Configuration of Qualys Guard Scanner Appliance

After setting up the Scanner Appliance, you can access it through the Qualys website, at The web page prompts you to specify a username and a password. When your authentication credentials are successful, the Qualys website shows all the options to manage your Scanner Appliance. Browse to Preferences > Account and click the Edit icon for your Scanner Appliance. A new browser window pops up showing the Scanner Appliance Information. Make sure that Enable NAC is checked under NAC/ NAM Access Protocol. You can close the browser window after verifying the current settings. This is shown in Figure 11-3.

NOTE You must make sure that the QualysGuard Scanner Appliance is set up for NAC. If it is not, you must contact Qualys, Inc., for a NAC subscription. You cannot create NAC-specific policies if your Scanner Appliance does not have NAC subscription from Qualys.

When you have verified that the Enable NAC option is turned on, the next step is to configure the NAC-specific policies on the Scanner Appliance. You must log into the Scanner Appliance by opening an HTTP or HTTPS session to its LAN interface's IP address. The scanner prompts for the user credentials again. After the user credentials are authenticated, you can create a new policy or use the existing default policy. If you want to create a new NAC policy, click the New Policy icon. Under Policy Title, enter the name of the NAC policy. As shown in Figure 11-4, the name of this NAC policy is NAC-Policy and is made the default NAC policy. Therefore, this policy will be analyzed when the ACS server contacts the Scanner Appliance for an audit and does not specify a policy name.

Figure 11-3 Verification of Scanner Appliance Information

Figure 11-3 Verification of Scanner Appliance Information

The QualysGuard Scanner Appliance supports two polling intervals. The preliminary polling interval instructs the CS-ACS server to check back with the Scanner Appliance after the configured interval when an initial request for an audit is submitted. The preliminary polling interval is set to 60 seconds to allow the scanner appliance to complete the scan. When the preliminary polling interval expires, the ACS server contacts the Scanner

Appliance to determine the current posture of the agentless machine. If the Scanner Appliance is not finished with the scanning process, it sends back a 30-second polling interval, which tells ACS to check back in 30 seconds to see if the posture assessment is ready. The following polling interval is set to 30 seconds so that the ACS server can have plenty of time to check back with the scanner appliance about the NAC posture-assessment result.

Figure 11-4 NAC Policy Setup on QualysGuard

Figure 11-4 NAC Policy Setup on QualysGuard

NOTE The QualysGuard Scanner Appliance usually takes between 15 and 30 seconds to complete an audit. However, scanning time can vary, depending on your implementation and configured NAC policies.

In Figure 11-4, the TCP and UDP ports are selected with the default NAC scanlist. You can view the list of all the ports by clicking the View List option. If you want to add more ports, you can specify them in the Additional option.

The QualysGuard Scanner Appliance uses the application posture token (APT) evaluation method to determine the correct posture token for the agentless machine. It maps the severity levels of different threats with the posture tokens. In Figure 11-4, if there is at least one Severity 5-level vulnerability on the agentless host, the QualysGuard Scanner Appliance assigns an Infected posture token to the host. Similarly, if there is at least one Severity 4-level vulnerability on the host, the Scanner Appliance assigns a Quarantine posture token. A Checkup posture token is assigned if at least one Severity 3-level vulnerability is determined. If there are no Severity 3, 4, or 5 vulnerabilities on the agentless host, the Scanner Appliance assigns a Healthy posture token to the agentless host. The QualysGuard scanner assigns an Unknown posture token if it fails to communicate with the agentless host.

The performance-level option is useful to specify what type of agentless hosts will be analyzed. If the network connection between the Qualys scanner and the agentless hosts is fast, use High under Performance. If the connection between the scanner and the agentless machines is slow, use Low under Performance.

After the Scanner Appliance has done a vulnerability assessment of an agentless host, it can cache the assessment results for a configured period of time. It is recommended that all posture tokens except for the Healthy token have a shorter cache time. In Figure 11-4, the cache time to live (TTL) is 5 minutes for Infected and Quarantine posture tokens and 10 minutes for Checkup and Unknown hosts. For the Healthy posture token, the cache TTL is 1 hour so that the hosts do not have to go through the posture-validation process every time they reconnect to the network.

Was this article helpful?

0 0


  • Emilia
    How to audit qualys configurations?
    2 years ago

Post a comment