Qualys Virtual Scanner Appliance in Oracle Cloud Infrastructure

Document created by Alex Mandernack Employee on Feb 6, 2019Last modified by Qualys Documentation on Oct 1, 2019
Version 11Show Document
  • View in full screen mode

Summary

This document describes briefly how to quickly deploy the Qualys Virtual Scanner Appliance in Oracle Cloud Infrastructure from the Oracle Cloud Marketplace. This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block.

 

Prerequisites

Customers will have an active Qualys subscription.

Scanner personalization code (14 digits) obtained from your Qualys account.

Qualys Virtual Scanner Appliance VM must be able to reach the Qualys Cloud Platform over HTTPS port 443

 

Some things to consider... 

The following features are not supported and are disabled in all cloud (private and public) platforms:

  • WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported 
  • NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console
  • STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI
  • STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI
  • IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI

 

What do I need to get started?

The Virtual Scanner option must be turned on for your account. Contact Qualys Support or your Technical Account Manager if you would like us to turn on this option for you.

You must be a Manager or a sub-user with the “Manage virtual scanner appliances” permission. This permission may be granted to Unit Managers. Your subscription may be configured to allow this permission to be granted to Scanners.

 

Configuration in Qualys

You'll add a new virtual scanner appliance and get your personalization code.

1) Go to Scans > Appliances and select New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.

2) Give your scanner a name. If you’re a sub-user then you’ll also need to pick an asset group that has been assigned to your business unit by a Manager user. Not seeing any asset groups? Please ask a Manager to assign an asset group (other than the All group) to your business unit.

3) Follow the on screen instructions to configure your virtual scanner and get your personalization code. You'll need this to launch your instance.

 

pers code

 

Configuration in OCI

The Scanner image can be found at the OCI marketplace. A SAS URL which is signed and valid for a short duration is shared when there is no access to marketplace. We’ll see in the following 2 subsections how to launch an instance using marketplace and using SAS URL.

 

How to launch an instance from the Oracle Cloud Marketplace

1) Go to Qualys Virtual Scanner Appliance page in the Oracle Cloud Marketplace, and login to your OCI Compute Classic account. The Oracle Cloud Marketplace lists two virtual scanner appliances. One for OCI (select this one for this guide), the other for OCI Classic Compute.

https://cloudmarketplace.oracle.com/marketplace/app/qualys-oci_scanner

2) Launch the virtual scanner by selecting “Get App”.

 

oracle cloud marketplace

3) Configure the instance launched from the OCI marketplace. See "Using the wizard for instance settings" below.

 

How to launch an instance from a Custom image created from SAS URL

1) Get SAS URL of the latest qVSA Scanner Image from Qualys. Please note that this SAS URL is valid only for a limited time.

2a) Create a custom scanner image using the OCI UI (jump to step 2b to create the image using CLI)

Once you have the SAS link, create a Custom Image.

Fill out all the details (as shown below) and then click the "Import Image" button to upload the image. 

- Provide a Name

- Copy the SAS URL to the Object Storage URL field

- Select Image Type "QCOW2"

 

2b) Create a custom scanner image through CLI using this command:

Oci compute image import from-object-uri -c <COMPARTMENT ID> --display-name <IMAGE NAME> --launch-mode <PARAVIRTUALIZED> --source-image-type QCOW2 --uri <OBJECT URL PATH>

 

COMPARTMENT ID - This can be obtained from the IDENTITY section or by running the oci iam compartment list command from the CLI.

OBJECT URL PATH - This is the SAS URL provided by Qualys.

You should see the image uploading in the custom image page in OCI.

 

3) Now you need to configure the instance launched from the custom image. See "Using the wizard for instance settings" below.

 

Using the wizard for instance settings

1) Name your instance - Choose a distinctive name and label of your scanner.

2) Choose instance shape - Select a shape that doesn’t exceed 16GB of RAM and 16 CPU Cores.

3) Add SSH key - The Qualys Scanner appliance is a locked appliance, login into it is disabled. Leave the SSH key section empty.

4) User data - Enter your Personalization code and Proxy, if any, in the following format:

 

Example:

PERSCODE=12345678910

PROXY_URL=username:password@proxyhost:port

 

Proxy formatting:

If you have a domain user, the format is: domain\username:password@proxyhost:port

If authentication is not used, the format is: proxyhost:port

Where “proxyhost” is the IPv4 address or the FQDN of the proxy server.

 

advanced options

Notes:

  • User data settings cannot be updated after deployment. If you need to alter the PERSCODE and/or PROXY_URL, you will have to redeploy the scanner
  • You can keep the default storage size or you can increase it based on your requirements.

 

5) After filling out all the details, click on create for deploying the instance.

 

Track the progress through Qualys Scanner Console

Once you click on create instance and if all the settings are configured correctly the scanner will be activated successfully. You can track the progress via the Scanner Console available through VNC Viewer.

 

Connecting to Scanner console via VNC

For connecting to the VNC console you need to have a public / private key pair. Create Console Connection and upload the public key, as shown below.

 

Get the VNC connection details

Run the command provided in the popup on the host machine you have. Commands are provided both for Linux ( Terminal ) and Windows ( Windows Powershell ) machines.

Note: When you are running the provided command on the respective terminals make sure the private key is already loaded.

 

Provide localhost:5900 as the Address in order to view the VNC console. Here's an example of the console:

 

Once launched, the Virtual Appliance connects to the Qualys Cloud Platform

This step registers the Virtual Scanner Appliance with your Qualys account. Also your appliance will download all the latest software updates right away, so it’s ready for scanning.

 

Configuring Security Lists for your Virtual Scanner Appliance

  • If you are using proxy server then ensure you have outbound rule allowing access on port 443 and the port used to communicate with proxy server.
  • If scanner appliance has direct internet connectivity, then ensure that there is an outbound rule that allows access on port 443 to Qualys Security Operations Center (SOC) IP address. You can get the SOC IP address range by logging in to Qualys and navigating to Help > About.
  • Scanner should be able to reach out to all the target instances for running the scan. It is recommended to configure outbound rule that allows access to all ports and subnets of the instances that the scanner is going to scan.

 

How do I know my scanner is ready to use?

Check your virtual scanner status in Qualys. Go to Scans > Appliances and find your scanner in the list.
Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.

If you are deployed on Oracle Compute Classic, refer to

Deploying Qualys Virtual Scanner Appliances in Oracle Cloud Infrastructure Compute Classic 

 

Please note that we don't support Oracle compute classic from Scanner version 2.5 and onwards.

Attachments

    Outcomes