Here are a few best practices related to internal scanning from our Support team.
Consult your network group for scanner placement
It's highly recommended that you work with your network group to determine where to place scanner appliances in your environment. Some things to consider: place scanner appliances as close to target machines as possible, and make sure to monitor and identify any bandwidth restricted segments or weak points in the network infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load balancers) could result in degraded performance so you may consider using our VLAN tagging feature (VLAN trunking) to circumvent layer 3 devices to avoid potential performance issues.
Avoid scanning through a firewall from the inside out
Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. We recommend placing scanner appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible.
Verify scanner connectivity to Qualys Cloud Platform
Go to Help > About in the application. The Scanner Appliances section lists cloud platform URLs that your appliances must be able to contact using HTTPS on port 443. For Private Cloud Platform deployments, the URLs displayed are appropriate to your local on-site Platform. For more on this topic, see Scanner Appliance: Management Communications.