Mapping - The Basics

Good to Know

What to Map


How to Map

Which Scanner to Use


What is the benefit to mapping

When you run a discovery scan we will create a map that gives you an inventory of your network devices as seen from the Internet (perimeter devices) or Intranet (internal devices). If you run discovery scans on a regular basis you can keep track of your continually evolving network. Changes in firewall rules or DNS setups may allow intruders to find more information than they should. A map is also a way to find devices and services running without your authorization, including virtual hosts that may have been maliciously placed on your network.

When mapping your network perimeter

When mapping your internal network

Tell me more about the types of devices identified

Discovery methods used to find open services

For each host detected we will show you a list of open services running on the host. Then for each service listed you can view the discovery method used to identify the service along with the port the service was running on, if available. Simply click the black arrow next to any host in your map results to view these details.

Show me possible discovery methods

Map complete email notifications

You can choose to be notified via email each time a map completes. The email gives you a summary of the results and a secure link to the saved report. Select User Profile below your user name, go to the Options section and select Map Notification. You'll notice additional email notifications you can opt in to.

See difference in duration on Map Summary email and UI

How to map domains and netblocks

Under Target Domains, enter domains and domains with netblocks into the Domains/Netblocks field. The registered domain names that you enter must be in your account (under Assets > Domains), making them available to you for mapping.

If a netblock was already specified as part of a domain configuration (on the domains list), then you only need to specify the domain name when launching the map. The netblock will be used automatically. You may, however, enter a portion of the netblock if you do not want the entire netblock mapped.

See different ways to enter domains and netblocks

Enter 1 domain and we'll create 1 map. Show me

Enter 2 domains and we'll create 2 maps. Show me

How to map IPs and IP ranges

Under Target Domains, enter IPs and IP ranges into the Domains/Netblocks field. The IPs you enter must already be part of the None domain in your account.  

Important notes about mapping IPs/ranges:

1) Define the None domain - Go to your domain assets list (Assets > Domains) to determine whether the None domain has already been defined for your account. If you plan to manually enter IPs/ranges in the Domains/Netblocks field, then those IPs must be included in the None domain configuration. (Note that when you map IPs from asset groups, the IPs do not have to be part of the None domain configuration. Learn more

2) Review map options - If you map IPs/ranges without a domain, be sure to enable the map option "Perform live host sweep" in the option profile applied to the task.

Enter IPs only and we'll create 1 map. Show me

Enter IPs and domains and we'll create multiple maps. Show me

How to map asset groups

Under Target Domains, enter one or more asset groups in the Asset Groups field. Then identify which assets (domains and/or IPs) from the asset groups you want to target by selecting the Domains and/or IPs check boxes.

When Domains is selected, we'll create a separate map for each domain in the asset groups.

When IPs is selected, we'll create a single map for each asset group including all the group's IP addresses. The map report lists the target domain for each group as "none:[netblock]" where netblock includes the IP addresses from the asset group. When you map IPs from asset groups, the IPs do not have to be part of the None domain configuration.

Sample asset groups:

The group "New York" includes the following assets:
Domains: and

The group "London" includes the following assets:
Domains: and

Map the domains from these asset groups

Map the IPs from these asset groups

Map the domains and IPs from these asset groups

Can I exclude hosts from my map?

Yes. Go to Scans > Setup > Excluded Hosts to create a list of IPs that you want to exclude from all maps and scans launched by all users. These hosts will not be scanned even if specified as part of the map target.

An excluded host appeared in my map results. How come?

How can I customize my map?

You customize your map by changing the map settings in a scan option profile. Go to Scans > Option Profiles to see the option profiles available to you or to create a custom profile. The following settings can be tweaked to meet your specific needs: ports to scan for host discovery, ports to scan for basic information gathering on the hosts discovered during scanning, performance settings, and more.

Network discovery options

These options can be configured in your option profile.

Host Discovery

Perform Live Host Sweep

Disable DNS traffic

Using the Default scanner appliance option

This option is used for mapping asset groups with scanner appliances. Select the Default scanner option to use the default scanner defined in each asset group for discovery of the domains/IPs in those groups. When there are multiple targets we create multiple maps, one for each target. Discovery scans of your targets will run sequentially - one at a time - and each map will be created using a single scanner appliance.

For example, let's say that Group ABC includes Domain1 and the default scanner is SA_ABC. Group XYZ has Domain2 and Domain3 and the default scanner is SA_XYZ. When you include both groups in the map request and you're using the Default scanner appliance option you'll get these 3 maps (one for each domain):

- Domain1 is mapped using SA_ABC

- Domain2 is mapped using SA_XYZ

- Domain3 is mapped using SA_XYZ

Do I need to whitelist Qualys scanners?

Yes, scanners must be able to reach the target domains/IPs being scanned. Go to Help > About to see the IP addresses for external scanners to whitelist. You'll also see a list of URLs that your scanner appliances must be able to contact for internal scanning.

Scanning through a firewall - avoid scanning from the inside out

Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Learn more

I don't see the scanner appliance option

You will only see the Scanner Appliance option if you have scanner appliances in your account. If you don't have scanner appliances you can still map your network perimeter using our External scanners.

How do I get a scanner appliance?

Contact Support or your Technical Account Manager to: 1) have a physical scanner appliance shipped to you, or 2) have the Virtual Scanner option enabled for your subscription in order to download a virtual scanner image and configure your scanner in a few easy steps.