Network Security QGSA-5120-A1 User manual

Scanner Appliance
User Guide
December 20, 2021

Copyright 2005-2021 by Qualys, Inc. All Rights Reserved.
Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other
trademarks are the property of their respective owners.
Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100

Table of Contents
Preface
Get Started
  Before you begin
    Check package accessories
    Network requirements / configuration
  Best Practices for internal scanning
  Quick Start
    Step 1 - Connect the Scanner Appliance to the Network
    Step 2 - Power On the Scanner Appliance
    Step 3 - Activate the Scanner Appliance
    We recommend one more thing
Scanner Appliance Tour
  A Quick Look at the Appliance
  Navigating the Appliance UI
  System Reboot and Shutdown
  Configure VLANs and Static Routes
  Configure Static IP Address
  Configure IPv6 Address for Scanning
  Proxy Configuration
  Split Network Configuration
  Ethernet Port Configuration
  Changing the Network Configuration
  Enable IPv6-only Mode
  Network Settings in IPv6-only Mode
  Renew Auto IPv6 on LAN
  Switch Between Modes
  Reset All Network Settings
Troubleshooting
  How can I test network connectivity?
  Communication Failure message
  Appliance Network Errors
  Network Errors using older appliance model
  Where can I find the model number and serial number?
Appendix A - Product Specifications
Appendix B - Software Credits
Appendix C - Safety Notices

Preface
This user guide introduces the Qualys Scanner Appliance. The Scanner Appliance offers
Qualys users the ability to extend their use of the service to assess the security of internal
network systems, devices and web applications.
Note: Your use of the Qualys Scanner Appliance is subject to the terms and conditions of
the Qualys Service User Agreement.
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses
simplify security operations and lower the cost of compliance by delivering critical
security intelligence on demand and automating the full spectrum of auditing,
compliance and protection for IT systems and web applications.
Founded in 1999, Qualys has established strategic partnerships with leading managed
service providers and consulting organizations including Accenture, BT, Cognizant
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT,
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA).
For more information, please visit www.qualys.com.
Contact Qualys Support
Qualys is committed to providing you with the most thorough support. Through online
documentation, telephone help, and direct email support, Qualys ensures that your
questions will be answered in the fastest time possible. We support you 7 days a week,
24 hours a day. Access support information at www.qualys.com/support/.

Get Started
Welcome to the Qualys Scanner Appliance, an option with the Qualys Cloud Platform
from Qualys, Inc. With the Qualys Scanner Appliance, you can assess internal network
devices, systems and web applications. The Scanner Appliance is a robust, scalable
solution for scanning networks of all sizes including large distributed networks.
It’s easy to set up a Scanner Appliance within your network. Let’s get started!
Before you begin
Best Practices for internal scanning
Quick Start
Interested in Virtual Appliances?
Qualys Virtual Scanner Appliance is packaged and qualified for deployment on a
variety of virtualization and cloud platforms. Please contact your TAM or Qualys
Support if you’re interested in adding Virtual Appliances to your license.
Desktop/Laptop: VMware Workstation, Player, Fusion, Oracle VirtualBox
Client/Server: VMware vCenter/vSphere, Citrix XenServer, Microsoft Hyper-V
Cloud: Amazon EC2 - Classic, Amazon EC2 - VPC, Microsoft Azure, Google GCE,
OpenStack
Learn more
Qualys Virtual Appliance: Platform Qualification Matrix

Before you begin
Check package accessories
Your starter kit package should contain these components. If any components are missing
or damaged, please contact Qualys Support.
• Qualys Scanner Appliance User Guide
• AC power cord
• CAT6 cable
• Rack screws (quantity 4) - 10-32 x 3/4", Phillips, black matte, with washer
• USB-to-RS232 converter cable
Network requirements / configuration
Bandwidth: Minimum recommended bandwidth connection of 1.5 megabits per second (Mbps)
to the Qualys Cloud Platform.
Outbound HTTPS Access: The local network must be configured to allow outbound HTTPS
(port 443) access to the Internet, so that the Scanner Appliance can communicate with the
Qualys Cloud Platform.
Network Mode: By default when you deploy a Scanner Appliance it will be in IPv4+v6
network mode. If your network is configured in a way that only IPv6 addresses can be
used, then you’ll need to switch to IPv6-only mode. See Enable IPv6-only Mode.
Appliance Access to Qualys Cloud Platform: The Scanner Appliance must be able to reach
certain infrastructure located at the Qualys Cloud Platform where your Qualys account is
located. Tip - Log into your account and go to Help > About to see the Qualys Cloud
Platform URLs.
Appliance Access to Target Host IPs: The IP addresses for the hosts to be scanned must be
accessible to the Scanner Appliance. The Appliance must be able to resolve external DNS
for the hostnames to be scanned.
LAN Interface is Default: The LAN interface services both scanning traffic and
management traffic to the Qualys Cloud Platform, unless split network configuration is
defined for the Appliance. See Split Network Configuration.
VLAN Support: VLAN configuration options: 1) If you have connected the LAN interface to
a 802.1q trunked port and need your Scanner Appliance to use VLAN tags on the LAN
default network, enter the VLAN tag number using the Appliance console. 2) For any
Appliance, you can choose option 1) and also configure more VLANs (to be used for
scanning) using the Qualys user interface.
DHCP or Static IP: By default the Scanner Appliance is pre-configured with DHCP. If
configured with a static IP address, be sure you have the IP address, netmask, default
gateway, primary DNS and WINS server (if appropriate).
Proxy Support: The Scanner Appliance includes Proxy support with or without
authentication — Basic or NTLM. Proxy-level termination (as implemented in SSL bridging,
for example) is not supported. SOCKS proxies are not supported.
WINS Support: If your network is running Windows Internet Naming Service (WINS), the
Scanner Appliance needs to use it for host name resolution during scanning. For an
Appliance configured with DHCP, please be sure your WINS server IPs (primary and
secondary) are added to your DHCP subnet configuration using “option
netbios-name-servers WINS1, WINS2;”. For an Appliance with a static IP address, the WINS
servers are defined with the static IP settings using the Appliance console.
Network Time Protocol (NTP): The Scanner Appliance syncs the time from the Qualys SOC
(Security Operations Center) for your account/location automatically. For this reason,
there is nothing you need to configure for NTP.

Best Practices for internal scanning
Here are our best practices related to internal scanning.
Avoid scanning through a firewall from the inside out
Problems can arise when scan traffic is routed through the firewall from the inside out, i.e.
when the scanner Appliance is sitting in the protected network area and scans a target
which is located on the other side of the firewall. We recommend placing scanner
Appliances in your network topology in a way that scanning and mapping through a
firewall from the inside out is avoided if possible.
Learn more
Scanning through a firewall

Check network access to scanners
Go to Help > About in the application. The Scanner Appliances section lists URLs at the
SOC (Security Operations Center) for your account/location. Your Scanner Appliances
must be able to contact these URLs on port 443. For Private Cloud Platform, the URLs
displayed are appropriate to your local on-site SOC.
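One way to run the port 443 check described above from a workstation on the network segment planned for the appliance, as an added example that is not Qualys code. The host name in PLATFORM_URLS is a placeholder for the URLs shown under Help > About, and all function names are illustrative; the script also reports the certificate issuer seen on that path, since the guide states that proxy-level termination (SSL bridging) is not supported.

```python
#!/usr/bin/env python3
"""Pre-deployment check of outbound port 443 reachability (added example)."""
import socket
import ssl
from urllib.parse import urlsplit

# Placeholder only: replace with the URLs listed under Help > About.
PLATFORM_URLS = ["https://platform-url.example.invalid"]


def endpoint(url, default_port=443):
    """Return (host, port) for a URL or a bare host name."""
    parts = urlsplit(url if "//" in url else "//" + url)
    if not parts.hostname:
        raise ValueError(f"no host name in {url!r}")
    return parts.hostname, parts.port or default_port


def check_tcp(host, port, timeout=5.0):
    """Try a direct TCP connection; return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror:
        return False, "DNS resolution failed"
    except ConnectionRefusedError:
        return False, "connection refused"
    except socket.timeout:
        return False, "timed out (likely filtered by a firewall)"
    except OSError as exc:
        return False, f"network error: {exc}"


def tls_issuer(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake; return (issuer_name, note).

    An issuer that is your organisation's internal CA, or a certificate that
    fails verification, suggests a device is terminating TLS on this path.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return None, f"certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return None, f"handshake failed: {exc}"
    # 'issuer' is a tuple of RDNs, each a tuple of (field, value) pairs.
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return issuer.get("organizationName") or issuer.get("commonName"), "ok"


def survey(urls, timeout=5.0):
    """Check every URL; TLS is only attempted when TCP succeeds."""
    results = []
    for url in urls:
        host, port = endpoint(url)
        ok, reason = check_tcp(host, port, timeout)
        issuer, note = tls_issuer(host, port, timeout) if ok else (None, "skipped")
        results.append({"host": host, "port": port, "tcp": ok,
                        "reason": reason, "issuer": issuer, "tls": note})
    return results


if __name__ == "__main__":
    for r in survey(PLATFORM_URLS):
        state = "OK  " if r["tcp"] else "FAIL"
        print(f'{state} {r["host"]}:{r["port"]}  tcp={r["reason"]}  '
              f'tls={r["tls"]}  issuer={r["issuer"]}')
```

The result reflects the direct path from the workstation only; it does not exercise any proxy settings configured on the appliance itself.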
Consult your network group for scanner placement
It's highly recommended that you work with your network group to determine where to
place Scanner Appliances in an enterprise network environment. Some things to consider:
place Scanner Appliances as close to target machines as possible, and make sure to
monitor and identify any bandwidth restricted segments or weak points in the network
infrastructure. Scanning through layer 3 devices (such as routers, firewalls and load
balancers) could result in degraded performance so you may consider using our VLAN
tagging feature (VLAN trunking) to circumvent layer 3 devices to avoid potential
performance issues.
Quick Start
Once you complete the Quick Start you’re ready to start scanning! It takes just a couple of
minutes. It’s important that you complete the steps in the order shown.
Step 1 - Connect the Scanner Appliance to the Network
Qualys strongly recommends the Scanner Appliance be plugged into a Managed Power
Supply. On the rare occasion where the Scanner Appliance may need to be rebooted,
utilizing the MPS will allow for remote rebooting in unmanned or high security areas.
Set Up Network Connection
The Scanner Appliance connects like any other computer to a switch on your network.
To set up the network connection, follow these steps:
• Connect one end of an Ethernet cable to the Ethernet LAN port on the Scanner
Appliance (back panel).
• Connect the other end of the Ethernet cable to a 10BASE-T or 100BASE-TX or
1 Gigabit switch on your network.
Learn more
How to check network access to scanners

Remote Console Interface Set Up (optional)
The Remote Console interface supports remote configuration and management of the
Scanner Appliance using a VT100 terminal, such as Windows HyperTerminal.
Figure 1-1. Set up for Remote Console Interface
A USB-to-RS232 converter cable allows you to connect to your terminal server via network
cable. Qualys recommends the following USB-to-RS232 converter cable:
IOGEAR USB-Serial Model GUC232A
Full specifications: http://www.iogear.com/product/GUC232A/
Keystroke File Not Supported: The Remote Console interface is not intended for uploading
the whole scanner configuration by means of a pre-defined “keystroke file.” Uploading
such a file will result in lost characters and incorrect configuration.
To set up the Remote Console interface, follow these steps:
1. Be sure the terminal server is up and running. Also check the terminal server
settings. The following settings are required. Note - Stop Bits must be set to 2.
   Port Setting                   Value
   Bits per second (Baud rate)    9600
   Data Bits                      8
   Parity                         None
   Stop Bits                      2
   Flow Control                   None
   Terminal Emulation             VT100
2. Connect one end of the USB-to-RS232 converter cable to a USB port on the Scanner
Appliance (back panel).
3. Connect the other end of the USB-to-RS232 converter cable to your terminal server
via network cable.
4. Connect the Scanner Appliance (see Step 2 - Power On the Scanner Appliance).
Note: In the case where the Scanner Appliance is already powered on, you must
reboot the Scanner Appliance before taking the next step and making any
configurations. To reboot, press the Down arrow on the LCD interface until the
SYSTEM REBOOT message appears and then press ENTER. Please make sure that
the Scanner Appliance has fully rebooted (this takes up to 3 minutes).
5. Press the ENTER key on the VT100 terminal’s keyboard to display the Remote
Console interface. You will notice the MAC address for the Scanner Appliance
appears.
Step 2 - Power On the Scanner Appliance
To power on the Scanner Appliance, follow these steps:
1. Connect the AC power cord into the Power Supply Socket.
Note: Qualys strongly recommends the Scanner Appliance be plugged into a
Managed Power Supply. On the rare occasion where the Scanner Appliance may
need to be rebooted, utilizing the MPS will allow for remote rebooting in
unmanned or high security areas.
2. Press the power button on the back panel. Be sure that the power button has a
green backlight.
3. Welcome to Qualys appears in the Scanner Appliance interface followed by other
informational messages during the boot process which takes approximately two
minutes. These messages appear in the order shown:
   Welcome to Qualys
   Qualys Scanner is starting up...
   Filesystem check in progress...
   Qualys Scanner is coming up...
4. Once the Scanner Appliance makes a successful connection to the Qualys Cloud
Platform you’ll see the activation code message.
ACTIVATION CODE — The activation code for the Scanner Appliance is displayed.
A unique code is assigned to each Appliance. Make a note of the activation code
and then go to enter the activation code.
You might see an appliance configuration error instead. This will be reported if the
Scanner Appliance did not make a successful connection to the Qualys Cloud
Platform using its current network settings. The error must be resolved before you
go to Step 3. Need help? See Troubleshooting.
Tip - If you’ve set up the Remote Console, it may be necessary to press the ENTER
key on the VT100 terminal’s keyboard to display the Remote Console interface.

Complete the Network Configuration (default IPv4+v6 mode)
Enable the network configurations for the Scanner Appliance, as appropriate, in the order
listed. One or more configurations may be required. Any error must be resolved before
going to Step 3. Refer to Troubleshooting for help with resolving any errors.
   Configuration Options                                        For information ...
   A  Static IP Address                                         See “Configure Static IP Address” on page 29
   B  Proxy Support                                             See “Proxy Configuration” on page 34
   C  Split Network Configuration using DHCP                    See “Enable DHCP on the WAN Interface” on page 40 and “Enable DHCP on the WAN Interface” on page 40
   D  Split Network Configuration using a Static IP Address     See “Enable DHCP on the WAN Interface” on page 40 and “Enable Static IP on the WAN Interface” on page 41
Use the options chart below to determine the configurations needed.
                                           DHCP         Static IP    DHCP         Static IP
                                           w/o Proxy    w/o Proxy    with Proxy   with Proxy
   Standard Config                         no action    A            B            A & B
   Split Netw. Config: DHCP on WAN         C            A & C        B & C        A, B, & C
   Split Netw. Config: Static IP on WAN    D            A & D        B & D        A, B, & D
The Scanner Appliance supports VLAN interface configuration (802.1Q). For information,
see Configure VLANs and Static Routes.
You may see an appliance configuration error one or two more times, depending on how
many configurations are needed. For example, if the Scanner Appliance is installed on a
network with DHCP and a Proxy server, and you want split network configuration with
DHCP, you enable options B and C. After you enable option B, you’ll see another error
prompting you to make another configuration.
Complete the Network Configuration (IPv6-only mode)
If your network is configured to only allow IPv6 addresses, then you’ll need to switch to
IPv6-only network mode and make network configuration settings. See Enable IPv6-only
Mode for details on how to reset the Scanner Appliance to IPv6-only mode, then configure
your network, VLANs and proxy before continuing to the next step.

Step 3 - Activate the Scanner Appliance
You will need a Qualys user account with the role of Manager or Unit Manager. Check to be
sure that you have your account information.
1. Open a browser and go to the platform URL where your account is located. Please
refer to your registration email containing your platform URL and login
credentials. A Manager or Unit Manager account is required.
2. On the Qualys LOGIN page, enter your user name (login) and password, and then
click LOGIN. You are prompted to review and accept the licensing agreement when
you log into your account for the first time. Your Qualys Home page appears upon
successful login.
3. Select VM/VMDR from the application picker. Then go to Scans > Appliances.
4. Select New > Scanner Appliance and enter the activation code for the appliance
(as it appears in the ACTIVATION CODE screen in your Appliance’s user interface).
Note: The activation code is shown only when the Appliance has not been
activated yet.
5. (Unit Manager only) From the Add To menu, select an asset group that you want
to add the Scanner Appliance to. This will make the Appliance available to users
in your business unit.
6. Click Activate. Then the Scanner Appliance attempts to log in to the Qualys Cloud
Platform.
Note: It may take a few minutes for the Scanner Appliance activation to occur. If
you prefer not to wait, complete the activation manually by restarting the Scanner
Appliance. Just press the Down arrow until the SYSTEM REBOOT screen appears
and then press ENTER. When REALLY REBOOT SYSTEM? appears press ENTER.
7. The SCANNER APPLIANCE NAME–IP ADDRESS message appears after the Scanner
Appliance makes a successful login to the Qualys Cloud Platform. Do you see
another message instead? See Troubleshooting and we’ll help you with this.
That’s all there is to it!
You are ready to start scanning with your Qualys Scanner Appliance! You’ll see the
Scanner Appliance name and IP address in the interface (LCD or Remote Console). This
indicates you have completed the Quick Start and the Scanner Appliance has been added
to your subscription.
Tip - Before you launch scans using the Scanner Appliance, we recommend you log into
the Qualys user interface and check the Appliance status on the appliances list.

Scanner Appliance Name and IP Address
The Scanner Appliance name and IP address appear as shown below.
The Scanner Appliance name displayed is “is_username”, where username is your
Qualys user name. The name can be changed using the Qualys user interface.
The IP address is available for information purposes only. The Scanner Appliance
is remote controlled by the Qualys Cloud Platform, and the Appliance does not
allow incoming logins or connections from the network. If split network
configuration is enabled, the IP address for the LAN interface is displayed.
The Qualys Cloud Platform indicator for your account appears in the lower right
corner.
Proper Shutdown
Just go to the LCD display on the front panel. Press the down arrow until SYSTEM
SHUTDOWN appears, and then press ENTER. When you see REALLY SHUTDOWN SYSTEM?
press ENTER. You'll notice the Scanner Appliance lights and LEDs are turned off. Then you
can safely disconnect the power supply.
Don't want to use the LCD interface? No problem, you can press the power button on the
back panel instead.

We recommend one more thing
Check your Scanner Appliance status in the Qualys portal. Go to Scans > Appliances and
select your Appliance. You’ll see details in the preview pane.
1) [icon] tells you your Scanner Appliance is ready. Now you can start internal scans! Next to
the status you’ll see the busy icon is greyed out until you launch a scan, then it looks like
this: [icon].
You might also check out:
2) [icon] tells you that your Scanner Appliance is a Physical Appliance and [icon] means it’s a
Virtual Appliance.
3) Latest software versions - these are installed automatically as part of the activation.
4) The available capacity will be 100% until you launch a scan. You can come back and
check on this at any time.

Scanner Appliance Tour
This section gives you a tour of the Qualys Scanner Appliance, its features, basic operation
and configuration options.
A Quick Look at the Appliance
Navigating the Appliance UI
System Reboot and Shutdown
Configure VLANs and Static Routes
Configure Static IP Address
Configure IPv6 Address for Scanning
Proxy Configuration
Split Network Configuration
Ethernet Port Configuration
Changing the Network Configuration
Enable IPv6-only Mode
Network Settings in IPv6-only Mode
Switch Between Modes
Reset All Network Settings

A Quick Look at the Appliance
Front Panel
You’ll see Welcome to Qualys in the LCD display when you connect the Appliance to the
network for the first time. After you’ve successfully completed the Quick Start steps for
your Scanner Appliance, you’ll see the Scanner Appliance name and IP address.
Use the keypad to enter information and respond to prompts.
• Left and Right arrow buttons move the cursor to left/right in an entry field.
• Up and Down arrow buttons scroll through menu options, and scroll through
characters in an entry field.
• ENTER button, in the center, is used to confirm entries and move to the next
screen.
Tell me about the LEDs.
• S1 tells you a Qualys scan is in progress on the Scanner Appliance.
• S2 tells you a software update to the Scanner Appliance is in progress.
• S3 is not used.
Back Panel
The Appliance’s back panel includes: the power socket, the Ethernet LAN port, the
Ethernet WAN port, two USB 2.0 ports and two USB 3.0 ports.

Power socket - Use to connect the power connector to the Appliance.
Power button - Use to power on the Appliance. A green light indicates the Appliance is
turned on.
LAN/WAN ports - Use to connect the Appliance to a hub or switch on your network using
a straight through CAT6 twisted pair Ethernet cable. The LAN port is required. The WAN
port is only required if you choose the split network configuration option.
USB ports - Connect a USB-to-RS232 converter cable to a USB port if you want to use the
optional Remote Console interface (any port may be used).
Appliance UI
The Scanner Appliance has a user interface for configuration and management. You can
choose to use the LCD display and keypad on the front panel, or the optional Remote
Console interface. Both the LCD display and Remote Console offer the same functionality
and share the same menus and navigation (ENTER key and arrows) for a consistent user
experience.
The Remote Console interface supports remote configuration and management of the
Scanner Appliance using a VT100 terminal, such as Windows HyperTerminal. See Remote
Console Interface Set Up (optional).

Navigating the Appliance UI
Main Menu
To access the Scanner Appliance main menu, press ENTER when the Scanner Appliance
name and IP address are displayed. The first menu option displayed is SETUP NETWORK.
Figure 2-1. Scanner Appliance Main Menu
To move up through the menu options, press the Up arrow. To move down through the
menu options, press the Down arrow. To select an option, press ENTER. To exit the main
menu, press the down arrow button until the EXIT THIS MENU option appears, and then
press ENTER.