How-to

Use the Qualys Scan Tool for Vulnerability Management

Qualys Vulnerability Management (VM) scan tool is a commercial network-based application used to scan systems for technical vulnerabilities.

Follow the University Technical Vulnerability Management Standard

See the Information Security Policy Technical Vulnerability Management standard for current requirements on frequency of vulnerability scanning and whether remediation is required or recommended.

Units include the IP addresses for their critical systems in a Qualys asset group using the naming convention CRITICAL.COLLEGE.DEPT.  Critical systems asset groups include IP addresses for:

  • Security Level High or Medium systems or network devices per the Data Security Classification Policy,
  • Single-user systems in scope for compliance with HIPAA or PCI DSS.

High Severity vulnerabilities in the Technical Vulnerability Management standard are equivalent to Qualys Confirmed level 4 or 5 vulnerabilities.

University Information Security coordinates the external vulnerability scan for systems and network devices that are in scope for the credit card data environment (CDE). These scans meet the Payment Card Industry (PCI) Scanning (PDF) requirement.

Review Monthly For Your Critical Systems Report

Review the following at least monthly for IP addresses in your Qualys critical systems asset group.

  • List the IP addresses in the Critical Systems asset group. Use Asset Search on the Critical Systems asset group; it lists the IP addresses that responded to ICMP ping.
  • Add new IP addresses to your Critical Systems asset group and schedule a scan.
  • Remove IP addresses for systems that no longer meet the criteria for Critical Systems asset group or are retired or decommissioned.
  • Verify IP addresses are scanned at least monthly. Modify the Asset Search to identify IP addresses not scanned within the last 30 days.
    • Remove IP addresses for systems that no longer meet the criteria for Critical Systems asset group or are retired or decommissioned.
    • For others, schedule a vulnerability scan.
  • Verify High Severity Vulnerabilities are patched or fixed. Run Report using the Report Template: UMN-High Severity Summary Report--OIT Sec Reporting.
    • For vulnerabilities listed:
      • Mitigate the risk and run vulnerability scan.
      • Document the remediation plan by creating a Qualys remediation ticket if the vulnerability requires more time to mitigate the risk.
      • For false positives, create an ignored vulnerability remediation ticket and include supporting documentation.
  • Review Ignored Vulnerabilities. Run Report using the Scorecard Template: Ignored Vulnerabilities Report.
  • For vulnerabilities that are not false positives, change the remediation ticket status to re-open.
  • University Information Security will review these and make the final determination on whether or not a vulnerability can be ignored for IP address in the Critical Systems asset group.

University-wide reporting uses calendar quarters (9/30, 12/31, 3/31, 6/30) to report on critical systems. Complete your scans to allow time to address vulnerabilities on your critical systems.
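As an added illustration (not part of this University page or of Qualys itself), the monthly review checks above expressed over constructed export rows: the 30-day scan window, the High Severity definition (Confirmed level 4 or 5 only), and the 20-day ticket deadline from the remediation section. The row layout, IP addresses, QIDs and dates are assumptions made up for the example.

```python
"""Monthly Critical Systems review checks over constructed Qualys export rows."""
from datetime import date, timedelta

SCAN_WINDOW_DAYS = 30      # page: verify IPs are scanned at least monthly
TICKET_DEADLINE_DAYS = 20  # page: tickets are overdue 20 days after first detection
HIGH_SEVERITY = {4, 5}     # page: High Severity == Qualys Confirmed level 4 or 5

# Constructed Asset Search export: (ip, asset_group, last_scan_date or None).
# Note: Asset Search only lists hosts that answered ICMP ping, so a host that
# blocks ping is absent here rather than reported as never scanned.
ASSET_ROWS = [
    ("10.0.0.10", "CRITICAL.CSE.IT", date(2024, 5, 2)),
    ("10.0.0.11", "CRITICAL.CSE.IT", date(2024, 3, 1)),
    ("10.0.0.12", "CRITICAL.CSE.IT", None),
    ("10.0.1.5", "CSE.IT.labs_x", date(2024, 3, 1)),   # not a critical group
]

# Constructed detections: (ip, qid, type, severity, first_detected).
DETECTIONS = [
    ("10.0.0.10", 91001, "Confirmed", 5, date(2024, 4, 1)),
    ("10.0.0.10", 91002, "Potential", 5, date(2024, 4, 1)),   # Potential: not High
    ("10.0.0.11", 91003, "Confirmed", 3, date(2024, 4, 1)),   # level 3: not High
    ("10.0.0.12", 91004, "Confirmed", 4, date(2024, 4, 20)),
]


def is_critical_group(name):
    """Naming convention from the page: critical groups begin with CRITICAL."""
    return name.startswith("CRITICAL.")


def stale_critical_ips(rows, today, window=SCAN_WINDOW_DAYS):
    """IPs in a Critical Systems group with no scan inside the window (never scanned counts)."""
    cutoff = today - timedelta(days=window)
    return sorted(ip for ip, grp, last in rows
                  if is_critical_group(grp) and (last is None or last < cutoff))


def high_severity(detections):
    """Only Confirmed level 4/5 count; Potential or Info findings at level 5 do not."""
    return [d for d in detections if d[2] == "Confirmed" and d[3] in HIGH_SEVERITY]


def overdue(detections, today, deadline=TICKET_DEADLINE_DAYS):
    """High Severity findings whose first detection is older than the ticket deadline."""
    return [(ip, qid) for ip, qid, _, _, first in high_severity(detections)
            if (today - first).days > deadline]


if __name__ == "__main__":
    today = date(2024, 5, 10)
    print("needs scan:", stale_critical_ips(ASSET_ROWS, today))
    print("overdue:", overdue(DETECTIONS, today))
```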

Understand Qualys Unit Manager Responsibilities

Large units (e.g., OIT) are set up in Qualys as a Business Unit and a Unit Manager (and Business Unit Manager) is assigned responsibility for managing various features within Qualys for the unit.

Business Unit Manager and Unit Manager responsibilities include:

  • Define responsibilities of the other Qualys roles in the Business Unit: scanners, readers, remediation users.
  • Manage users (scanners, readers, remediation users) for the Business Unit. This includes set up, deactivation or reactivation, and password resets. Assign users to Asset Groups.
  • Identify to University Information Security (email University Information Security) a list of subnets your unit is responsible for.  This is used for discovery mapping your section of the network, similar to NMAP.  Discovery maps are free.
  • Identify to University Information Security (email University Information Security) a list of IP/IP Ranges for systems your unit is responsible for scanning.
  • Set up and maintain the list of IP addresses that are included in the Critical Systems Asset Group for your Business Unit following the naming convention for Asset Groups.
  • Scan all IP addresses in the Critical System Asset Groups.
  • Review and mitigate the vulnerabilities detected.
  • Review open remediation tickets for IPs assigned to your Business Unit or Asset Group.
  • Manage the other Asset Groups that you create to meet your scanning/reporting needs, following the naming convention for Asset Groups.
  • Discovery map your section of the network at least monthly and review the Map reports for unknown devices.

Maintain Qualys Users

Qualys Unit Managers can create, deactivate/reactivate, delete, and reset passwords for users (those not using SAML authentication) in their Qualys Business Unit.

Select the Users tab in the Qualys portal.

  • General Information, all fields with an asterisk are required.
  • Locale, set Time Zone
  • User Role, select
    • Scanner - scan and map IP addresses in assigned Asset Groups, create and run reports and manage remediation tickets
    • Reader - create and run reports for assigned Asset Groups and manage remediation tickets
    • Remediation User - access remediation tickets and the vulnerability KnowledgeBase
    • Unit Manager - same privileges as Scanner and can manage user accounts for their unit
  • Asset Groups, assign one or more Asset Groups to the user
  • Permissions, select or deselect which Extended Permissions the user needs
  • Options, select the type of Notifications the user will receive

Getting Started

Qualys maintains extensive documentation for each tab (i.e., Scans, Reports, Remediation) of the product under Help on the Qualys menu bar.

Below are instructions to get you started.

Maintain Asset Group

Asset groups list IP addresses to scan or report on as a group. They are also used to limit which IP addresses a user is allowed to scan or report on.

Select the Assets tab in the Qualys portal.

Create a new group from the New menu or edit an existing group from the Quick Actions menu. Use the workflow to manage the asset group and click Save.

  • Follow the naming conventions for Asset Groups
  • IPs, list the IP addresses or IP ranges to include in the Asset Group
  • Domains, choose none
  • Users, select the Users assigned to this asset group
  • Scanner Appliances, select all listed and select a default scan appliance
  • Business/CVSS Info
    • Critical Systems asset group, change Business Impact to Critical
    • Other parameters (optional)

Naming conventions:

  • For critical systems asset groups, create asset groups that begin with CRITICAL.COLLEGE.DEPT, where COLLEGE is your college or admin unit name and DEPT is your department name.
  • For other asset groups, create asset groups that begin with COLLEGE.DEPT.subgroup_aaa (each unit defines aaa).

Set up a Scan

There are multiple scan option profiles and features for running a scan, including scheduling or launching a scan immediately.

There is no guarantee that the Qualys scanner will not affect services on a production system. Therefore, it is important that the affected system have a scan window agreed to by management or other pertinent personnel. If availability is too critical to allow a window, redundancies should be created.

Select the Scans tab in the Qualys portal.

Go to Scans and choose New -> Scan
Enter scan details and click Launch.

Scan details:

  • Title
  • Option Profile: Initial Options for University of Minnesota (default)
  • Scanner Appliance:
    • All Scanners in Asset Group (distributes the scan between the internal scan appliances on the University network)
    • Build my list (distributes the scan between the internal scan appliances on the University network)
    • Single scan appliance
    • External (scan originates from a Qualys IP from outside the University network)
  • Choose Target Hosts
    • Assets Groups
    • IP/Ranges
    • Exclude IPs/Ranges
  • Notification when scan is finished (optional)

Cancel or pause a scan in the Qualys portal.

Results from the scan are in the Qualys portal.

  • View report under Scans tab
  • Use Reports tab to create additional reports using the report templates
  • Asset Search under Assets tab

Remediate and Maintain Remediation Tickets

Remediation (fix) may include patching, configuration changes, using other compensating controls, or documenting as a false positive. Units are required to fix High severity vulnerabilities, or to create/update a Qualys remediation ticket documenting false positives and fixes that cannot be done for various reasons or require additional time to complete. Fix remaining vulnerabilities by severity or risk to your systems. Systems in scope for the credit card data environment (CDE) must also fix vulnerabilities marked as PCI Severity HIGH.

The main remediation policy creates tickets for confirmed severity level 4 and 5 vulnerabilities on IP addresses in a Critical Systems asset group. The ticket is assigned to the user who ran the scan. The deadline date for determining overdue tickets is 20 days from when the vulnerability is first detected.

Users can manually create a ticket and manage (e.g., change status, add comments) a ticket assigned to them. Unit Managers can set up additional remediation policies for their unit.

Select the Remediation tab in the Qualys portal.

Go to Remediation tab and then select the Tickets tab.

Select Edit from the Quick Actions menu for a single ticket in the list. Or select multiple tickets in the list and select Edit from the Actions menu.

Run Reports & Maintain Report Templates

Schedule a report or launch on-demand using the various report templates or create your own template.

Select the Reports tab in the Qualys portal.

Choose New > Scan Report > Template Based, or Scorecard Report (Ignored Vulnerabilities).

Here are some commonly run report templates.

Summary Reports

  • Report Template: UMN-High Severity Summary Report- OIT Sec Reporting
    • Results as of the last scan
    • Includes confirmed vulnerabilities at levels 4 & 5
    • Sorted by vulnerability and lists the vulnerable hosts
    • No detail on how to fix
  • Report Template: UMN-High Severity Report
    • Results as of the last scan
    • Includes confirmed vulnerabilities at levels 4 & 5
    • Details on how to fix
  • Report Template: UMN-Summary Report
    • Results as of the last scan
    • Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5)
    • No detail on how to fix

Detail Reports (Large Reports)

  • Report Template: Technical Report- Select Asset Group or IP
    • Results as of the last scan
    • Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    • Details on how to fix
    • Very large report
  • Report Template: Technical Report-Select Scan Results
    • Results from a specific scan (includes option to include a specific IP)
    • Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    • Details on how to fix
    • Very large report

Run a Discovery Map

There are multiple map (discovery map) option profiles and features for running a map, including scheduling or launching a map immediately. A map is similar to nmap.

Go to Scans tab and then select the Maps tab.

Choose New -> Map
Enter map details and click Launch.

Map details:

  • Title
  • Option Profile: Initial Options for University of Minnesota (default)
  • Scanner Appliance:
    • All Scanners in Asset Group (distributes the scan between the internal scan appliances on the University network)
    • Build my list (distributes the scan between the internal scan appliances on the University network)
    • Single scan appliance
    • External (scan originates from a Qualys IP from outside the University network)
  • Choose Target Hosts
    • Assets Groups
    • IP/Ranges
    • Domains/Netblocks
  • Notification when map is finished (optional)

Cancel or pause a map in the Qualys portal under the Scans/Maps tab.

Results from the map are in the Qualys portal.

  • View report under Scans/Maps tab
  • Review the results for anomalies.
    • Run Map Report using the Unknown Devices Template.
    • On the report, the Status column reports whether an IP address has been Added or Removed when comparing the two map results. If an IP address appears on both map results, the status is Active.

Use Reports tab to create additional reports using the report templates.

Schedule Scans, Maps and Reports

Under the respective tabs in the Qualys portal, select Schedules tab.

Scheduling details:

  • Start date and time
  • Duration (optional) for scans and maps
  • Frequency
  • Notifications
  • Change schedule status (deactivate or reactivate)

Read Tips for Using Qualys

Manage Your User Account Settings

Use the pull-down next to your name to:

  • Change Password
  • Change Home Page (Qualys portal start page)
  • User Profile, to change the email notifications you receive from Qualys

If you forgot your password or your account is deactivated, contact your Qualys unit manager or University Information Security.

Develop a Scan Strategy

  • Scan using the external scan appliance, fix Confirmed 4 & 5, and re-scan
  • Scan using the internal scan appliance, fix Confirmed 4 & 5, and re-scan
    • Create tickets for Confirmed 4 & 5 that are false positives or require more time
    • Set up a scheduled scan (at least monthly, weekly recommended)
    • Continue to remediate the other vulnerabilities on the report
  • Sandbox: re-use an IP address to scan the pre-production server and, when ready to put it in production, move it to a production IP address. This is especially useful for one-time scans of servers that are not critical or important.
  • Use the external and internal scan appliances to test your firewall rules.

Filter Scan Results

  • Use Asset Search with search criteria
  • Use the Summary scan report templates
  • Run Report: select individual IPs or IP ranges
  • View online vs. PDF (use the pull-down to choose alternate formats when creating reports)
  • Set up Report Templates with Search Lists

Understand Qualys Terminology

  • Hosts - Computers/workstations, networked devices, servers, network infrastructure
  • Asset Groups - Lists of IP addresses for scanning or reporting
  • Business Unit - University collegiate unit, administrative unit, or system campus
  • Unit Managers (Business) - Individuals responsible for unit set up/maintenance for their unit
  • Owner - Qualys account that maintains the asset group, reports, tickets
  • Scan - Network-based vulnerability scan
  • Option Profile - Defines the vulnerability checks, scan parameters (speed), and mapping parameters
  • Scanner Appliance - Scans/maps originate from either an external (from the Qualys network) or internal (on the University network) scan appliance
  • Vulnerability Levels - Categories of vulnerabilities are confirmed, potential, or information, and within each category there are 5 severity levels. Severity level 5 is the highest severity.
  • Map - Quick discovery map of a subnet
  • Remediation - Tickets within the Qualys portal used to document the mitigation strategy for vulnerability checks that do not auto-resolve through re-scans

University of Minnesota Assistance

Email University Information Security to:

  • Request access to the Qualys VM scanner for your unit,
  • Add or remove IP addresses in your Qualys account, or
  • Ask questions or report issues.
