Scan Assets

Here are the steps to scan your network. Before you initiate a scan, work through the following checkpoints and pre-configurations.

EC2 Scan checklist

Go to Qualys VM/VMDR or Qualys PC. We recommend completing these steps before scanning.

Check Appliance Status

Go to Scans > Appliances. Make sure the new Scanner Appliance shows as connected to the Qualys Cloud Platform; once it does, the appliance is ready for scanning.

Define Amazon EC2 API Proxy settings in Qualys UI

This step is required if you have defined a Proxy Server in the User Data field during the virtual scanner deployment. Your EC2 scan does not work if you do not perform this step.

  • Go to Scans > Appliances.
  • Edit your EC2 Virtual Scanner Appliance.
  • Go to the Proxy Settings tab, select the Amazon EC2 API Proxy, and enter your proxy server details: hostname and/or IP address, port, and proxy credentials (if the proxy server requires them).

Good to Know

The settings you enter here allow the Virtual Appliance to connect to your Amazon EC2 API endpoints. The Virtual Appliance makes API calls to the AWS Gateway through the proxy server that you specify. For example, it calls the DescribeInstances API to get the current IP address of each EC2 instance you want to scan.

Sample Scanner Appliance Proxy Settings

You can view all proxy settings on the Scanner Appliance Information page.

  • Just go to Scans > Appliances.
  • Hover over your appliance and choose Info from the Quick Actions menu.
  • Click Edit to make changes to the Amazon EC2 API Proxy settings.

The Scanner Proxy section shows the proxy server information that was defined in the AWS AMI (User Data) settings during the appliance's deployment; credentials are masked with ***.


You must allow the EC2 Region endpoints to be accessible via the proxy.

Look up the endpoint URL for each region here: http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region

Check EC2 Assets are activated

Go to Assets > Host Assets or Qualys AssetView (AV) and check that your EC2 hosts are activated. Activated assets are assigned the EC2 tracking method.

Configure security groups for the EC2 instances to be scanned

In AWS, associate each EC2 instance to be scanned with a security group that allows inbound access on all ports from the scanner appliance's IP address or from the scanner appliance's security group.

Here is a sample security group assigned to an EC2 instance that allows inbound access on all ports from the security group of the Qualys Virtual Scanner Appliance.

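Before launching a scan it is worth confirming, outside the console, that the target groups really do admit the scanner on every port and protocol. The following is an added example (not Qualys or AWS code) that reads JSON in the shape returned by `aws ec2 describe-security-groups` and reports, per group, whether some inbound rule gives the scanner full access, either by the scanner's security group ID or by a CIDR that contains its private IP. The scanner group ID, the scanner IP, the target group IDs and the rules are all constructed sample values.

```python
"""Verify that target security groups admit the Qualys scanner appliance.

Added example, not Qualys or AWS code. It reads JSON in the shape that
`aws ec2 describe-security-groups` returns and reports, per group, whether
some inbound rule gives the scanner full access (all protocols, all ports)
by the scanner's security group ID or by a CIDR containing its IP.
All IDs, IPs and rules below are constructed samples.
"""
import ipaddress
import json

SCANNER_SG_ID = "sg-0f1e2d3c4b5a69788"   # constructed: the scanner appliance's group
SCANNER_IP = "10.0.1.25"                 # constructed: the scanner appliance's private IP

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {   # Full access from the scanner's security group: what this page asks for.
        "GroupId": "sg-0000000000000aaa1", "GroupName": "target-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": SCANNER_SG_ID}]},
        ]},
    {   # TCP only, every port, from the scanner's /32: UDP and ICMP are still blocked.
        "GroupId": "sg-0000000000000bbb2", "GroupName": "target-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": SCANNER_IP + "/32"}], "UserIdGroupPairs": []},
        ]},
    {   # A single port from the scanner's subnet: SSH/RDP for authenticated scanning is unreachable.
        "GroupId": "sg-0000000000000ccc3", "GroupName": "target-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        ]},
]})


def _source_matches(perm, scanner_sg_id, scanner_ip):
    """True if the rule's source covers the scanner, by group ID or by a CIDR holding its IP."""
    for pair in perm.get("UserIdGroupPairs", []):
        if scanner_sg_id and pair.get("GroupId") == scanner_sg_id:
            return True
    if scanner_ip:
        addr = ipaddress.ip_address(scanner_ip)
        for rng in perm.get("IpRanges", []):
            if addr in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False


def _all_ports(perm):
    """True if the rule spans every port of its protocol ('-1' means every protocol)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def scanner_coverage(group, scanner_sg_id=None, scanner_ip=None):
    """Return the set of protocols on which the scanner can reach every port.

    'all' comes from an IpProtocol '-1' rule; 'tcp' or 'udp' from a 0-65535 rule
    for that protocol only. An empty set means no full-port rule admits the scanner.
    """
    covered = set()
    for perm in group.get("IpPermissions", []):
        if _source_matches(perm, scanner_sg_id, scanner_ip) and _all_ports(perm):
            covered.add("all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"])
    return covered


def check_groups(describe_json, scanner_sg_id=None, scanner_ip=None):
    """Map each GroupId to True only when the scanner has all-protocol, all-port access."""
    result = {}
    for group in json.loads(describe_json)["SecurityGroups"]:
        result[group["GroupId"]] = "all" in scanner_coverage(group, scanner_sg_id, scanner_ip)
    return result


if __name__ == "__main__":
    for group in json.loads(SAMPLE_DESCRIBE_OUTPUT)["SecurityGroups"]:
        cov = scanner_coverage(group, SCANNER_SG_ID, SCANNER_IP)
        status = "OK" if "all" in cov else f"INSUFFICIENT (full-port coverage: {sorted(cov) or 'none'})"
        print(f"{group['GroupName']} ({group['GroupId']}): {status}")
```

Only the first group passes; the second shows the common mistake of opening all TCP ports but nothing else, which the check reports as partial rather than full coverage. To use it against a real account, replace the constructed JSON with the output of `aws ec2 describe-security-groups --group-ids <target groups>` and set the scanner's group ID and private IP to the values shown on the appliance's Info page.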

Configure OS Authentication

Using host OS authentication (trusted scanning) allows our service to log in to each target system during scanning. Running authenticated scans gives you the most accurate results with fewer false positives.

Go to Scans > Option Profiles. Edit the Initial Options profile and use Save As to save a copy under a new name. In your new profile, enable the authentication types you'll need.

Go to Scans > Authentication. Add authentication records (Unix and/or Windows) for the EC2 instances you'll be scanning. In each record, add the credentials of the account to be used for authentication; this is an OS user account (not the IAM user). We recommend creating a dedicated account for authentication on target systems.

Sample Unix Record

  1. Login Credentials - Provide the OS user name and select Skip Password.
  2. Private Keys - Key authentication is recommended. Select the key type (RSA, DSA, ECDSA, ED25519) and enter your private key content.
  3. IPs - Select the Unix IP addresses/ranges of your EC2 instances for this record. Credentials in this record are used to scan these assets.

Sample Windows Record

  1. Login Credentials - Provide the OS user name and select Skip Password.
  2. IPs - Select the Windows IP addresses/ranges of your EC2 instances for this record. Credentials in this record are used to scan these assets.

Learn more about OS authentication

Online help within the authentication record workflows provides detailed instructions and guidance on all available options. These documents are also good resources:

Qualys Windows Authentication Guide (pdf)

Qualys Unix Authentication Guide (pdf)

Move your Virtual Appliance

This step is recommended if you have defined custom networks in your Qualys account.

By default, a new Virtual Scanner Appliance is placed in the Global Default Network, and when a scan is performed, host scan data is added to that network.

We recommend moving this Virtual Appliance to the desired network (the Global EC2 Network or a custom network) before scanning.

Go to Assets > Networks, edit the network you want to move the Virtual Appliance to and add the appliance to that network.

Next Step

Scan Using Virtual Scanner Appliance