How to create and deploy a Virtual Patch

Document created by Steve McBride on Mar 31, 2015Last modified by Rémi Le Mer on Oct 9, 2019
Version 8Show Document
  • View in full screen mode

Virtual Patches are meant for protecting unitary vulnerabilities that are not already protected by the current WAF Security Policy.


Virtual Patching is the first step toward a tight integration between the Qualys WAS and WAF modules. This functionality allows a user to identify a vulnerability detected by Web Application Scanning (WAS), and flag it for automatic creation of a Web Application Firewall (WAF) rule. The WAF rule is then automatically generated and deployed to the WAF cluster(s) that protect the application in question, and all the appliances that are part of the cluster(s) will update their configuration.


The requirement for virtual patching a vulnerability is to have the application shared between WAS and WAF (you can check this on AssetView by running the query: activatedForModules:"WAS" and activatedForModules:"WAF".


Virtual Patches (or vpatch) are in fact based on User Custom Rules (UCR). Same with Exceptions. This is important to note because users can add their own criterias to the conditions computed by WAS.


The workflow for creating and deploying a vpatch is very simple; start on the "Detections/Detection List" tab of the WAS module, and identify the vulnerability that is to be patched.

Using the "Quick Actions" drop-down, choose "Install Patch":



The vpatch will be automatically generated by Portal. Press "OK" to continue:


Creation of the virtual patch can be confirmed in two places, in the Detections list, with the patch icon, and also in the Preview on the bottom of the screen, where a vpatch number is displayed:



To confirm deployment of the patch, we can check in two different locations.

   First, if we run a Web Application Report within the WAS module, the vulnerability can be found and the patch creation verified:



   Additionally, in the WAF module, go to Security/Rules will allow us to confirm that the rule has been created and that the rule number matches the WAS patch number - 123201 in this example:



Rules within WAF (both virtual patches and exceptions) are deployed to the WAF appliances independently of the applicable policy protecting an application. This is important to note because even if the Security Policy is changed, the WAF Rule will remain active unless removed. Now the vpatch has been created and deployed, and the WAF appliances will always block any attempt to exploit this vulnerability until the vpatch is explicitly removed by a user. Note that vpatches are not meant to stay indefinitely: vulnerabilities should be fixed at dev, and vpatch removed. Really, virtual patching is a seamless mitigation process offered to WAS administrators in order to shorten the mitigation operation to a simple click. Qualys does not recommend stacking virtual patches without removing them at some point.