Greenbone Enterprise Appliance Setup

What this covers

This guide walks operators through the purpose of the Greenbone Enterprise Appliance, the available hardware and virtual models, the setup requirements for each, and the initial configuration. It follows the appliance from first power-on through the first setup wizard — network, HTTPS certificate, web administrator, feed subscription key, and feed download — up to the first login to the web interface.

Source scope

Based on the Greenbone Enterprise Appliance manual (GOS 22.04 / OPENVAS SCAN 22.04), chapters 1–5, verified June 2026. Cited manual sections (for example "see manual §5.2.3") refer to that manual.

This guide is appliance-specific — it applies to the hardware and virtual Greenbone Enterprise Appliances. The free Community Edition is set up differently; see the Ubuntu/Docker guide for that variant.

1. Vulnerability management and the appliance

1.1 What vulnerability management does

In IT security, three elements together shape the attack surface of an infrastructure: capable attackers, access to the infrastructure, and vulnerabilities caused by application or operating-system errors or by misconfiguration. When all three come together, a successful attack becomes likely (manual §1.1).

Because most vulnerabilities are already known and can be fixed, the attack surface can be actively reduced through vulnerability management — looking at the infrastructure from the outside, as an attacker would, to find every vulnerability that could exist. The process identifies weaknesses, assesses their risk potential, and recommends concrete remediation measures. It runs continuously, from recognition through remedy to monitoring.

1.2 Components and field of application

The Greenbone Enterprise Appliance is a dedicated vulnerability-management appliance, available as hardware and virtual models. It consists of (manual §1.2.1):

  • the Greenbone Operating System (GOS),
  • the Greenbone Enterprise Feed, which provides the vulnerability tests (VTs),
  • a scan service that uses those VTs to detect vulnerabilities on the inspected network,
  • the web interface, and
  • on a physical appliance, dedicated hardware.

New vulnerabilities appear daily, so new VTs are added constantly. Greenbone analyzes CVE entries and vendor security advisories and develops new VTs; the feed is updated daily to detect the newest vulnerabilities. Thanks to its master-sensor technology, the appliance scales from small and medium-sized companies up to large enterprises, and can also be deployed in high-security sectors.

1.3 Types of scans

The appliance discovers vulnerabilities from the different perspectives an attacker might take (manual §1.2.2):

  • External — simulates an external attack to identify outdated or misconfigured firewalls.
  • Demilitarized zone (DMZ) — identifies vulnerabilities that could be exploited by an attacker who has passed the firewall.
  • Internal — identifies exploitable vulnerabilities in the internal network, such as those targeted by social engineering or worms. Given the potential impact, this perspective is particularly important.

DMZ and internal scans can be unauthenticated or authenticated. An authenticated scan uses credentials and can find vulnerabilities in applications that are not running as a service but still carry high risk, such as web browsers, office applications, or PDF viewers.

1.4 Classification and remediation

Detected vulnerabilities are rated by severity using the Common Vulnerability Scoring System (CVSS), which helps prioritize remediation toward the critical risks first. There are fundamentally two ways to deal with a vulnerability (manual §1.2.3):

  • Eliminate it — update the software, remove the vulnerable component, or change the configuration.
  • Virtual patching — apply a compensating control such as a firewall or intrusion-prevention rule.

note

Virtual patching only apparently removes the vulnerability — the real vulnerability still exists and remains exploitable if the compensating control fails or is bypassed. An actual patch or update of the affected software is always preferred.

2. Read before use

2.1 Run a supported GOS version

The appliance should always run a GOS version (including patch level) that Greenbone still supports. Running an unsupported version risks feed incompatibilities, unfixed bugs, missing functionality required for VTs, reduced scan coverage or missed detections, and unfixed security vulnerabilities in the components themselves (manual §2.1).

2.2 Effects on the scanned network

The appliance contains a full-featured vulnerability scanner. It is designed to minimize adverse effects, but it must still interact with the target systems — to a degree it has to behave like a real attacker would. The default and recommended settings keep the impact minimal, but side effects can still occur (manual §2.2):

  • Log and alert messages may appear on target systems, network devices, monitoring solutions, firewalls, and IDS/IPS.
  • Firewall rules and other intrusion-prevention measures may be triggered.
  • Scans may increase latency on the target or network — in extreme cases resembling a denial-of-service (DoS) condition.
  • Scans may trigger bugs in fragile or insecure applications, causing faults or crashes. Embedded systems and operational-technology elements with weak network stacks are especially at risk.
  • Logins (for example via SSH or FTP) are attempted for banner grabbing, and probes are sent to exposed services for service detection.
  • Testing default username/password combinations may lock user accounts.

caution

Verify the required authorization to execute scans before scanning any target. Because the behavior above is expected and desired for scanning, add the scanner's IP address(es) to the allow list of the affected systems and services. Note that configuring invasive scan behavior increases the probability of these effects.

2.3 Scanning through network equipment

Avoid scanning through an IDS/IPS, WAF, proxy, or firewall. Such devices can interfere with the scan and cause false positives and negatives, slow scanning, too many ports reported open, dropped packets from connection or session limits, and either excessive or completely suppressed logs (a blind spot). The same can happen when the maximum number of checks per host is limited (manual §2.3.1).

warning

A firewall may run additional modules — such as deep packet inspection and DoS protection — that are only switchable per interface, hidden, or not configurable at all. Scanning through it can raise the firewall load significantly; in a worst case the entire firewall functionality is impaired, leading to a denial of service (manual §2.3.2).

3. Hardware appliance models

The appliance is offered in several performance levels. The hardware models below all use a Cisco-compatible RS-232 serial console port for management in addition to their Ethernet management port(s) (manual §3.1).

| Model | Target organization / role | Key facts from the manual |
| --- | --- | --- |
| Greenbone Enterprise 5400 / 6500 | Large organizations | 2U 19" chassis; two-line LC display (16 characters per line); redundant hot-swappable power supplies, 4 HDDs and fans; software RAID 6; serial port plus two out-of-band management Ethernet ports; up to 4 connection modules (8× GbE-Base-TX copper, 8× 1 GbE SFP, or 2× 10 GbE SFP+) in any order. Can act as master (controlling sensors) and as remote scanner. |
| Greenbone Enterprise 400 / 450 / 600 / 650 | Medium-sized organizations and larger branches | 1U 19" chassis; two-line LC display (16 characters per line); redundant fans; serial port plus one management Ethernet port; ten ports total, fixed (non-modular): 8× GbE-Base-TX copper and 2× 10 GbE SFP+, one of which also serves as management port. Can act as master and as remote scanner. |
| Greenbone Enterprise 150 | Small organizations and small-to-medium branches | 1U steel chassis; optional RACKMOUNT150 kit; no display; serial port plus one management Ethernet port; 4× GbE-Base-TX copper ports total, one also serving as management. Can be controlled as a remote scanner, but does not control sensors. |
| Greenbone Enterprise 35 | Sensor for distributed scan systems | Sensor mode only — managed by a master and has no web interface of its own; masters from Greenbone Enterprise 400/DECA can manage it. 1U steel chassis; optional RACKMOUNT35 kit; no display; serial port plus one management Ethernet port; 4× GbE-Base-TX copper ports total, one also serving as management. |

note

The estimated scan capacity stated for each model is a guide value only. The actual achievable number depends on the scan pattern, the scan targets, the network infrastructure, and the scan frequency, and cannot be guaranteed (manual §3.1, §3.2).

4. Virtual appliance models

Virtual appliances are delivered as OVA images and activated with a unique subscription key. Each comes with dynamic virtual ports, one of which also serves as the management port (manual §3.2).

| Model | Target organization / role | Key facts from the manual |
| --- | --- | --- |
| Greenbone Enterprise DECA | Medium-sized organizations and larger branches | 4 dynamic virtual ports. Can act as master and as remote scanner. |
| Greenbone Enterprise TERA / PETA / EXA | Medium-sized organizations and larger branches | 8 dynamic virtual ports. Can act as master and as remote scanner. |
| Greenbone Enterprise CENO | Small organizations and small-to-medium branches | 4 dynamic virtual ports. Can be controlled as a remote scanner, but does not control sensors. |
| Greenbone Enterprise 25V | Sensor for distributed scan systems | 4 dynamic virtual ports. Sensor mode only — managed by a master and has no web interface of its own; masters from Greenbone Enterprise 400/DECA can manage it. |
| Greenbone Enterprise ONE | Special use cases — audit-via-laptop and training | One virtual port for management, scan, and updates. Optimized for use on a mobile computer. Cannot act as master or as a sensor, and does not support VLANs on the virtual port. |

note

The Greenbone Enterprise ONE has the functions of the medium and large appliances except master mode, sensor mode, and VLANs. Enterprise features such as remote scan engines are only available on the full-featured appliances (manual §3.2.4).

5. Setup requirements

All requirements for a given model must be met before deployment (manual §5.1).

5.1 Hardware appliances

The hardware models are 19-inch mountable. The 5400/6500 require two rack units; the 400/450/600/650, the 150, and the 35 require one rack unit. Rack holders are supplied for the rack-mountable models; the 150 and 35 use the optional RACKMOUNT150 / RACKMOUNT35 kits, or self-sticking rubber pads for stand-alone use. Each model ships with a Cisco-compatible RS-232 serial port and an enclosed serial cable, plus USB ports and a video output (VGA on the 5400/6500 and 400/450/600/650; HDMI on the 150 and 35).

note

Installation requires either a monitor and keyboard, or a serial console connection with a terminal application (manual §5.1.1–§5.1.4).

5.2 Virtual appliances

The virtual models have fixed resource requirements and supported hypervisors. The required boot mode is EFI/UEFI in all cases. For Microsoft Hyper-V, the CENO/DECA/TERA/PETA/EXA are delivered as generation 2 virtual machines, as is the 25V (manual §5.1.5–§5.1.8).

| Model | vCPUs | RAM | Virtual disk | Supported hypervisors |
| --- | --- | --- | --- | --- |
| Greenbone Enterprise DECA | 4 | 8 GB | 220 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+, Huawei FusionCompute 8.0 |
| Greenbone Enterprise TERA | 6 | 8 GB | 220 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+, Huawei FusionCompute 8.0 |
| Greenbone Enterprise PETA | 8 | 16 GB | 220 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+, Huawei FusionCompute 8.0 |
| Greenbone Enterprise EXA | 12 | 24 GB | 225 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+, Huawei FusionCompute 8.0 |
| Greenbone Enterprise CENO | 2 | 8 GB | 135 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+ |
| Greenbone Enterprise 25V | 2 | 6 GB | 70 GB | Hyper-V 5.0+, VMware vSphere/ESXi 6.0+, Huawei FusionCompute 8.0 |
| Greenbone Enterprise ONE | 2 | 6 GB | 130 GB | Oracle VirtualBox 6.1+, VMware Workstation Player 16.0+, VMware Workstation Pro 16.0+ |

6. Bringing the appliance online

6.1 Hardware appliance — serial access and first boot

The enclosed console cable connects to the serial port; a blue Cisco rollover cable also works. A terminal application configured to 9600 bits/s (baud) is required. On Linux, screen can access the serial port (manual §5.2.1):

screen /dev/ttyS0       # for the serial port
screen /dev/ttyUSB0 # for a USB adapter

After starting screen it may help to press Enter several times to get a prompt. To close the connection, press Ctrl+a and then \. On Microsoft Windows, PuTTY can be used with the appropriate serial port selected.

Once the appliance is fully wired and the terminal is set up, power it on. It boots and shows a login prompt (manual §5.2.2). Log in with the default credentials:

User:     admin
Password: admin

caution

Change this default password during the first setup (see manual §7.2.1.1).

6.2 Virtual appliance — verify, deploy, and first boot

Greenbone provides the virtual appliance as an OVA image, activated with a unique subscription key.

warning

Do not clone the appliance or run several instances in parallel — this is not permitted and can cause inconsistencies and unwanted side effects (manual §5.3.2).

Verify integrity (optional). On request, Greenbone Enterprise Support provides an integrity checksum for the OVA, given the subscription number. Calculate the checksum locally and compare (manual §5.3.1):

# Linux — replace FILE with the OVA file name
sha256sum FILE

# Windows PowerShell — replace PATH and FILE
Get-FileHash 'C:\PATH\FILE' -Algorithm SHA256

If the calculated checksum does not match the one provided by Support, the image has been modified and must not be used.
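
The comparison described above as a reusable check. This is an added example, not taken from the Greenbone manual; `verify_ova` and `normalize_sha256` are hypothetical helper names, and the expected value is whatever Support supplied for the subscription. It also accepts the uppercase digest that Get-FileHash prints.

```shell
#!/bin/sh
# Added example: check an OVA image against the SHA-256 value supplied by Support.
# verify_ova and normalize_sha256 are hypothetical helper names, not Greenbone tools.

# normalize_sha256 VALUE
# Prints VALUE as a lowercase 64-character hex digest; fails if it is not one.
normalize_sha256() {
    # Drop whitespace and CRs picked up when copying from an e-mail or ticket,
    # and fold the uppercase form printed by PowerShell's Get-FileHash.
    digest=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s\n' "$digest"
}

# verify_ova FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked at all.
verify_ova() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read image: $file" >&2
        return 2
    fi
    if ! expected=$(normalize_sha256 "$2"); then
        echo "expected value is not a SHA-256 digest" >&2
        return 2
    fi
    # Hash via stdin so an unusual file name cannot alter sha256sum's output format.
    out=$(sha256sum < "$file") || return 2
    actual=${out%% *}
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the supplied checksum"
        return 0
    fi
    echo "MISMATCH: do not deploy $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use: sh verify_ova.sh FILE EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    verify_ova "$1" "$2"
fi
```

Exit status 2 separates "could not check" (unreadable file, truncated or mistyped checksum) from a real mismatch, so a deployment script can stop on either without reporting a copy-paste error as a modified image.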

Deploy on VMware ESXi/vCenter (manual §5.3.2.1):

1. Open the VMware ESXi web interface and log in.
2. Navigator > Virtual Machines > Create / Register VM.
3. Choose "Deploy a virtual machine from an OVF or OVA file" > Next.
4. Enter a VM name, then select the appliance OVA file > Next.
5. Choose a storage location > Next.
6. Adjust deployment options as needed (defaults are acceptable) > Next.
7. Review the configuration > Finish.
8. Wait for import (up to 10 minutes) — do NOT refresh the browser.
9. Navigator > Virtual Machines, select the appliance > Power on.

Deploy on Oracle VirtualBox (manual §5.3.2.2):

1. Install and start Oracle VirtualBox.
2. File > Import Appliance...
3. Select the appliance OVA file.
4. Review the configuration in "Appliance settings" (double-click a value to change it).
5. Click Import and wait (up to 10 minutes).
6. Select the appliance > Start.

In both cases the appliance boots to a login prompt. Log in with the default credentials and change the password during first setup (manual §5.3.2):

User:     admin
Password: admin

7. The first setup wizard

When the appliance is delivered, or after a factory reset, the GOS administration menu shows the first setup wizard after login (manual §5.2.3 for hardware, §5.3.3 for virtual). Select Yes and press Enter to open it.

note

The wizard is dynamic and shows only the steps the specific model needs, so not every step below appears in every case. After a factory reset, all steps must be carried out.

Selecting No closes the wizard and the incomplete steps reappear at the next login. Selecting Cancel also closes it, but the incomplete steps are then not shown again. Any individual step can be skipped with Skip or No; skipped steps reappear at the next login.

7.1 Configuring the network

The network must be set up for the appliance to be fully functional.

note

Virtual appliances ship with DHCP enabled on the eth0 interface as a factory setting, so this step is omitted for them (manual §5.3.3.1).

When using DHCP, the appliance transmits a DHCP Unique ID (DUID) rather than the MAC address. Modern DHCP servers handle this, but some older ones (for example Windows Server 2012) may not. The workaround is to register the DUID on the DHCP server, or to assign the appliance a static IP address (manual §5.2.3.1).

On a hardware appliance with no configured IP address, the wizard asks whether to adjust the network settings:

1. Select Yes > Enter.
2. Select Interfaces > Enter.
3. Select the desired interface > Enter.

For DHCP:
4. Select DHCP (IPv4 or IPv6) > Enter.
5. Select Save > Enter.
6. Select Back > Enter (twice).
7. Select Ready > Enter.

For a static IP address:
4. Select Static IP (IPv4 or IPv6) > Enter.
5. Enter the IP address including the prefix length, then press Enter.
6. Press Enter to close the "changes must be saved" message.
7. Select Save > Enter.
8. Select Back > Enter (twice).
9. Select Ready > Enter.

7.2 Importing or generating an HTTPS certificate

An HTTPS certificate must be present so the web interface can be used securely. The wizard offers three options — import an existing certificate, generate one, or create a certificate signing request (manual §5.2.3.2, §5.3.3.2).

Import a PKCS#12 file:

1. Select Import > Enter.
2. Select Continue > Enter.
3. Open the displayed URL in a web browser.
4. Click "Browse...", select the PKCS#12 file, then click Upload.
5. Verify the displayed fingerprint and confirm by pressing Enter.

Generate a certificate on the appliance:

1. Select Generate > Enter.
2. Select Continue > Enter.
3. Provide the certificate settings.
4. Select OK > Enter.
The certificate is created and can be downloaded later.

Create a certificate signing request (CSR):

1. Select CSR > Enter.
2. Select Continue > Enter.
3. Provide the certificate settings.
4. Select OK > Enter.
5. Open the displayed URL in a web browser.
6. Download the PEM file.
7. Verify the information by pressing Enter.

note

A certificate may be generated without a common name, but it should not be created without one or more Subject Alternative Names (SANs). If a common name is used, it should match one of the SANs.

Downloading a generated certificate and uploading a signed CSR are not done inside the wizard — they are handled later in the GOS administration menu (see manual §7.2.4.1.7.1 and §7.2.4.1.7.2).

7.3 Creating a web administrator

If no web administrator exists, the wizard asks whether to create one (manual §5.2.3.3, §5.3.3.3).

1. Select Yes > Enter.
2. Enter the user name.
3. Enter the password twice.
4. Select OK > Enter.
5. Press Enter to close the confirmation message.

note

A web administrator is required to use the web interface. The first web administrator created automatically becomes the Feed Import Owner (see manual §7.2.1.10).

The user name may contain only alphanumeric characters and the dash, underscore, and full stop. The password may use any characters and be at most 30 characters long. When using special characters, make sure they are available on all keyboards and supported by all client software and operating systems — copy-pasting special characters can produce invalid passwords depending on those factors.

7.4 Entering the Greenbone Enterprise Feed subscription key

Without a valid subscription key the appliance uses only the public Greenbone Community Feed, not the Greenbone Enterprise Feed (manual §5.2.3.4, §5.3.3.4).

note

A newly delivered appliance already has a key pre-installed, so this step is not needed on delivery.

Using the editor:
1. Select Editor > Enter.
2. Enter the subscription key.
3. Press Ctrl+S to save.
4. Press Ctrl+X to close the editor.

Using HTTP upload:
1. Select HTTP Upload > Enter.
2. Open the displayed URL in a web browser.
3. Click "Browse...", select the subscription key, then click Upload.

7.5 Downloading the feed

If no feed is present yet, download it (manual §5.2.3.5, §5.3.3.5).

1. Select Yes > Enter.
A message confirms the feed update started in the background.
2. Press Enter to close the message.

7.6 Finishing the wizard

After the last step a status check runs (manual §5.2.3.6, §5.3.3.6).

1. When the check finishes, press Enter to see the results.
2. Press Enter again.

The GOS administration menu is then ready for use (see manual §7). If any steps were left unfinished or skipped, the wizard reappears at the next login.

8. Logging into the web interface

The main interface of the appliance is the web interface, also called the Greenbone Security Assistant (GSA). It is accessed as described in manual §8.1.

note

This step does not apply to the sensor-only models, the Greenbone Enterprise 35 and the Greenbone Enterprise 25V, which have no web interface of their own (manual §5.2.4, §5.3.4).