Understand Cache Mode and Patch Mode
Cache Mode is an optional feature used to optimize the download network bandwidth used by Cloud Agents whereby the QGS appliance caches downloaded Cloud Agent artifacts (installers for platform-initiated upgrades and manifest files).
Files downloaded by the first-connecting agent are cached on the QGS appliance and served to any subsequently configured agents that request the same content. This saves Internet download bandwidth between the Qualys cloud platform and the on-premises network, because only one copy of each unique file is downloaded. For environments with a large number of Cloud Agents deployed, this can save a significant amount of download bandwidth.
| File Type | Interval | Number of Agents | Bandwidth without Caching | Bandwidth with Caching |
|---|---|---|---|---|
| VM Manifest | Daily | 1,000 | 2 GB | 2 MB |
| VM Manifest | Daily | 5,000 | 10 GB | 2 MB |
| VM Manifest | Daily | 10,000 | 20 GB | 2 MB |
| VM Manifest | Daily | 25,000 | 50 GB | 2 MB |
Patch Mode extends the caching capability to patch files for Cloud Agents activated with the Qualys Patch Management application. Just as Cache Mode caches downloaded Cloud Agent artifacts on the gateway appliance, Patch Mode caches the patch files downloaded by the first requesting Cloud Agent and serves them locally to subsequent download requests. Patch Mode uses the same port and connection as Cache Mode.
When Patch Mode is enabled, the default Connection Security setting that only allows outbound connections from the gateway appliance to Qualys platform domains is disabled. Cloud Agents with the Patch Management application need to download patch files from the software vendor's website, so the gateway appliance allows connections to any Internet resource. When allowing QGS to communicate with third-party vendor patch repositories, these connections must also be allowed through customer firewalls. For more details, refer to the "URLs to be added to the Allowlist for Patch Download" section of the Patch Management Getting Started Guide.
In Patch Mode, Connection Security is configured to only allow client connections from Cloud Agent clients as an additional protection method.
Cache Mode and Patch Mode are not enabled by default. Additional configuration is required to enable artifact caching and patch file caching, both on the gateway appliance itself (using the QGS module UI) and on the host that runs the Cloud Agent.
QGS Appliance Cache and Patch Mode Configuration
To enable Cache Mode or Patch Cache Mode on an existing QGS appliance:
- For a specific appliance, use the Quick Action menu to select Configuration (hover over the appliance name in the appliance list until the Quick Action menu appears).
- Click Next through the menu until you reach Caching Modes.
- To enable Cache Mode, toggle the On/Off slider to On.
- The default cache port is 8080. You may accept it or change the cache port to any allowable port number.
  Valid port values are 1 – 65535 (integers only), excluding 22, 23, 2379, 2380, 4001, 5514, 7001, 48081, 48082, 48083, 48084, 48085, 48086.
- To enable Allowed Domains, toggle the On/Off slider to On.
  Allowed Domains: This option allows traffic to external domains while operating in Cache Mode. By default, only Qualys domain URLs are accessible. With this feature, you can manually add domain names so that QGS can reach the required external domains.
  This toggle only allows access to external domain resources; it does not cache the artifacts fetched from them.
  Default Domains Allowed: qualys.eu, qualys.ca, qualys.com, qualys.in
  When adding domains in the Allowed Domains section, do not add a prefix such as http(s):// or www. For instance, to allow traffic to Microsoft, enter only microsoft.com, not https://www.microsoft.com.
- To enable Patch Mode, toggle the On/Off slider to On.
  A second disk with the required minimum free disk space must be attached to the virtual appliance first. Patch Mode cannot be enabled if the disk is not attached.
  A third hard disk is not supported and is not recognized by the CAMS/QGS appliance for Patch Mode. We recommend using only one extra hard disk of 150 GB or more for Patch Mode.
- Click Next through the menu until you reach TLS Protocols.
- Select the minimum TLS protocol version allowed for agent connections. To support older operating systems that only support earlier TLS versions, select TLS 1.0 as the minimum protocol version. (The default setting is TLS 1.2 and higher.)
Note: To enable Patch Mode, a second virtual disk drive with a minimum capacity of 150 GB must be added to the virtual appliance before the mode is enabled.
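The Caching Modes settings above carry several constraints that are easy to get wrong in the UI: the reserved port list, the bare-domain rule for Allowed Domains, the second-disk requirement for Patch Mode, and the minimum TLS version. The following Python pre-flight checker is an added example, not Qualys code and not a QGS API; it takes a plain dictionary whose keys (`cache_mode`, `cache_port`, `allowed_domains_enabled`, `allowed_domains`, `patch_mode`, `second_disk_gb`, `third_disk_gb`, `min_tls_version`) are assumed names that mirror the UI fields, and reports errors and warnings before an operator applies the configuration. The reserved ports, default domains and 150 GB minimum come from the guide; the TLS version ordering is an assumption.

```python
"""Pre-flight checks for a QGS Caching Modes configuration.

Added example (hypothetical helper, not Qualys code). Constants marked
"from the guide" are taken from the documentation text; everything else
is an assumption made for this example.
"""
import re

# Ports the guide lists as not allowed for the cache port (from the guide).
RESERVED_PORTS = {22, 23, 2379, 2380, 4001, 5514, 7001,
                  48081, 48082, 48083, 48084, 48085, 48086}
DEFAULT_CACHE_PORT = 8080                      # from the guide
DEFAULT_ALLOWED_DOMAINS = ("qualys.eu", "qualys.ca", "qualys.com", "qualys.in")  # from the guide
MIN_PATCH_DISK_GB = 150                        # from the guide
# Ordered list of TLS versions; the guide only names TLS 1.0 and TLS 1.2 (assumption).
TLS_VERSIONS = ("TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
DEFAULT_MIN_TLS = "TLS 1.2"                    # from the guide

# Bare registrable host name: labels of letters/digits/hyphens plus an alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def cache_port_error(port):
    """Return None if `port` is an allowed cache port, else an error message."""
    if isinstance(port, bool) or not isinstance(port, int):
        return "cache port must be an integer"
    if not 1 <= port <= 65535:
        return f"cache port {port} is outside 1-65535"
    if port in RESERVED_PORTS:
        return f"cache port {port} is reserved on the appliance"
    return None


def normalize_allowed_domain(entry):
    """Reduce an Allowed Domains entry to the bare domain the UI expects.

    Strips a scheme, a leading 'www.', and any path or port, so that
    'https://www.microsoft.com/download' becomes 'microsoft.com'.
    Raises ValueError if what remains is not a valid domain name.
    """
    value = entry.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)   # drop scheme
    value = value.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    if value.startswith("www."):
        value = value[4:]
    if not _HOSTNAME_RE.match(value):
        raise ValueError(f"{entry!r} is not a valid domain name")
    return value


def check_caching_config(cfg):
    """Validate a Caching Modes configuration dictionary (keys are assumed names).

    Returns {"ok": bool, "errors": [...], "warnings": [...], "config": normalized}.
    """
    errors, warnings = [], []
    normalized = dict(cfg)

    if cfg.get("cache_mode"):
        port = cfg.get("cache_port", DEFAULT_CACHE_PORT)
        err = cache_port_error(port)
        if err:
            errors.append(err)
        normalized["cache_port"] = port

    if cfg.get("allowed_domains_enabled"):
        domains = list(DEFAULT_ALLOWED_DOMAINS)   # Qualys domains are always allowed
        for entry in cfg.get("allowed_domains", []):
            try:
                domain = normalize_allowed_domain(entry)
            except ValueError as exc:
                errors.append(str(exc))
                continue
            if domain != entry.strip().lower():
                warnings.append(f"allowed domain {entry!r} should be entered as {domain!r}")
            if domain not in domains:
                domains.append(domain)
        normalized["allowed_domains"] = domains

    if cfg.get("patch_mode"):
        disk = cfg.get("second_disk_gb")
        if disk is None:
            errors.append("Patch Mode requires a second disk to be attached first")
        elif disk < MIN_PATCH_DISK_GB:
            errors.append(f"second disk is {disk} GB; Patch Mode needs at least {MIN_PATCH_DISK_GB} GB")
        if cfg.get("third_disk_gb"):
            warnings.append("a third disk is not recognized; use a single extra disk of 150 GB or more")
        # Patch Mode lifts the Qualys-only outbound restriction on the appliance.
        warnings.append("Patch Mode allows outbound connections to vendor patch repositories; "
                        "allow them through the customer firewall")

    tls = cfg.get("min_tls_version", DEFAULT_MIN_TLS)
    if tls not in TLS_VERSIONS:
        errors.append(f"unknown minimum TLS version {tls!r}")
    elif TLS_VERSIONS.index(tls) < TLS_VERSIONS.index(DEFAULT_MIN_TLS):
        warnings.append(f"minimum TLS version {tls} is below the default {DEFAULT_MIN_TLS}; "
                        "keep it only while legacy agents require it")
    normalized["min_tls_version"] = tls

    return {"ok": not errors, "errors": errors, "warnings": warnings, "config": normalized}


if __name__ == "__main__":
    # Constructed sample configuration mirroring the steps in the guide.
    sample = {"cache_mode": True, "cache_port": 8080,
              "allowed_domains_enabled": True, "allowed_domains": ["https://www.microsoft.com"],
              "patch_mode": True, "second_disk_gb": 200, "min_tls_version": "TLS 1.0"}
    for line in check_caching_config(sample)["errors"] + check_caching_config(sample)["warnings"]:
        print(line)
```

Run it against the configuration you intend to enter in the QGS UI; errors correspond to settings the UI or appliance will reject (a reserved port, a missing or undersized second disk), while warnings flag entries that will work but deserve attention, such as a domain typed with a scheme prefix, a TLS floor below the default, or the firewall allowlisting that Patch Mode requires.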