Deploying Custom Image Using Command-line Tool

This section describes how to deploy a Qualys Virtual Scanner Appliance using the Google gcloud CLI tool.

• You can deploy a Custom Image Using Command-line Tool using any one of the following
  • Deploying Scanner Appliance on Private Cloud Platforms (PCP)
  • Deploying Scanner Appliance on Marketplace (SCP)
• You can monitor Post-deployment progress here.

Deploying Scanner Appliance on Private Cloud Platforms (PCP) or SCPs with No Access to Google Cloud Marketplace

First, you need to create a Qualys scanner image from a qVSA image link provided to you by Qualys Operations.

Once you have created the image, you can use the gcloud tool to deploy a Qualys Virtual Scanner Appliance in Google Cloud.

This scanner, once deployed, functions as a standard Virtual Scanner and can scan based on IP address or CIDR block.

• Step 1: Create a Qualys Scanner image in GCE with gcloud tool
• Step 2: Deploy a Qualys Virtual Scanner Appliance

Step 1: Create a Qualys Scanner image in GCE with gcloud tool

You can create a scanner image either using an SAS URL or a tar.gz file.

Option 1: Create a Qualys Scanner image from the SAS URL provided to you by Qualys by using this command:

gcloud compute images create IMAGE_NAME ---project PROJECT --source-uri=SOURCE_URI

For example:

gcloud compute images create qvsa-gce-1.2.3-1 --project my-project
--source-uri="https://storage.googleapis.com/qvsa-image-upload-non-regional
/qVSA-GCE.PCP.123-1.2.3-1.tar.gz?x-goog-signature=888636eabfad176a3dacdf8b36bfe238d837c6fe980e557868546214c59aa0ce2
d2094eebb43c48f2545796a2bb1b091a3dcb11060da22f226dd2e8e200e51e2ed4d9c31870ceba
6e289bc7091a2b6f30a4f20859f19b8669025d201c8eec810b2de39aecf43fb03150de16d54cb
83a23be8109958e78bc1b6034fe897f6560f83287277a7535aca0d1db941738ddef8038dd418a
71966d9834aadab672b052172170714a47eadcc77d12d2e7ded09375896115e626369c9a4f74d
59e26e6f6f882d97019cc0fd4fb3f8b8c82dd4c081ccc7d1ac80f7b4b8700a86e2072ab8a23e81e3
ed33b2dba1f1023bceb4fd0abc38707bd4f1dafed99813844c3830d815&x-goog-algorithm=GOOG4-RSA-SHA256&x-goog-credential=example-
dev.iam.gserviceaccount.com%2F20250527%2FUS%2Fstorage%2Fgoog4_
request&x-goog-date=20250527T212530Z&x-goog-expires=3600&x-goog-
signedheaders=host"

Option 2: Create a Qualys scanner image in GCE from a tar.gz file.

Customers are expected to build a Qualys Scanner image specific to their private platform.

1. Download the qVSA image file (tar.gz) using the signed link provided by Qualys Operations.
2. Upload the downloaded qVSA image file to a storage bucket in your Google cloud project.
3. Create the Qualys Scanner Image using the already uploaded tar.gz file.

Use this command:

gcloud compute images create IMAGE_NAME --project PROJECT --

source-uri=SOIURCE_URI 30 Securing GCP with Qualys Deploying Sensors

Example:

gcloud compute images create qvsa-scanner –project my--project ‘–-source-uri="

gs://qvsa-gce-bucket/qVSA-GCE-2.7.29-4.tar.gz

Step 2: Deploy a Qualys Virtual Scanner Appliance

The following gcloud command creates an instance with no service account assigned to it.

The 'metadata' option is where PERSCODE and Proxy server configuration should be specified, separated by comma.

Use this command:

gcloud compute instances create INSTANCE_NAME --image--project=IMAGE_PROJECT --image=IMAGE --zone=ZONE --custom-cpu=CUSTOM_CPU --custom-memory=CUSTOM_MEMORY --metadata=KEY=VALUE,[KEY=VALUE] --no-scopes --no-service-account

Example:

gcloud compute instances create vscanner --image--project=my_project --image=qvsa-gce-2-7-29-5 --zone us-east1-b --custom-cpu=2 --custom-memory=2048MiB --metadata=PERSCODE=12345678901234, PROXY_URL=proxy_user:proxy_paswd@10.1.2.3:8080 --no-scopes --no-service-account

Deploying Scanner Appliance on Marketplace (SCP)

Use the following options for image family and image project to get the latest Qualys Virtual Scanner Appliance image from Marketplace:

--image-family=qvsa --image--project=qualys-gcp-security

Example:

gcloud compute instances create vscanner --image-family=qvsa --image--project=qualys-gcp-security --zone us-east1-b --custom-cpu=2 --custom-memory=2048MiB --metadata=PERSCODE=12345678901234, PROXY_URL=proxy_user:proxy_paswd@10.1.2.3:8080 --no-scopes --no-service-account

• For generating Perscode through API, refer to the Add new virtual scanner API from VM API documentation.
• You receive an 'Activation Code' in the API response, referred to as 'perscode' in the case of the Scanner Appliance.

To deploy Qualys Virtual Scanner Appliance using the latest Marketplace image via Google Cloud CLI

Use the following command:

gcloud compute images list --filter="family=qvsa" --project qualys-gcp-security --sort-by=~creationTimestamp --limit=1 --uri

Post-deployment Progress and Monitoring

Deployment of the Qualys Virtual Scanner Appliance may take up to 10 minutes. Once deployment is complete, the appliance automatically connects to the Qualys Enterprise TruRisk™ Platform for registration. After registration, the appliance downloads the latest software and vulnerability signatures to ensure it is equipped with the most current information.

You can monitor the progress of the instance creation in the GCE VM instances.

To view further progress of the appliance configuration or to diagnose any issues, look at the serial console output.

Click 'Serial port 1 (console)' in the logs section.

In Google Compute Engine (GCE), you can also check VM status graphs, for instance resources such as CPU Utilization, Disk IO, and Network status:

From the Qualys Enterprise TruRisk™ Platform UI, you can check the activation status of your Qualys Virtual Scanner Appliance. Click Check Activation in the Add New Virtual Scanner dialog from where you copied the personalization code.

Learn more about Generating a Personalization Code.