Configure Assets

Network Passive Sensors can detect traffic flows between two types of IP addresses. These IP addresses can be internal (within your network) or external (outside your network).

You can configure how you want to categorize your assets discovered by the sensors while monitoring traffic flow. All these assets are listed in the Assets tab of Global AssetView/CyberSecurity Asset Management.

Assets can be defined as Internal Assets, Excluded Assets, and External Assets.

The Configuration tab consists of the following:

Internal Assets

Define Internal IP ranges that you want to monitor.  IP addresses in these internal ranges are individually tracked for traffic analysis and inventoried in detail.

When registering a sensor, you can add IP ranges within your network to monitor in the Define Internal Assets step. The assets discovered for these IP addresses will be individually inventoried and tracked for traffic analysis. You can select IP ranges from the default list or create custom IP ranges.

Alternatively, to add internal assets, go to Configuration > Internal Assets > Add.

In this step, you define the IP ranges within your network you want to monitor. The assets discovered for these IP addresses are individually inventoried and tracked for traffic analysis. You can use default IP ranges, IP range tags, or customized IP range options to define the range of internal assets. By default, assets are added to inventory. Select No if you want to just monitor the traffic flows to/from the configured IP ranges but do not want to track them in asset inventory. You can always edit the sensor configuration later to add assets for the IP ranges to the inventory if you have selected No while registering virtual and physical sensors.

To complete the sensor setup and to start sensing assets you must define Internal Asset ranges. The passive sensor senses all the traffic that you have mirrored. However, by defining internal asset ranges, you choose the assets you want to monitor and report on.

1 - Default IP Ranges

This option defines internal assets discovered within default internal ranges for your network. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets.

2 - IP Range Tags

This option defines internal assets discovered with IP range tags. These are the dynamic tags created with IP Address In Range(s) rule engine. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets. Click Select IP Ranges to select IP tags from the list of tags for which you want to define internal assets.

  • NPS supports configuration of IPv6 ranges in the internal asset group using IP Range Tags with some limitations. For more information about limitations, refer to the limitation of IPv6 address configuration.
  • If a network/IP range tag contains a large number of comma-separated IPs exceeding a threshold of 600 values, then the NPS sensor configuration does not process the tag.

3 - Custom IP Ranges

This option defines internal assets discovered with custom IP ranges. You can provide IP ranges for monitoring. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets.

  • NPS supports internal asset group configuration of IPv6 addresses with Custom IP ranges. For more information about limitations, refer to the limitation of IPv6 address configuration.
  • If a network/IP range tag contains a large number of comma-separated IPs exceeding a threshold of 600 values, then the NPS sensor configuration does not process the tag.
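
A tag that exceeds the 600-value threshold is not processed by the sensor configuration, so the ranges it was meant to cover go unmonitored. The following pre-check is an added example, not Qualys code. It assumes tag values are single IPs, CIDR blocks, or start-end ranges, and that a CIDR block counts as one value; neither assumption is stated on this page.

```python
import ipaddress

MAX_TAG_VALUES = 600  # threshold stated on this page


def parse_value(value):
    """Return the networks covered by one comma-separated entry.
    Assumed syntax (not from the page): single IP, CIDR, or 'start-end'."""
    value = value.strip()
    if "-" in value:
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(value)]  # strict: host bits set is an error


def preflight(tag_text):
    """Count the values in a tag, flag the threshold, and propose a collapsed list."""
    values = [v for v in tag_text.split(",") if v.strip()]
    nets, errors = [], []
    for v in values:
        try:
            nets.extend(parse_value(v))
        except (ValueError, TypeError) as exc:
            errors.append(f"{v.strip()}: {exc}")
    # collapse_addresses() cannot mix IP versions, so handle them separately
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return {
        "value_count": len(values),
        "over_threshold": len(values) > MAX_TAG_VALUES,
        "collapsed": [str(n) for n in v4 + v6],
        "has_ipv6": bool(v6),  # IPv6 ranges carry the limitations listed on this page
        "errors": errors,
    }


def constructed_sample():
    """Constructed input: 700 consecutive single IPs starting at 10.20.0.0."""
    base = int(ipaddress.ip_address("10.20.0.0"))
    return ",".join(str(ipaddress.ip_address(base + i)) for i in range(700))


if __name__ == "__main__":
    report = preflight(constructed_sample())
    print(report["value_count"], report["over_threshold"], report["collapsed"])
```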

Edit the Internal Asset Groups with Network + IP range tags

Once you have added the Internal Asset Groups with the Network and IP range tags, you can edit these configuration settings by going to the Sensor Details tab.

Go to the Sensor Details page and click Edit.

To know more about network tags and networks, refer to Configure Your Network from VMDR Online help.

Excluded Assets

Define the assets you want to exclude from the inventory.  The assets discovered for these addresses are masked as Excluded in traffic summary.

To add excluded assets, go to Configuration > Excluded Assets > Add.

Monitor External Assets

Define the external sites you want to monitor. These sites are reported individually in the traffic summary; however, they are not inventoried like the internal assets.

To add external assets, simply go to Configuration > Monitor External Asset Group > Add.

How does it work?

All these discovered assets are reported to Qualys Asset Inventory where you can see detailed information about them as well as traffic summary, etc.

If an asset discovered by Passive Sensor is already known by active scans or by cloud agents then it is considered a managed asset and the asset data is correlated and merged. If the asset is previously unknown, then it is placed in the unmanaged list of assets.

In the Inventory column of Asset Inventory, the asset source is marked as Passive Sensor to indicate that the asset was discovered by a passive sensor.

Manually Activate Assets for VM/PC scans

Now you can add IP addresses of unmanaged assets into an IP range which can be scanned for VM and PC. The scans themselves have to be triggered via the respective VM or PC modules. You can choose one or more assets whose active IP (by default) is selected. You may then choose to add the selected IP(s) or the IP of a different interface to be activated for scan. If your account has a Network subscription, then you can choose from a list of Networks that the user has admin rights to, for adding the IPs. While adding a single IP, the Network associated with the sensor appliance that reported the asset is chosen as the default network to add the IP to.

The following screen shows how to activate assets in the Manager Role.

General Settings

The General Settings tab is divided into the General Configuration tab and the Exclusion tab.

General Configuration Tab
  • You can help Qualys NPS enhance the operating system and device prediction of the asset by providing fingerprint data.
  • You can set up notifications for events like Driver Change Required, Reboot Required, and Asset Reporting Stopped to be sent to your email address.

    Also, you can see the alert notifications for the events generated (like Driver Change Required, Reboot Required, and Asset Reporting Stopped) in the events section of the sensor details page.

Exclusion Tab

You can exclude specific hostnames when merging unmanaged assets or merging them into managed assets.

General Configuration

Qualys NPS service utilizes the data gathered from traffic flows to predict the OS and hardware. NPS does not collect any user-specific sensitive data. It collects the protocol-specific data gathered from packet headers, which are transparently displayed to the customer in the asset's Raw Discovery Data (in the CSAM/GAV > Asset Details > System Information > View Raw Information Data section).

The NPS service identifies patterns in this data to predict OS and device models. There is always scope for improving pattern recognition to detect more OS and device models. Once consent is given, Qualys can collect the asset's metadata and utilize it to enhance predictions of OS and device models in future releases.

To configure the general settings, follow these steps:

  1. Navigate to Configuration > General Settings > General configuration.
  2. To give consent to Qualys to access the metadata, toggle Access to Fingerprint Data to allow access.

    Fingerprints do not include any sensitive data. They consist of metadata related to the assets, which can be viewed in the CSAM/GAV > Asset Details > System Information > View Raw Information section.

  3. In the Mail ID Recipients section, enter the email IDs of recipients to receive email notifications for specific events.

    You can add multiple email IDs using commas.

    Specific Events

    The following specific events are sent to recipients:

    Event: Reboot Required
    Description: The NPS appliance raises this event whenever a user edits the NPS virtual machine's settings to add or remove a network adapter while the virtual machine is running. For example, if the user wants to create another sniffing interface, the user must reboot the virtual machine for the changes to take effect.
    Action Required:
      1. Shut down the NPS appliance.
      2. Power on the NPS appliance.

    Event: Driver Change Required
    Description: The NPS appliance raises this event when a user edits the NPS VM appliance settings to add a network adapter but does not configure the network adapter type to vmxnet3.
    Action Required:
      1. Shut down the NPS appliance.
      2. Change the network adapter type to vmxnet3.
      3. Power on the NPS appliance.

    Event: Asset Reporting Stopped
    Description: The NPS appliance raises this event if it was inventorying assets but, for some reason, is unable to inventory any assets for a continuous duration of 2 hours. This can happen due to various reasons such as:
      • A traffic tap configuration change altered the traffic that is mirrored to the NPS appliance, and the appliance can no longer see the traffic needed for inventorying assets.
    Action Required:
      1. Ensure the correctness of the mirroring configuration on the tap. For example, check whether both Tx and Rx traffic is mirrored from the source VLANs/ports and whether any ACL is applied that filters out protocols such as HTTP, SSH, DNS, DHCP, FTP, ARP, SSDP, WSD, SNMP, SIP, mDNS, SMB, NetBIOS, Kerberos. The Passive Sensor deployment guide contains mirroring configurations that can be used for reference. Refer to the Network Passive Sensor Deployment Guide.
      2. Verify that there are no connectivity issues in the physical cable or in the ERSPAN configuration and that the NPS appliance is receiving all mirrored traffic containing the relevant protocols on the sniffing interface.
      3. Check that the NPS appliance internal asset configuration matches the mirrored traffic fed to the appliance.
  4. Click Save.

    Once you add the recipients, they receive the events in their email inbox.

Exclusion

You can configure hostnames that need to be excluded while merging unmanaged assets or merging unmanaged assets into managed assets.

The hostnames provided here are case-insensitive. When a new hostname is added to the exclusion list, first purge the asset created for that hostname. Refer to the following screenshot for configuring excluded hostnames.

Contact Qualys Customer Support to get them deleted to avoid deduplication in the future.

Limitation of IPv6 Address Configuration

The following are the limitations:

  • Internal asset groups with IPv6 cannot be deleted.
  • It is not possible to purge the sensor containing IPv6 addresses in the internal asset group. However, if the customer wants to purge the sensor, they can do so by updating the IPv6 address to any temporary placeholder IPv4 address.
    Note that this purge operation will only result in deletion of IPv4 assets present in the internal asset group and IPv6 assets will remain.
  • It is not possible to exclude assets with IPv6 addresses.