Notice of Datacenter Migration of Qualys US3 Platform
This advance notification is to inform customers with subscriptions on the US3 platform that we will be migrating from our existing colocation datacenter to another colocation datacenter. This migration is scheduled to take place on 27th November 2024, from 5:00 PM PST, and will require a 15-hour downtime.
Please refer to the Frequently Asked Questions (FAQs) below to learn more about this move and what is needed from customers to ensure a smooth transition.
Frequently Asked Questions
What is the scope of the migration activity?
The Qualys US3 Shared Cloud Platform (SCP) will undergo a migration to a new datacenter. All customer data will be moved along with all applications and services from the existing SCP environment in the current data center to the new data center environment.
When is this activity scheduled?
This migration will take place on 27th November 2024, from 5:00 PM PST. It will take place during the scheduled Quarterly Maintenance Downtime for the US3 Platform.
Which customers are affected by this migration?
Customers with subscriptions on the US3 platform will be affected. Please refer to https://www.qualys.com/platform-identification/ for help identifying your platform.
What testing has been done?
Our Operations team has completed extensive testing to ensure this migration will go through smoothly. We have also successfully migrated our other shared cloud platforms in other regions in a similar manner over the last year.
Will there be any impact on customers during this migration?
Qualys services will be unavailable during this migration as we migrate customer data along with applications and services to the new colocation data center environment. Scans using an external scanner might get interrupted until the platform is back online. Qualys recommends pausing scans and resuming them once the platform is back online.
The IP address used for communication between Cloud Agents / Scanner Appliances / Qualys Gateway Appliance and the Shared Cloud Platform will change.
What steps does the customer need to take?
As part of this migration, the IP addresses associated with the FQDNs (URLs) & the Qualys scanners will change. For customers who have already whitelisted the Qualys IPv4 supernet 64.39.96.0/20 in both directions for incoming & outgoing traffic and IPv6 supernet 2602:FDAA::/36, there will be no change. Only those customers who have allowed specific IPs of US3 pod are requested to add the below IPs to the Allowlist to ensure uninterrupted connectivity with Qualys services & scanners. Customers are requested not to remove the existing IP addresses until further notice. The additional IPv4 addresses are within the existing Security Operations Center (SOC) netblock.
URL/Service | Current IP Address | Additional IP address to whitelist | Services | Traffic Direction |
qualysapi.qg3.apps.qualys.com | 64.39.96.136 | 64.39.101.65 | HTTP, HTTPS | Outgoing |
qgadmin.qg3.apps.qualys.com | 64.39.96.137 | 64.39.101.66 | HTTP, HTTPS | Outgoing |
portal.qg3.apps.qualys.com | 64.39.96.138 | 64.39.101.67 | HTTP, HTTPS | Outgoing |
portal-bo.qg3.apps.qualys.com | 64.39.96.139 | 64.39.101.68 | HTTP, HTTPS | Outgoing |
distribution.qg3.apps.qualys.com | 64.39.96.140 | 64.39.101.69 | HTTP, HTTPS | Outgoing |
monitoring.qg3.apps.qualys.com | 64.39.96.141 | 64.39.101.70 | HTTP, HTTPS | Outgoing |
scanservice1.qg3.apps.qualys.com | 64.39.96.142 | 64.39.101.71 | HTTP, HTTPS | Outgoing |
gateway.qg3.apps.qualys.com | 64.39.96.143 | 64.39.101.72 | HTTP, HTTPS | Outgoing |
download.qg3.apps.qualys.com | 64.39.96.144 | 64.39.101.73 | HTTP, HTTPS | Outgoing |
rns.qg3.apps.qualys.com | 64.39.96.145 | 64.39.101.74 | HTTP, HTTPS | Outgoing |
certs.qg3.apps.qualys.com | 64.39.96.147 | 64.39.101.75 | HTTP, HTTPS | Outgoing |
rns-bo.qg3.apps.qualys.com | 64.39.96.148 | 64.39.101.76 | HTTP, HTTPS | Outgoing |
qpatchpublic.qg3.apps.qualys.com | 64.39.96.149 | 64.39.101.77 | HTTP, HTTPS | Outgoing |
debug.qg3.apps.qualys.com | 64.39.96.154 | 64.39.101.78 | HTTP, HTTPS | Outgoing |
kube.qg3.apps.qualys.com | 64.39.96.156 | 64.39.101.79 | HTTP, HTTPS | Outgoing |
nac-le-service.qg3.apps.qualys.com | 64.39.96.172 | 64.39.101.80 | HTTP, HTTPS | Outgoing |
camspm.qg3.apps.qualys.com | 64.39.96.173 | 64.39.101.81 | HTTP, HTTPS | Outgoing |
camsrepo.qg3.apps.qualys.com | 64.39.96.174 | 64.39.101.82 | HTTP, HTTPS | Outgoing |
camspublic.qg3.apps.qualys.com | 64.39.96.175 | 64.39.101.83 | HTTP, HTTPS | Outgoing |
semca.qg3.apps.qualys.com | 64.39.96.176 | 64.39.101.84 | HTTP, HTTPS | Outgoing |
qepp-update.qg3.apps.qualys.com | 64.39.96.186 | 64.39.101.85 | HTTP, HTTPS | Outgoing |
wasoob-dns.us3.qualysperiscope.com | 64.39.96.155 | 64.39.101.86 | DNS | Outgoing |
qagpublic.qg3.apps.qualys.com | 64.39.104.113 | 64.39.105.32 | HTTP, HTTPS | Outgoing |
cmsqagpublic.qg3.apps.qualys.com | 64.39.104.114 | 64.39.105.33 | HTTP, HTTPS | Outgoing |
qpatchpublic.qg3.apps.qualys.com | 64.39.104.115 | 64.39.105.34 | HTTP, HTTPS | Outgoing |
qgadmin.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4112 | 2602:fdaa:c3:1::ac1a:0242 | HTTP, HTTPS | Outgoing |
scanservice1.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4115 | 2602:fdaa:c3:1::ac1a:0247 | HTTP, HTTPS | Outgoing |
download.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4116 | 2602:fdaa:c3:1::ac1a:0249 | HTTP, HTTPS | Outgoing |
distribution.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4113 | 2602:fdaa:c3:1::ac1a:0245 | HTTP, HTTPS | Outgoing |
monitoring.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4114 | 2602:fdaa:c3:1::ac1a:0246 | HTTP, HTTPS | Outgoing |
qualysapi.qg3.apps.qualys.com | 2602:fdaa:2:801::ac10:4110 | 2602:fdaa:c3:1::ac1a:0241 | HTTP, HTTPS | Outgoing |
qagpublic.qg3.apps.qualys.com | 2602:fdaa:0:4801::ac10:4119 | 2602:fdaa:c4::ac1a:0220 | HTTP, HTTPS | Outgoing |
Scanner IPv6 block | 2600:c02:1020::/48 2603:c0f2:5001:4500::/56 2602:fdaa::/48 | 2602:fdaa:c5::/48 | ANY | Incoming & Outgoing |
Scanner IPv4 block | 64.39.96.0/20 139.87.112.0/23 | 64.39.103.0/24 | ANY | Incoming & Outgoing |
Customers are recommended to allowlist Qualys’ own IP supernet 64.39.96.0/20 & 2602:FDAA::/36, instead of individual IP, which will prevent them from allowing individual IP.