Deploying Qualys Scanners using Azure and Az CLI Tools (for Private Cloud Platforms)

Document created by Qualys Documentation Employee on Mar 23, 2018. Last modified by Qualys Documentation Employee on Apr 11, 2018.
Version 2

This set of instructions is recommended for customers on Qualys Private Cloud Platforms.

 

This document describes how to deploy Qualys Virtual Scanner Appliances using "azure" or "az" CLI tools. This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block. Want to learn more about Microsoft Azure? Check out the Azure Support page.

 

We'll help you with these steps:

Create Resource Group

Create Storage Account

Create Storage Container

Create Virtual Network with 10.0.0.0/24 subnet

Create Deployment templates

Copy Qualys image into your Storage Account

Deploy Qualys Scanner

Optional - Use Azure GUI to Create Qualys Image from VHD file

 

About Managing Instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.


Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to Microsoft Azure cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.

 


 

Create Resource Group

We recommend you create one resource group per location for your Qualys virtual scanners. Give your resource group a name that will be easy to recognize and represents the group location, and tell us where the group will be created. Once created, the name cannot be changed.

 

azure CLI

Example: azure group create --name  resource-group-qualys-scanner  --location "Central US"

where name is the resource group name, location is the location where we will create the group

Help: -h, --help for output usage information

 

az CLI

Example: az group create --name  resource-group-qualys-scanner --location centralus

where name is the resource group name, and location is the location where we will create the group

Help: -h, --help for output usage information

 

 

Create Storage Account

If you don't already have a storage account for your Qualys virtual scanners you'll need to create one at this time.

 

azure CLI

Example: azure storage account create  storagequalys --resource-group  resource-group-qualys-scanner --sku-name LRS --kind Storage --location "Central US"

where storagequalys is the storage account name, resource-group is the resource group name, sku-name is the SKU name (LRS/ZRS/GRS/RAGRS/PLRS), kind is the account kind (Storage/BlobStorage), location is the location

Help: -h, --help for output usage information

 

az CLI

Example: az storage account create --name storagequalys --resource-group resource-group-qualys-scanner --sku Standard_LRS --kind Storage --location centralus

where name is the storage account name, resource-group is the resource group name, sku is the SKU name (Premium_LRS,Standard_GRS,Standard_LRS,Standard_RAGRS,Standard_ZRS), kind is the account kind (BlobStorage,Storage,StorageV2), location is the location

Help: -h, --help for output usage information

 

 

Create Storage Container

You need to create a container in your storage account where the qVSA images will be stored.

 

azure CLI

Example: azure storage container create --container images --account-name storagequalys --account-key "AbcdefDKBFEHMKxeelzL4fsxINIm7gPrG+dVoirJFuCVEknW9TbCXVEUDxs1Oeg+heAcosc/SiCUhAzwN0uy+2w=="

where container is the storage container name, account-name is the storage account name, account-key is the storage account key

Help: -h, --help for output usage information

 

az CLI

Example: az storage container create --name  images --account-name storagequalys  --account-key "AbcdefDKBFEHMKxeelzL4fsxINIm7gPrG+dVoirJFuCVEknW9TbCXVEUDxs1Oeg+heAcosc/SiCUhAzwN0uy+2w=="

where name is the storage container name, account-name is the storage account name, account-key is the storage account key

Help: -h, --help for output usage information

 

 

Create Virtual Network with 10.0.0.0/24 subnet

You may already have a virtual network set up for your Qualys virtual scanners. If not, create a new virtual network.

 

azure CLI

Example: azure  network vnet create --name qualys-scanner-vnet  --address-prefixes "10.0.0.0/24" --resource-group  resource-group-qualys-scanner  --location "Central US"

where name is the name of the virtual network, address-prefixes is a comma separated list of address prefixes for this virtual network, resource-group is the name of the resource group, location is the location

Help: -h, --help for output usage information

 

az CLI

Example: az network vnet create --name qualys-scanner-vnet --address-prefixes "10.0.0.0/24" --resource-group resource-group-qualys-scanner  --location centralus

where name is the name of the virtual network, address-prefixes is a comma separated list of address prefixes for this virtual network, resource-group is the name of the resource group, location is the location

Help: -h, --help for output usage information

 

 

Create Deployment templates

To deploy Qualys scanner from the command line you need to create deployment templates.

Microsoft Documentation on Azure Resource Manager Templates

Download custom Qualys Scanner templates and adjust them to your Azure Cloud environment.

 

 

Copy Qualys image into your Storage Account

Now you need to copy the Qualys qVSA image to your storage account. The qVSA image link is provided to you by Qualys Operations.

 

azure CLI

Example: azure storage blob copy start --source-uri "https://qvsacq5itlevnuiuku.blob.core.windows.net/images/qVSA.i386-2.4.26-2.vhd?st=2018-02-07T01%3A20%3A01Z&se=2019-02-09T01%3A20%3A01Z&sp=rl&sv=2015-02-21&sr=c&sig=vEzXlKy6cy3DgZY%2Fo7qXVsY%3D" --account-name "storagequalys" --account-key  "AbcdefDKBFEHMKxeelzL4fsxINIm7gPrG+dVoirJFuCVEknW9TbCXVEUDxs1Oeg+heAcosc/SiCUhAzwN0uy+2w==" --dest-blob "qualys-scanner-image" --dest-container images

where source-uri is the qVSA image link provided by Qualys Operations, account-name is the storage account name, account-key is the storage account key, dest-blob is the blob name, dest-container is the destination storage container name

Help: -h, --help for output usage information

 

az CLI

Example: az storage blob copy start --source-uri "https://qvsacq5itlevnuiuku.blob.core.windows.net/images/qVSA.i386-2.4.26-2.vhd?st=2018-02-07T01%3A20%3A01Z&se=2019-02-09T01%3A20%3A01Z&sp=rl&sv=2015-02-21&sr=c&sig=vEzXlKy6cy3DgZY%2Fo7qXVsY%3D" --account-name "storagequalys" --account-key  "AbcdefDKBFEHMKxeelzL4fsxINIm7gPrG+dVoirJFuCVEknW9TbCXVEUDxs1Oeg+heAcosc/SiCUhAzwN0uy+2w=="  --destination-blob "qualys-scanner-image" --destination-container images

where source-uri is the qVSA image link provided by Qualys Operations, account-name is the storage account name, account-key is the storage account key, destination-blob is the blob name, destination-container is the destination storage container name

Help: -h, --help for output usage information
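
The az copy command above only starts a server-side copy and takes the storage key as a command-line argument. The script below is an added example, not part of the original Qualys document: it passes the key through the environment variables that az recognises and waits for the copy to finish before you deploy. QVSA_SAS_URL, POLL_SECONDS and MAX_POLLS are assumed names; the resource names are the page's examples.

```sh
#!/bin/sh
# Added example, not Qualys code. Resource names reuse the page's examples;
# QVSA_SAS_URL, POLL_SECONDS and MAX_POLLS are hypothetical variables.
RG="resource-group-qualys-scanner"
ACCOUNT="storagequalys"
CONTAINER="images"
BLOB="qualys-scanner-image"
POLL_SECONDS="${POLL_SECONDS:-30}"
MAX_POLLS="${MAX_POLLS:-240}"

# Fetch the key at run time and hand it to az through the environment
# (AZURE_STORAGE_ACCOUNT / AZURE_STORAGE_KEY), keeping it out of argv,
# shell history and saved scripts.
load_storage_key() {
  AZURE_STORAGE_ACCOUNT="$ACCOUNT"
  AZURE_STORAGE_KEY="$(az storage account keys list \
      --resource-group "$RG" --account-name "$ACCOUNT" \
      --query "[0].value" --output tsv)" || return 1
  [ -n "$AZURE_STORAGE_KEY" ] || return 1
  export AZURE_STORAGE_ACCOUNT AZURE_STORAGE_KEY
}

# "copy start" only queues a server-side copy. Poll the destination blob
# until its copy status leaves "pending"; return 0 only on "success".
wait_for_copy() {
  polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    copy_status="$(az storage blob show --container-name "$CONTAINER" \
        --name "$BLOB" --query "properties.copy.status" --output tsv)" || return 2
    case "$copy_status" in
      success) return 0 ;;
      pending) sleep "$POLL_SECONDS" ;;
      *) echo "copy ended with status: $copy_status" >&2; return 1 ;;
    esac
    polls=$((polls + 1))
  done
  echo "timed out waiting for copy" >&2
  return 3
}

copy_image() {
  load_storage_key || return 1
  az storage blob copy start --source-uri "$QVSA_SAS_URL" \
      --destination-container "$CONTAINER" --destination-blob "$BLOB" \
      --output none || return 1
  wait_for_copy
}

# Runs only when the image link from Qualys Operations is supplied.
if [ -n "${QVSA_SAS_URL:-}" ]; then copy_image; fi
```

A non-zero exit from copy_image means the VHD is not yet usable, so the image creation and deployment steps should not run.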

 

 

Deploy Qualys Scanner

Prior to deploying the Qualys Virtual Scanner in Azure, you must first create a virtual scanner in the Qualys Cloud Platform, assign it a distinct scanner name and record the exact personalization code.

 

Notes:

1) Since Qualys Virtual Scanner is a locked-down Linux appliance, managed completely from the Qualys Cloud Platform, Azure username, password and SSH public key are not used for any kind of authentication but rather as a mechanism to pass configuration information from Azure Cloud to the appliance.

2) Azure passwords should not contain these special characters:  : @ & < > - "  ' \

3) Passwords that look like "proxy://[user:password@]IP[:port]" URLs could be used to configure Qualys Scanner to use an SSL proxy for all outbound communication with the Qualys Cloud Platform.


azure CLI

Example: azure group deployment create --resource-group  resource-group-qualys-scanner --name qualys-scanner --template-file  azuredeploy.json --parameters-file  azuredeploy.parameters.json

where resource-group is the name of the resource group, name is the name of the deployment, template-file is the path to the template file in the file system, parameters-file is a file containing parameters

Help: -h, --help for output usage information

 

az CLI

Example: az group deployment create --resource-group resource-group-qualys-scanner --name qualys-scanner --template-file  azuredeploy.json --parameters @azuredeploy.parameters.json

where resource-group is the name of the resource group, name is the name of the deployment, template-file is the path to the template file in the file system, parameters is a file containing parameters

Help: -h, --help for output usage information

 

 

Optional - Use Azure GUI to Create Qualys Image from VHD file

In this section we'll describe how to create the Qualys image from a VHD file using the Azure GUI. You can do this instead of using the "azure" or "az" CLI tools.

From the Microsoft Azure Dashboard, choose Create a resource, search for images, and then click the Create button.

 


 

Fill in all the required information for your new image. In "Storage blob" choose the location of the .vhd file you have already copied into your Storage account.

 


 

Now you can create one instance of a Qualys scanner using the image created in the previous step.

Choose All services, then choose Images from the Compute section.

 


 

Find your image in the list and create a new VM.

 


 

Want to know more about using the Azure GUI? Check this out:

https://community.qualys.com/docs/DOC-5725-scanning-in-microsoft-azure-using-resource-manager-arm
