How to configure a virtual scanner using Amazon EC2/VPC

Document created by Qualys Documentation Employee on Jan 10, 2013Last modified by Hari Srinivasan on May 16, 2017
Version 28Show Document
  • View in full screen mode

It just takes a couple minutes to launch a Qualys Virtual Scanner Appliance (AMI instance) within Amazon AWS. We'll help you with the steps! You’ll need to enter the personalization code for your virtual appliance, obtained from the Qualys UI, as part of the instance configuration.


Good to Know: Configurations for VLANs, static routes and IPv6 support are not supported for the Amazon EC2/VPC distribution of the virtual scanner appliance.


Before you begin

Go to Qualys Products page at the AWS Marketplace

Choose Qualys Scanner AMI (see Choosing The Correct Scanner AMI )

Click Continue

Login to your AWS account (if you haven't already)
Generate a personalization code from your Qualys subscription, to personalize or activate the Scanner appliance 


How to launch an AMI instance from the AWS Marketplace

1) Go to Qualys Virtual Scanner Appliance page at AWS Marketplace if you're not already there. Your options are:

Qualys Virtual Scanner Appliance HVM on AWS Marketplace

Qualys Virtual Scanner Appliance (Pre-Authorized Scanning) HVM on AWS Marketplace


Pricing: BYOL (Scanner Appliance and the security modules are sold by Qualys) + EC2 Infrastructure costs (paid directly to AWS)


2) Launch the virtual scanner AMI in a region. Under “Select a Version”, find the region you want to launch in and click the button “Launch with EC2 Console” next to it.


3) Use the wizard to enter AMI settings. You must enter the scanner’s personalization code you obtained from the Qualys user interface (see Configure Instance).


4) Click "Review and Launch".


How to launch an AMI instance using the AWS Management Console

1) Sign in to AWS Management Console if you haven't already at


2) Go to Services > EC2.


3) Launch the virtual scanner AMI instance. Choose one of these methods

Navigate to INSTANCES > Instances, click the Launch Instance button, go to Community AMIs, then find and select the Qualys AMI.


Navigate to IMAGES > AMIs. Find and select the Qualys AMI, and then click Launch.


4) Use the wizard to enter AMI settings. You must enter the scanner’s personalization code you obtained from the Qualys user interface (see Configure Instance). Also if you select VPC the Instance Type must be at least set to “Small” (“Small” or above).


5) Click "Review and Launch".


Configure Instance Step

When using the wizard to enter AMI settings, it is required to enter the personalization code for your virtual scanner in Step 3 - Configure Instance step. Where do I get this code? Login to your Qualys account, go to Scans > Appliances, then New Virtual Scanner Appliance.




Personalization Code. (Required) In the User Data field (under Advanced Details) enter the Personalization Code for your virtual scanner that you obtained from Qualys preceded by PERSCODE=. For example, PERSCODE=12345678901234

(Personalization code is needed to activate the scanner appliance and communicate to Qualys. Refer to the section 'Generate personalization code'


Proxy. (Optional) In the User Data field, enter the Proxy server if a Proxy server is used. The format for specifying the Proxy server is user:pass@ip:port, where user is the username, pass is the password, IP is the IP address and port is the port number. If authentication is not used the format is ip:port. The Proxy server is preceded by PROXY_URL= and it is entered on a separate line from the PERSCODE entry. For example:





Additional Settings

Additional Network Interface. (Optional) The LAN interface services all network traffic unless you select a second interface from the Additional Network Interface menu. When an additional interface is selected, only scanning traffic is routed through the LAN interface and the additional interface is used for management traffic (job pickup, software updates and health checks).


Create Key Pair. (Not used by the virtual scanner AMI) Select “Proceed without a Key Pair”. Once installed, the virtual scanner AMI instance does not use any key pair. If a key pair is selected it is ignored.


Configure Firewall. Select security groups if groups are required to permit the virtual scanner access to the IP addresses that will be scanned.


How to assign a static private IP address using VPC

First complete the steps to launch a virtual scanner AMI instance and define settings within the AWS Management Console. When launching into Amazon VPC you will be presented with the option of assigning a static private IP address as part of the AMI instance settings.


After completing the wizard, the virtual scanner instance AMI is launched and it appears in the Instances section within the AWS Management Console. The virtual scanner AMI instance will attempt to connect to the Qualys Cloud Platform and will continue to make these attempts. These attempts will fail until you configure an elastic IP address. Using the AWS Management Console select an elastic IP address for the virtual scanner AMI instance as follows. Navigate to NETWORK & SECURITY > Elastic IPs. The elastic IPs in your account will be displayed. You can select an existing elastic IP or allocate a new one. Remember 1 elastic IP can be used for 1 network interface at a time (of course you can associate and disassociate as often as you’d like). Once the elastic IP you’d like to use is in your list, then associate the elastic IP with the AMI instance and interface, as appropriate.


Troubleshooting connectivity issues

Qualys Cloud Platform logs results of its connectivity checks and the overall process of scanner personalization on Amazon EC2 System Console (System Log in AWS Management Console). To view the System Console output, go to Instances > Instance Actions > Get System Console.


Normal personalization process will look like this:




If you see "No connectivity to - please fix." messages, please verify that your VPN Network ACLs and Security Groups allow outbound HTTPS (TCP port 443) access. And if you are running VPC with Internet Gateway, please make sure that an Elastic IP is assigned to your new virtual scanner.


In a case where there are connectivity problems, the personalization process will try to connect to the Qualys Cloud Platform multiple times for 30 minutes. If this fails after multiple attempts, a final error message will be logged to System Log explaining that the virtual scanner appliance has given up and will require a reboot to restart the process. Due to current limitations of AWS System Log collector, most of the Qualys progress messages will be lost. It is recommended to reboot the virtual scanner if any messages like “No connectivity to - please fix.” appear in the System Log and the appliance status is Not Connected within the Qualys user interface.




Generate Personalization Code

A personalization code from your Qualys subscription to register every new appliance instance.

  • Log into your Qualys portal
  • Choose the module either Vulnerability Management or Policy Compliance depending on your need
  • Under the module navigate to Scans > Appliances > select New > Virtual Scanner Appliance...
  • Choose "I have my image" > specify a name

                                          Generate Qualys Scanner Appliance Personalization Code

2 people found this helpful