Get Started with Qualys Gateway Service

Qualys Gateway Service (QGS) is a packaged virtual appliance developed by Qualys that provides proxy services for Qualys Cloud Agent deployments that require proxy connectivity to connect agents to the Qualys Cloud Platforms.

Qualys Gateway Service is managed using a new module user interface on the Qualys platform. From this interface, one can create, register, monitor, and manage QGS virtual appliance deployments.

The QGS virtual appliance is separate and different from the virtual scanner appliance that is used for Vulnerability Management and Policy Compliance scanning. The QGS virtual appliance provides caching and proxy services for Cloud Agent deployments. It also provides proxy services for Qualys Scanner and Qualys Network Passive Sensor.

The QGS virtual appliance provides proxy services for Cloud Agent deployments, Qualys Scanner, and Qualys Network Passive Sensor and caching service for Cloud Agent deployments.

The following features and capabilities are available in QGS virtual appliance:

• A virtual appliance image downloaded, registered, and managed from the Qualys platform user interface using the QGS module.
• Support for any Cloud Agent version that supports HTTP/HTTPS proxy (all agents since 2016).
• Explicit forward proxy.
• SSL/TLS pass-through bypass.
• Can be deployed in High-Availability failover using external 3rd party load balancers.
• Connection Security – the QGS proxy only provides connections to the Qualys platform from where it is registered. It is not possible to use QGS to proxy connections to any other destination.
• Shared Platform support (Private Cloud Platforms require coordination with Qualys Operations).
• Enabling Allowed Domains: We have added an option which helps you to allow traffic for required domains.
  • Default Domains Allowed: qualys.eu, qualys.ca, qualys.com, qualys.in

Supported Cloud Virtualization Platforms

Cloud Provider	GovCloud	Documentation
Amazon Web Services	Yes	Amazon Web Services Deployment Guide
Microsoft Azure	Yes	Microsoft Azure Deployment Guide
Google Cloud Platform	No	Google Cloud Platform Deployment Guide

Virtualization Server Requirements and Virtual Machine File Formats

Virtual Server	Supported Versions	File Format	Documentation
VMware vSphere/ESXi	5.5 and later	VMDK, OVA, OVF	Virtual Appliance Local Configuration
Microsoft Hyper-V	Windows Server 2012 and later	VHD	Microsoft HyperV Deployment Guide
OpenStack Hypervisor	2024.2 (Dalmation) or later	VHD	OpenStack Deployment Guide
Nutanix Hypervisor	AHVVERSION NUTANIX 20170830.453 and later	VHD	Nutanix Hypervisor Deployment Guide

Virtual Machine Configuration

• 4 vCPUs.
• 16 GB RAM minimum.
• 40 GB Disk minimum (For QGS primary disk only).
  • For Patch Mode, a second disk of 150GB minimum is required.
• One network adapter.
  • IP address configured with a Default gateway.
  • QGS Proxy listening port for Cloud Agents: 1080 (can be changed).
  • QGS Cache listening port for Cloud Agent: 8080 (can be changed).
• Available support to connect QGS to upstream proxy server, if required.
  • IP/DNS name and port of upstream proxy.
  • Optional username/password proxy credentials.
  • Support for upstream proxy domain-based filtering.
  • This is a method for adding the static host to IP mapping to the QGS appliance. Similar to an entry in the/etc/hosts file, this is a way to add a FQDN<-->IP mapping to the QGS service.
• QGS caching limit is dynamic. The caching limit is based on the RAM assigned to QGS. Caching consumes 40% of the total allocated RAM.

  Taking snapshots of QGS instances is permitted, but creating new instances from these snapshots is strictly prohibited. Attempting to do so results in a non-functional instance with lost configuration settings and platform registration information. Snapshots should be used solely for backup purposes, not for instance replication.

Cloud agents on Windows Server 2008 Standard R1 may face connectivity issues. This is because TLS1.0 is not supported with the upgraded OpenSSL library. Connect with the Qualys Support team in case of connectivity issues with Windows Server 2008 Standard R1 cloud agents.

The QGS installable may occupy lesser space than the minimum space requirements. However, we recommend that the VM must meet the minimal requirements of 40 GB of disk space and 16 GB RAM.

Network Configuration

QGS requires connectivity to five URLs on the Qualys Platform for full functionality. The appropriate network routing, firewall rules, and upstream proxy configurations (if used) must be configured correctly to allow QGS to connect to these URLs.

• One URL is for Cloud Agents to connect through QGS to the Qualys Platform.
• Three URLs are for QGS to connect to Qualys Platform for management functions.
• One URL is for operating system updates as this appliance is based on Flatcar Linux.
• For any Windows Cloud Agents where falling back to a direct connection to the platform is required, those Cloud Agents require the relevant qagpublic URL to be enabled in a separate firewall rule.
• The Content Delivery Network URLs (cask urls) are necessary for SwCA functionality of cloud agents connecting to the Qualys Cloud Platform using QGS.