QualysGuard 8.0 New Features
Last updated on: June 3, 2020
Table of Contents
QualysGuard 8.0 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:
- Featured Enhancement: Overlapping IP support
- Vulnerability Management
- Improvements to the SSL Certificates List
- Configure Multiple PCI Option Profiles
- Security Risk Score Summary Added to XML and CSV Reports
- Policy Compliance
- Golden Image Policy Organized Into Sections
- Select Individual IPs for Your Policy Reports
- Control Checksum Requirement Removed from Policy XML
- QualysGuard Platform
- New Look and Feel for QualysGuard Express
- Improved IP Selection
- QualysGuard API Enhancements
QualysGuard 8.0 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC), QualysGuard Cloud Platform and the API.
For release notifications containing details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:
- US Platform 1
- US Platform 2
- EU Platform
- API Notifications (for all platforms)
Featured Enhancement: Overlapping IP Support
With QualysGuard 8.0 customers can now manage overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private networks to keep overlapping blocks isolated from each other. This is a common need that appears in many use cases including:
- M&A events;
- Air gap networks;
- Business continuity/disaster recovery
- Dev/test,
- IaaS environments;
- "Cloned" small office networks.
These different network zones can now be easily defined and separated within QualysGuard through the UI and API.
To take advantage of this new capability, the administrator uses the new “Networks” tab under Assets, defines a new network, and assigns a scanner. Once defined, one can perform asset discovery, launch a vulnerability scan, run reports, and track mitigation on that network as a specific entity. Assigning scanners to networks resolves the issue of duplicate IP addresses occurring in different networks, but allows the administrator to maintain centralized management across the entire organization.
Create a Network
Discover Assets on Your New Network
Scan Your Network
QualysGuard Vulnerability Management (VM)
Improvements to the SSL Certificates List
We’ve made several improvements to the SSL Certificates list to make managing your certificates even easier. Relationships are now maintained between a given certificate and the ports, services, or even different hosts on which it is found, which helps prevent duplicate entries and simplifies reporting and remediation efforts. The reason for an invalid status now appears in a preview pane.
Configure Multiple PCI Option Profiles
With the QualysGuard 8.0 release you can configure multiple PCI option profiles with different performance settings. For example, you can create one profile set to High performance, another set to Normal performance, and a third set to Low performance. Then apply the appropriate profile to each scan based upon your network requirements.
Security Risk Score Summary Added to XML and CSV Reports
With this release vulnerability scan reports now include a security risk score summary for the report as a whole and per host, in all available report formats. Previously security risk metrics were not included in XML or CSV output types. As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The corresponding asset_data_report.dtd was updated.
QualysGuard Policy Compliance (PC)
Golden Image Policy Organized Into Sections
When you create a golden image policy, we automatically add controls to the policy for you. In the QualysGuard 8.0 release we now go one step further and organize those controls into sections based on the control category, giving your policy structure within the Policy Editor.
Select IPs for Your Policy Reports
You can now select individual IP addresses or ranges to include in your policy compliance report. Simply select the policy you want to report on and click the “Select IPs in policy” option. Then tell us which IPs/ranges from the policy you want to include in the report.
Control Checksum Requirement Removed from Policy XML
Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<base_URL>/api/2.0/fo/compliance/policy/policy_export_output.dtd).
QualysGuard Cloud Platform
New Look and Feel for QualysGuard Express
The QualysGuard Express UI has a new look and feel – you’ll notice more tips and details throughout the UI to help you with your configurations and tasks.
Here’s a look at the Scans section. Helpful details and links are shown on the screen to help you understand the different scan configuration options available to you in the Scans section. Similar details appear in the Reports and Remediation sections.
Improved IP Selection
You’ll now see a simple text field where you can directly enter IPs/ranges or paste them in. This new method for IP selection is used throughout the UI. You’ll see it when setting up your asset groups, configuring approved hosts lists for your domains, removing IPs from your subscription, and so on. If it seems familiar that’s because we introduced this change in authentication records in the last release.
QualysGuard API Enhancements
The QualysGuard API delivers these new capabilities and enhancements with this release. More information is available at QualysGuard® API Release Version 8.0 – 15 day notification.
- VM – “Security Risk Score” summary added to XML and CSV reports
- VM – Manage the EC2 Scan Workflow using the API
- VM and PC – Select Multiple Scanner Appliances for Scans
- VM and PC – Launch Reports using Asset Tags
- PC – Limit Policy Reports to Selected IPs
- PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
- PC – Policy XML updated to remove control checksum requirement
- PC – Posture Info API improvements
- Cloud Security Platform – Manage your Virtual Scanners using the API
- Cloud Security Platform – Network Support API
VM – Manage the EC2 Scan Workflow using the API
VM and PC – Select Multiple Scanner Appliances for Scans
VM and PC – Launch Reports using Asset Tags
PC – Limit Policy Reports to Selected IPs
PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
PC – Policy XML updated to remove control checksum requirement
PC – Posture Info API improvements
Cloud Security Platform – Manage your Virtual Scanners using the API
Cloud Security Platform – Network Support API
aly
a little bug ! what is behind:
This is a link to an API details post which has not yet posted. This will become a live link once that publishes.
Hi, good to see adding overlapping IP support. However, my client needs this for their multiple Amazon AWS Accounts. Will this feature be added to the EC2 Connector as well? I envisage that all assets imported with an EC2 connector would be automatically assigned to a network-id.
Secondly, an appliance that is in AWS VPC also needs to be assigned network-id.
Any comments?
Best regards
Vladimir
Vladimir:
Great use cases and definitely things that are on "the list" to add as automatic/integrated options for the EC2 Connector and overall EC2 solution workflow.
It will be fairly simple to automatically create one-to-one associations between an EC2-Classic region and a Network in Qualys.
Because of the availability of VPC Peering and other methods of connecting VPC private networks to each other (and to "home" networks via VPN and DirectConnect), one-to-many relationships can exist between Qualys "Networks" and VPCs. So our solution will need to provide the user with a self-configurable capability to create the relationships between VPCs and QualysGuard Networks that makes sense in their environment.
I have no estimate yet of when these features will arrive, but they are in the R&D queue.
Great new feature for VM!
Will this feature also work where we scan our External IP’s using the 'External' Appliances, and then also scan some of the same IP’s using our DMZ appliances?
Thus, could we assign the duplicate IP’s for the DMZ to a "New Network Zone" and scan them without over-writing the scan results from the External IP scan?
Regards
Steve
Yes, that DMZ use case would definitely be supported from a technical perspective.
In essence, the creation of a Network within QualysGuard will abstract an entire potential IPv4 network space (0.0.0.0 – 255.255.255.255).
I like the new features especially the Risk info on the xml and CSV reports. Saves time.
Mahalo, Mike