In the Targets section, type the IP address or addresses of the ESXi host or hosts.
- In the left navigation menu, click Credentials.
  The Credentials page appears. This page contains a table of credentials configured for the scan.
- Next to Add Credentials, click the button.
  The Select Credential Type plane appears.
- In the Miscellaneous section, select VMware ESX SOAP API.
- In the Username box, type the username associated with the local ESXi account.
- In the Password box, type the password associated with the local ESXi account.
- If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do not verify SSL Certificate toggle. Otherwise, leave the toggle enabled.
- Click Save.
- Do one of the following:
  - If you want to save without launching the scan, click Save.
    Tenable Vulnerability Management saves the scan.
  - If you want to save and launch the scan immediately, click Save & Launch.
    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
    Note: If you are editing an imported scan, the Save & Launch option is not available.
    Tenable Vulnerability Management saves and launches the scan.
Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan information plugin always shows Credentialed Checks: No in the vCenter scan results. To verify that the authentication was successful, check to see that the Nessus Scan Information plugin shows Credentialed Checks: Yes in the scan results of the ESXis.
Scenario 2: Scanning vCenter-Managed ESXi/vSpheres
Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle manager account with read permissions.
To configure an ESXi/vSphere scan managed by vCenter:
- Create an advanced network Tenable Vulnerability Management scan.
- In the left navigation menu, in the Settings section, click Basic.
  The Basic settings appear.
- In the Targets section, type the IP addresses of:
  - the vCenter host
  - the ESXi host or hosts
  Note: Listing the vCenter as a target results in the scan collecting the vCenter version and its vulnerabilities, but not operating system-level details. Listing the vCenter server as a target is also required for vCenter compliance scanning.
- In the left navigation menu, click Credentials.
  The Credentials page appears. This page contains a table of credentials configured for the scan.
- Next to Add Credentials, click the button.
  The Select Credential Type plane appears.
- In the Miscellaneous section, select VMware vCenter SOAP API.
- In the vCenter Host box, type the IP address of the vCenter host.
- In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.
- In the Username box, type the username associated with the vCenter account.
- In the Password box, type the password associated with the vCenter account.
- If the vCenter host is SSL enabled, enable the HTTPS toggle.
- If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the Verify SSL Certificate toggle. Otherwise, leave the toggle disabled.
- Click Save.
- Do one of the following:
  - If you want to save without launching the scan, click Save.
    Tenable Vulnerability Management saves the scan.
  - If you want to save and launch the scan immediately, click Save & Launch.
    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
    Note: If you are editing an imported scan, the Save & Launch option is not available.
    Tenable Vulnerability Management saves and launches the scan.
Section 3: Scanning Virtual Machines
You can scan virtual machines just like any other host on the network. Be sure to include the IP address or addresses of your virtual machines in the Targets text box. For more information, see Create a Scan.
VMware vCenter Support Matrix
Feature | Requires Authentication | Supported vCenter Version
---|---|---
Vulnerability Management | No | 7.x, 8.x
Auto Discovery | Yes | 7.0.3+, 8.x
Audit / Compliance | Yes | 6.x, 7.x, 8.x
VIB Enumeration | Yes | 7.0.3+, 8.x
Active / Inactive VMs | Yes | 7.0.3+, 8.x