Configure Security Groups for Virtual Scanner Appliance
Set up the following outbound rules for the security group assigned to the scanner appliance:
- Connectivity to Qualys Cloud Platform
The scanner appliance must have connectivity to the Qualys Cloud Platform. If the scanner appliance has direct internet connectivity, ensure that the outbound rule allows access on port 443 to the Qualys Security Operations Center (SOC) IP address range. You can get the SOC IP address range by logging in to the Qualys Portal and navigating to Help > About. If you use a proxy server, ensure that an outbound rule allows communication to the proxy server and that the proxy server can reach the Qualys Cloud Platform.
- Connectivity to Amazon EC2 API endpoints
The scanner appliance must be able to reach the Amazon EC2 and STS API endpoints. For authorization, the scanner must reach the STS endpoints to assume roles and obtain tokens before it can make EC2 API calls. Communication with the EC2 and STS APIs is not routed through the proxy server you may have configured for appliance management communication with the Qualys Cloud Platform (see above). The scanner appliance must communicate with the EC2 and STS APIs directly, or through a fully transparent proxy or filtering technology.
If the scanner appliance has direct internet connectivity, ensure that the outbound rule allows access on port 443 to the Amazon EC2 and STS API endpoints. If you have configured an Amazon EC2 API proxy server in the Qualys UI, ensure that an outbound rule allows communication to that proxy server and that the proxy server can reach the Amazon EC2 API endpoints.
If the appliance cannot reach the Amazon EC2 API endpoint, no EC2 Scan job you initiate can succeed. The scan concludes without scanning any EC2 instance targets, because the appliance cannot resolve the list of target instance IDs to IP addresses, and may report the error "No Hosts alive".
See the AWS documentation on regions and endpoints: http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
- Connectivity to target instances
The scanner must be able to reach every target instance in order to run the scan. Configure an outbound rule that allows access to all ports on the subnets of the EC2 instances that the scanner scans; keep it limited to those subnets rather than opening all ports to any destination.
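As an added example (not Qualys' own code or tooling), the Python below builds the three outbound rule sets described above in the IpPermissions shape that boto3's EC2 authorize_security_group_egress() accepts, keeps the Qualys management proxy and the EC2 API proxy as separate inputs because the text says the first does not carry EC2/STS traffic, and checks an existing group's egress permissions for destinations it does not allow. Every CIDR, proxy address and port passed to it is a constructed placeholder: the real SOC range comes from Help > About in the Qualys Portal, and the EC2/STS endpoint ranges from AWS for your region.

```python
import ipaddress

def _rule(proto, from_port, to_port, cidrs, description):
    """One IpPermissions entry (the boto3 shape) covering every CIDR in cidrs."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c, "Description": description} for c in cidrs]}

def build_egress_rules(soc_cidrs, ec2_api_cidrs, target_cidrs,
                       qualys_proxy=None, ec2_api_proxy=None):
    """Egress rules for the scanner security group; proxies are (cidr, port) or None.
    The two proxies are separate on purpose: the management proxy does not carry
    EC2/STS API traffic, so only an EC2 API proxy replaces the direct EC2/STS rule."""
    rules = []
    if qualys_proxy:                                 # 1. Qualys Cloud Platform
        cidr, port = qualys_proxy
        rules.append(_rule("tcp", port, port, [cidr], "Qualys platform via proxy"))
    else:
        rules.append(_rule("tcp", 443, 443, soc_cidrs, "Qualys SOC"))
    if ec2_api_proxy:                                # 2. Amazon EC2 and STS API
        cidr, port = ec2_api_proxy
        rules.append(_rule("tcp", port, port, [cidr], "EC2 API via proxy"))
    else:
        rules.append(_rule("tcp", 443, 443, ec2_api_cidrs, "EC2/STS API"))
    rules.append({"IpProtocol": "-1",                # 3. targets: all ports/protocols,
                  "IpRanges": [{"CidrIp": c, "Description": "scan targets"}  # scanned subnets only
                               for c in target_cidrs]})
    return rules

def _covers(existing, proto, from_port, to_port, cidr):
    """True if one existing egress permission already allows this destination."""
    if existing["IpProtocol"] not in ("-1", proto):
        return False
    if existing["IpProtocol"] != "-1" and not (
            existing.get("FromPort", 0) <= from_port and to_port <= existing.get("ToPort", 65535)):
        return False
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in existing.get("IpRanges", []))

def missing_destinations(existing_permissions, required_rules):
    """(description, cidr) pairs that the group's current egress rules do not allow;
    an empty list means every destination the appliance needs is reachable."""
    gaps = []
    for rule in required_rules:
        fp, tp = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for r in rule["IpRanges"]:
            if not any(_covers(e, rule["IpProtocol"], fp, tp, r["CidrIp"]) for e in existing_permissions):
                gaps.append((r["Description"], r["CidrIp"]))
    return gaps
```

Feed missing_destinations() the IpPermissionsEgress list from describe_security_groups() for the scanner's group; a group that only allows HTTPS to 0.0.0.0/0 will pass the first two checks but fail the scan-target check, which is the "No Hosts alive" situation described above.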