Scan settings

Name your scan

A scan name is provided, and you can replace it with a custom one. The name can have a maximum of 256 characters. We recommend that you avoid special characters in the scan name.

Choose a single web application

Tell us the name of the web application you want to scan. Your web application may have defaults defined for option profile, scanner appliance and/or authentication record. We'll automatically select the defaults in your scan settings. You can change each setting for the scan, if you want, and override the defaults.

Did you know? You can click View next to a web application to see its settings.

Choose one or more web applications

Tell us the web applications you want to scan. You'll select web application names or tags.

Did you know? You can click View next to a web application to see its settings.

Select tags to scan

Add tags to choose the web applications to be scanned. To find a tag in the tag selector, begin typing the tag name in the Search field. Click a tag to select it, then click outside the tree to add the selected tag. Want to exclude web applications from the scan? Add tags to the "Exclude web applications" section. Select All to include the web applications that match all of the tags listed. Select Any to include the web applications that match at least one of the tags listed.

Select tags to scan

Add tags to choose the web applications to be scanned. To find a tag in the tag selector, begin typing the tag name in the Search field. Click a tag to select it, then click outside the tree to add the selected tag. Want to exclude web applications from the scan? Add tags to the "Exclude web application" section. Select All to include the web applications that match all of the tags listed. Select Any to include web applications that match at least one of the tags listed.
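The All/Any and exclude rules described above, as an added example (not Qualys code): a local preview of which web applications a tag selection would put in scope before a multi-scan is launched. The inventory, tag names and the `select_web_apps` helper are constructed for illustration, and the example assumes that exclusion is applied after inclusion and that an application carrying any excluded tag is dropped.

```python
# Added illustration: preview the scope of a tag-based multi-scan selection.
# Inventory, tag names and function name are constructed; this is not a Qualys API.

def select_web_apps(inventory, include_tags, mode="any", exclude_tags=()):
    """Return the sorted names of web apps selected by the tag rules.

    inventory: dict mapping web app name -> set of tags
    mode: "all" = app must carry every include tag; "any" = at least one
    Assumption: an app carrying any excluded tag is removed after inclusion.
    """
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    include = set(include_tags)
    exclude = set(exclude_tags)
    if not include:
        return []  # empty selection never falls back to "scan everything"
    selected = []
    for name, tags in inventory.items():
        app_tags = set(tags)
        if mode == "all":
            matched = include <= app_tags      # every include tag is present
        else:
            matched = bool(include & app_tags)  # at least one include tag
        if matched and not (exclude & app_tags):
            selected.append(name)
    return sorted(selected)

# Constructed sample inventory.
INVENTORY = {
    "shop-frontend": {"Production", "External", "PCI"},
    "shop-admin": {"Production", "Internal", "PCI"},
    "shop-staging": {"Staging", "External"},
    "hr-portal": {"Production", "Internal"},
}

if __name__ == "__main__":
    for mode in ("all", "any"):
        scope = select_web_apps(INVENTORY, ["Production", "External"], mode, ["PCI"])
        print(f"{mode}: {scope}")
```

With the same two include tags, All narrows the scope to one application while Any pulls in the whole inventory, so it is worth checking the resulting list against what you are authorized to scan.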

Randomize scanning

You might want to add randomization to the ordering of scans in a Multi-Scan, i.e. a scan of multiple web applications. This helps to avoid hitting too many web applications hosted on the same infrastructure at the same time.

Need authentication?

Authentication may be required for our security scanners to access the functionality of your target web application. You must select an authentication record if authentication is needed. Choose from records already defined for your target web application (in the web app settings). This tells us the access methods and credentials (form and/or server based) that we'll use to perform authenticated scanning. Tip - You can upload Selenium scripts to your authentication records and we'll use them for authenticating to your applications at scan time.

Need authentication?

Authentication may be required for our security scanners to access the functionality of your target web applications. If authentication is needed, be sure to set up your target web applications with a default authentication record (in the web app settings). This tells us the access methods and credentials (form and/or server based) to use. Select "default" in the scan settings and we'll use the default record for each application. Tip - You can upload Selenium scripts to your authentication records and we'll use them for authenticating to your applications at scan time.

Allow ScanTrust integration for WAS/WAF

This web application is protected by WAF. By enabling this option you allow Qualys scanners to scan the web application through the firewall and perform enhanced assessment and reporting. This lets you view, in WAS detections and reports, vulnerabilities that are blocked by WAF but not yet fixed.

Choose an option profile

An option profile has various scanning options and the settings can be customized. Just getting started? We recommend the profile Initial WAS Options to begin - it has settings for common environments. You might see that we've selected an option profile for you - this is the default profile for your target web application. You can choose another profile to override the default for this scan.

Choose an option profile

We'll use an option profile to scan each of your target web applications - this has various scanning options and the settings can be customized. You can choose to 1) scan your web applications using different profiles - the default for each web application, or 2) scan all web applications using the same profile - just select any profile that's available in your account.

Need help with making a selection? We recommend the profile Initial WAS Options to begin - it has settings for common environments.

Choose a scanner appliance

Is your web application external facing? Perimeter applications can be scanned by our cloud scanners (select the External option).

Is your web application on your internal network? If yes, you'll need to use a scanner appliance (you'll select the Individual option). Want to set one up? It's easy - just go to VM/VMDR > Scans > Appliances and we'll tell you all about it. We have physical and virtual appliances you can set up in minutes.

Want to allocate multiple scanner appliances? If yes, you'll need to add the asset tags associated with the scanner appliances (select the Tags option). All the scanner appliances associated with the selected tags form a group of scanner appliances, and at scan run time the best available scanner gets allocated.

You might see that we've selected Default for you - this is the default appliance for your target web application. You can choose another scanner to override the default for this scan.

Choose a scanner appliance

You can choose to scan your target web applications 1) using various scanners - the default for each web application, or 2) using the same scanner - just select any scanner that's available in your account.

Perimeter applications can be scanned by our cloud scanners (this is the External option). Web applications on your internal network can be scanned using internal scanners (this is the Individual option). To assign multiple scanners, add the asset tags associated with the scanner appliances (select the Tags option). All the scanner appliances associated with the selected tags form a group of scanner appliances, and at scan run time the best available scanner gets allocated.

Applications on your internal network can be scanned using a scanner appliance. Want to set one up? It's easy - just go to VM/VMDR > Scans > Appliances and we'll tell you all about it. We have physical and virtual appliances you can set up in minutes.

Scanning through a Proxy

Easily run web application scanning through a proxy by selecting a proxy for the scan. Choose from the list of proxy configurations available in your account. You might notice we've selected a proxy for you - this is the default proxy for your target web application. Want to change it? No problem, just choose another proxy to override the default for this scan.

Progressive Scanning

Progressive Scanning adds more scanning capabilities. Progressive Crawling expands the testing coverage for web applications over time. Each scan builds upon the information obtained in previous scans, prioritizing new content areas to expand coverage. Progressive Testing enhances the flexibility of scanning by automatically starting, stopping and resuming scans across your networks without manual intervention. By choosing Progressive Scanning we'll add to the history of findings with this scan.

Why use DNS override record

By default we'll use the DNS for the web application URL to crawl the web app and perform scanning. If you select a DNS override record, we'll use the mappings in your record instead. There are a few reasons you might want to do this. For example, your web application may not have a DNS entry because it's in a non-production environment. Or the web application may have a different IP address in a non-production environment (e.g. development or QA) than in production.

Sending email notifications

We'll send email notifications at scan completion by default unless you disable this option. Choose the email address to be used in the From Address of the notification. All users with permissions to view the target web app will get these emails. Just turn off email notifications if you do not want to send these emails.

 

How often will the scan run?

Select Single occurrence to launch your scan only once. Select Daily to launch your scan every 1 day, 2 days, 3 days, etc. Select Weekly to launch your scan every week - on selected days of the week, or every 2 weeks, 3 weeks, etc. Select Monthly to launch your scan every month - on a selected date, or every 2 months, 3 months, etc.

Is this a recurring scan?

Select "Ends after" and tell us how many times the scan should be run. When the set number of occurrences is reached, the schedule will be deactivated.

When should we launch the scan?

For Start Date/Time, use the date picker to specify the date and select the time of day for this scheduled task.

For Time Zone, select the local time zone (GMT shift and location) that this schedule applies to. For example, if you're in California, then select "(GMT -0800) Pacific Standard Time (PDT US/Pacific)". If you're in Rome, select "(GMT +0100) Italy: Milan, Rome". Some time zones include locations that observe Daylight Saving Time and others that do not. For this reason, it's important that you make the correct selection.

Choosing a Cancel Option

This option allows you to cancel the scan automatically after some period of time - after a number of hours, or at a specific time. If set for a scan schedule, the setting applies to every new scan that is launched using the schedule.

By default we do not cancel scans. Once a scan is launched it will run until it completes, or the maximum scan time is reached.

Keep in mind that cancelled scans may return partial, incomplete results.

You can set the Cancel Option in the web application settings.

Deactivate the scan schedule

Select Deactivate task to prevent the scheduled scan from running. To reactivate, clear this check box.

Sending Notification emails

Select Activate Notification to have the scan schedule owner receive an email notification each time a scan is scheduled to start. Choose the email address to be used in the From Address of the notification. Tell us when to send an email notification to the schedule owner.

Want to notify others?

You can choose to notify additional people of the scheduled scan. Enter one or more email addresses or distribution aliases on separate lines, or separated by a comma, semicolon or vertical bar. You can enter a maximum of 4000 characters.

Custom email template. Enter a custom message to be included with the scheduled task details: task title, owner, start time and option profile. You can enter a maximum of 4000 characters.