Whitelisting for Qualys Vulnerability Scanning Services

This information is intended for clients who are receiving a Qualys-based Vulnerability Assessment (VA), Enhanced Vulnerability Assessment (EVA), or Comprehensive Network Vulnerability Assessment (CNVA). If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Qualys External Vulnerability Scanner & Analyst Manual External Testing Whitelisting

During the defined Vulnerability Assessment, the external scanners (and the analyst, in the case of an EVA or CNVA) probe discovered services at a high rate. An IPS may treat this as an attack and temporarily block or permanently blacklist the source IP address, after which any service behind that IPS can no longer be scanned and vulnerabilities on it go unreported. TraceSecurity therefore recommends whitelisting the source IP addresses below in any deployed intrusion prevention system before external vulnerability scanning (and manual external testing, in the case of an EVA or CNVA) begins.

The Qualys External Scanners' traffic will originate from one of the following IPs:

139.87.104.123
139.87.117.66
64.39.96.0/20 (64.39.96.1-64.39.111.254)
139.87.112.0/23 (139.87.112.1-139.87.113.254)
139.87.116.188

For EVA and CNVA services, manual external testing by the analyst will originate from one of the following IPs:

174.69.226.251
174.69.226.254
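One way to confirm the whitelisting held during the assessment window is to run the IPS or firewall block log against the source list above. The script below is an added example, not TraceSecurity or Qualys code: the addresses are the ones quoted in this article, but the log line format is a constructed placeholder (no real IPS product writes exactly this), so LOG_RE must be adapted to your device's export. Every hit it reports is a scanner or analyst source that was blocked, i.e. a gap in the whitelisting.

```python
"""Check IPS/firewall block events against the scanner source list on this page.

Added example (not TraceSecurity or Qualys code). The addresses are the ones
quoted in this article; the log format is a constructed placeholder, not any
real IPS product's syslog format, so adapt LOG_RE to your own device.
"""
import ipaddress
import re

# Qualys external scanner sources from this page (single IPs become /32 networks).
EXTERNAL_SCANNER_SOURCES = [
    "139.87.104.123",
    "139.87.117.66",
    "64.39.96.0/20",
    "139.87.112.0/23",
    "139.87.116.188",
]
# Analyst sources for manual external testing (EVA/CNVA only).
ANALYST_SOURCES = ["174.69.226.251", "174.69.226.254"]


def build_allowlist(entries):
    """Parse bare IPs and CIDR prefixes into ip_network objects (strict rejects host bits set)."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def usable_host_range(net):
    """First and last usable host of a prefix, as this page prints them beside each CIDR."""
    if net.prefixlen >= 31:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def is_scanner_source(ip, allowlist):
    """True if ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


# Constructed log format: "<timestamp> action=<block|allow> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def blocked_scanner_events(lines, allowlist):
    """Return (src, dst, dport) for every block event whose source is a whitelisted scanner."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["action"] == "block" and is_scanner_source(m["src"], allowlist):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2024-01-01T02:00:01Z action=block src=64.39.100.17 dst=203.0.113.10 dport=443",    # inside 64.39.96.0/20
    "2024-01-01T02:00:02Z action=allow src=139.87.112.40 dst=203.0.113.10 dport=22",    # allowed, no hit
    "2024-01-01T02:00:03Z action=block src=198.51.100.7 dst=203.0.113.10 dport=445",    # not a scanner
    "2024-01-01T02:00:04Z action=block src=174.69.226.251 dst=203.0.113.11 dport=8080", # analyst source
    "2024-01-01T02:00:05Z action=block src=139.87.111.5 dst=203.0.113.11 dport=443",    # just outside 139.87.112.0/23
]

ALL_SOURCES = build_allowlist(EXTERNAL_SCANNER_SOURCES + ANALYST_SOURCES)

if __name__ == "__main__":
    for net in ALL_SOURCES:
        print(net, usable_host_range(net))
    for hit in blocked_scanner_events(SAMPLE_LOG, ALL_SOURCES):
        print("scanner blocked:", hit)
```

Note the last sample line: 139.87.111.5 is one network below 139.87.112.0/23 and is correctly left out, which is the kind of near-miss that a hand-typed exclusion rule tends to get wrong. usable_host_range reproduces the host ranges printed in parentheses above, so it also catches a mistyped prefix length.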


Qualys Internal Virtual Scanner Appliance Whitelisting

ACCESS TO REQUIRED EXTERNAL RESOURCES

In order to function, the scanner must have outbound access to the following external resources:

162.159.152.21 and 162.159.153.243 (Cloudflare Dedicated IPs)
qualysguard.qg3.apps.qualys.com:443
distribution.qg3.apps.qualys.com:443
monitoring.qg3.apps.qualys.com:443
qgadmin.qg3.apps.qualys.com:443
scanservice1.qg3.apps.qualys.com:443
qualysapi.qg3.apps.qualys.com:443

  • If there is a firewall separating the scanner from the Internet, outbound TCP/443 must be allowed from the scanner to these resources, and the scanner must be able to resolve the hostnames in DNS.
  • Any device (hardware or software) that filters outbound traffic will need to allow the scanner to access these resources. Specifically, TraceSecurity has documented issues with web content filtering systems (e.g., Websense, WebTitan, Barracuda, etc.), and the scanner's traffic should be excluded from examination by those systems.
    • Why? To inspect SSL/TLS-protected sites, many web content filters terminate the connection and re-sign the server's certificate with their own certificate authority, which every client must be configured to trust. The scanner appliance does not trust that certificate authority, so its TLS handshakes to the Qualys platform fail and it cannot communicate outbound.
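The following probe, run from the scanner's own network segment, tells the three cases apart before the appliance is deployed: a plain firewall block (TCP connect fails), TLS inspection by a content filter (TCP succeeds but the presented certificate does not verify against the system trust store), and a clean path. It is an added example, not Qualys or TraceSecurity code; the hostnames are the ones listed above, and it assumes the openssl command-line tool is installed so that the issuer of an unverifiable certificate can be printed and the inspecting device identified.

```python
"""Probe the scanner's outbound path to the Qualys platform hosts on this page.

Added example (not Qualys or TraceSecurity code). Statuses:
  ok              TLS handshake verified against the system trust store
  blocked         no route, refused, timeout or DNS failure (firewall problem)
  untrusted-cert  TCP works but the certificate is not publicly trusted,
                  the signature of a TLS-inspecting content filter
  tls-error       handshake failed for another reason
Assumes the openssl CLI is present (used only to print the issuer of an
unverifiable certificate).
"""
import socket
import ssl
import subprocess

# Hostnames listed on this page; all are reached over TCP/443.
QUALYS_HOSTS = [
    "qualysguard.qg3.apps.qualys.com",
    "distribution.qg3.apps.qualys.com",
    "monitoring.qg3.apps.qualys.com",
    "qgadmin.qg3.apps.qualys.com",
    "scanservice1.qg3.apps.qualys.com",
    "qualysapi.qg3.apps.qualys.com",
]


def parse_multiline_name(text):
    """Parse `openssl x509 -noout -issuer -nameopt sep_multiline` output
    ("issuer=" followed by one indented "TYPE=value" line per attribute) into a dict.
    The per-line form is used so commas inside values cannot confuse the parser."""
    fields = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def issuer_of(der_cert):
    """Ask the openssl CLI who signed a certificate the stdlib refused to verify."""
    pem = ssl.DER_cert_to_PEM_cert(der_cert)
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-issuer", "-nameopt", "sep_multiline"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    return parse_multiline_name(out)


def probe(host, port=443, timeout=5):
    """Connect with full verification first; only on a verification failure
    reconnect unverified, purely to read the issuer. Never reuse that connection."""
    verifying = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with verifying.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(pair for rdn in tls.getpeercert()["issuer"] for pair in rdn)
                return {"host": host, "status": "ok", "issuer": issuer}
    except ssl.SSLCertVerificationError as exc:
        verify_error = str(exc)
    except ssl.SSLError as exc:
        return {"host": host, "status": "tls-error", "error": str(exc)}
    except OSError as exc:
        # DNS failure, refused, unreachable or timeout: a routing/firewall block, not TLS.
        return {"host": host, "status": "blocked", "error": str(exc)}

    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host) as tls:
                issuer = issuer_of(tls.getpeercert(binary_form=True))
    except (OSError, subprocess.CalledProcessError) as exc:
        issuer = {"error": str(exc)}
    return {"host": host, "status": "untrusted-cert", "error": verify_error, "issuer": issuer}


def summarise(results):
    """Group probe results by status so the output reads as a whitelisting checklist."""
    report = {}
    for r in results:
        report.setdefault(r["status"], []).append(r["host"])
    return report


if __name__ == "__main__":
    results = [probe(h) for h in QUALYS_HOSTS]
    for r in results:
        print(r)
    print(summarise(results))
```

Any host reported as untrusted-cert with an issuer naming your content filter (or an internal CA) confirms the interception described above; the fix is to exempt the scanner's IP from inspection, not to install the filter's certificate on the appliance.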

ACCESS TO INTERNAL TARGETS

In addition to allowing the internal scanner to access the necessary external resources, the internal scanner's IP address may also need to be whitelisted in any security solutions in place on your internal network and/or target devices. This will ensure the scanner is able to route to and scan all ports on all target IP addresses throughout all intended subnets unimpeded.

  • Antivirus/Endpoint Protection/EDR Software

    • Ensure the IP address of the internal scanner is whitelisted in all areas of any endpoint antivirus/endpoint protection/EDR software in use.
      • Why? Many of these solutions will see the scanning traffic to the target devices as malicious and block traffic from the scanning appliance, resulting in limited or no results and an incomplete picture of vulnerabilities in the network.
  • Intrusion Detection/Intrusion Prevention Systems

    • Any intrusion prevention or detection systems in place should be configured to ignore the scanner.
      • Why? The scanning traffic will trigger most IDS/IPS systems as the traffic is suspicious to these devices. In this case, the IDS/IPS may block all traffic from the scanner and prevent full scanning of targets.
  • Firewalls and Proxy Services

    • Firewalls should be configured to allow the scanner to route to all target IPs unimpeded and to scan all ports on all target IPs throughout the intended subnets. Any proxy services, especially transparent proxies, should be configured to bypass the scanner's traffic rather than intercept it.
      • Why? Misconfigured proxy services and firewalls, most often transparent proxies, interfere with scanning by answering on behalf of inactive IPs. The scanner then records hosts and open ports that do not exist, cluttering the results with invalid information, and the extra responses slow scans by an order of magnitude.

CSO Internal Virtual Scanner Appliance Whitelisting (EVA and CNVA Services Only)

For EVA and CNVA services, manual internal testing will require an additional virtual scanner appliance for which different whitelisting will need to be implemented. If your organization is contracted for an EVA or CNVA, please also review Whitelisting Information for TraceCSO Internal Penetration Testing Services for the applicable whitelisting information.

This information will need to be supplied to whomever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them. For any questions or concerns relating to this information, you or they may reach out to TraceSecurity Support at tracesupport@tracesecurity.com.