Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Nessus Now Audits Palo Alto Networks PAN-OS Configurations


In recent years, Palo Alto firewalls have gained popularity within enterprise networks. Tenable Nessus ProfessionalFeed® customers can now audit the configuration of PAN-OS™-based Palo Alto Networks firewalls. Nessus can audit the firewall operational configurations and allow Palo Alto firewall reports to be embedded into Nessus reports.

Nessus communicates with the Palo Alto XML API to access the configuration and report data. The web interface must be enabled (either HTTP or HTTPS) on the firewall. Nessus requires credentials to the devices being audited; Superuser or Superuser (readonly) accounts for PAN-OS less than or equal to version 4.1.0 and Superuser admins on PAN-OS versions less than 4.1.0. The new Nessus plugins, Palo Alto Networks PAN-OS Compliance Checks (ID 64095) and Palo Alto Networks PAN-OS Settings (ID 64286), must also be enabled.

Verify Firewall Security Settings

Scanning firewalls across your network, while providing valuable data, doesn’t give you the full picture of vulnerabilities and exposures. Configuration auditing provides you with information that can only be obtained by logging into the system directly. For example, Nessus can check for operational settings on the firewall, such as whether or not the HTTP management service has been disabled, as shown below.

Nessus PAN-OS detection

Auditing the firewall management settings allows you to harden the firewall itself. Ensuring all management protocols are using encryption is just one example. Several more checks exist for DNS, NTP, and update server settings.

For example, the Palo Alto firewall will implement anti-virus techniques that will "protect against malware embedded within compressed files and web content". In order to provide these services, the firewall must maintain a set of anti-virus policies. Using the configuration auditing now available in Nessus, you can detect when the anti-virus policies on your firewall are missing or out of date.

Nessus PAN-OS detection

Nessus also includes checks to ensure the Palo Alto device is running the latest threat information, URL filtering, and global protect information.

Auditing Palo Alto Reports

One of the nice features of a Palo Alto firewall is that it continuously profiles its network and generates 40+ pre-defined reports on a daily basis. Reports include Top Applications, Top Attackers, Spyware Infected Hosts, and more. Administrators can also generate dynamic reports for different time periods, for example, the last hour. Nessus can now directly query these Palo Alto reports and include them in a Nessus report. For example, here’s a sample of the "Spyware Infected Hosts" report:

Nessus PAN-OS detection

Palo Alto firewalls also have application detection, collecting data on which users are using certain applications (e.g., Facebook). Here’s a sample of the “Top Applications” report:

Nessus PAN-OS detection

The compliance state of a check can be determined by comparing the output of the 'expect' or 'not_expect' keywords in the .audit file. For example, you can check the "Top Applications" and create a high-severity alert if "ping" is in the list of discovered applications.

Nessus PAN-OS detection

This feature has two benefits. First, users don't need to access different interfaces to get the same data. Second, you can now audit information from the report. For example, if you don’t want Facebook to be used on your network, then administrators can generate a failed report if Facebook appears on the “Top Applications” report.


Nessus ProfessionalFeed customers can download all the latest compliance checks from the Tenable Support Portal.

Auditing the configuration of Palo Alto firewalls further extends Nessus’ capabilities to help secure your company’s infrastructure. For further information about using Nessus to audit your router and firewall configurations, view the following posts:

If you like this feature and plan to use it, please leave us a comment!

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.