Deploy the InsightVM Console

The Security Console is an on-premises vulnerability scanner and management system. Its core features allow you to identify risk in your environment, organize your devices, and prioritize remediation.

Scanning

Run scans to extensively probe your devices for known vulnerabilities, exploits, and policy rules. Create sites to logically group your assets for targeted scans. The Security Console uses Scan Engines to perform the actual scan job, and you can configure/distribute them in a way that is best for your environment.

Choose between several built-in Scan Templates (such as CIS policy compliance or Full audit without Web Spider) to determine which checks are performed for a particular scan. You can also tailor your own Scan Templates to quickly search for the vulnerabilities and policies that matter the most to your organization. Create scan schedules to automate your scan jobs and keep your security team informed on a regular basis.

Asset organization

Organize your scanned assets into dynamic or static asset groups according to a variety of traits, such as location, operating system, and owner. Use the Security Console’s tagging system to adjust risk scores and prioritize remediation for your most critical assets. Run filtered asset searches to find scanned assets based on over 40 unique parameters.

Reporting

Generate reports of your scan results so your security teams know what to fix and how. Make use of our built-in report templates or leverage SQL query exports for fully customizable reports. The following example cases highlight some of our most popular report templates:

  • Leverage the Top Remediation report to prioritize the remediations that lead to the greatest reduction in risk.
  • If you’re a business that handles credit card transactions, use the PCI report to prepare for an upcoming PCI audit.
  • Generate the Vulnerability Trends report to examine your total detected assets, vulnerabilities, and exploits over custom date ranges.
Advanced features

InsightVM offers far more advanced functionality than we can cover in the scope of this guide, but we can talk about those features later. For now, just keep these core features in mind as they are the tools you’ll be using day to day.

Core Components

Your InsightVM installation has the following components:

ComponentDescription
Security ConsoleThis is the component you’ll use to create sites, run scans, generate reports, and much more. The Security Console is accessed via a web-based user interface through any of our supported browsers.
Scan EngineScan Engines are responsible for performing scan jobs on your assets. Note that Scan Engines only store scan data temporarily before sending it back to the Security Console for integration and long-term storage.

Requirements

Before you start, ensure you have the following in place.

System requirements

The following system requirements are necessary to ensure you have the best experience with InsightVM and Nexpose.

Hardware requirements

The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.

InsightVM does not support running the Security Console in a container. However, the Scan Engine is available as a container image on Docker Hub.

Security Console requirements

At this time, we only support x86_64 architecture.

Asset volumeProcessorMemoryStorage
5,0004 cores16 GB1 TB
20,00012 cores64 GB2 TB
150,00012 cores128 GB4 TB
400,00012 cores256 GB8 TB

Scan Engine requirements

At this time, we only support x86_64 architecture.

Asset volume per dayProcessorMemoryStorage
5,000 assets/day2 cores8 GB100 GB
20,000 assets/day4 cores16 GB200 GB

Operating Systems

We require an English operating system with English/United States regional settings.

64-bit versions of the following platforms are supported:

PlatformVersions
Linux
  • Ubuntu Linux 22.04 LTS (Recommended)
  • Ubuntu Linux 20.04 LTS
  • Ubuntu Linux 18.04 LTS
  • Ubuntu Linux 16.04 LTS
  • Oracle Linux 8
  • Oracle Linux 7
  • SUSE Linux Enterprise Server 12
Microsoft Windows
  • Windows Server Desktop experience only. Core not supported.
    • Microsoft Windows Server 2022
    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
RedHat
  • Red Hat Enterprise Linux Server 9
  • Red Hat Enterprise Linux Server 8
  • Red Hat Enterprise Linux Server 7
  • Red Hat Enterprise Linux Server 6
CentOS
  • CentOS 7

Browsers

We support the most recent version of the following browsers:

  • Google Chrome (Recommended)
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Microsoft Edge

Firewall requirements

Security Console firewall requirements

You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.

RegionRegion URL
United States - 1https://us.api.endpoint.ingress.rapid7.com:443
us.deployment.endpoint.ingress.rapid7.com
United States - 2https://us2.api.endpoint.ingress.rapid7.com:443
us2.deployment.endpoint.ingress.rapid7.com
United States Westhttps://us3.api.endpoint.ingress.rapid7.com:443
us3.deployment.endpoint.ingress.rapid7.com
Europehttps://eu.api.endpoint.ingress.rapid7.com:443
eu.deployment.endpoint.ingress.rapid7.com
Canadahttps://ca.api.endpoint.ingress.rapid7.com:443
ca.deployment.endpoint.ingress.rapid7.com
Japanhttps://ap.api.endpoint.ingress.rapid7.com:443
ap.deployment.endpoint.ingress.rapid7.com
Australiahttps://au.api.endpoint.ingress.rapid7.com:443
au.deployment.endpoint.ingress.rapid7.com

For additional IP addresses for each region see Connectivity requirements.

Scan Engine firewall requirements

If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.

SourceDestinationPortProtocol
Console-to-EngineConsoleScan Engine40814TCP
Engine-to-ConsoleEngineConsole40815TCP

Ports

The ports shown in this table are the default ports used by the Security Console and Scan Engine. If you modify these default ports during the deployment procedure, make sure your firewall rules match your port modifications.

Memory and Disk Space

Memory

The integration of scan data from Scan Engines can be memory-intensive depending on how many assets are being scanned at once. For this basic deployment, your host machine must have a minimum of 16GB RAM.

Note

If you intend to deploy on a virtual machine, ensure that you provision the virtual machine with sufficient reserved memory according to the system requirements. Configuring a virtual machine with shared memory may cause negative performance impact.

Disk space

Proper disk space allocation for the database is essential. The biggest storage impact on your host machine will come from scans, reports, and database backups. Scan data alone can have varying levels of storage impact depending on your configuration, including scan frequency and whether or not you are authenticating to the target assets.

Note

Authenticated scans require roughly ten times the disk space of unauthenticated scans.

For this basic deployment, your host machine must have a minimum of 100GB of free storage space in order to accommodate your future scan data and reports. At least 1TB of free storage space is recommended for small-scale deployments.

Consider this example deployment situation: Scanning 1000 assets on a monthly basis with authentication, generating a single report, and storing the data for one year will take 76GB of storage.

Don’t underestimate your storage needs

As you prepare your deployment plan, think about how your network and security needs could change over time. Allocate free storage so you can scan additional assets, increase your scanning frequency, and create database backups. Your Security Console host should be prepared for these events! If you find yourself making a decision between two numbers, go for the larger one.

Check our System Requirements page for details. Note the supported operating systems and browsers in particular. Also, you can run the Security Console and Scan Engine on a virtualized instance of any of our supported operating systems as long as they meet the system requirements.

You can deploy using Ubuntu Linux or Windows.

Network requirements

Host IP address

The IP address of your host machine must be statically assigned. You will use this address to access the Security Console’s web interface.

Ports

The Security Console communicates through the following ports in order to perform the following tasks.

PortTaskDirectionDestination
3780 (HTTPS protocol)Web interface access to the Security ConsoleInboundSecurity Console
40814Management of scan activity on Scan Engines and the retrieval of scan dataOutboundScan Engine
443Upload of PGP-encrypted diagnostic informationOutboundsupport.rapid7.com
Allows the Security Console to download content and feature updates.

You must allow the server hosting InsightVM to make outbound connections to updates.rapid7.com on port 443. The Security Console connects to updates.rapid7.com regularly to check for new product versions (every 6 hours) and vulnerability/policy content (every 2 hours). With every connection, the console uploads a JSON file containing license and usage information that helps Rapid7 understand how InsightVM is being used. This upload does not contain any vulnerability assessment data from your assets or any other sensitive information on your environment.

You can see the contents of this JSON file yourself by running the generate statistics command in the command console.
Outboundupdates.rapid7.com
25 or 465 (These ports are optional and feature-related)If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay serverOutboundSMTP relay server

Opt into the Insight platform

InsightVM’s platform-only features like Dashboards and Remediation Projects require some additional connectivity in order to function properly. See our communications page for detailed platform connectivity requirements.

Programs and services

Several programs and services must be disabled for the Security Console to function. In general, the following services may interfere with network scanning and may also prevent checks from loading or executing:

  • Anti-virus / malware detectors: If disabling your anti-virus or malware detection software is not an option, make sure that you configure the software to bypass the Rapid7 installation directory on your Security Console host (the default location for this directory on Windows is C:\Program Files\Rapid7). This ensures that InsightVM can operate without interference from this kind of software.
  • Intrusion Detection Systems (IDS)
  • Personal firewalls
  • Executable blocking products
  • SELinux

Installation Options

Default account creation

During your installation, you’ll create a default account with Global Administrator privileges. When you configure these credentials, store them in a safe place where you can reference them in the future.

Username and password creation.

Credentials are case-sensitive. As you create credentials, complexity requirements are displayed to ensure that your credentials are secure. Even if your password meets the minimum requirements, it is recommended that you make your password as strong as possible for additional security. A “heat bar” is displayed that gradually changes color from red to green as you make your password stronger. Global Administrators can create and modify accounts after installation.

Avoid conflicts with other authentication source accounts

As a general guideline, the username for your default account should be totally unique from any other account name that you may have already configured in other external authentication sources. The Security Console requires that all user accounts have unique usernames. If you intend to configure an external authentication source for console access (such as Active Directory or SAML), do not use one of your external authentication accounts as the default account username.

Recovery of credentials is not supported.

After installation is complete, you will be able to log in to the InsightVM application. Recovery of credentials is not supported. If you forget your username or password, you will have to reinstall the program.

Enable/disable initialization

Enabled by default, this option will initialize the Security Console after it’s been installed. Initialization configures the application for use and updates the vulnerability database. If you enable initialization, your installation time will increase respective to that process. Initialization time ranges from 10 to 30 minutes.

FIPS Mode requirements

While most organizations do not require this configuration, ensure that you DO NOT initialize the console during your installation if you intend to use FIPS mode. FIPS mode must be configured before the Security Console is started for the first time.

See Enabling FIPS mode for instructions.

Application initialization and automatic start option

If you are installing both the Scan Engine and the Security Console, the automatic start option is enabled by default. If you do not want automatic initialization to occur, you must disable it. The benefit to leaving this option enabled is that you can start using the InsightVM application immediately after the installation is complete. This is because it has to initialize before the process prepares the application for use by updating the database of vulnerability checks and performing the initial configuration. Leaving this option enabled increases total installation time by 10 to 30 minutes. Although disabling the option shortens the installation time, it takes longer to start the application because it will have to initialize before you can begin to use it.

Communication direction between console and engine

Your preferred communication direction between console and engine depends on network configuration:

  • (Recommended) Engine to Console. The Scan Engine will actively inform the Security Console that it is available for communication. This configuration allows a configured console that is behind a firewall to allow inbound connections to establish a communication channel.
  • Console to Engine. The Scan Engine will listen for communication from the security console. This configuration is most effective when the engine and console are on the same area of the network.

Download and install on Linux

Linux installation requirements
  • The latest Linux installer.
  • The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download.
  • A product key, which is needed to activate your license upon login.
  • Disable SELinux before you install the application.
  • We recommend installing the tmux or screen package to provide an interactive terminal with the Security Console and Engine.
  • Check the installer file to make sure it was not corrupted during the download.
  • Uninstall any previously installed versions of InsightVM.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM to your email client allowlist to ensure you are receiving all future emails regarding InsightVM.

Verify and Disable SELinux

If you intend to install the Security Console on a Linux host, you can verify whether or not SELinux is disabled, and take action to disable it if it isn't, with the following procedure:

  1. Check the status of SELinux by opening its configuration file using a text editor of your choice. Enter the following command in a terminal: vi /etc/selinux/config.
  2. Navigate to the line beginning with SELINUX=. If the value of this line shows enforcing, you will need to make an edit to disable SELinux.
  3. To do so, modify the value of SELINUX= from enforcing to disabled: SELINUX=disabled.
  4. When finished, save and close the configuration file.
  5. Run the following command in your terminal to restart the Linux host so the changes can take effect: shutdown -r now
  1. Download the latest Linux installer: Linux installer
  2. Use the following checksum file to verify the integrity of your installer and ensure that it wasn't corrupted during the download process: sha512sum for Linux download
  3. Make sure your installer and checksum file are in the same directory.
  4. Open a terminal and browse to the directory where your installer and checksum file are located.
  5. Run the following command, substituting with the appropriate value: sha512sum -c <installer_file_name>.sha512sum</installer_file_name>. Do not close command line window A command line window will appear during installation. You do not need to interact with it, but do not close this window.
  6. If this command returns an OK message, the file is valid. If the check fails, the file was found to be invalid. Download the installer again and retry.
  7. Modify the permissions of the installer to make it executable: chmod +x <installer_file_name></installer_file_name>
  8. Run the installer: ./<installer_file_name> -c</installer_file_name>
  9. Follow the instructions prompted by the installer.
Using a GUI?

If you are using a Graphical User Interface, omit the -c switch at the end of the installer run command. You’ll use a wizard similar to the Windows version instead.

(Optional) Enable FIPS mode

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

Install the Local Scan Engine

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.

Download and install on Windows

Windows installation requirements
  • The Windows installer.
  • The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download: sha512sum for Windows download
  • A product key, which is needed to activate your license upon login.
  • You have administrator privileges and are logged onto Windows as an administrator.
  • Your system meets the minimum installation requirements.
  • You have uninstalled any previously installed copies of the application.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM.

  1. Download the latest installer Windows installer
  2. Use the following checksum files to verify the integrity of your installer and ensure that it wasn't corrupted during the download process: sha512sum for Windows download
  3. Make sure your installer and checksum file are in the same directory.
  4. Open a command prompt and browse to the directory where your installer and checksum are located.
  5. Run the following command, substituting with the appropriate value: certutil -hashfile <installer_file_name> sha512</installer_file_name>
  6. Run the installer. Do not close command line window A command line window will appear during the installation, but you will not need to interact with it. Do not close this window.
  7. Double-click the installer icon. A message displays while the wizard is preparing. Once the wizard is done preparing, you will be sent to the Welcome page to begin installation.
  8. Follow the steps as the wizard guides you. This is where you will decide on the considerations mentioned previously throughout the process.
(Optional) Enable FIPS mode

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

Install the Local Scan Engine

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines next under Scans, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.

Log in and activate

Initialization progress

If you just started to initialize after installation, it may still be in progress when you connect to the Security Console. You must wait for this process to complete before you can log in.

  1. Open your supported browser and connect to the following address, substituting <console_address> with the FQDN or IP address of the machine where your Security Console is installed: https://<console_address>:3780
  2. A login prompt will display. Enter the credentials that you set up during the Security Console installation and click LOG ON.
  3. After you log in successfully, an activation prompt will appear. Enter your activation key in the provided field to activate.

Accessing the Security Console from the same machine that it’s installed on?

In this case, you can quickly access the web interface by connecting to https://localhost:3780.