This document describes briefly how to deploy the Qualys Virtual Scanner Appliance in Oracle Cloud Infrastructure Compute Classic from the Oracle Cloud Marketplace. This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block.
Customers will have an active Qualys subscription.
Scanner personalization code (14 digits) obtained from your Qualys account. (Documentation)
Qualys Virtual Scanner Appliance VM must be able to reach the Qualys Cloud Platform over HTTPS port 443
What do I need to get started?
The Virtual Scanner option must be turned on for your account. Contact Qualys Support or your Technical Account Manager if you would like us to turn on this option for you.
You must be a Manager or a sub-user with the “Manage virtual scanner appliances” permission. This permission may be granted to Unit Managers. Your subscription may be configured to allow this permission to be granted to Scanners.
Configuration in Qualys
You'll add a new virtual scanner appliance and get your personalization code.
Go to Scans > Appliances and select New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.
Give your scanner a name. If you’re a sub-user then you’ll need to pick an asset group that has been assigned to your business unit by a Manager user. Not seeing any asset groups? Please ask a Manager to assign an asset group (other than the All group) to your business unit.
Follow the on screen instructions to configure your virtual scanner and get your personalization code. You'll need this to launch your AMI instance.
Configuration in OCI Classic Compute
Launch an instance from the Oracle Cloud Marketplace.
1) Go to Qualys Virtual Scanner Appliance page in the Oracle Cloud Marketplace, and login to your OCI Compute Classic account.
The Oracle Cloud Marketplace lists two virtual scanner appliances. One for OCI Classic Compute (select this one for this guide), the other for OCI Nextgen.
2) Launch the virtual scanner by selecting “Get App”.
- Shape - Select shape that doesn’t exceed 16GB of RAM and 16 CPU Cores
- Instance - Choose a distinctive name and label of your scanner. Choose “True” for “Persistent” field if you want this object to persist when the orchestration is suspended. In “Custom Attribute” field set your Personalization code and Proxy, if any, in JSON format:
If you have a domain user, the format is: domain\username:password@proxyhost:port
If authentication is not used, the format is: proxyhost:port
Where “proxyhost” is the IPv4 address or the FQDN of the proxy server.
- Qualys Virtual Scanner is a locked down appliance, so access to it with SSH keys are not allowed
- Custom Attribute settings cannot be updated after deployment. If you need to alter the PERSCODE and/or PROXY_URL, you will have to redeploy the scanner
- For network configuration you can choose either IP Network or Shared Network. If you are not sure which option works best for you, please see the Oracle Cloud documentation for configuring IP Networks:
- You can keep the default storage size or you can increase it based on your requirements.
- Note: You cannot change the Storage size later on without redeploying the scanner
- Review and Create –Review your Qualys scanner configuration and then click on Create button.
Once launched, the Virtual Appliance connects to the Qualys Cloud Platform
This step registers the Virtual Scanner Appliance with your Qualys account. Also your appliance will download all the latest software updates right away, so it’s ready for scanning.
Configuring security groups for your Virtual Scanner Appliance
- If you are using proxy server then ensure you have outbound rule allowing access on port 443 and the port used to communicate with proxy server.
- If scanner appliance has direct internet connectivity, then ensure that there is an outbound rule that allows access on port 443 to Qualys Security Operations Center (SOC) IP address. You can get the SOC IP address range by logging in to Qualys Portal and navigating to Help > About option.
- Scanner should be able to reach out to all the target instances for running the scan. It is recommended to configure outbound rule that allows access to all ports and subnets of the instances that the scanner is going to scan.
How do I know my scanner is ready to use?
Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list.
Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.
Click on Instances tab. Find your Qualys scanner in the listed instances and click on it. Then from the menu, choose Logs. Console log includes log output from the scanner and it could be used for troubleshooting purposes.