Deploying Custom Image Using Command-line Tool
This section describes how to deploy a Qualys Virtual Scanner Appliance using the Google gcloud CLI tool.
- You can deploy Custom Image Using Command-line Tool using any one of the following
- You can monitor Post-deployment progress here.
Deploying Scanner Appliance on Private Cloud Platforms (PCP)
First, you need to create a Qualys scanner image from a qVSA image link provided to you by Qualys Operations.
Once you have created the image, you can use the gcloud tool to deploy a Qualys Virtual Scanner Appliance in Google Cloud.
This scanner, once deployed, functions as a standard Virtual Scanner and can scan based on IP address or CIDR block.
- Step 1: Create a Qualys Scanner image in GCE with gcloud tool
- Step 2: Deploy a Qualys Virtual Scanner Appliance
Step 1: Create a Qualys Scanner image in GCE with gcloud tool
You can create a scanner image either using an SAS URL or a tar.gz file.
Option 1: Create a Qualys Scanner image from the SAS URL provided to you by Qualys by using this command:
gcloud compute images create IMAGE_NAME --project PROJECT --
source-uri=SOURCE_URI
For example:
gcloud compute images create qualys-scanner –project my-project --sourceuri="
https://storage.googleapis.com/qvsa-image-upload-non-regional/qVSAGCE.
PCP.1234-2.7.29-1.tar.gz?x-googsignature=
88888043fd956440222558fe4959b1036ec7153400e9c6d286bb0b6530775d863
91e4bc17ed7ac98037fae5bae85a2c98e03bfe5e0012a4014a7f861731c6aa482cdf1e42c35
53bf2a433dcad20cbbe85da36cffbe68ae5fd16e3a1d57762d942d58a54a1e06ec627b29192
f6053939966283761fd09eebcea45b1097a3883dc465a39e2343d0b51ff1fde732c4dfbaa5a5
9dc8bf2a233acd3828e06232016e6a5854357385996c117213bb9d98b0e39d3f18ff7a01ea8
581e852525de4068ec7f794685b03c20d620159a06d83f2d37b99bedbbeb4370965d8a49d6
87a99dde954e9d9d5083d475ca4f3c462da3b488d5d76087d8f863a5b197d48199163d27d4
5&x-goog-algorithm=GOOG4-RSA-SHA256&x-goog-credential=bamboo-buildaccount%
40qvsa-dev 2.iam.gserviceaccount.com%2F20210929%2Fus%2Fstorage%2Fgoog4_request&x-googdate=20210929T060234Z&x-goog-expires=604800&x-goog-signedheaders=host"
Option 2: Create a Qualys scanner image in GCE from a tar.gz file.
Customers are expected to build a Qualys Scanner image specific to their private platform.
- Download the qVSA image file (tar.gz) using the signed link provided by Qualys Operations.
- Upload the downloaded qVSA image file to a storage bucket in your Google cloud project.
- Create the Qualys Scanner Image using the already uploaded tar.gz file.
Use this command:
gcloud compute images create IMAGE_NAME --project PROJECT --
source-uri=SOIURCE_URI 30 Securing GCP with Qualys Deploying Sensors
Example:
gcloud compute images create qvsa-scanner –project my-project --sourceuri="
gs://qvsa-gce-bucket/qVSA-GCE-2.7.29-4.tar.gz
Step 2: Deploy a Qualys Virtual Scanner Appliance
The following gcloud command creates an instance with no service account assigned to it.
The 'metadata' option is where PERSCODE and Proxy server configuration should be specified, separated by comma.
Use this command:
gcloud compute instances create INSTANCE_NAME --image-project=IMAGE_PROJECT --image=IMAGE --zone=ZONE --custom-cpu=CUSTOM_CPU --custom-memory=CUSTOM_MEMORY --metadata=KEY=VALUE,[KEY=VALUE] --no-scopes --no-service-account
Example:
gcloud compute instances create vscanner --image-project=my_project --image=qvsa-gce-2-7-29-5 --zone us-east1-b --custom-cpu=2 --custom-memory=2048MiB --metadata=PERSCODE=12345678901234, PROXY_URL=proxy_user:proxy_paswd@10.1.2.3:8080 --no-scopes --no-service-account
Deploying Scanner Appliance on Marketplace (SCP)
Use the following options for image family and image project to get the latest Qualys Virtual Scanner Appliance image from Marketplace:
--image-family=qvsa --image-project=qualys-gcp-security
Example:
gcloud compute instances create vscanner --image-family=qvsa --image-project=qualys-gcp-security --zone us-east1-b --custom-cpu=2 --custom-memory=2048MiB --metadata=PERSCODE=12345678901234, PROXY_URL=proxy_user:proxy_paswd@10.1.2.3:8080 --no-scopes --no-service-account
- For generating Perscode through API, refer to the Add new virtual scanner API from VM API documentation.
- You receive an 'Activation Code' in the API response, referred to as 'perscode' in the case of the Scanner Appliance.
To deploy Qualys Virtual Scanner Appliance using the latest Marketplace image via Google Cloud CLI
Use the following command:
gcloud compute images list --filter="family=qvsa" --project qualys-gcp-security --sort-by=~creationTimestamp --limit=1 --uri
Post-deployment Progress and Monitoring
Deployment of the Qualys Virtual Scanner Appliance may take up to 10 minutes. Once deployment is complete, the appliance automatically connects to the Qualys Enterprise TruRisk™ Platform for registration. After registration, the appliance downloads the latest software and vulnerability signatures to ensure it is equipped with the most current information.
You can monitor the progress of the instance creation in the GCE VM instances.
To view further progress of the appliance configuration or to diagnose any issues, look at the serial console output.
Click 'Serial port 1 (console)' in the logs section.
In Google Compute Engine (GCE), you can also check VM status graphs, for instance resources such as CPU Utilization, Disk IO, and Network status:
From the Qualys Enterprise TruRisk™ Platform UI, you can check the activation status of your Qualys Virtual Scanner Appliance. Click Check Activation in the Add New Virtual Scanner dialog from where you copied the personalization code.
Learn more about Generating a Personalization Code.
