Qualys Offline Scanner Appliance lets you scan for vulnerabilities in secure air-gapped networks that do not have Internet access. It is distributed as a virtual appliance for VMware Workstation. Once you've successfully configured your scanner, it'll be ready for scanning.
A few things to consider...
1) You'll need VMware Workstation. We support v9.0 or greater on Windows 7 x64. It should be expected to work on other virtualization platforms, but Qualys can only assist with troubleshooting on this supported platform.
2) You should have already (a) downloaded the offline scanner image file (.ova) and (b) obtained a personalization code.
I'm ready to get started. What are the steps?
Start your virtualization platform. Locate the offline scanner image file starting with qVSA-O (.ova) on your local system, open the image and power on the virtual machine.
Personalize the scanner. Follow these steps in the Console Interface.
Press the Right arrow to select "Personalize this scanner" and then type in your personalization code. Don't have your personalization code? Go to the Qualys UI and get it from the Scans > Appliances list.
Now your scanner will connect to the Qualys Cloud Platform to complete the activation and download the latest software. You’ll see the activation progress.
Having trouble activating your scanner? 1 - Check settings in VMware (see VMware Configuration below). 2 - Check network access to scanners. Log into the Qualys UI and go to Help > About to see a list of URLs (at the SOC) that your scanner must be able to contact on port 443.
Upon success you'll see the scanner's name and IP address. That's it! You've added your offline scanner to your account. (Note the Web UI URL. You'll need this to log in to the Scanner's Web UI.)
The Qualys Offline Scanner Appliance should be configured with two virtual network adapters using your virtualization platform (i.e. VMware Workstation).
Your virtualization software should automatically create an instance of the appliance with the correct network adapters in place.
On VMware Workstation, these interfaces will be Network Adapter and Network Adapter 2. Initially, Network Adapter should default to type NAT, and Network Adapter 2 should default to type Host-only.
Network Adapter 1 must be configured for Bridged networking when in OFFLINE SCANNING MODE. It can be NAT or Bridged when in CLOUD SYNC MODE. Network Adapter 2 should always be configured for Host-only networking.
Here are the required network settings, depending on the mode you’re in.
|Virtual NIC #1||Network Adapter||eth0||CLOUD SYNC||Communicate with the Qualys Cloud Platform||NAT*|
- or -
|OFFLINE SCANNING||Scan hosts||Bridged**||n/a||n/a|
|Virtual NIC #2||Network Adapter 2||eth1||any||Local scanner web UI||Host-only||enabled||enabled|
* NAT configuration. NAT is practically the only choice if your external connection goes over a VPN. Bridging from a virtual machine will not work over host VPN adapters.
** Bridging to external networks. VMware Workstation may be installed on a host system with multiple network adapters (wired, wireless, VPN). In the Virtual Network Editor, you’ll need to determine which network adapter is appropriate for the external connection and select it. We do not recommend leaving the Bridged virtual network in "Automatic" mode because it almost never works and it is often problematic over wireless adapters.
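The adapter requirements above can be checked against the virtual machine's .vmx file before switching modes. The following is an added example, not Qualys code: it assumes "Network Adapter" and "Network Adapter 2" appear in the .vmx file as ethernet0 and ethernet1 with VMware's ethernetN.connectionType key, and the mode names "offline" and "cloud-sync" are labels chosen here.

```python
import re

# Required adapter types per scanner mode, taken from the table above.
# Assumption: "Network Adapter" is ethernet0 and "Network Adapter 2" is
# ethernet1 in the .vmx file, using VMware's ethernetN.connectionType key.
REQUIRED = {
    "offline": {"ethernet0": {"bridged"}, "ethernet1": {"hostonly"}},
    "cloud-sync": {"ethernet0": {"nat", "bridged"}, "ethernet1": {"hostonly"}},
}

LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file (keys lower-cased)."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_adapters(vmx_text, mode):
    """List the adapter settings that do not fit the given scanner mode."""
    settings = parse_vmx(vmx_text)
    problems = []
    for nic, allowed in REQUIRED[mode].items():
        if settings.get(f"{nic}.present", "").lower() != "true":
            problems.append(f"{nic}: adapter not present")
            continue
        # A missing connectionType is reported so it can be set explicitly.
        kind = settings.get(f"{nic}.connectiontype", "").lower() or "unset"
        if kind not in allowed:
            problems.append(f"{nic}: {kind}, expected {' or '.join(sorted(allowed))}")
    return problems


# Constructed sample: the appliance's initial defaults (NAT + Host-only).
SAMPLE_VMX = '''
displayName = "qVSA-O (constructed sample)"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
'''

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, check_adapters(SAMPLE_VMX, mode) or "OK")
```

The .vmx file does not record which host adapter a bridged network binds to, so the "Bridged to:" selection still has to be confirmed in the Virtual Network Editor.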
Sample Network Configurations
If you have plugged into the physical network with an Ethernet cable, it is strongly recommended that you manually bridge your virtual network to the physical NIC of your host machine. Leaving the "Bridged to:" setting in Automatic mode allows for the possibility that your virtual network will instead bind to a VPN port or other network adapter.
How to find your offline scanner appliance’s current IP address(es)
The Console Interface of the offline appliance, viewable only from within VMware Workstation, will display the current IP address(es) of your offline appliance.
Use a standard web browser running on your host OS to navigate to the Web UI URL (https://x.x.x.x:8080/) of the appliance. Please note that both https and the 8080 port number must be included when you enter the address into your browser.