Static Route Configuration for Qualys Appliances

Document created by Martin Walker (Employee) on Jan 5, 2018. Last modified by Seneca Agopian on Jan 5, 2018.
Version 2
Static routes are an optional configuration, needed only when the default gateway of the scanner appliance's LAN NIC cannot route traffic to a network you want to scan, and a specific non-default gateway on the local network must be used instead.
The configuration of the scanner NICs has no bearing on the use of static routes, although the two subjects are often conflated. The Qualys scanner appliance does not normally require the WAN NIC to be configured; typically both scan and management traffic are carried over the LAN interface. If the scanner cannot reach the Internet/Qualys POD from the local LAN, a split configuration must be used. In the split configuration the WAN interface is connected to a network that can reach the Internet/Qualys POD, and this interface carries all management traffic. Only the LAN interface is then used to scan your networks: no scan traffic is routed through the WAN interface regardless of configuration, and no management traffic is carried by the LAN interface. Management traffic consists of heartbeat check-ins, signature updates, scan jobs, and scan results. All of these connections are initiated by the scanner and can be sent through a proxy.
Static route configuration on the scanner is not used by the appliance to decide which NIC to egress traffic to Qualys. The scanner does not behave like a typical dual-homed host in this respect; it separates scan traffic from management traffic on its own. Static routes are used by the appliance only for scan traffic, and are only needed when the default gateway on the local LAN cannot route scan traffic correctly to a target network. If the default gateway for the LAN interface can properly route this traffic, do not configure a static route for that network; use static routes only when a specific non-default gateway is required. One use case is a border network that contains multiple routers, each connecting a remote site or a partner network. In that case a static route entry is configured for each target network, with the CIDR block of that network and the IP address of the router on the local segment that carries traffic to it.
To configure static routes from the portal, navigate to Scans->Appliances, scroll to the scanner you wish to modify, select Edit, and then select the Static Routes tab on the left. Enter the IP address of the router (the gateway) and a target network in CIDR format. The target network must be the valid starting address of the block for the mask provided (for example 10.30.0.0/24, not 10.30.0.5/24). The gateway/target network pair must be unique per appliance: the same pair cannot be defined in another static route entry on the same appliance. You will also need to enter a route name to identify the entry in the static routes list.
Note: Make these changes when no scans are running on the appliance, because saving the configuration terminates any active scan.
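Because saving the static route configuration terminates running scans, it helps to check a planned set of entries offline before editing a production appliance. The following Python script is an added example written for this page; it is not Qualys code and is not part of the original document. It applies the rules described above (the target must be the first address of its block, the gateway/target pair must be unique per appliance, and a route via the default gateway is pointless) and adds one assumption: that the next hop has to be an address on the LAN NIC's own segment other than the appliance itself, as a non-default gateway "on the local network" implies. The next_hop helper predicts which router scan traffic to a given host would use, assuming ordinary longest-prefix matching. The LAN address, default gateway and route entries are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One entry as typed into the appliance's Static Routes tab."""
    name: str      # label shown in the static routes list
    target: str    # target network in CIDR form, e.g. "10.20.0.0/16"
    gateway: str   # IP of the router on the LAN segment that reaches the target


def validate_static_routes(lan_ip_cidr, default_gateway, routes):
    """Check a proposed set of static routes for one appliance.

    lan_ip_cidr is the LAN NIC address with prefix (e.g. "192.168.10.5/24") and
    default_gateway is that NIC's default gateway. Returns a list of
    (severity, route name, message) tuples; an empty list means no findings.
    """
    findings = []
    lan_iface = ipaddress.ip_interface(lan_ip_cidr)
    lan_net = lan_iface.network
    default_gw = ipaddress.ip_address(default_gateway)
    seen_pairs = set()

    for r in routes:
        if not r.name.strip():
            findings.append(("error", r.name, "route name must not be empty"))

        # The target must be the starting address of the block for its mask.
        # ip_network() is strict by default and rejects targets with host bits set.
        try:
            target = ipaddress.ip_network(r.target)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(r.target, strict=False)
                msg = f"target {r.target} is not the first address of its mask; did you mean {fixed}?"
            except ValueError:
                msg = f"target {r.target} is not a valid CIDR block"
            findings.append(("error", r.name, msg))
            continue

        try:
            gw = ipaddress.ip_address(r.gateway)
        except ValueError:
            findings.append(("error", r.name, f"gateway {r.gateway} is not a valid IP address"))
            continue

        # Assumption (not stated on the page): the next hop must be directly reachable,
        # i.e. an address on the LAN segment other than the appliance itself.
        if gw not in lan_net:
            findings.append(("error", r.name, f"gateway {gw} is not on the LAN segment {lan_net}"))
        elif gw == lan_iface.ip:
            findings.append(("error", r.name, f"gateway {gw} is the appliance's own LAN address"))

        # A route via the default gateway changes nothing; only non-default gateways need one.
        if gw == default_gw:
            findings.append(("warning", r.name, f"gateway {gw} is the default gateway, so this route is redundant"))

        # Hosts on the LAN segment are reached directly, so a route for them is pointless.
        if target.version == lan_net.version and target.subnet_of(lan_net):
            findings.append(("warning", r.name, f"target {target} lies on the LAN segment {lan_net}"))

        # The gateway/target pair must be unique per appliance.
        pair = (gw, target)
        if pair in seen_pairs:
            findings.append(("error", r.name, f"duplicate gateway/target pair {gw} -> {target}"))
        seen_pairs.add(pair)

    return findings


def next_hop(lan_ip_cidr, default_gateway, routes, destination):
    """Predict the next hop for scan traffic to destination: "direct" for hosts on
    the LAN segment, the gateway of the most specific matching static route,
    or the default gateway. Assumes ordinary longest-prefix matching."""
    lan_net = ipaddress.ip_interface(lan_ip_cidr).network
    dest = ipaddress.ip_address(destination)
    if dest in lan_net:
        return "direct"
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.target, strict=False)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.gateway)
    return best[1] if best else default_gateway


# Constructed sample: a scanner on a border network with two extra routers.
LAN = "192.168.10.5/24"
DEFAULT_GW = "192.168.10.1"
ROUTES = [
    StaticRoute("partner-a", "10.20.0.0/16", "192.168.10.254"),      # valid entry
    StaticRoute("remote-site", "10.30.0.5/24", "192.168.10.253"),    # host bits set in target
    StaticRoute("partner-a-dup", "10.20.0.0/16", "192.168.10.254"),  # duplicate pair
    StaticRoute("via-default", "172.16.0.0/12", "192.168.10.1"),     # redundant with default gateway
    StaticRoute("off-link", "10.40.0.0/16", "10.99.0.1"),            # gateway not on LAN segment
]

if __name__ == "__main__":
    for severity, name, msg in validate_static_routes(LAN, DEFAULT_GW, ROUTES):
        print(f"{severity:7} {name:14} {msg}")
    print("10.20.3.4 via", next_hop(LAN, DEFAULT_GW, ROUTES, "10.20.3.4"))
```

Run it as-is to see one finding per bad sample entry and no finding for partner-a; replace LAN, DEFAULT_GW and ROUTES with the appliance's real LAN address and the entries you intend to type into the portal. The gateway-on-LAN-segment check is the one most worth keeping: a next hop the appliance cannot reach directly silently produces scan failures rather than an error in the portal.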