This document describes briefly how to deploy the Qualys Virtual Scanner Appliance using Microsoft Azure Resource Manager (ARM). This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block. Want to learn more about Microsoft Azure? Check out the Azure Support page.
We'll help you with these steps:
About Managing Instances
Instance Snapshots/Cloning Not Allowed
Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.
Moving/Exporting Instance Not Allowed
Moving or exporting a registered scanner instance from a virtualization platform (Hyper-V, VMware, XenServer) in any file format to the Microsoft Azure cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.
We recommend you create one resource group per location for your Qualys virtual scanners. Give your resource group a name that will be easy to recognize and represents the group location. Once created, the name cannot be changed.
If you don't already have a storage account for your Qualys virtual scanners you'll need to create one at this time.
1) Give the storage account a name following Microsoft Azure guidelines. The name cannot be changed later.
2) Choose the deployment model "Resource manager".
3) Choose "Use existing" for the resource group, and select the group created in the previous step.
Other recommended settings are shown in the image below.
You may already have a virtual network set up for your Qualys virtual scanners. If not, create a new virtual network.
1) Give your network a name. We recommend including the location in the name so you know where the network is.
2) Choose "Use existing" for the resource group, and select the group created in the first step.
Prior to deploying the Qualys Virtual Scanner in Azure, you must first create a virtual scanner in the Qualys Cloud Platform, assign it a distinct scanner name and record the exact personalization code.
Find and select Qualys Virtual Scanner Appliance in the Marketplace.
Review the requirements on the screen. When you're ready to proceed, click Create to set up your virtual scanner.
Make these settings:
1) Give the virtual scanner a name. This is the name that will appear in the Virtual machines list in Microsoft Azure. Tip - Use the scanner name assigned to the virtual scanner in Qualys for easy identification.
2) The User name is your personalization code, retrieved from the Qualys platform, with a 'u' prepended: “u2009XXXXXXXXXX”.
3) Choose "Use existing" for the resource group, and select the group created in the first step.
- Since Qualys Virtual Scanner is a locked-down Linux appliance, managed completely from the Qualys Cloud Platform, Azure username, password and SSH public key are not used for any kind of authentication but rather as a mechanism to pass configuration information from Azure Cloud to the appliance.
- Azure passwords should not contain these special characters: : @ & < > - " ' \
Proxy server configuration
You can configure the Qualys Scanner to use an SSL proxy for all outbound communication with the Qualys Cloud Platform. We support both IP and FQDN for the proxy server configuration. You'll specify the proxy server URL in the Password field using this format: proxy://username:password@proxyhost:port
If you have a domain user, the format is proxy://domain\username:password@proxyhost:port
If authentication is not used, the format is proxy://proxyhost:port
where proxyhost is the IPv4 address or the FQDN of the proxy server, and port is the port the proxy server is running on.
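The three Password-field formats above can be checked before deployment. This Python sketch is an added example, not Qualys code; the function names are hypothetical, and applying the restricted-character list to the proxy password component is an assumption.

```python
import ipaddress
import re

# Characters the page says Azure passwords should not contain.
FORBIDDEN = set(':@&<>-"\'\\')
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_host(host):
    """True for an IPv4 address or a syntactically valid FQDN."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    labels = host.split(".")
    # All-numeric names such as 10.0.0.300 are malformed IPv4, not FQDNs.
    if all(label.isdigit() for label in labels):
        return False
    return len(host) <= 253 and all(LABEL.fullmatch(label) for label in labels)


def parse_proxy_field(value):
    """Parse the Password-field proxy string or raise ValueError."""
    if not value.startswith("proxy://"):
        raise ValueError("must start with proxy://")
    rest = value[len("proxy://"):]
    domain = user = password = None
    if "@" in rest:
        # Split on the last '@' so a stray '@' lands in the password and is caught.
        creds, _, hostport = rest.rpartition("@")
        user, sep, password = creds.partition(":")
        if not sep or not user or not password:
            raise ValueError("credentials must be username:password")
        if "\\" in user:
            domain, _, user = user.partition("\\")
        bad = FORBIDDEN & set(password)  # assumption: list applies to this part
        if bad:
            raise ValueError("restricted characters in password: " + "".join(sorted(bad)))
    else:
        hostport = rest
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    if not valid_host(host):
        raise ValueError("proxyhost must be an IPv4 address or FQDN")
    return {"domain": domain, "user": user, "password": password,
            "host": host, "port": int(port)}
```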
Choose a size for your virtual scanner - up to 16 cores and no more than 16 GB. We recommend a ratio of 3-4 GB of memory per core. Other storage settings like number of data disks, max IOPS, load balancing, etc. can be ignored and should not factor into your decision. For instance, the disk options will not have a significant impact on the performance of your scanner.
Be careful to choose the correct storage account and the network created in the previous steps for your Qualys virtual scanners. We do not use Azure extensions or availability sets.
Confirm your virtual scanner settings and hit OK.
Review the Offer details and hit Purchase. Your virtual scanner will appear on the Virtual machines list in Microsoft Azure.
The Qualys Virtual Scanner Appliance will appear on your Microsoft Azure Dashboard.
Your scanner will update and connect to the Qualys Cloud Platform. This process may take some time, depending on location. Once connected, you'll be able to use your Azure scanner from the Qualys Cloud Platform as you would any virtual scanner appliance.
Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.
Enable boot diagnostics to troubleshoot issues with your scanner. Diagnostics will include log output from the scanner. It's easy to do. Set Status to On, select the storage account created for your Qualys scanners, select the Boot diagnostics check box, and hit Save (appears above the settings).
Check out these sample diagnostics.
It could take hours to download the latest qVSA image from the Qualys cloud storage account to your machine and then upload it to your Azure storage account using the Azure GUI. Save time by copying the image directly from Qualys cloud storage to your Azure account with Azure CLI tools.
Here are the steps:
1) Qualys Operations will provide you with a link to the qVSA image.
2) Set up Azure CLI tools and log in to your Azure subscription using the Azure CLI "azure login" command.
3) Copy the qVSA image from Qualys to your Azure subscription using this format:
azure storage blob copy start [sourceUri] [options] [destContainer]
[sourceUri] is the qVSA image link provided by Qualys Operations
-a, --account-name <accountName> the storage account name
-k, --account-key <accountKey> the storage account key
[destContainer] is the destination container in the "storage" specified with option "-a"
azure storage blob copy start "https://qvsacq5itlevnuiuku.blob.core.windows.net/images/qVSA.i386-2.4.26-2.vhd?st=2018-02-07T01%3A20%3A01Z&se=2019-02-09T01%3A20%3A01Z&sp=rl&sv=2015-02-21&sr=c&sig=abcDefgy6cy3DgZY6Ch3vAJqMp1keWIpn5qG%2Fo7qXVsY%9D" -a "storagevirginia" -k "AbcdEfgh9piNUT1ZtVg8qEGp7KTlrlht3syhO8FjCNcaoqWkAqlZ3Sp+YXrJ4rBAuJ6+QflCwfhzXsz0yNBr99==" images
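Before starting the copy, confirm that the link from Qualys Operations is inside its validity window and grants only read and list access. This is an added example, not part of the original page or any Qualys tooling: it parses the SAS query parameters seen in the sample link, and the function name, the endpoint suffix check, the sample account name and the placeholder signature are assumptions or constructed values.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

FMT = "%Y-%m-%dT%H:%M:%SZ"  # only the timestamp form shown on this page


def check_sas_link(url, now=None):
    """Return a list of problems found in a SAS source link (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https":
        problems.append("link is not https")
    # Assumption: public-cloud blob endpoint, as in the page's sample link.
    if not (parts.hostname or "").endswith(".blob.core.windows.net"):
        problems.append("host is not an Azure blob endpoint")
    if "sig" not in q:
        problems.append("no sig parameter: not a SAS link")
    try:
        start = datetime.strptime(q["st"], FMT).replace(tzinfo=timezone.utc) if "st" in q else None
        expiry = datetime.strptime(q["se"], FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        problems.append("missing or unparseable st/se timestamp")
    else:
        if start and now < start:
            problems.append("link is not valid yet (st in the future)")
        if now >= expiry:
            problems.append("link has expired (se in the past)")
    perms = q.get("sp", "")
    if "r" not in perms:
        problems.append("no read permission (sp lacks r)")
    if set(perms) - set("rl"):
        problems.append("grants more than read/list: sp=" + perms)
    return problems


# Constructed sample in the same shape as the link on this page; the
# account name and signature are placeholders, not real values.
SAMPLE = ("https://exampleaccount.blob.core.windows.net/images/qVSA.vhd"
          "?st=2018-02-07T01%3A20%3A01Z&se=2019-02-09T01%3A20%3A01Z"
          "&sp=rl&sv=2015-02-21&sr=c&sig=PLACEHOLDER")

if __name__ == "__main__":
    for problem in check_sas_link(SAMPLE):
        print("WARNING:", problem)
```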