Deploying Scanner Appliances in Microsoft Azure - Classic environment

Document created by Qualys Documentation Employee on Jun 23, 2016. Last modified by Hari Srinivasan on Mar 15, 2017.

This document briefly describes how to deploy the Qualys Virtual Scanner Appliance through the Microsoft Azure Classic portal. Once deployed, the scanner functions as a standard virtual scanner and can scan by IP address or CIDR block within the Microsoft Azure Classic environment.

 

Prerequisites

  1. Download the Virtual Scanner Appliance image (VHD format) from your Qualys subscription
    • Log into your Qualys portal
    • Choose the module, either Vulnerability Management or Policy Compliance, depending on your need
    • Under the module, navigate to Scans > Appliances > select "New" > choose category "Virtual Scanner Appliances" > select Download > Virtual Scanner Appliance...
      • Choose "Download Image Only" > click 'Download' for "Microsoft Azure Classic Image"
  2. A personalization code from your Qualys subscription to register every new appliance instance.
    • Log into your Qualys portal
    • Choose the module, either Vulnerability Management or Policy Compliance, depending on your need
    • Under the module, navigate to Scans > Appliances > select New > Virtual Scanner Appliance...
    • Choose "I have my image" > specify a name > click 'Next' to generate a code

                 [Screenshot: Generate Qualys Scanner Appliance Personalization Code]

  3. Azure components (such as a Cloud Service, Storage Account, Virtual Network, ...) to host the image and deploy the appliance. Note: if you already have existing cloud services (storage accounts, virtual networks, and storage containers) and do not want to create new ones, you can skip steps 1-4 in the next section.
  4. You can use either the UI or the CLI; if you use the Azure CLI, download and install the SDK. The steps in the section below cover both mechanisms.

Deploying Virtual Scanner Appliance in Azure Classic


1. Create a Cloud Service

Azure classic portal

[Screenshot: img1.png]

Azure CLI

All values below are examples; replace them with the actual values for your environment.

azure service create --location "East US" --description "My test cloud service" --serviceName "cloud-service-1"

Usage: service create [options] <serviceName>

Options:
  -h, --help                       output usage information
  -v, --verbose                    use verbose output
  -vv                              more verbose with debug output
  --json                           use json output
  --serviceName <serviceName>      the cloud service name
  --description <description>      the description. Defaults to 'Service host'
  --location <location>            the location. Optional if affinitygroup is specified
  --affinitygroup <affinitygroup>  the affinity group. Optional if location is specified
  --label <label>                  the label. Defaults to serviceName
  -s, --subscription <id>          the subscription id

 

 

2. Create a Virtual Network

Azure classic portal

[Screenshot: img2.png]

Azure CLI

All values below are examples; replace them with the actual values for your environment.

azure network vnet create --vnet TestVNet1 -e 10.1.0.0 -i 16 -n FrontEnd -p 10.1.1.0 -r 24 -l "East US"

Usage: network vnet create [options] <vnet>

Options:
  -h, --help                       output usage information
  -v, --verbose                    use verbose output
  -vv                              more verbose with debug output
  --json                           use json output
  --vnet <vnet>                    the name of the virtual network
  -e, --address-space <ipv4>       the address space for the virtual network
  -m, --max-vm-count <number>      the maximum number of VMs in the address space
  -i, --cidr <number>              the address space network mask in CIDR format
  -p, --subnet-start-ip <ipv4>     the start IP address of subnet
  -n, --subnet-name <name>         the name for the subnet
  -c, --subnet-vm-count <number>   the maximum number of VMs in the subnet
  -r, --subnet-cidr <number>       the subnet network mask in CIDR format
  -l, --location <name>            the location
  -f, --create-new-affinity-group  creates a new affinity group at the location specified in --location
  -a, --affinity-group <name>      the affinity group
  -d, --dns-server-id <dns-id>     the name identifier of the DNS server
  -s, --subscription <id>          the subscription id

 

3. Create a Storage Account

Azure classic portal

[Screenshot: img3.png]

Azure CLI

All values below are examples; replace them with the actual values for your environment.

azure storage account create -d "My test storage account" -l "East US" -s "abcdefgh4-abcd-123e-adcd-12345678e8fe" --type "LRS" storageaccounteastus1

Usage: storage account create [options] <name>

Options:
  -h, --help                            output usage information
  -v, --verbose                         use verbose output
  -vv                                   more verbose with debug output
  --json                                use json output
  -e, --label <label>                   the storage account label
  -d, --description <description>       the storage account description
  -a, --affinity-group <affinityGroup>  the affinity group
  -l, --location <location>             the location
  --type <type>                         the account type (LRS/ZRS/GRS/RAGRS/PLRS)
  -s, --subscription <id>               the subscription id

 

 

4. Create a Storage Container

Azure classic portal

[Screenshot: img4.png]

Azure CLI

All values below are examples; replace them with the actual values for your environment.

azure storage container create -a "storageaccounteastus1" -k "ySfRTzE31sIvs81c19YOfg2xTs9YyaJdktupF+AvCcGmYpVeLnni2+yldGGXOuLyd9Y2FJBaN4WbvPM5zMAsTw==" --container "vhds"

Usage: storage container create [options] [container]

Options:
  -h, --help                                  output usage information
  -v, --verbose                               use verbose output
  --json                                      use json output
  --container <container>                     the storage container name
  -p, --permission <permission>               the storage container ACL permission (Off/Blob/Container)
  -a, --account-name <accountName>            the storage account name
  -k, --account-key <accountKey>              the storage account key
  -c, --connection-string <connectionString>  the storage connection string
  -vv                                         run storage command in debug mode

 

5. Upload a disk in the Storage Container

The Azure classic portal doesn't provide a way to upload a disk (blob) into a storage container. For UI tools you can use either the free Microsoft tool AzCopy (https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/) or CloudXplorer (http://clumsyleaf.com/products/cloudxplorer) to copy the qVSA disk from the Qualys Azure storage account to your storage container.

Azure CLI:

azure vm disk upload "SAS URL from the header of this document" "https://storageaccounteastus1.blob.core.windows.net/vhds/qVSA.i386.open-2.3.19-1-test1" "ySfRTzE31sIvs81c19YOfg2xTs9YyaJdktupF+AvCcGmYpVeLnni2+yldGGXOuLyd9Y2FJBaN4WbvPM5zMAsTw=="

Usage: vm disk upload [options] <source-path> <blob-url> <storage-account-key>

Options:
  -h, --help               output usage information
  -v, --verbose            use verbose output
  -vv                      more verbose with debug output
  --json                   use json output
  -p, --parallel <number>  the maximum number of parallel uploads [96]
  -m, --md5-skip           skip MD5 hash computation
  -f, --force-overwrite    Force overwrite of prior uploads
  -b, --base-vhd <blob>    the base vhd blob url
  -k, --source-key <key>   the source storage key if source-path is a Microsoft Azure private blob url
  -s, --subscription <id>  the subscription id

 

6. Create an Image from the VHD file

Azure classic portal

[Screenshot: img6.png]

Azure CLI:

azure vm image create qVSA.i386-2.3.19-1-test1 -l "East US" -d "This is a test image" -o linux --blob-url https://storageaccounteastus1.blob.core.windows.net/vhds/qVSA.i386-2.3.19-1-test1

Usage: vm image create [options] <name> [source-path]

Options:
  -h, --help                   output usage information
  -v, --verbose                use verbose output
  -vv                          more verbose with debug output
  --json                       use json output
  -u, --blob-url <url>         the target image blob url
  -l, --location <name>        the location
  -a, --affinity-group <name>  the affinity group
  -o, --os <type>              the operating system [linux|windows]
  -p, --parallel <number>      the maximum number of parallel uploads [96]
  -m, --md5-skip               skip MD5 hash computation
  -f, --force-overwrite        Force overwrite of prior uploads
  -e, --label <about>          the image label
  -d, --description <about>    the image description
  -b, --base-vhd <blob>        the base vhd blob url
  -k, --source-key <key>       the source storage key if source-path is a Microsoft Azure private blob url
  -s, --subscription <id>      the subscription id

 

 

7. Create a Virtual Scanner

Before deploying the Qualys Virtual Scanner in Azure, you must first create a virtual scanner in the Qualys platform, assign it a distinct scanner name, and record the exact personalization code.

Azure classic portal:

[Screenshot: img7.png]

Azure CLI:

azure vm create -E -z "Small" -w "TestVNET" -c "cloud-service-1" -l "East US" -g "u20094150483930" -p "W1n1Saj0k3!" -n "vScanner-1" "qVSA.i386-2.3.19-1-test1"

Notes:

  • The username is your personalization code, retrieved from the Qualys platform, with a 'u' prepended: u2009XXXXXXXXXX
  • Since the Qualys Virtual Scanner is a locked-down Linux appliance managed entirely from the Qualys Cloud Platform, the Azure username and password are not used for any kind of authentication; they are only a mechanism to pass configuration information from the Azure cloud to the appliance
  • Azure passwords should not contain these two special characters: ":" and "@".
  • A password of the form "[proxy://][user[:password]@]IP[:port]" can be used to configure the Qualys Scanner to use an SSL proxy for all outbound communication with the Qualys Cloud Platform

Usage: vm create [options] <dns-name> <image> [userName] [password]

Options:
  -h, --help                                              output usage information
  -v, --verbose                                           use verbose output
  -vv                                                     more verbose with debug output
  --json                                                  use json output
  -g, --userName <userName>                               the user name
  -p, --password <password>                               the password
  -o, --community                                         the <image> is a community image
  -c, --connect                                           connect to an existing cloud service
  -l, --location <name>                                   the location
  -a, --affinity-group <name>                             the affinity group
  -u, --blob-url <url>                                    the blob url for OS disk
  -z, --vm-size <size>                                    the virtual machine size [Small]
  -n, --vm-name <name>                                    the virtual machine name
  -e, --ssh [port]                                        the ssh port to enable [22]
  -t, --ssh-cert <openssh-rsa-file|pem-file|fingerprint>  the SSH certificate
  -P, --no-ssh-password                                   indicates that the password should be removed when using --ssh-cert
  -E, --no-ssh-endpoint                                   indicates that no public SSH endpoint should be created
  -G, --generate-ssh-keys                                 Auto generate SSH keys, will be ignored if --ssh-cert is specified.
  -r, --rdp [port]                                        indicates that RDP should be enabled [3389]
  -w, --virtual-network-name <name>                       the virtual network name
  -b, --subnet-names <list>                               the comma-delimited subnet names
  -i, --public-ip <name>                                  the name of the public IP address assigned to the virtual machine
  -S, --static-ip <ip-address>                            the static IP address assigned to the virtual machine
  -R, --reserved-ip <name>                                the name of the reserved IP address assigned to the virtual machine
  -A, --availability-set <name>                           the name of availability set to create or use
  -s, --subscription <id>                                 the subscription id
  -d, --custom-data <custom-data-file>                    CustomData file
  -f, --nic-config <nic-config>                           the NIC configuration, comma separated list of NIC definition
                                                          Each NIC definition will be in the form "<nicName>:<subnetName>:[vnetStaticIP]:[nsgName]:[ipForwarding]"
                                                          The VM must be created in a virtual network using --virtual-network-name option
                                                          The subnetName in each NIC definition must be an existing subnet in this virtual network

 

 

After that's complete, your scanner will update and connect to the Qualys Platform.  This process may take some time, particularly on a smaller Azure image size. Once connected, you'll be able to use your Azure scanner from the Qualys Platform as you would any virtual scanner appliance.
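The seven Azure CLI steps above gathered into one parameterized sh script, as an added example that is not Qualys or Microsoft tooling. It assumes the classic azure CLI is on PATH, that a password beginning with proxy:// is the proxy form from the notes (the plain/proxy distinction is this script's own assumption), and that every name, the SAS URL and the storage key are placeholders you replace.

```shell
#!/bin/sh
# Added example (not Qualys' or Microsoft's own tooling): runs steps 1-7 from
# one set of variables and enforces the username/password notes before
# "azure vm create". All values are constructed placeholders.
LOCATION="East US"; SERVICE="cloud-service-1"; VNET="TestVNet1"
STORAGE="storageaccounteastus1"; CONTAINER="vhds"
IMAGE="qVSA.i386-2.3.19-1-test1"; VM_NAME="vScanner-1"
SOURCE_SAS_URL="<SAS URL supplied by Qualys>"   # placeholder
STORAGE_KEY="<storage account key>"             # placeholder; keep out of version control
BLOB_URL="https://$STORAGE.blob.core.windows.net/$CONTAINER/$IMAGE"

# QVSA_DRY_RUN=1 prints each azure command instead of executing it.
run() { if [ "${QVSA_DRY_RUN:-0}" = 1 ]; then echo "azure $*"; else azure "$@"; fi; }

# Username is the Qualys personalization code with a 'u' prepended (notes, item 1).
make_username() {
  case "$1" in
    ""|*[!0-9]*) echo "personalization code must be digits only" >&2; return 1 ;;
  esac
  echo "u$1"
}

# A plain password must not contain ':' or '@' (notes, item 3): those characters
# belong to the [proxy://][user[:password]@]IP[:port] proxy form (notes, item 4).
check_password() {
  case "$1" in
    *:*|*@*) echo "password must not contain ':' or '@'" >&2; return 1 ;;
  esac
}

# Build a proxy-form password; the explicit "proxy://" prefix is this script's
# assumed way of telling a proxy spec apart from a plain password.
proxy_password() {  # usage: proxy_password IP [PORT] [USER] [PASS]
  spec="proxy://"
  if [ -n "$3" ]; then spec="$spec$3"; [ -n "$4" ] && spec="$spec:$4"; spec="$spec@"; fi
  spec="$spec$1"; [ -n "$2" ] && spec="$spec:$2"
  echo "$spec"
}

# usage: deploy PERSONALIZATION_CODE PASSWORD_OR_PROXY_SPEC  (-E: no public SSH endpoint)
deploy() {
  user=$(make_username "$1") || return 1
  case "$2" in proxy://*) ;; *) check_password "$2" || return 1 ;; esac
  run service create --location "$LOCATION" --serviceName "$SERVICE" --description "Qualys scanner host"
  run network vnet create --vnet "$VNET" -e 10.1.0.0 -i 16 -n FrontEnd -p 10.1.1.0 -r 24 -l "$LOCATION"
  run storage account create -d "qVSA storage" -l "$LOCATION" --type LRS "$STORAGE"
  run storage container create -a "$STORAGE" -k "$STORAGE_KEY" --container "$CONTAINER"
  run vm disk upload "$SOURCE_SAS_URL" "$BLOB_URL" "$STORAGE_KEY"
  run vm image create "$IMAGE" -l "$LOCATION" -d "Qualys virtual scanner" -o linux --blob-url "$BLOB_URL"
  run vm create -E -z Small -w "$VNET" -c "$SERVICE" -l "$LOCATION" -g "$user" -p "$2" -n "$VM_NAME" "$IMAGE"
}
```

Run it once with QVSA_DRY_RUN=1 to review the exact commands before anything is created in the subscription.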
