Deploying Qualys Virtual Scanner Appliances in Google Compute Engine (GCE)

Document created by Hari Srinivasan on Mar 11, 2017Last modified by Qualys Documentation on Oct 1, 2019
Version 16Show Document
  • View in full screen mode

Users can now scan their Google Cloud compute engine instances along with all other global elastic cloud and on-premise assets from within the Qualys Cloud Platform. Qualys Virtual Scanner Appliance (QVSA) is now available to be directly deployed from the Google Cloud Launcher to GCP - as a Compute Engine instance. 



1) You require a Qualys subscription to able to complete the deploy successfully. If you are a new user, you can sign up for a free 30-day trial account.

2) Get a personalization code from your Qualys subscription to register every new appliance instance. For detailed steps, scroll down to the section "Generating a Personalization Code".


Some things to consider... 

The following features are not supported and are disabled in all cloud (private and public) platforms:

  • WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported 
  • NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console
  • STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI
  • STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI
  • IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI


About managing instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.


Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to a GCE cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.



Deploy Qualys Virtual Scanner Appliance Instance from Google Cloud Launcher

1) Log into Google Cloud with your account, and navigate to launcher

2) Search for Qualys or open up this URL

3) Click "Launch on Compute Engine" 
Qualys Appliance in Google Cloud Launcher


4) Fill out the details for the virtual scanner appliance instance you will launch on compute engine.


Deployment name: Specify the same name used in Qualys while generating a personalization code.


Zone: Select a zone depending upon on the zone of the instances you want to scan. Recommend colocating the appliance and the compute engine instances it will perform a remote scan on. If you want scanner appliances to reach other zones, setup connectivity with appropriate network configurations.


Perscode: Provide the 14 digit Personalization code generated from Qualys.


Proxy URLAdd the proxy server URL to communicate with Qualys Cloud Platform via SSL proxy. We support both IP and FQDN for the proxy server configuration. Specify the proxy server URL as username:password@proxyhost:port


If you have a domain user, the format is domain\username:password@proxyhost:port
If authentication is not used, the format is proxyhost:port
where proxyhost is the IPv4 address or the FQDN of the proxy server, port is the port the proxy server is running on





Machine type:  It has a preset list or can be customized. For pre-set, recommended a basic type of 2 vCPUs and 7.5 GB. Note the appliance only supports up to 16 cores and 16GB memory. If you customize pick core to memory in the ratio of 1:3.5.


Do not change "Boot disk type" or "Size (GB)" unless instructed by Qualys Support (default value - 40GB)
Deploy Scanner Appliance in GCE



5) Click "Deploy"


The appliance deployment takes few to 10 minutes.  Upon completion, the VM instance will be deployed.

Upon the creation of the virtual machine, the appliance uses the personalization code to configure itself from the Qualys platform. As a part of this step, it also checks for updates and applies it.

You can monitor the progress of the instance creation in the GCE VM instances. In GCE, you can also check VM status graphs



To view further progress of the appliance configuration or to diagnose any issues, look at the serial output console. Click 'View Serial port' at the bottom of the VM instance.


Serial Output Link


Serial o/p log lines


Serial Output Log Success


From your Qualys portal, you could check for Activation. Click 'Check Activation' in the dialog where you copied the Personalization code from.


CheckActivationSuccessful Activation


If you have any issues in deploying the appliances. Check for the information in the section below.



Diagnosing Common Errors in Scanner Deployment

Check for errors in the output in the Serial Output console.  



If you find issues with personalization code, shut down the VM, fix Metadata PERSCODE value and start it up again. If the problem persists and the appliances are not communicating with Qualys, contact Qualys support.  Include your Qualys portal URL, username and attach the serial output logs to the support ticket.



Generating a Personalization Code

Get a personalization code from your Qualys subscription to register every new appliance instance.

1) Log into the Qualys UI.

2) Choose Vulnerability Management or Policy Compliance, depending on your need.

3) Go to Scans > Appliances and select New > Virtual Scanner Appliance...



4) Choose 'I have my image'. Then specify a name for your scanner (note: GCP expects lowercase letters, numbers, and hyphens.) 


5) Click Next and scroll down, then copy the personalization code.

Generate Qualys Scanner Appliance Personalization Code

6) Leave the window open and switch to your google cloud portal to Launch the appliance.  You can check for activation status in the same window after deployment.

4 people found this helpful