Qualys Scanner - VLAN Scanning Guide

Qualys scanner appliances support IEEE 802.1Q VLAN tagging. When connected to a suitably configured trunk port, the scanner tags outbound frames with the target VLAN ID, so your switching fabric carries scan traffic at Layer 2 and the scanner participates in the VLAN directly. As a member of the VLAN the scanner reaches devices in that VLAN as a "neighbour", which eliminates dependencies on intermediate Layer 3 devices such as firewalls, load balancers and IDS/IPS.
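As an added example (not Qualys code and not part of this guide), the Python below shows what the tag the scanner inserts looks like on the wire: it builds an 802.1Q-tagged Ethernet frame, builds the untagged form used for non-VLAN targets, and parses both back. It treats VID 0 as "priority-tagged, no VLAN membership" and rejects the reserved VID 4095, as the standard defines them. The MAC addresses and payload are constructed sample values, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that introduces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tag_frame(dst_mac: str, src_mac: str, vlan_id: int, ethertype: int,
              payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an 802.1Q-tagged Ethernet frame.

    The tag is 4 bytes inserted after the source MAC: TPID 0x8100 followed by
    the TCI (3-bit priority, 1-bit drop-eligible, 12-bit VLAN ID). VID 0 means
    'priority-tagged, no VLAN membership'; 4095 is reserved by the standard.
    """
    if not 0 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 0..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def untagged_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame, as sent on the LAN interface for non-VLAN targets."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan_id' and 'pcp' are None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan_id": vlan_id,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


# Constructed sample values for the demonstration, not captured traffic.
SCANNER_MAC = "00:1b:21:aa:bb:cc"
TARGET_MAC = "00:50:56:11:22:33"
SAMPLE_PAYLOAD = bytes.fromhex("4500001c")   # first bytes of an IPv4 header, for illustration

if __name__ == "__main__":
    tagged = tag_frame(TARGET_MAC, SCANNER_MAC, 100, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    print(tagged.hex(" "))   # bytes 12..15 read "81 00 00 64": 802.1Q tag, VID 100
    print(parse_frame(tagged))
    print(parse_frame(untagged_frame(TARGET_MAC, SCANNER_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)))
```

When verifying a deployment, the same layout is what `tcpdump -e` on a mirror of the trunk port shows: a tagged scan packet carries the 0x8100 tag and the VLAN ID immediately after the source MAC, while traffic to targets outside any configured VLAN goes out untagged.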

Benefits

- A potential increase in overall scan performance, by removing the delays associated with transiting Layer 3 devices

- Better OS and service fingerprinting, since Layer 3 devices often modify packet headers or change how non-RFC-compliant datagrams are handled

- Less load on Layer 3 devices, in particular on their half-open connection state tables

- Fewer "ghost host" results, which arise when Layer 3 devices respond on behalf of unused NAT and VIP addresses

Use of VLAN tagging does not preclude sending untagged scan traffic on the same interface at the same time, nor does it require a dual-NIC configuration on the scanner.

Requirements

- Your appliance must be configured with a static IP address, netmask and default gateway on the LAN interface, as for a standard deployment.

- Your appliance must be running Scanner Appliance software version 2.1 or later. VLAN scanning must be enabled for your subscription. Please contact Support or your Technical Account Manager to enable this feature.

- The scanner must be connected to a trunk port.

- The trunk port must be configured to present the necessary VLANs to the interface. Untagged frames from the scanner's LAN interface are placed in the trunk's native VLAN (PVID), so the native VLAN must be the one the LAN address and default gateway belong to, or the appliance will lose its management connectivity when moved to the trunk port.

Limitations

Public cloud provider distributions and offline scanner appliances do not support VLAN trunking.

Physical scanners support up to 4094 VLANs for devices with a serial number over 29000 and up to 99 VLANs for devices with a serial number under 29000.

Virtual scanners (except public cloud provider and offline scanner images) support up to 4094 VLANs.

Required VLAN Information

The following information is required for each VLAN the scanner is configured to participate in:

Static IP Address – The IP address must be unique per appliance: the same address cannot be used in another VLAN configuration on the same appliance. The address assigned to the VLAN interface on the scanner must be static; it cannot be dynamically assigned.

Netmask – A valid netmask defining the subnet. Example: 255.255.255.0

ID – A VLAN ID between 0 and 4094, inclusive. The VLAN ID must be unique per appliance: the same ID cannot be used in another VLAN configuration on the same appliance. Note that in 802.1Q, VID 0 marks a priority-tagged frame with no VLAN membership and VID 4095 is reserved, so the IDs your switches will actually carry lie between 1 and 4094.

Name – A VLAN name to identify the VLAN configuration in the VLANs list.

Add VLANs on the Appliance Console

It is possible to configure a single VLAN from the appliance console, using the LCD panel on a physical appliance or the console of a virtual appliance.

**Note**

A VLAN configured on the console cannot be viewed or edited in the user interface.

The console VLAN takes precedence over VLAN configurations made in the user interface.

Configure VLANs in the UI

These steps assume you have already deployed, connected and verified that the scanner appliance is operational.

1) Configure the trunk port on the switch to present the necessary VLANs.

2) Log in to Qualys as a Manager, go to Scans > Appliances, select the appliance, and choose Edit from the Quick Actions menu.

3) Choose the VLANs tab on the left.

(Screenshot: VLANs configured on the appliance)

4) Click New (or Edit to change an existing VLAN). Enter the IP address, subnet mask, ID and a name for the VLAN, as shown in the example below. When you have entered all the required VLAN information, click Save.

(Screenshot: Edit VLAN information for scanner appliance)

Once configured, the scanner automatically applies 802.1Q VLAN tags to traffic whose destination matches a configured VLAN address and netmask. The switching fabric then forwards that traffic at Layer 2, so the scanner scans targets in those subnets as a neighbour. Traffic to IPs that match none of the configured VLANs leaves untagged via the LAN interface and the default gateway, as in normal operation.
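As an added example (not Qualys code, and not the appliance's actual implementation), the Python below models the two rules this guide lays out: the per-appliance checks from "Required VLAN Information" (VLAN ID in 0..4094 and unique, every address unique, a valid netmask) and the egress decision just described, which picks the VLAN whose subnet contains the target and otherwise falls back to the untagged LAN interface and default gateway. It also accepts IPv6 entries of the kind described under "IPv6 Support for VLANs". The VlanConfig class, the sample VLAN lists, the documentation-range addresses and the longest-prefix tie-break for overlapping subnets are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple, Union

Interface = Union[ipaddress.IPv4Interface, ipaddress.IPv6Interface]


@dataclass
class VlanConfig:
    """One row of the appliance's VLAN list (hypothetical model, not Qualys' data format)."""
    name: str
    vlan_id: int
    ipv4: Optional[str] = None   # "address/netmask", e.g. "10.100.0.5/255.255.255.0"
    ipv6: Optional[str] = None   # "address/prefixlen", e.g. "2001:db8:200::5/64"

    def interfaces(self) -> Iterator[Interface]:
        for raw in (self.ipv4, self.ipv6):
            if raw:
                yield ipaddress.ip_interface(raw)


def validate(configs: List[VlanConfig]) -> List[str]:
    """Apply the guide's per-appliance rules and return the violations found:
    VLAN ID within 0..4094 and unique, every address unique, netmask valid,
    and at least one address family present."""
    errors: List[str] = []
    seen_ids: dict = {}
    seen_addrs: dict = {}
    for c in configs:
        if not 0 <= c.vlan_id <= 4094:
            errors.append(f"{c.name}: VLAN ID {c.vlan_id} is outside 0..4094")
        elif c.vlan_id in seen_ids:
            errors.append(f"{c.name}: VLAN ID {c.vlan_id} already used by {seen_ids[c.vlan_id]}")
        else:
            seen_ids[c.vlan_id] = c.name
        if not (c.ipv4 or c.ipv6):
            errors.append(f"{c.name}: needs an IPv4 or an IPv6 configuration")
        for raw in (c.ipv4, c.ipv6):
            if not raw:
                continue
            try:
                iface = ipaddress.ip_interface(raw)
            except ValueError as exc:
                errors.append(f"{c.name}: invalid address/netmask {raw!r} ({exc})")
                continue
            if iface.ip in seen_addrs:
                errors.append(f"{c.name}: address {iface.ip} already used by {seen_addrs[iface.ip]}")
            else:
                seen_addrs[iface.ip] = c.name
    return errors


def egress_for(target: str, configs: List[VlanConfig],
               lan_ip: str, default_gateway: str) -> Tuple[Optional[int], str, str]:
    """Decide how a scan packet to `target` leaves the appliance.

    Returns (vlan_id, source_address, next_hop). A match on a configured VLAN
    subnet means an 802.1Q-tagged frame from that VLAN's address straight to the
    target (a Layer 2 neighbour); no match means an untagged frame from the LAN
    interface to the default gateway. If configured subnets overlap, the longest
    prefix wins; that tie-break is an assumption of this example, not documented
    scanner behaviour.
    """
    dst = ipaddress.ip_address(target)
    best: Optional[Tuple[VlanConfig, Interface]] = None
    for c in configs:
        for iface in c.interfaces():
            if iface.version != dst.version or dst not in iface.network:
                continue
            if best is None or iface.network.prefixlen > best[1].network.prefixlen:
                best = (c, iface)
    if best is None:
        return None, lan_ip, default_gateway
    c, iface = best
    return c.vlan_id, str(iface.ip), target


# Constructed sample configurations; the addresses are documentation ranges, not a real site.
SAMPLE_CONFIGS = [
    VlanConfig("servers", 100, ipv4="10.100.0.5/255.255.255.0"),
    VlanConfig("dmz", 200, ipv4="10.200.0.5/255.255.255.0", ipv6="2001:db8:200::5/64"),
    VlanConfig("lab-v6-only", 300, ipv6="2001:db8:300::5/64"),
]
BAD_CONFIGS = [
    VlanConfig("prod", 100, ipv4="10.100.0.5/255.255.255.0"),
    VlanConfig("dup-id", 100, ipv4="10.101.0.5/255.255.255.0"),      # VLAN ID reused
    VlanConfig("dup-ip", 300, ipv4="10.100.0.5/255.255.255.0"),      # address reused
    VlanConfig("reserved", 4095, ipv4="10.102.0.5/255.255.255.0"),   # outside 0..4094
    VlanConfig("badmask", 400, ipv4="10.103.0.5/255.255.0.255"),     # non-contiguous mask
]

if __name__ == "__main__":
    assert validate(SAMPLE_CONFIGS) == []
    for t in ("10.100.0.77", "10.200.0.9", "2001:db8:200::1f", "192.168.1.10"):
        print(t, "->", egress_for(t, SAMPLE_CONFIGS, "10.0.0.5", "10.0.0.1"))
    for err in validate(BAD_CONFIGS):
        print("invalid:", err)
```

Running the validator against a planned VLAN list before entering it in the UI catches the duplicate-ID and duplicate-address cases the guide warns about, and the egress function makes it easy to confirm, for a given target list, which hosts will be scanned as neighbours and which will still cross the default gateway.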

IPv6 Support for VLANs

The IPv6 Scanning feature must be enabled for your account. Please contact Support or your Technical Account Manager if you would like to have this feature turned on.

You must enable IPv6 on the scanner to add IPv6 configurations. Select “Enable IPv6 for this scanner” on the LAN Settings tab.

(Screenshot: Enable IPv6 check box for the scanner)

On the VLANs tab you'll see IPv4 and IPv6 configurations that have been configured for the appliance.

(Screenshot: VLANs on the appliance with a mix of IPv4 and IPv6 configurations)

When you create or edit a VLAN, click the Enable IPv4 option to add IPv4 details and click the Enable IPv6 option to add IPv6 details. You can choose to enable IPv4 only, IPv6 only or both.  

(Screenshot: Edit VLAN for the appliance)