This document describes briefly how to quickly deploy the Qualys Virtual Scanner Appliance in IBM Cloud. This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block.
Customers will have an active Qualys subscription.
Scanner personalization code (14 digits) obtained from your Qualys account. (Documentation)
Qualys Virtual Scanner Appliance VM must be able to reach the Qualys Cloud Platform over HTTPS port 443
What do I need to get started?
The Virtual Scanner option must be turned on for your account. Contact Qualys Support or your Technical Account Manager if you would like us to turn on this option for you.
You must be a Manager or a sub-user with the “Manage virtual scanner appliances” permission. This permission may be granted to Unit Managers. Your subscription may be configured to allow this permission to be granted to Scanners.
Configuration in Qualys
You'll add a new virtual scanner appliance and get your personalization code.
Go to Scans > Appliances and select New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.
Give your scanner a name. If you’re a sub-user then you’ll need to pick an asset group that has been assigned to your business unit by a Manager user. Not seeing any asset groups? Please ask a Manager to assign an asset group (other than the All group) to your business unit.
Follow the on screen instructions to configure your virtual scanner and get your personalization code. You'll need this to launch your instance.
Configuration in IBM Cloud
Create Qualys Scanner VM using private Qualys qVSA image shared with you by Qualys. In Classic Infrastructure, Image Templates are stored under Devices->Manage->Images. qVSA-IBM-X.X.X-X image should be available in your list of Private images.
From the Actions drop down for the Qualys image choose one ... VSI“, then complete your order based on your requirements.
Type of Virtual server: More info about the IBM virtual servers could be found here:
Instance Info: Fill in the requested info about your virtual server
Hostname and Domain: Give a name of your Qualys scanner. This name is not DNS it is for tagging purposes only.
Location: Choose a Data center where the scanner(s) will be deployed.
Profile: Qualys Scanner Appliance supports up to 16GB RAM and up to 16 CPU cores, so choose instance flavor based on this requirement.
SSH keys: Keep the default option “none”. Qualys Scanners Appliance is locked down and SSH access is not allowed on the scanner.
Image: Custom image should be already preselected.
Add-ons: We use User data field to “inject’ PERSCODE and PROXY server info into the Qualys scanner. You can configure the scanner to use SSL proxy for all outbound communication with the Qualys Cloud Platform. We support both IP and FQDN for the proxy server configuration. You'll specify the proxy server URL using this format: PROXY_URL=
Please note that PERSCODE and PROXY_URL should be placed on separate lines with no extra whitespaces or blank lines, just like that:
Attached storage disks: No additional storage disks should be attached.
Network Interface: Currently Qualys Scanner Appliance doesn’t support IPv6 addresses. Your VSI will get two network interfaces: Private IPv4 address will be assigned on the first interface while a Public IPv4 address will be assigned on the second one.
Security Groups: It is important to configure your Security Groups for the scanner’s private and public network interfaces properly. Please check the Requirements section for more details.
Finally, verify Order summery and press Create button to complete your Virtual Server order.
Access your Qualys scanner on the private network
This step is optional. If you want to access your Virtual Scanner on its KVM console, you need to install and configure IBM VPN software tool and VNC client. For step by step instructions you might want to follow this document provided by IBM. https://cloud.ibm.com/docs/infrastructure/iaas-vpn?topic=VPN-getting-started
This is how Qualys scanner looks like after being successfully deployed and personalized.
Once launched, the Virtual Appliance connects to the Qualys Cloud Platform
This step registers the Virtual Scanner Appliance with your Qualys account. Also your appliance will download all the latest software updates right away, so it’s ready for scanning.
Configuring Security Groups for your Virtual Scanner Appliance
- If you are using proxy server then ensure you have outbound rule allowing access on port 443 and the port used to communicate with proxy server.
- If scanner appliance has direct internet connectivity, then ensure that there is an outbound rule that allows access on port 443 to Qualys Security Operations Center (SOC) IP address. You can get the SOC IP address range by logging in to Qualys Portal and navigating to Help > About option.
- Scanner should be able to reach out to all the target instances for running the scan. It is recommended to configure outbound rule that allows access to all ports and subnets of the instances that the scanner is going to scan.
How do I know my scanner is ready to use?
Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list.
Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.
See the Help Center for IBM Cloud