Configuration in Alibaba Cloud 

Qualys virtual scanners can be launched from the Alibaba Cloud Marketplace or from a custom image that has been shared with your account.

 Use only the Virtual Scanner Appliance for Alibaba images available in the Alibaba Cloud Marketplace or a shared image provided by Qualys. Images downloaded from the Qualys Cloud platform are not recommended for use on Alibaba Cloud.

Deploy the Qualys Virtual Scanner Appliance

  1. To launch an instance from the Alibaba Cloud Marketplace, go to the Qualys Virtual Scanner Appliance page in the Alibaba Marketplace.

  2. Log in to your Alibaba Cloud account, and click Choose Your Plan.


Launch a Custom Image from the Alibaba Cloud Console

To launch from a custom image that has been shared with your Alibaba account:

  1. Log in to your Alibaba Cloud account.
  2. Go to Elastic Compute Service > Instances & Images > Images > Share Image.
  3. Enter ‘qVSA’ in the search box to view all Qualys Virtual Scanner images shared with your account.
  4. Select an image and click Create Instance. 

  5. Use the wizard to enter the instance settings.
    • Region - Select the region in which the scan targets reside, so that the scanner instance is in the same region as its targets.

    • Instance type - Select an instance type that does not exceed 16GB of RAM and 16 CPU Cores.

    • Instance Name - Specify a distinctive name for the scanner.

    • Logon Credentials - The Qualys Virtual Scanner Appliance is a locked appliance; login access is disabled. Choose the ‘Inherit Password from Image’ option.

  6. Under System Configurations, select Advanced (based on instance RAM roles or cloud-init) from the drop-down.
    • Instance Metadata Access Mode: Qualys now supports 'Server Hardening Mode (IMDSv2)'. 

    • Normal Mode (Compatible with Security Hardening Mode): This is the default mode. After the instance is created, you can view its metadata in normal mode or in security hardening mode.

    • Security Hardening Mode: After the instance is created, you can view its metadata only in security hardening mode.

    • User data - Use this field to specify the 14-digit Personalization code and Proxy (if required), in the following format:

    Example:

    PERSCODE=123456789101234
    PROXY_URL=username:password@proxyhost:port

    Proxy formatting
    If you have a domain user, the format is: domain\username:password@proxyhost:port
    If authentication is not used, the format is: proxyhost:port
    where 'proxyhost' is the IP address or the FQDN of the proxy server and 'port' is the proxy port.

    Examples:
    jdoe:abc12345@192.168.1.5:443
    jdoe:abc12345@proxy.examplehost.com:443

    User data settings cannot be updated while the instance is in Running status. To alter the PERSCODE and/or PROXY_URL, stop the instance, update the user data settings, and start the instance again.

    The default storage size can be increased based on your requirements.


    Upon deployment, the appliance connects with the Qualys Cloud Platform to complete registration and download the latest software and vulnerability signatures.
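A pre-launch check for the User data field described in step 6, given here as an added example (not Qualys code). The function name `check_user_data` and the strict one-setting-per-line parsing are assumptions; the PERSCODE and PROXY_URL formats are the ones stated above.

```python
import re

# Formats as stated on the page: PERSCODE is a 14-digit code; PROXY_URL is
# [domain\]username:password@proxyhost:port, or proxyhost:port without auth.
# Assumption: one KEY=value per line, no spaces around "=" (strict on purpose).
PERSCODE_RE = re.compile(r"[0-9]{14}")
PROXY_RE = re.compile(
    r"(?:(?P<user>[^:@\s]+):(?P<password>[^@\s]+)@)?"
    r"(?P<host>[A-Za-z0-9.-]+):(?P<port>[0-9]{1,5})"
)

def check_user_data(text):
    """Return (errors, warnings) for an instance user-data block."""
    settings, errors, warnings = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in ("PERSCODE", "PROXY_URL"):
            errors.append(f"line {n}: expected PERSCODE=... or PROXY_URL=...")
        elif key in settings:
            errors.append(f"line {n}: duplicate {key}")
        else:
            settings[key] = value
    if "PERSCODE" not in settings:
        errors.append("PERSCODE is missing")
    elif not PERSCODE_RE.fullmatch(settings["PERSCODE"]):
        errors.append("PERSCODE must be exactly 14 digits")
    if "PROXY_URL" in settings:
        m = PROXY_RE.fullmatch(settings["PROXY_URL"])
        if m is None:
            errors.append("PROXY_URL must be [user:password@]proxyhost:port")
        elif not 1 <= int(m["port"]) <= 65535:
            errors.append("PROXY_URL port must be 1-65535")
        elif m["password"]:
            # Surface embedded credentials so they are handled as a secret.
            warnings.append("PROXY_URL carries a plain-text proxy password")
    return errors, warnings

# Constructed sample input (not a real personalization code or proxy).
SAMPLE = "PERSCODE=12345678901234\nPROXY_URL=corp\\jdoe:abc12345@proxy.examplehost.com:443\n"

if __name__ == "__main__":
    errs, warns = check_user_data(SAMPLE)
    for msg in errs + warns:
        print(msg)
    raise SystemExit(1 if errs else 0)
```

Because user data cannot be changed while the instance is running, catching a malformed value before launch avoids a stop, edit, and start cycle.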

Configuring Security Groups for your Virtual Scanner Appliance

  • If the scanner has direct internet connectivity, ensure an outbound rule is created to allow port 443 to connect to the Qualys Security Operations Center (SOC) IP address range. To look up the SOC IP address range, log in to the Qualys Cloud Platform and navigate to Help > About.
  • Make sure to create an outbound rule allowing communication with a proxy server on port 443 and the port used for proxy communication.
  • The scanner must have network connectivity to the target instances for scanning. It is recommended to configure an outbound rule that allows access to all ports and subnets of the target instances.

Next Step

Step 3: Deploying Virtual Scanner in Alibaba Cloud Infrastructure with CLI