Static Route Configuration for Qualys Appliances

Document created by Martin Walker (Employee) on Jan 5, 2018. Last modified by Martin Walker (Employee) on Mar 28, 2019.


Static routes are a special configuration required when the default gateway for the LAN NIC on the scanner appliance cannot route traffic to a target network for scanning, and instead a specific non-default gateway on the local network must be used.


Split Network Configuration

The configuration of the scanner LAN and WAN NICs has no bearing on the use of static routes; however, the two subjects are often conflated. The Qualys scanner appliance does not normally require the WAN NIC to be configured. Typically both scan and management traffic are carried over the LAN interface. However, if the scanner cannot reach the Internet/Qualys POD from the local LAN, a split configuration must be used. This is known as a "split network configuration": the WAN interface is connected to a different network that can reach the Internet/Qualys POD, and the WAN interface then carries all management traffic.


In both the split and the non-split network configuration, only the LAN interface is used to scan your networks; no scan traffic is, or can be, routed through the WAN interface regardless of configuration. In the split network configuration no management traffic is carried by the LAN interface. Management traffic consists of heartbeat check-ins, signature updates, scan jobs, and scan results; all of these connections are initiated from the scanner, and all can be proxied.


Static route configuration on the scanner is not used by the appliance to decide which NIC egresses traffic to Qualys. The scanner does not behave like a typical dual-homed host in this respect; it separates scan traffic from management traffic on its own.


Static Routes

Static routes are used by the appliance only for scan traffic, and are needed only when the default gateway on the local LAN cannot route scan traffic correctly to a target network and a VLAN configuration is not possible or appropriate. If the default gateway for the LAN interface can properly route this traffic, then static routes should not be configured for that network: use static routes only when a specific non-default gateway is needed. One use case is a transit network containing multiple routers that connect a remote site or partner networks. In this case a static route entry would be configured for each target network, with the CIDR block representing that network and the IP of the router that carries traffic to it.


To configure static routes from the portal, navigate to Scans->Appliances, scroll to the scanner you wish to modify, select Edit, and then select the Static Routes tab on the left. Enter the IP address of the router and a target network in CIDR format. The target network must have a valid starting IP address for the mask provided (that is, it must be the network address, not a host address within it). The gateway/target network pair must be unique per appliance: the same gateway/target network pair cannot be defined in another static route entry for the same appliance. You will also need to enter a route name to identify the entry in the static routes list.
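As an added illustration (not Qualys code and not the portal's own validation), the following Python pre-flight check applies the rules described above to a list of planned static route entries before they are typed into the portal: the target must be a valid network address for its mask, the gateway must be a non-default router on the LAN segment, every gateway/target pair must be unique per appliance, and every entry needs a name. The LAN address, default gateway and route values are constructed placeholders.

```python
import ipaddress

# Constructed placeholders standing in for the scanner's LAN NIC settings.
LAN_ADDRESS = ipaddress.ip_interface("10.10.20.15/24")
LAN_DEFAULT_GATEWAY = ipaddress.ip_address("10.10.20.1")


def validate_static_routes(routes, lan=LAN_ADDRESS, default_gw=LAN_DEFAULT_GATEWAY):
    """Return a list of problems found in planned static route entries.

    Each route is a dict with keys "name", "gateway" and "target" (CIDR).
    An empty list means every entry passed the checks.
    """
    problems = []
    seen_pairs = set()
    for index, route in enumerate(routes):
        label = route.get("name") or f"route #{index + 1}"
        if not route.get("name"):
            problems.append(f"{label}: missing route name")
        # strict=True rejects targets with host bits set, e.g. 192.168.1.5/24,
        # which is the "valid starting IP address for the mask" rule.
        try:
            target = ipaddress.ip_network(route["target"], strict=True)
        except ValueError as exc:
            problems.append(f"{label}: invalid target network {route['target']!r} ({exc})")
            continue
        try:
            gateway = ipaddress.ip_address(route["gateway"])
        except ValueError:
            problems.append(f"{label}: invalid gateway {route['gateway']!r}")
            continue
        # The gateway must be a router on the scanner's own LAN segment.
        if gateway not in lan.network:
            problems.append(f"{label}: gateway {gateway} is not on the LAN segment {lan.network}")
        # Pointing at the default gateway adds nothing; the default route already covers it.
        if gateway == default_gw:
            problems.append(f"{label}: gateway {gateway} is the LAN default gateway; no static route needed")
        # Gateway/target pairs must be unique per appliance.
        pair = (gateway, target)
        if pair in seen_pairs:
            problems.append(f"{label}: duplicate gateway/target pair {gateway} -> {target}")
        seen_pairs.add(pair)
    return problems
```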


Note: There should be no active scans on the appliance when these changes are made, as they will be terminated.
