Deploying Qualys Virtual Scanner Appliance in Google Compute Engine (GCE)

Document created by Hari Srinivasan on Mar 11, 2017. Last modified by Qualys Documentation on May 20, 2020.
Version 19

Users can scan their Google Cloud compute engine instances along with all other global elastic cloud and on-premise assets from within the Qualys Cloud Platform. Qualys Virtual Scanner Appliance can be directly deployed from the Google Marketplace.

 

Prerequisites

1) You require a Qualys subscription to be able to complete the deployment successfully. If you do not have an active Qualys subscription, contact Qualys Support or sign up on the Qualys website.

2) Get a personalization code from your Qualys subscription to register every new appliance instance. For detailed steps, scroll down to the section "Generating a Personalization Code".

3) Customers on Private Cloud Platforms require a SAS link to download the qVSA image.

 

Some things to consider... 

The following features are not supported and are disabled in all cloud (private and public) platforms:

  • WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported 
  • NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console
  • STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI
  • STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI
  • IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI

 

About managing instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.

 

Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to a GCE cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.

 

Generating a Personalization Code

Get a personalization code from your Qualys subscription to register every new appliance instance.

1) Log into the Qualys UI.

2) Choose Vulnerability Management or Policy Compliance, depending on your need.

3) Go to Scans > Appliances and select New > Virtual Scanner Appliance.

 


 

4) Choose 'I have my image'. Specify a name for your scanner (note: GCP expects lowercase letters, numbers, and hyphens.) 

 


 

5) Click Next to walk through the wizard. Copy the personalization code.

 


 

6) Leave the window open and switch to your Google Cloud portal to launch the appliance. You can check for activation status in the same window after deployment.

 

Deploy Qualys Virtual Scanner Appliance

There are two ways you can deploy the Qualys Virtual scanner Appliance. We'll describe both methods.

- Via Google Cloud Marketplace

- Custom Image deployment for Customers on Private Cloud Platforms

 

Via Google Cloud Marketplace

1) Log into Google Cloud with your account, and navigate to Marketplace.
2) Search for “Qualys”, select “Qualys Virtual scanner Appliance”.
3) Click "Launch".

 


 

4) Provide the following details for the virtual scanner appliance instance.

 

Deployment name: It is advised to specify the same name used in Qualys UI while generating a personalization code.

 

Zone: Select a zone that will co-locate the scanner instance with scan target instances. For the scanner to reach other zones, connectivity must be set up with appropriate network configurations.

 

Perscode: Provide the 14-digit Personalization code generated from Qualys UI.

 

Proxy URL: Add the proxy server URL to communicate with Qualys Cloud Platform via SSL proxy. We support both IP and FQDN for the proxy server configuration. Specify the proxy server URL as username:password@proxyhost:port

 

Formatting:
If you have a domain user, the format is domain\username:password@proxyhost:port
If authentication is not used, the format is proxyhost:port
where proxyhost is the IP address or the FQDN of the proxy server and port is the proxy port

 

Examples:

jdoe:abc12345@10.40.1.123:3128
jdoe:abc12345@myproxy.qualys.com:3128

 

Machine type: The default pre-set is 2 vCPUs and 7.5 GB and can be customized. Note: The appliance supports a maximum of 16 cores and 16GB memory. For customization, choose core to memory in the ratio of 1:3.5.

 

Do not change "Boot disk type" or "Size (GB)" unless instructed by Qualys Support (default value - 56GB)

 


 

5) Click "Deploy" and continue to the section “Post-deployment Progress and monitoring”.

 

Custom Image deployment for Customers on Private Cloud Platforms

Here Customers are expected to build a Qualys scanner image specific to their private platform.
1) Download the qVSA image file (tar.gz) using the SAS link provided by Qualys Operations.
2) Create a Google Storage Bucket.
3) Upload the downloaded qVSA image file to your storage bucket.
4) Create the Qualys Scanner Image using the uploaded qVSA image file (tar.gz).

 

Name: Provide a unique name to identify the Qualys Scanner appliance image.
Source: Select “Cloud Storage File”, which will allow you to select the Qualys Scanner image file stored in the Storage Bucket. In the image, qualys-scanner is a bucket name and qVSA-GCE-xxxxxxx.tar.gz is the Qualys scanner image file.

 


 

5) Generate a Personalization code. Follow the steps on how to generate a personalization code earlier in this document. 

6) Deploy Qualys Virtual Scanner Appliance Instance. 

 

Deployment name: It is advised to specify the same name used in Qualys UI while generating a personalization code.

 

Zone: Select a zone that will co-locate the scanner instance with scan target instances. For the scanner to reach other zones, connectivity must be set up with appropriate network configurations.

 

Machine type: The default pre-set is 2 vCPUs and 7.5 GB and can be customized. Note: The appliance supports a maximum of 16 cores and 16GB memory. For customization, choose core to memory in the ratio of 1:3.5.

 

Boot Disk: Change the boot disk to the newly created Qualys Scanner appliance image disk.

 

Do not change "Boot disk type" or "Size (GB)" unless instructed by Qualys Support (default value - 56GB)

 


 

Metadata:

Perscode: Provide the 14-digit Personalization code generated from Qualys UI.
Proxy URL (Optional): Add the proxy server URL to communicate with Qualys Cloud Platform via SSL proxy. We support both IP and FQDN for the proxy server configuration. Specify the proxy server URL as username:password@proxyhost:port


Formatting:
If you have a domain user, the format is domain\username:password@proxyhost:port
If authentication is not used, the format is proxyhost:port

where proxyhost is the IP address or the FQDN of the proxy server and port is the proxy port.

 

Examples:

jdoe:abc12345@10.40.1.123:3128
jdoe:abc12345@myproxy.qualys.com:3128

 


 

7) Click the Create button.
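
The scanner name, Perscode and Proxy URL rules given for both deployment methods above can be checked before launch, and the proxy string masked before it is pasted into a log or support ticket. This is an added example, not Qualys code: the function names are made up here, and splitting on the last '@' and the first ':' is an assumption, since the page does not say how special characters in passwords are handled.

```python
import re

# Rules come from the page; function and field names are this example's own.
NAME_RE = re.compile(r"[a-z0-9-]+")      # lowercase letters, numbers, hyphens
PERSCODE_RE = re.compile(r"[0-9]{14}")   # 14-digit personalization code
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")  # IP address or FQDN (loose check)

def parse_proxy(value):
    """Split [domain\\]username:password@proxyhost:port into its parts."""
    # Assumption: the last '@' ends the credentials, the first ':' ends the username.
    creds, at, hostport = value.rpartition("@")
    host, colon, port = hostport.rpartition(":")
    if not colon or not HOST_RE.fullmatch(host):
        raise ValueError("expected proxyhost:port")
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    proxy = {"domain": None, "username": None, "password": None,
             "host": host, "port": int(port)}
    if at:
        user, sep, password = creds.partition(":")
        if not (sep and user and password):
            raise ValueError("credentials must be username:password")
        if "\\" in user:
            proxy["domain"], user = user.split("\\", 1)
        proxy.update(username=user, password=password)
    return proxy

def redact_proxy(value):
    """Return the proxy string with the password masked, for logs and tickets."""
    p = parse_proxy(value)
    if p["username"] is None:
        return f"{p['host']}:{p['port']}"
    user = p["username"] if p["domain"] is None else p["domain"] + "\\" + p["username"]
    return f"{user}:***@{p['host']}:{p['port']}"

def check_deployment(name, perscode, proxy=None):
    """Return a list of problems; an empty list means the values are well-formed."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: lowercase letters, numbers and hyphens only")
    if not PERSCODE_RE.fullmatch(perscode):
        problems.append("perscode: expected 14 digits")
    if proxy:
        try:
            parse_proxy(proxy)
        except ValueError as exc:
            problems.append(f"proxy: {exc}")
    return problems
```

With the page's first proxy example, redact_proxy returns jdoe:***@10.40.1.123:3128; check_deployment returns an empty list when all values match the stated formats.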

 

Post-deployment Progress and monitoring

The appliance deployment can take up to 10 minutes. Upon deployment, the appliance will connect with the Qualys Cloud Platform to complete registration. The appliance will also download the latest software and vulnerability signatures.

 

You can monitor the progress of the instance creation in the GCE VM instances.

 

To view further progress of the appliance configuration or to diagnose any issues, look at the serial console output. Click 'Serial port 1(console)' in the logs section.

 


 

In GCE, you can also check VM status graphs for instance resources like CPU Utilization, Disk IO and Network stats:

 


 

From Qualys UI, you can check for Activation of the scanner appliance. Click 'Check Activation' in the dialog from where you copied the Personalization code.

 


 

How do I know my scanner is ready to use?

Check your virtual scanner status in the Qualys UI. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.

 


 

The active icon tells you your virtual scanner is ready. Now you can start internal scans! (Next to this, you’ll see the busy icon is grayed out until you launch a scan using this scanner.)

 

Diagnosing Common Errors in Scanner Deployment

Check for errors in the output in the Serial Output console.

 


 

If you find issues with the personalization code, shut down the VM, fix the Metadata PERSCODE value and start it up again. If the problem persists and the appliances are not communicating with Qualys, please contact Qualys Support. Include your Qualys portal URL and username, and attach the serial output logs to the support ticket.


For any errors and troubleshooting tips, please visit Scanner Appliance Troubleshooting and FAQs.

