Manage Your IPs (Host Assets)


Note: If Asset Group Management Service (AGMS) is enabled for your subscription, you will see the Address Management tab instead of Host Assets. To understand the changes that happen when AGMS is enabled for your subscription, refer to Introducing AGMS.

What are host assets?

Host assets are the IP addresses in your account. Host assets may be used as scan, map and report targets. You can view the hosts in your account by going to Assets > Host Assets. Then add new hosts using the New menu. You can only perform actions like scanning, mapping and reporting on the hosts in your account.

How do I add IPs?

Go to Assets > Host Assets. From the New menu, select IP Tracked Hosts, DNS Tracked Hosts or NetBIOS Tracked Hosts. The tracking method you choose will be assigned to all of the hosts being added. Review the number of hosts you can add, enter the new IPs/ranges, and click Add.

Which users have permission to add IPs?

Managers always have permissions to add IPs. When Managers add IPs, they are automatically added at the subscription level where other Managers can view and take actions on them.

Unit Managers have permissions to add IPs when granted the "Add assets" permission (user account setting).

Your subscription may be configured to allow the "Add assets" permission to be granted to Scanners, giving them the ability to add IPs. Scanners in Consultant subscriptions may be granted this permission.

Can I have different IPs for VM and PC?

Yes. You can have a completely separate set of IP addresses for VM and PC. Go to the VM application to manage IP addresses in the VM license. Go to the PC application to manage IP addresses in the PC license. Hosts added to PC are available for all compliance tasks including SCAP tasks when this application is also enabled for the subscription.

Note that asset groups are shared across applications. Only the appropriate IPs will be included in tasks. For example, if you launch a vulnerability scan on an asset group, only the IP addresses in the group that are part of the VM license will be scanned. The same is true for PC. Let’s say you run a policy compliance report on an asset group. Only the IP addresses in the group that are also in the PC license will be included in the report.

Can I add IPs to VM and PC at the same time?

If VM and PC are both enabled for the subscription and you have access to both modules, then you'll see a shortcut for adding hosts to both modules in one step. If you're adding new hosts from the VM module, choose the option "Add to Policy Compliance Module" to also add the hosts to PC. If you're adding new hosts from the PC module, then choose the option "Add to VM Module" to also add the hosts to VM.

How do I purchase more IPs/licenses?

Please reach out to your Technical Account Manager to purchase additional IPs/licenses.

How do I add IPs for VMDR OT Device scan?

You can follow the same procedure to add IPs with one additional setting for VMDR OT application. Select the Add to VMDR OT Module option. By selecting this option, the IPs will be reserved for VMDR OT and not combined with other modules. Review the number of hosts you can add, enter the new IPs/ranges, and click Add.

What is the tracking method?

The tracking method impacts how the hosts will be listed in scan reports (scan results are always sorted by IP address). Hosts assigned the IP address tracking method will be listed in numerical order by IP address. Hosts assigned the DNS or NetBIOS tracking method will be listed in alphabetical order by hostname.

Show me formats for entering IPs/ranges

IPs may be entered in any of the following formats:

Tell me about the host owner

The owner assumes responsibility for the host. When creating remediation policies and manual tickets, users have the option to automatically assign tickets to the owner.

Tell me about host attributes

You can assign certain host attributes, including tracking method and owner. Select the attribute you want to define and enter a value in the field provided or select from the available drop-down menu. Your selection will apply to all hosts included in the action. (Important: If you are a Unit Manager, the hosts you're adding may already be in the subscription. If you define host attributes at this time, then your values will override any previously set values.)

Besides tracking method and owner, you'll see three additional attribute fields. Initially these are Location, Function and Asset Tag but these labels may have been customized for your subscription. Managers can change the attribute names by going to Assets > Setup > Host Attributes.

Adding assets to business unit

When setting up business units be sure to assign at least one asset group with host assets. If you only assign empty asset groups then the business unit won’t have assets assigned and users in the business unit will not be able to scan or report on any assets.

Notes for Unit Managers adding hosts

If you are a Unit Manager adding hosts, please note the following:

1) Permission to add hosts: You need the "Add assets" permission. You also need permission to each application you want to add hosts to (VM and/or PC).

2) Add hosts to an asset group: You must add the new IPs to an asset group assigned to your business unit. Select Add To on the left side, and then choose an asset group from the Assigned Groups menu. Once added, new IPs are available in your business unit. New IPs are also available to Managers for inclusion in other business units and asset groups.

3) Overwriting host attributes: Keep in mind that the hosts you're adding may already be in the subscription (even though you don't see them in your business unit). If you define host attributes, then your values will overwrite any previously set values for the hosts.

How to remove host IPs (accounts without Cloud Agent app)

(Manager Only) Use our Remove IPs wizard (go to Assets > Host Assets > Actions > Remove IPs). You can choose which apps you want to remove the IPs from. This option is only available in subscriptions that do NOT have Cloud Agent (CA) enabled.

Once IPs have been removed...
- They are no longer available for scanning and reporting
- Host-based scan data will be permanently removed; this is not recoverable.

Note: If you remove an IP that is part of an ongoing scan, the IP may get partially removed and the asset may still appear at different places, such as in the asset search report. To remove the IP completely, you can either re-add the IP to the subscription and then remove it, or contact Qualys support.

How to remove host IPs (accounts with Cloud Agent app)

Go to the Cloud Agent (CA) app and uninstall the agents associated with the hosts you want to remove. We will then purge the hosts and remove them from VM, SCA, PC. When Cloud Agent (CA) is enabled for your subscription, you do not have the option to remove hosts from only the VM, SCA or PC app.

How to remove host IPs (accounts with VMDR OT app)

Go to Assets > Host Assets > Remove IPs from VMDR OT.

Note: Once IPs are removed, they will no longer be available for scanning and reporting.

What does it mean to purge a host?

When you purge a host you permanently remove saved security data (like vulnerability data, compliance data) and scan history. It's best practice to purge a host when the host is being decommissioned or used in a completely new role - new operating system, new applications, new purpose. This ensures that security data collected from previous scans of the host does not affect reporting moving forward. Our service cannot infer from scanning whether a host is decommissioned, firewalled, temporarily out of service, reappropriated, etc. For that it needs insider information.

Note: For the tracking method EC2, if IP addresses are added to the VM when the purge event is performed, IP addresses will also be removed from the VM. For the tracking method EC2 and IP, if IP addresses are added to the VM when the purge event is performed, IP addresses will not be removed from the VM since hosts are different.

How to purge a single host

Go to Assets > Host Assets and select the Info icon for the host you're interested in. In the Host Information page, click the Purge button and follow the prompts to confirm. The host will be marked for purging. Until the purge operation completes, security data will remain in your account.

Not seeing the Purge button? The Purge button will only appear when the selected IP is in the current module and has been scanned. For example, if an IP is in PC but not in VM/VMDR, then you will see the Purge button when you view Host Information from PC, but you will not see it when you view Host Information from VM/VMDR. Similarly, if the IP is only in VM/VMDR and not in PC, then you'll see the Purge button in VM/VMDR but you won't see it in PC. Now let's say the IP is in both PC and VM/VMDR but it has never been scanned. In this case, the Purge button will not appear in PC or VM/VMDR.

How to purge multiple hosts in bulk

You can choose the hosts you want to purge from various reports, including Map Report, Asset Search Report and Risk Analysis Report. For example, run an Asset Search Report by going to Assets > Asset Search. Provide a search target, select host attributes and click Search. In the Results section of your report, select the hosts you want to purge. Then go to the top of your report and choose Purge from the Actions menu and click Apply.

The Purge Host Information page appears with a Warning that once a host has been purged the action cannot be undone. Carefully review the list of hosts to be purged and the type of host data that will be deleted from the subscription. Click Purge to continue. You will be asked again to confirm the action. Upon doing so, the hosts will be marked for purging. Until the purge operation completes, host information will remain in your account.

Tell me about the types of information purged

Purging hosts does not delete scan results. You can still report on scan results by running scan reports with scan based findings.

Purging does delete vulnerability and compliance data collected from your scans. For this reason certain vulnerability reports and all compliance reports will not show security information for these hosts after you've purged them.

Vulnerability data deleted

Information gathered on the host such as its hostname and OS, vulnerability history, remediation tickets for the host, and comments added to the host.

Compliance data deleted

Authentication status for the host, pass/fail status for controls on the host, all exceptions (approved, rejected and pending) along with the exceptions history and comments. If you have the SCAP application, then this SCAP compliance data is also deleted: authentication status for the host and pass/fail status for rules on the host.


How to purge compliance data for inactive instances

A single asset can have multiple technology instances. You may choose to purge compliance data for only the instances that are no longer active, and keep compliance data for active instances. A Manager can enable the Inactive Instance Purge option (under PC > Scans > Setup > Inactive Instance Purge) and set a timeframe in order to automatically purge instances when they have not been evaluated within the specified timeframe. This way you won't see data in your reports for instances that are no longer active. This is especially useful when Scan by Policy is used. With Scan by Policy, we keep instance data for all previously discovered instances even if they are no longer present on the asset. (Note that we will only purge an instance if at least one instance of the same technology type was evaluated within the timeframe.)

Can I export my hosts to a CSV file?

Yes. Go to Assets > Host Assets. Select Export All from the New menu. The Comma-Separated Value (CSV) format is selected automatically. Click Download. You're prompted to open the CSV file or save it to disk. Your file is saved as IP_<login ID>_<date>.csv.

The first half of the file lists all hosts in your account and the second half of the file lists all active hosts. This data can then be imported into a third-party application, such as Excel. CSV data is encoded in UTF-8 format.

Importing the CSV data

You may need to import the CSV data into your database or spreadsheet with encoding set to UTF-8 to properly display special characters, such as Japanese and French characters. For example, to do this in Microsoft Excel, select Data > Import External Data > Import Data and then browse to your downloaded CSV file and click Open. Select the Unicode (UTF-8) file origin and then follow the prompts to complete the import process. For more information about importing CSV data, see your third-party documentation.

Can I download the list in other formats?

There is a download option for the host assets list. In fact all the data lists have a download option available. Go to New > Download and then select a file format. Your options are CSV, HTML, MHT and XML.

Can I exclude certain hosts from scans?

Yes. You have the option to exclude hosts for a specific scan or for all scans within the subscription. No scanning traffic, including ICMP, TCP and UDP probes, will be sent to excluded hosts.

How to exclude hosts per scan

When launching or scheduling your scan, enter the scan target in the Target Hosts section, and then enter the IP addresses/ranges you want to exclude in the Exclude IPs/Ranges field. This feature is supported for all IP-based scans including vulnerability scans, compliance scans and SCAP scans.

How to globally exclude hosts from all scans

There is one global excluded hosts list for the subscription. The IPs in this list will not be mapped or scanned by the service, even if specified as part of a map or scan target. To view or edit the global excluded hosts list, go to Scans > Setup > Excluded Hosts.

An excluded host appeared in map results. How come?

Excluded hosts may still appear in map results if discovered via a DNS method. If the IP belonging to a DNS server is included in the excluded hosts list and this server is used to resolve DNS names for hosts in the map target, then the service will still send normal requests to the DNS server. The server, however, will not be scanned for vulnerabilities.
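
A model of the scoping rules described above (module license filtering under "Can I have different IPs for VM and PC?" plus the per-scan and global exclusions), useful for spotting addresses in an asset group that a scan will skip. This is an added example, not Qualys code; the function names, the input syntax (single IPs, a-b ranges, CIDR blocks) and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def expand(spec):
    """Expand 'ip, ip-ip, cidr' text into a set of addresses.
    This input syntax is assumed for the example."""
    out = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in part.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {part}")
            for net in ipaddress.summarize_address_range(lo, hi):
                out.update(net)  # every address in the block
        elif "/" in part:
            out.update(ipaddress.ip_network(part, strict=False))
        else:
            out.add(ipaddress.ip_address(part))
    return out

def _fmt(addrs):
    # Sort numerically (by version, then value) and return strings
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]

def scan_scope(asset_group, module_license, scan_excludes="", global_excludes=""):
    """Split an asset group into what a scan reaches and what it skips."""
    group = expand(asset_group)
    licensed = expand(module_license)
    excluded = expand(scan_excludes) | expand(global_excludes)
    in_license = group & licensed
    return {
        "scanned": _fmt(in_license - excluded),
        "not_in_license": _fmt(group - licensed),  # in the group, but not in this module
        "excluded": _fmt(in_license & excluded),   # licensed, but on an exclude list
    }

# Constructed sample data (not from any real subscription)
SAMPLE = scan_scope(
    asset_group="10.0.0.1-10.0.0.6, 10.0.1.10",
    module_license="10.0.0.0/29",
    scan_excludes="10.0.0.3",
    global_excludes="10.0.0.5-10.0.0.6",
)

if __name__ == "__main__":
    for bucket, ips in SAMPLE.items():
        print(f"{bucket:15} {', '.join(ips) or '-'}")
```

Addresses in the `not_in_license` and `excluded` buckets are the ones to review when a report shows fewer hosts than the asset group contains.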

What are asset groups?

Asset groups are user-defined groupings of host assets (IP addresses). You can group hosts by importance, priority, location, ownership, or any other method that makes sense for your organization. When you scan an asset group, only the hosts in the group are scanned. This allows you to limit the scope of your scans to a particular group of hosts or a subsection of your network, making the scan results and remediation tasks more manageable.

What are asset tags?

Asset tagging is another method for organizing and tracking the assets in your account. You can assign tags to your host assets. Then when launching scans you can select tags associated with the hosts you want to scan. This dynamic approach is a great way to ensure you include all hosts that match certain criteria, even if your network is constantly changing as hosts are added and removed. For example, scan all Windows XP hosts or all hosts with Port 80 open. There are multiple ways to create tags, for example you can create tags from asset search (go to Assets > Asset Search) or by using the AssetView application.