Qualys asset tracking: All you need to know

I probably get more questions about Qualys asset tracking than about anything else regarding Qualys. Many people misunderstand Qualys asset tracking. It’s really easy to mess it up, and things can go horribly wrong if you do.

What you need to know about Qualys asset tracking

Qualys can track assets by one of four methods, three of which are available via scanning. When you scan your network, you can track by IP address, NetBIOS name, or DNS name.

Tracking by IP address is the default option since it’s the least common denominator. It’s also the worst option in a DHCP environment. When using DHCP, Qualys recommends using DNS name, as long as your DNS servers are fast and accurate. If your Active Directory works well, DNS is probably a great option. If your Active Directory is a mess, DNS may not be as good. How do you know if your Active Directory is a mess? If you have to ask, it probably isn’t.

NetBIOS works in Windows environments, with the caveat that some devices don’t have a NetBIOS name. It’s somewhat rare, given that not interacting with Microsoft stuff severely limits your market. Even most Macs have NetBIOS names in corporate environments so they can share files and print. After all, who wants a Mac that can’t print?

When you change the tracking to NetBIOS or DNS, it changes the key field in the backend database for that object. That way, when the machine moves around on the network, Qualys doesn’t create new records, and you don’t get duplicate assets with duplicate vulnerabilities. Having duplicate assets with duplicate vulnerabilities in your scan results isn’t a good way to make friends.

Changing asset tracking from the user interface

Editing asset tracking from Asset Search used to be broken. It appears that if you search for assets in Asset Search and change the host tracking there, it works now. I was always told to change from the Host Assets tab, but the Asset Search functionality appears to work now, and it’s certainly more convenient.

Navigate to Vulnerability Management > Assets > Asset Search. Under Asset Groups, select All. Check the box next to Tracking Method and select (presumably) IP Address. You can fine-tune your search too. If you have a naming convention, select NetBIOS hostname and enter some search criteria. Failing that, you can select Operating System, select contains, and type Windows 7 or Windows 10 to find workstation operating systems.

Click Search and you get a list of IP-tracked workstations. Scroll down to the results, check the select all box at the top, then from the actions menu at the top, select Edit and click Apply. From the resulting screen, select DNS or NetBIOS and click Save.

You can also change the tracking method from the Host Assets tab in the UI, but without any search or filtering capability. It’s a good idea to navigate to the Host Assets tab and spot check to make sure your IPs did indeed change tracking methods there.

Changing asset tracking via the API

You can also change asset tracking via the API, which is pretty fast. There’s an example API call on or around page 234 of the Qualys API Guide V2. Simply make a call with the IP addresses you want to change.

Unlike the user interface, the API does no error checking. In the user interface, if you try to change an IP with a blank hostname to DNS or NetBIOS tracking, you get an error. You also get an error if just one of the many IPs you selected has a blank hostname, and in that case the valid ones aren’t changed either. The API has no such check. It just makes the change.
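Because the API will happily move a host with a blank name to DNS or NetBIOS tracking (after which scans skip it), it is worth reproducing the user interface’s check client-side before calling it. The script below is an added example, not code from the original post or from Qualys: the host-list XML is a constructed sample modelled on the v2 host list output, and the update endpoint and its parameter names (action, ips, tracking_method) are assumed from the v2 API guide’s asset/host update call.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample modelled on the v2 host list XML: three hosts, one of
# which has no DNS name and one of which is already DNS-tracked.
SAMPLE_HOST_LIST = """<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>1</ID><IP>10.0.0.5</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
  <DNS>ws01.corp.example</DNS><NETBIOS>WS01</NETBIOS></HOST>
<HOST><ID>2</ID><IP>10.0.0.6</IP><TRACKING_METHOD>IP</TRACKING_METHOD>
  <DNS></DNS><NETBIOS>WS02</NETBIOS></HOST>
<HOST><ID>3</ID><IP>10.0.0.7</IP><TRACKING_METHOD>DNS</TRACKING_METHOD>
  <DNS>ws03.corp.example</DNS><NETBIOS></NETBIOS></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"""

def eligible_ips(host_list_xml, target):
    """Split hosts into (ok, skipped) for a move to `target` ('DNS' or
    'NETBIOS'): ok = has a non-blank name of that kind; skipped = blank name,
    which the API would accept but which scans would then skip."""
    if target not in ("DNS", "NETBIOS"):
        raise ValueError("target must be DNS or NETBIOS")
    ok, skipped = [], []
    for host in ET.fromstring(host_list_xml).iter("HOST"):
        if host.findtext("TRACKING_METHOD") == target:
            continue  # already tracked the way we want; nothing to change
        ip = host.findtext("IP", "")
        name = (host.findtext(target) or "").strip()  # <DNS> or <NETBIOS>
        (ok if name else skipped).append(ip)
    return ok, skipped

def build_update_request(ips, target):
    """Form body for POST /api/2.0/fo/asset/host/ (assumed from the v2 API
    guide's host update call; send it with basic auth and the
    X-Requested-With header). Returns None rather than an empty update."""
    if not ips:
        return None
    return urlencode({"action": "update", "ips": ",".join(ips),
                      "tracking_method": target})

if __name__ == "__main__":
    ok, skipped = eligible_ips(SAMPLE_HOST_LIST, "DNS")
    print("POST body:", build_update_request(ok, "DNS"))
    print("kept on IP tracking (blank DNS name):", skipped)
```

Run the same split with "NETBIOS" as the target to see the third host land in the skipped list instead.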

A weird error condition

If you scan an IP that’s being tracked by DNS or NetBIOS and the device on it doesn’t have a registered DNS or NetBIOS name, Qualys will skip it. It will note this in the scan results, but if you’re not familiar with this behavior, it can be unclear why. Qualys states a generic list of possible conditions: no data found for this host, no host alive, one or more hosts on the excluded hosts list, or no open port found.

If this happens to you and you’re pulling your hair out as to why the device won’t scan, check its asset tracking method and switch it back to IP for the time being.

What about existing scans?

There’s no need to change your existing scans. It’s best to still scan IP ranges. Scanning by hostname is less reliable than scanning by IP. Also, you really need to scan the unknown to see what’s out there. Only scanning known assets is a common thing vulnerability management programs get wrong.

Scanning by IP while tracking by NetBIOS or DNS name works well.

Configuring your scanner appliances

If you’re going to use NetBIOS name, it’s a good idea to configure your Qualys scanner appliances with a WINS server. Qualys won’t use WINS if it doesn’t need it, but if it needs WINS and doesn’t have it, it may fail to find NetBIOS names during scans.
