Whitelisting & Authentication Information for Qualys Policy Compliance Scanning Services
This information is intended for clients who are receiving a Qualys-based Ransomware Preparedness Assessment. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.
Qualys Internal Virtual Scanner Appliance Whitelisting
ACCESS TO REQUIRED EXTERNAL RESOURCES
In order to function, the scanner must have outbound access to the following external resources:
162.159.152.21 and 162.159.153.243 (Cloudflare Dedicated IPs)
qualysguard.qg3.apps.qualys.com:443
distribution.qg3.apps.qualys.com:443
monitoring.qg3.apps.qualys.com:443
qgadmin.qg3.apps.qualys.com:443
scanservice1.qg3.apps.qualys.com:443
qualysapi.qg3.apps.qualys.com:443
- If there is a firewall separating the scanner from the Internet, outbound access must be allowed to these resources.
- Any device (hardware or software) that filters outbound traffic will need to allow the scanner to access these resources. Specifically, TraceSecurity has documented issues with web content filtering systems (e.g., Websense, WebTitan, Barracuda, etc.), and the scanner's traffic should be excluded from examination by those systems.
- Why? To perform filtering on SSL-protected sites, many web content filtering systems require each client to install a specific certificate that allows the filter to read the traffic. The scanner appliance does not have this certificate and will not be able to communicate outbound.
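The following check script is an added example, not part of TraceSecurity's or Qualys' own tooling. Run from a host on the same network segment as the scanner appliance, it attempts a TCP connection to each resource listed above and, for the hostnames, completes a TLS handshake validated against the local trust store. A TCP connection that succeeds but fails certificate validation is exactly the symptom described above: an SSL-inspecting content filter is answering with its own certificate, which the appliance does not trust. The port 443 assumed for the two Cloudflare IP addresses is an assumption (the list above gives them without a port), as is the five-second timeout.

```python
"""Outbound connectivity check for a scanner appliance's required resources.

Added example (not vendor code). For each required resource it reports whether
a TCP connection succeeds and, for hostname entries, whether the TLS certificate
validates against the local trust store. Reachable host + failed validation is
the fingerprint of an SSL-inspecting web content filter in the path.
"""
import ipaddress
import socket
import ssl

# Resources from the guidance above. Port 443 for the two IP literals is an
# assumption; the page lists them without a port.
REQUIRED_RESOURCES = [
    "162.159.152.21:443",
    "162.159.153.243:443",
    "qualysguard.qg3.apps.qualys.com:443",
    "distribution.qg3.apps.qualys.com:443",
    "monitoring.qg3.apps.qualys.com:443",
    "qgadmin.qg3.apps.qualys.com:443",
    "scanservice1.qg3.apps.qualys.com:443",
    "qualysapi.qg3.apps.qualys.com:443",
]


def parse_resource(entry):
    """Split 'host:port' into (host, port); port defaults to 443 when absent."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        return entry, 443
    return host, int(port)


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address, where no hostname check is possible."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_error(exc):
    """Map an exception raised during a probe to a short diagnosis.

    Order matters: SSLCertVerificationError and gaierror are both OSError
    subclasses, so the specific classes are tested before the generic one.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-verify-failed"      # likely SSL-inspecting filter in the path
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"
    if isinstance(exc, socket.gaierror):
        return "dns-failed"
    if isinstance(exc, OSError):        # refused, timed out, unreachable
        return "connect-failed"         # firewall or routing problem
    return "unknown"


def probe(host, port, timeout=5.0):
    """Return (status, detail) for one resource; never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if is_ip_literal(host):
                return "ok", "tcp connect succeeded (no TLS check for IP literal)"
            ctx = ssl.create_default_context()   # system trust store, hostname check on
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # issuer is a tuple of RDNs, each a tuple of (attr, value) pairs
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return "ok", "issuer=%s" % issuer.get("organizationName", "?")
    except Exception as exc:  # classify rather than abort the whole run
        return classify_error(exc), str(exc)


def check_all(resources=REQUIRED_RESOURCES, timeout=5.0):
    """Probe every resource and return {entry: (status, detail)}."""
    results = {}
    for entry in resources:
        host, port = parse_resource(entry)
        results[entry] = probe(host, port, timeout)
    return results


if __name__ == "__main__":
    for entry, (status, detail) in check_all().items():
        print(f"{status:20} {entry:45} {detail}")
```

Any line other than `ok` identifies which control is in the way: `connect-failed` or `dns-failed` points at the firewall or egress filtering, while `tls-verify-failed` points at a content filter that must exclude the scanner's traffic from inspection. The issuer organization printed on `ok` lines also makes a quiet interception visible when it names the filtering product rather than a public CA.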
ACCESS TO INTERNAL TARGETS
In addition to allowing the scanner to access the necessary external resources, the scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.
Antivirus/Endpoint Protection/EDR Software
- Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
- Why? Many of these solutions will see the scanning traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
Intrusion Detection/Intrusion Prevention Systems
- Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
- Why? The scanning traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning of targets.
Firewalls and Proxy Services
- Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout intended subnets. If there are any proxy services, they should be configured to ignore traffic from the scanner.
- Why? Misconfigured proxy services and firewalls, most often transparent proxies, can interfere with scanning by responding on behalf of inactive IPs. This clutters the scan results with invalid information while slowing scans by an order of magnitude.
AUTHENTICATION TO INTERNAL TARGETS
For this service, the scanner must also be able to authenticate to the target Windows devices. Please consult https://tracedownload.s3.amazonaws.com/Qualys/Guides/TraceInsight_Authenticated_Scanning_Guide_(Windows).pdf for detailed instructions on creating the account to be used for authentication, adding those credentials to Vuln Manager, and configuring your Windows devices for successful authenticated scanning.
This information will need to be supplied to whoever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.