Nexpose Quick Start Guide

Run scans to extensively probe your devices for known vulnerabilities, exploits, and policy rules. Create sites to logically group your assets for targeted scans. The Security Console uses Scan Engines to perform the actual scan job, and you can configure/distribute them in a way that is best for your environment. Choose between several built-in Scan Templates (such as CIS policy compliance or Full audit without Web Spider) to determine which checks are performed for a particular scan. You can also tailor your own Scan Templates to quickly search for the vulnerabilities and policies that matter the most to your organization. Create scan schedules to automate your scan jobs and keep your security team informed on a regular basis.

Organize your scanned assets into dynamic or static asset groups according to a variety of traits, such as location, operating system, and owner. Use the Security Console’s tagging system to adjust risk scores and prioritize remediation for your most critical assets. Run filtered asset searches to find scanned assets based on over 40 unique parameters.

Generate reports of your scan results so your security teams know what to fix and how. Make use of our built-in report templates or leverage SQL query exports for fully customizable reports. The following example cases highlight some of our most popular report templates:

• Leverage the Top Remediation report to prioritize the remediations that lead to the greatest reduction in risk.
• If you’re a business that handles credit card transactions, use the PCI report to prepare for an upcoming PCI audit.
• Generate the Vulnerability Trends report to examine your total detected assets, vulnerabilities, and exploits over custom date ranges.

The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.

The Security Console does not support running in a container. However, the Scan Engine is available as a container image on Docker Hub.

Security Console requirements:

At this time, we only support x86_64 architecture.

Scan Engine requirements:

At this time, we only support x86_64 architecture.

We require an English operating system with English/United States regional settings.

64-bit versions of the following platforms are supported:

We support the most recent version of the following browsers:

• Google Chrome (Recommended)
• Mozilla Firefox
• Mozilla Firefox ESR
• Microsoft Edge

Security Console firewall requirements:

You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.

For additional IP addresses for each region see Connectivity requirements.

You must also allow the Security Console to make outbound connections to updates.rapid7.com on Port 443. The Security Console connects to updates.rapid7.com regularly to check for new product versions (every 6 hours) and vulnerability/policy content (every 2 hours). With every connection, the console uploads a JSON file containing license and usage information that helps Rapid7 understand how the Security Console is being used. This upload does not contain any vulnerability assessment data from your assets or any other sensitive information on your environment.

Scan Engine firewall requirements:

If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.

The integration of scan data from Scan Engines can be memory-intensive depending on how many assets are being scanned at once. For this basic deployment, your host machine must have a minimum of 16GB RAM.

Proper disk space allocation for the database is essential. The biggest storage impact on your host machine will come from scans, reports, and database backups. Scan data alone can have varying levels of storage impact depending on your configuration, including scan frequency and whether or not you are authenticating to the target assets.

For this basic deployment, your host machine must have a minimum of 100GB of free storage space in order to accommodate your future scan data and reports. At least 1TB of free storage space is recommended for small-scale deployments.

Consider this example deployment situation: Scanning 1000 assets on a monthly basis with authentication, generating a single report, and storing the data for one year will take 76GB of storage.

Don’t underestimate your storage needs

As you prepare your deployment plan, think about how your network and security needs could change over time. Allocate free storage so you can scan additional assets, increase your scanning frequency, and create database backups. Your Security Console host should be prepared for these events! If you find yourself making a decision between two numbers, go for the larger one.

Check our System Requirements  page for details. Note the supported operating systems and browsers in particular. Also, you can run the Security Console and Scan Engine on a virtualized instance of any of our supported operating systems as long as they meet the system requirements.

You can deploy using Ubuntu Linux or Windows.

The IP address of your host machine must be statically assigned. You will use this address to access the Security Console’s web interface.

The Security Console communicates through these ports in order to perform the following tasks:

|Port|Task|Direction|Destination| ||||| |3780 (HTTPS protocol)|Web interface access to the Security Console|Inbound|Security Console| |40814|Management of scan activity on Scan Engines and the retrieval of scan data|Outbound|Scan Engine| |443|Upload of PGP-encrypted diagnostic information|Outbound|support.rapid7.com| ||Allows the Security Console to download content and feature updates.

You must allow the server hosting Nexpose to make outbound connections to updates.rapid7.com on port 443. The Security Console connects to updates.rapid7.com regularly to check for new product versions (every 6 hours) and vulnerability/policy content (every 2 hours). With every connection, the console uploads a JSON file containing license and usage information that helps Rapid7 understand how Nexpose is being used. This upload does not contain any vulnerability assessment data from your assets or any other sensitive information on your environment.

You can see the contents of this JSON file yourself by running the generate statistics command in the command console.|Outbound|updates.rapid7.com| |25, 465 (These ports are optional and feature-related)|If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay server|Outbound|SMTP relay server|

During your installation, you’ll create a default account with Global Administrator privileges. When you configure these credentials, store them in a safe place where you can reference them in the future.

Enabled by default, this option will initialize the Security Console after it’s been installed. Initialization configures the application for use and updates the vulnerability database. If you enable initialization, your installation time will increase respective to that process. Initialization time ranges from 10 to 30 minutes.

While most organizations do not require this configuration, ensure that you DO NOT initialize the console during your installation if you intend to use FIPS mode. FIPS mode must be configured before the Security Console is started for the first time.

See Enabling FIPS mode  for instructions.

If you are installing both the Scan Engine and the Security Console, the automatic start option is enabled by default. If you do not want automatic initialization to occur, you must disable it. The benefit to leaving this option enabled is that you can start using the Nexpose application immediately after the installation is complete. This is because it has to initialize before the process prepares the application for use by updating the database of vulnerability checks and performing the initial configuration. Leaving this option enabled increases total installation time by 10 to 30 minutes. Although disabling the option shortens the installation time, it takes longer to start the application because it will have to initialize before you can begin to use it.

Your preferred communication direction between console and engine depends on network configuration:

• (Recommended) Engine to Console. The Scan Engine will actively inform the Security Console that it is available for communication. This configuration allows a configured console that is behind a firewall to allow inbound connections to establish a communication channel.
• Console to Engine. The Scan Engine will listen for communication from the security console. This configuration is most effective when the engine and console are on the same area of the network.

• The latest Linux installer .
• The corresponding checksum file  for your installer, which helps ensure that installers are not corrupted during download.
• A product key, which is needed to activate your license upon login.
• Disable SELinux before you install the application.
• We recommend installing the tmux or screen package to provide an interactive terminal with the Security Console and Engine.
• Check the installer file to make sure it was not corrupted during the download.
• Uninstall any previously installed versions of Nexpose.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased Nexpose or registered for an evaluation. We recommend adding Nexpose to your email client allowlist to ensure you are receiving all future emails regarding Nexpose.

If you intend to install the Security Console on a Linux host, you can verify whether or not SELinux is disabled, and take action to disable it if it isn’t, with the following procedure:

1. Check the status of SELinux by opening its configuration file using a text editor of your choice. Enter the following command in a terminal: vi /etc/selinux/config.
2. Navigate to the line beginning with SELINUX=. If the value of this line shows enforcing, you will need to make an edit to disable SELinux.
3. To do so, modify the value of SELINUX= from enforcing to disabled: SELINUX=disabled.
4. When finished, save and close the configuration file.
5. Run the following command in your terminal to restart the Linux host so the changes can take effect: shutdown -r now

If you are using a Graphical User Interface, omit the -c switch at the end of the installer run command. You’ll use a wizard similar to the Windows version instead.

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines under Scans, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.

• The Windows installer .
• The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download: sha512sum for Windows download 
• A product key, which is needed to activate your license upon login.
• You have administrator privileges and are logged onto Windows as an administrator.
• Your system meets the minimum installation requirements.
• You have uninstalled any previously installed copies of the application.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased Nexpose or registered for an evaluation. We recommend adding Nexpose.

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines under Scans, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.

Welcome to the Home page!

Read on to familiarize yourself with the Security Console Home page and get an introduction to some of the features you’ll use on a regular basis. This article will cover some initial functions, display objects, navigation, and quick links to features, settings, and other resources.

Use the following keyed screenshot to locate each part of the interface along the way.

1a. Default Items

The Home page of the Security Console includes several informational panels reflecting the assessment of risk in your environment along with your existing configurations. The data you accumulate and settings you configure during the course of this guide will populate this space later.

These default items include:

• Risk and Assets Over Time - This chart is a combination of two line graphs: one representing your total asset count, and one representing your total assessed risk score. This chart can give you a general idea of how your risk is being managed over time relative to the number of assets in your network.
• Sites - This table shows all the sites you have configured along with their current metrics, status, and quick links to site functions. A site is a collection of assets that are targeted for a scan. You’ll create your first site in the next article of this guide.
• Current Scans for All Sites - This table displays any in-progress scans. You’ll run your first scan after creating your site.
• Asset Groups - Your configured asset groups are shown here. Asset groups are used for monitoring and reporting purposes and are based on the assessment results of your scans.
• Asset Tags - You can tag your assets, sites, and asset groups with several built-in or custom tags to provide additional context in your network as you see fit. All default and configured tags are shown in this table.

1b. Item Collapse, Expand, and Removal Controls

You can collapse, expand, and remove any default item using the item controls shown in this corner of the item panel.

1c. Re-add Removed Items

If you need to re-add removed items back to your Home page, click the Items dropdown shown in the upper right corner of your screen.

2. Filtered Asset Search

Click the filter icon to launch the Filtered Asset Search function. Filtered assets searches are used to organize your scanned assets according to a variety of parameters. You’ll create your first asset group with a filtered asset search later on in this guide.

3. Left Navigation Menu

The left navigation menu contains quick links to program features and settings. Hover your mouse cursor over this area to expand it.

4. Create Dropdown

The Create dropdown contains quick links for creating some of the most common Security Console objects, including sites, asset groups, reports, and tags. This helpful shortcut will save you from navigating through the web interface for common tasks.

5. Calendar

Click the Calendar icon to view a calendar that shows all your current scan schedules, report schedules, and blackout periods.

6. Help Dropdown

The Help dropdown contains quick links to different kinds of resource material, including product documentation, API documentation, and release notes. The Content Updates option lists all new and modified vulnerability coverage content that was applied to the Security Console within the last seven days.

7. Notification Center

Expand the Notification Center to browse all in-product notifications posted to your Security Console, color-coded by importance. Some notifications may suggest that you take action to address your settings or a condition in your environment and will provide shortcut links to assist you.

8. Search Field

Separate from Filtered Asset Search, use this general search field to find sites, assets, asset groups, tags, vulnerabilities, and Common Configuration Enumerations (CCEs) according to the string value you specify. Use asterisks to wildcard portions of your string to return additional results.

9. User Dropdown

The User dropdown displays your username. Click here to quickly access your user preferences or log out.

Launch the product installer to get started. Follow the initial prompts until you reach the component selection and communication direction step.

Select Components

After going through the necessary acknowledgements, you’ll be prompted to select which components you want to install.

Select Scan Engine only. This tells the installer that you intend to deploy a distributed Scan Engine.

Select a Communication Direction

After selecting your components, you’ll be prompted to select a communication direction.

If you select the Engine-to-Console method, you will have the opportunity to configure a reverse pair with your Security Console during the Scan Engine installation. Although you can skip this pairing step if you want to, Rapid7 recommends that you take advantage of this pairing opportunity since the post-install reverse pairing procedure involves more complicated steps.

To configure a reverse pair during a Scan Engine installation:

1. Select Yes to pair the Scan Engine with the Security Console.
2. When prompted by the install wizard, enter the IP address for the Security Console. Then, proceed with the default settings for Console TCP Port [40815].
3. Provide the installer with the Security Console shared secret.
   • You can generate a shared secret in the Security Console by navigating to the Administration tab > “Scans” section **> Manage scan engines ** next to “Engines” > “Generate Scan Engine Shared Secret” section > Generate.

4. Test your connection to ensure that your Security Console and Scan Engine can communicate properly.
5. Continue with the rest of the Scan Engine installation.
6. When the install wizard completes you will be prompted to start the Scan Engine service. This may take a few minutes for the Scan Engine service to finish loading.
   • Linux - systemctl start nexposeengine.service
7. After your Scan Engine finishes installing, proceed directly to the Refresh Your New Scan Engine section of this guide.

If you select the Console-to-Engine method, you’ll need to configure a standard pair with your Security Console after the Scan Engine installation completes. Continue with the rest of the installation at this time. After your Scan Engine finishes installing, proceed to the Pair Your Scan Engine to the Security Console section of this guide.

All new Scan Engines must be paired to the Security Console in order to be usable for scanning. These engine pairing procedures differ based on the method of communication you want to implement.

Consult one of the following pairing procedures for your communication method of choice:

• Standard Pair (Console-to-Engine)
• Reverse Pair (Engine-to-Console)

Standard Pair (Console-to-Engine)

In order to configure a console-to-engine pairing, the Security Console must be made aware that a new Scan Engine is available for use and must be provided with instructions on how to reach it. Consequently, the first step of all standard pairing procedures is to add your new Scan Engine to the Security Console.

To add a Scan Engine through the Administration tab:

1. Browse to and click on the Administration tab in your left navigation menu.
2. In the “Scans” section, click Mange scan engins.
3. On the General tab, name your Scan Engine.
4. Enter the IP address of your Scan Engine in the “Address” field.
5. Click Save when finished.

Properly added Scan Engines generate a consoles.xml file on the Scan Engine host. You will modify this file in the next step.

Modify consoles.xml

The consoles.xml file generated on your Scan Engine host in the previous step contains an entry for the Security Console that added the Scan Engine. You must enable the console to complete the pairing.

To modify the consoles.xml file for a Linux or Windows host:

1. Browse to the consoles.xml file in your Scan Engine directory. By default, this file is located in the following places according to the operating system of your Scan Engine host:
   • Linux - /opt/rapid7/nexpose/nse/conf/consoles.xml
   • Windows - Files\Rapid7\NeXpose\nse\conf\consoles.xml
2. Open consoles.xml with a text editor of your choice. Navigate to the <consoles> element. The Security Console that added the Scan Engine appears as a <console> element with several attributes.
   • You can identify the correct Security Console by checking that the lastAddress attribute matches the IP address of the Security Console you want to pair with.
3. Change the value for the enabled attribute from 0 to 1.
4. Save and close the consoles.xml file.
5. Restart the Scan Engine host so your changes can take effect.

Reverse Pair (Engine-to-Console)

If you took advantage of the reverse pairing configuration opportunity during your Scan Engine installation, then you’ve already completed this step! Proceed directly to the Refresh Your New Scan Engine section of this guide to verify that your Scan Engine is ready for use.

However, if you installed a Scan Engine with the Engine-to-Console method selected without completing the reverse pairing step, you must complete the pairing with a separate procedure. See the Post-Installation Engine-to-Console Pairing page for instructions on how to do this.

1. Browse to and click on the Administration tab in your left navigation menu.
2. In the “Scans” section, click **Mange scan engins.
3. In the “Scan Engines” section, click Refresh Displayed Engines. This ensures that your Scan Engine table is up-to-date.
4. Locate the distributed Scan Engine that you paired to the Security Console.
5. Click the icon in the “Refresh” column to complete the verification process.

If you have properly configured and paired your Scan Engine, it now displays up-to-date version and communication status information. The “Communication Status” column itself indicates both the current communication method by arrow and connection state by color. Arrows pointing to “Engine” indicate a standard pairing, while arrows pointing to “Console” indicate reverse pairing. Additionally, arrow icons can have the following color codes:

• Green - Scan Engine is active
• Orange - Scan Engine status is unknown
  • An “unknown” status indicates that the Security Console and the Scan Engine could not communicate even though no error was recorded. This is often the result of a significant lapse between pings. Refresh the Scan Engine status to attempt communication again.
• Red - There are three possibilities associated with this color code:
  • Pending Authorization - This state indicates that the Security Console has not yet been enabled on the Scan Engine. Consoles must be enabled on the Scan Engine during the pairing procedure.
  • Incompatible - This state indicates that the Security Console and Scan Engine are on different versions. Consoles and engines must be on the same version in order to communicate properly.
  • Down - This state indicates that the Scan Engine is offline.

1. On the Home page of the Security Console, click Create and select Site.
2. On the Site Configuration page, set your configuration options:
   • Info & Security: Name and describe your site.
   • Assets: Enter the name, IP address, or IP range to specify which assets to include in the site.
3. To configure your authentication and set credentials: a. Click Authentication>Add credentials>General. Add a name and description. This name helps you easily identify the credentials from the Manage Authentication tab later. b. On the Account tab, select the authentication service you want to use. Enter the username and password. c. On the Add Credentials tab, click the Test Credentials dropdown. Specify the IP address or FQDN of the asset you want to test. Specify the port number for the authentication service. d. Click Test Credentials.

e. Click Create to save the credentials.

For your first scan, you complete a full scan of your site for all risks. This gives you a baseline understanding of what risks exist. You can run and schedule more specific scans later, but for the purpose of onboarding, you complete a full scan first.

1. On the Select Scan Template tab, select Full Audit without Web Spider.
2. On the Select Engine tab, select the scan engine.
3. Click Save & Scan.

After initiating your first scan, the Security Console displays the site details page. The Scan Progress section at the top gives you a live look at the progress of the ongoing scan as it runs. Upon completion, the Scan Status column displays Completed successfully.

If your scan does not complete successfully, you can review statuses to understand why and troubleshoot why this issue is occuring. See Understanding different scan engine statuses and states  for more information.

On the same site details page, browse to the Completed Assets section and click the address link for your asset. The scanned asset detail view contains information about your asset, including the type of operating system it’s running, whether it’s a physical or virtual machine, and its calculated risk score. Risk scores help you determine which vulnerabilities pose the most risk to your business so you can prioritize remediation accordingly.

You can also examine each individual vulnerability that was detected on the asset by reviewing the Vulnerabilities table.

1. Click the Administration tab.
2. On the Administration page, click Manage shared credentials for scans.
3. Click New.
4. Enter a name for the new set of credentials.
5. Enter a description for the new set of credentials.
6. Continue with configuring the account, as described in the next section.

Configuring the account involves selecting an authentication method or service and providing all settings that are required for authentication, such as a username and password.

If you do not know what authentication service to select or what credentials to use for that service, consult your network administrator.

1. Go to the Account page of the Shared Scan Credentials Configuration panel.
2. Select an authentication service or method from the drop-down list.
3. Enter all requested information in the appropriate text fields.
4. If you want to test the credentials or restrict them see the following two sections. Otherwise, click Save.

You can verify that a target asset will authenticate a Scan Engine with the credentials you’ve entered. It is a quick method to ensure that the credentials are correct before you run the scan.

For shared scan credentials, a successful authentication test on a single asset does not guarantee successful authentication on all sites that use the credentials.

1. Go to the Account page of the Credentials Configuration panel.
2. Expand the Test Credentials section.
3. Select the Scan Engine with which you will perform the test.
4. Enter the name or IP address of the authenticating asset.
5. To test authentication on a single port, enter a port number.
6. Click Test credentials.

Note the result of the test. If it was not successful, review and change your entries as necessary, and test them again.

1. Upon seeing a successful test result, configure any other settings as desired.
2. If you want to restrict the credentials to a specific asset or port, see the following section. Otherwise, click Save.

For more information on managing shared credentials, see our documentation .

You can also deploy our Scan Assistant instead of setting up shared credentials. For more information on Scan Assistant, see our documentation .

During days 1-15 you would have initiated a scan. You can schedule scans to occur at times that best suit you and your organization. You can schedule them to occur during times of lower site traffic, etc.

1. Click the site’s Edit icon in the Sites table on the Home page.

2. Click the Schedules tab of the Site Configuration.

3. Click Create Schedule. Complete the form as follows:

   1. Name the schedule.
   2. Select the Enable check box.
   3. Select the date and time the schedule should start.
   4. Select a template for the scheduled scan. See Scheduling scans to run with different templates  for more information.
   5. Select a Scan Engine for the scheduled scan. This allows you to create your schedules in a way that lets you take advantage of what you know about the availability and performance of your Scan Engines at particular times.
   6. If you want to set a maximum duration, enter a numeral for the number of minutes the scan can run. When the scan reaches the duration limit, it will pause. If you don’t enter a value, the scan will simply run until it completes.
   7. Select an option for what you want the scan to do after it reaches the duration limit. If you select the option to continue where the scan left off, the paused scan will continue at the next scheduled start time. If you select the option to restart the paused scan from the beginning, the paused scan will stop and then start from the beginning at the next scheduled start time.
   8. To make it a recurring scan, select an option from the Frequency dropdown. Select Other… for additional customization options.

4. Click Save. The newly scheduled scan appears in the Scan Schedules table, which you can access by clicking Manage Schedules.

For this example, you create a Top Remediations with Details report scoped to the scan results of the site you created previously.

1. On the Reports tab in the left navigation menu, click the Create a report tab.
2. Give your report a name. Report names often indicate the asset scope and the report template in use so that the report is easily recognizable.
3. (Optional) Adjust the time zone that will be stamped on the report by making a selection in the provided dropdown list. By default, the Security Console chooses the time zone according to what is detected on its host machine.
4. On the Template > Document tab, browse to and select the Top Remediations with Details report template.
5. In File format, make sure PDF is selected. RTF and HTML formats are also available for this report template, but Rapid7 recommends the PDF format for readability and portability.
6. In Scope, click Select Scan. A site selection window displays.
7. Find the site you created previously and click its corresponding radio button to select it.
8. Click Select Scan.
9. On the Select Scan window, select the most recent scan for this site and click OK.
10. In Frequency, ensure Do not run a recurring report is selected. Recurring reports are a great idea for production scanning environments. That being said, you only need a single report for this exercise.
11. Review your report configuration and verify that everything is correct.
12. Click Save & Run the Report.

You can tag an asset individually on the details page for that asset. You also can tag a site or an asset group, which would apply the tag to all member assets. The tagging workflow is identical, regardless of where you tag an asset:

1. From the Create dropdown, select Tags. In Asset Tags click Add tags.
2. Select a tag type.
3. If you select Custom Tag, Location, or Owner, type a new tag name to create a new tag. To add multiple names, type one name, press ENTER, type the next, press ENTER, and repeat as often as desired. If you are creating a new custom tag, select a color in which the tag name will appear. All built-in tags have preset colors.

4. If you select Criticality, select a criticality level from the list.
5. Click Add.

1. Go to the Assets > Asset Groups page.
2. At the bottom of the page, click New Static Asset Group to create a new static asset group.

3. The console displays the Filtered Asset Search page. Filter the assets you require using the criteria provided in the dropdown. Click Search.
4. Click Create Asset Group.
5. Ensure the Static radio button is selected. Type a group name and description in the appropriate fields.
6. If you want to, add business context tags to the group. Any tag you add to a group will apply to all of the member assets.
7. Click Save.