Deploying Qualys Virtual Scanner Appliance in IBM Cloud

Document created by Alex Mandernack Employee on Aug 13, 2019Last modified by Qualys Documentation on May 8, 2020
Version 12Show Document
  • View in full screen mode

This document describes briefly how to quickly deploy the Qualys Virtual Scanner Appliance in IBM Cloud. This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block.



Customers will have an active Qualys subscription.

Scanner personalization code (14 digits) obtained from your Qualys account. (Documentation)
Qualys Virtual Scanner Appliance VM must be able to reach the Qualys Cloud Platform over HTTPS port 443

Qualys Scanner image must be shared with your IBM account using a private image share by Qualys. Contact Qualys support to have the image shared with your IBM account.


Some things to consider... 

The following features are not supported and are disabled in all cloud (private and public) platforms:

  • WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported 
  • NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console
  • STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI
  • STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI
  • IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI


What do I need to get started?

The Virtual Scanner option must be turned on for your account. Contact Qualys Support or your Technical Account Manager if you would like us to turn on this option for you.

You must be a Manager or a sub-user with the “Manage virtual scanner appliances” permission. This permission may be granted to Unit Managers. Your subscription may be configured to allow this permission to be granted to Scanners.

Qualys Scanner image shared to your IBM account.


Configuration in Qualys

You'll add a new Virtual Scanner Appliance and get your personalization code.


Follow these steps:

1) Go to Scans > Appliances and select New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.

2) Give your scanner a name. If you’re a sub-user then you’ll need to pick an asset group that has been assigned to your business unit by a Manager user. Not seeing any asset groups? Please ask a Manager to assign an asset group (other than the All group) to your business unit.

3) Follow the on-screen instructions to configure your virtual scanner and get your personalization code. You'll need this to launch your Qualys Scanner instance in IBM Cloud.


Get personalization code


Configuration in IBM Cloud

Create Qualys Scanner VM using private Qualys qVSA image shared with you by Qualys. In Classic Infrastructure, Image Templates are stored under Devices->Manage->Images. qVSA-IBM-X.X.X-X image should be available in your list of Private images.



From the Actions drop down for the Qualys qVSA image choose one of Order ... VSI, then complete your order based on your requirements. 

Type of Virtual server: More info about the IBM virtual servers could be found here: 

Instance Info: Fill in the requested info about your virtual server  

Hostname and Domain: Give a name of your Qualys scanner. This name is not DNS resolvable, it is for tagging purposes only. 

Location: Choose a Data center where the scanner(s) will be deployed. 

ProfileQualys Scanner Appliance supports up to 16GB RAM and up to 16 CPU cores, so choose instance flavor based on this requirement.  

SSH keys: Keep the default option “none”. Qualys Scanners Appliance is locked down and SSH access is not allowed on the scanner. 

Image: Custom image should be already preselected. 

Add-ons:  We use User data field to “inject’ PERSCODE and PROXY server info into the Qualys scanner. You can configure the scanner to use SSL proxy for all outbound communication with the Qualys Cloud Platform. We support both IP and FQDN for the proxy server configuration.


You'll specify the proxy server URL using this format:



Please note that PERSCODE and PROXY_URL should be placed on separate lines with no extra whitespaces or blank lines, just like this: 



 Personalization code and proxy url

Attached storage disksNo additional storage disks should be attached.  

Network Interface: Currently Qualys Scanner Appliance doesn’t support IPv6 addresses. Your VSI will get two network interfaces: a Private IPv4 address will be assigned on the first interface while a Public IPv4 address will be assigned on the second one.  

Security Groups:  It is important to configure your Security Groups for the scanner’s private and public network interfaces properly. Please check the "Configuring Security Groups for your Virtual Scanner Appliance" section near the bottom of this document for more details. 

Finally, verify Order summery and press Create button to complete your Virtual Server order. 


Access your Qualys scanner on the private network 

This step is optional. If you want to access your Virtual Scanner on its KVM console, you need to install and configure IBM VPN software tool and VNC client. For step by step instructions you might want to follow this document provided by IBM. 


This is how Qualys scanner looks like after being successfully deployed and personalized. 


Scanner console


Once launched, the Virtual Appliance connects to the Qualys Cloud Platform

This step registers the Virtual Scanner Appliance with your Qualys account. Also your appliance will download all the latest software updates right away, so it’s ready for scanning.

Configuring Security Groups for your Virtual Scanner Appliance

  • If you are using proxy server then ensure you have outbound rule allowing access on port 443 and the port used to communicate with proxy server.
  • If scanner appliance has direct internet connectivity, then ensure that there is an outbound rule that allows access on port 443 to Qualys Security Operations Center (SOC) IP address. You can get the SOC IP address range by logging in to Qualys Portal and navigating to Help > About option.
  • Scanner should be able to reach out to all the target instances for running the scan. It is recommended to configure outbound rule that allows access to all ports and subnets of the instances that the scanner is going to scan.


How do I know my scanner is ready to use?

Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list.

Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.


Active icon tells you the virtual scanner is ready to use. Now you can start internal scans! (Next to this you'll see the busy icon which is grayed out until you launch a scan using this scanner.)


Appliances list in UI



For any errors and troubleshooting tips, please visit Scanner Appliance Troubleshooting and FAQs.


Looking for more information on Qualys in IBM Cloud? 

See the Help Center for IBM Cloud