Re-Numbering IPs Without Losing Asset History

Document created by Martin Walker (Employee) on Jan 23, 2017. Last modified by Robert Dell'Immagine on Jan 30, 2017.
Version 5

Problem Statement

The data center is moving to a new IP numbering scheme. The assets in Qualys are currently IP tracked. We want to move the assets to their new IP addresses without losing asset history. This can be a lot of work, depending on the state of DNS and the number of assets, so be sure it is worthwhile before starting down this path.

 

Note: There is no way to move assets between Qualys Networks, into or out of the Global Default Network, or between Qualys subscriptions. Those moves require creating new assets, and the asset history is lost.

 

Also note: This methodology hinges on getting the DNS name currently on each asset (taken from the forward or reverse zone in the old data center) to match the forward zone entry in the new data center. This is the entire FQDN, not just the hostname. If the DNS naming convention includes location-specific subdomains, for example, it may be necessary to set up a temporary DNS server with the appropriate zone entries just for the Qualys scanner to use, so that the DNS name on each asset is correct prior to the move.

 

Solution

If you are only changing IP addresses (and optionally DNS names) "in place", and not moving between Networks or between Qualys subscriptions, follow these steps (for larger environments, consider breaking the work into manageable chunks):

  1. Make sure all existing assets have an entry in either the forward zone or the reverse zone of the DNS server your scanner appliance(s) are pointed to. NOTE: when scanning by IP, the DNS name on the asset comes from the REVERSE zone (PTR record); when scanning by hostname, it comes from the FORWARD zone entry. The forward and reverse zones do not need to match each other, but the name on the asset must match the FORWARD zone entry at the destination it is moving to. You cannot name an asset manually. For example, change the reverse zone entry in the old location to the name the host will have in the new location, then scan by IP to pick up the new name from the reverse zone.
  2. Scan all assets, by hostname or IP address, so that the data is fresh and every asset gets a DNS name. A full vulnerability scan is not needed; a light asset scan is fine, but it must include the hostname and DNS name QIDs.
  3. Identify all assets that did not scan, determine why (name resolution? not alive?), fix the cause, and purge old assets that are no longer needed.
  4. With an Asset Search, confirm that all assets have a DNS name; fix DNS and rescan those that do not.
  5. Perform an Asset Search, select all the assets that are moving, select Edit, change the tracking method to DNS, and save.
  6. Review the assets to confirm that all of them switched to DNS tracking.
  7. In Host Assets, add the IP range the assets are moving to as a DNS tracked range.
  8. Build an Asset Group containing the FQDNs of the assets (the new forward zone entries), not their IPs.
  9. Create or modify the forward and reverse zone entries on the DNS server with the updated DNS names and IP addresses. NOTE: the new FORWARD zone entries must match the names currently on the assets and point to the assets' new IP addresses.
  10. Change the IP addresses of the target systems.
  11. Perform a VM scan of the Asset Group containing the host names; this updates the IP address on every asset whose name can be resolved.
  12. Verify the assets that scanned, identify those that did not, fix the DNS or networking issues, and rescan.
  13. Once all assets have been updated to their new names and addresses, in Host Assets change the new address range to IP tracked (the original tracking method).
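The DNS pre-flight checks that steps 1, 4, 7, 8 and 9 call for, as an added Python example. This is not code from the original post or from Qualys and it does not call the Qualys API: it works offline on an exported asset list (IP plus the DNS name Qualys currently holds) and on the planned new forward zone, both constructed sample data here. It reports assets with no name (step 4), assets whose current name has no entry in the new forward zone (the L17 caveat, step 1), the PTR records to put in the old reverse zone so an IP scan stamps the asset with its new name, the CIDR blocks to add as a DNS tracked range (step 7), and the A records for the new forward zone (step 9). The hostname-based matching in ptr_fixes_for_old_zone is an assumption about the naming convention, not something the post prescribes.

```python
import ipaddress

# Constructed sample data, not taken from the original post.
# Asset export: the IP Qualys tracks and the DNS name Qualys currently holds for
# it. Because these assets were scanned by IP, the name came from the OLD
# reverse zone; an empty name means the address has no PTR record.
ASSETS = [
    {"ip": "10.1.0.10", "dns_name": "web01.example.net"},
    {"ip": "10.1.0.11", "dns_name": "db01.dc1.example.net"},  # location-specific subdomain
    {"ip": "10.1.0.12", "dns_name": ""},                       # no PTR record
    {"ip": "10.1.0.13", "dns_name": "app01.example.net"},
]

# Planned NEW forward zone, FQDN -> new IP address (constructed).
NEW_FORWARD_ZONE = {
    "web01.example.net": "10.2.0.10",
    "db01.dc2.example.net": "10.2.0.11",  # renamed for the new location
    "app01.example.net": "10.2.0.13",
}


def normalise(name):
    """DNS names are case-insensitive; strip a trailing dot for comparison."""
    return name.rstrip(".").lower()


def assets_without_name(assets):
    """Step 4: assets that cannot be switched to DNS tracking until DNS is fixed."""
    return [a["ip"] for a in assets if not a["dns_name"]]


def plan_moves(assets, new_forward_zone):
    """Steps 1, 8 and 9: pair each asset's current name with its new A record.

    Returns (moves, unmatched). `moves` maps FQDN -> new IP and is the content
    of the Asset Group built in step 8. `unmatched` lists assets whose current
    name has no A record in the new forward zone; the scan in step 11 would not
    update them, so they would come back as brand-new assets with no history.
    """
    zone = {normalise(k): v for k, v in new_forward_zone.items()}
    moves, unmatched = {}, []
    for a in assets:
        name = normalise(a["dns_name"])
        if not name:
            continue  # reported separately by assets_without_name()
        if name in zone:
            moves[name] = zone[name]
        else:
            unmatched.append((a["ip"], name))
    return moves, unmatched


def ptr_fixes_for_old_zone(unmatched, new_forward_zone):
    """Step 1 remedy: PTR records for the OLD reverse zone so that an IP-based
    rescan stamps the asset with its NEW name before the move.

    Candidates are matched on the first DNS label only (an assumed naming
    convention, e.g. db01.dc1.example.net -> db01.dc2.example.net); anything
    ambiguous is returned as unresolved for a human to decide.
    """
    by_host = {}
    for fqdn in new_forward_zone:
        by_host.setdefault(normalise(fqdn).split(".")[0], []).append(normalise(fqdn))
    fixes, unresolved = [], []
    for ip, old_name in unmatched:
        candidates = by_host.get(old_name.split(".")[0], [])
        if len(candidates) == 1:
            rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 11.0.1.10.in-addr.arpa
            fixes.append(f"{rev}. IN PTR {candidates[0]}.")
        else:
            unresolved.append((ip, old_name))
    return fixes, unresolved


def dns_tracked_ranges(new_ips):
    """Step 7: the exact CIDR blocks covering the new addresses, to be added to
    Host Assets as DNS tracked (and switched to IP tracked in step 13)."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in new_ips)
    return [str(n) for n in sorted(nets)]


def forward_zone_records(moves):
    """Step 9: A records for the new forward zone; names match the assets."""
    return [f"{fqdn}. IN A {ip}" for fqdn, ip in sorted(moves.items())]


if __name__ == "__main__":
    print("No DNS name (fix DNS, rescan):", assets_without_name(ASSETS))
    moves, unmatched = plan_moves(ASSETS, NEW_FORWARD_ZONE)
    print("Name not in new forward zone:", unmatched)
    fixes, unresolved = ptr_fixes_for_old_zone(unmatched, NEW_FORWARD_ZONE)
    print("PTR records for OLD reverse zone:", fixes, "unresolved:", unresolved)
    print("DNS tracked range(s) to add:", dns_tracked_ranges(NEW_FORWARD_ZONE.values()))
    print("New forward zone records:", forward_zone_records(moves))
```

Run it once before step 5: every asset must land in `moves`, and the unmatched and no-name lists must be empty, or the switch to DNS tracking will orphan the history of whatever is left over. Rerun after the PTR fixes and an IP rescan to confirm the renamed assets now match.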
