Tag Support for Authentication Records

Asset tags are supported for Windows and Unix authentication records, when this feature is enabled for your subscription.

With this support, you have the option to define target hosts in your authentication records using asset tags instead of adding IP addresses/ranges to the record. At scan time, we’ll resolve the asset tags in the record to IP addresses in your account and scan them using the login credentials defined in the record. The tag selection is similar to other existing workflows with tag support.

Prerequisites

Please reach out to your Technical Account Manager or Qualys Support to have these features enabled.

- Asset Tagging must be enabled for your subscription.

- Tag Support for Authentication Records must be enabled for your subscription.

Some considerations and limitations for Initial Release

Please note the following for this initial release:

- Asset tags are supported in Unix and Windows authentication records only.

- Asset tags are resolved at scan launch time and this could result in performance degradation.

- You cannot search for authentication records by asset tag.

- You cannot remove hosts from authentication records with tags using the “Remove Hosts” workflow from the Actions menu.

- Certain application and database authentication records require a Windows or Unix record with the same IP address(es) defined. In this case, you must create your Windows/Unix record with IPs/ranges. We cannot compare the IP addresses in the application/database record against asset tags in your Windows/Unix record because tag resolution does not take place until scan launch time.  

- Be careful not to save multiple records of the same type with the same tag included. The tag will be resolved to an IP address at scan time, and it will match multiple records in your account. If those records have different login credentials defined, then authentication could fail depending on which record is used by the scanner. We do not have validation in the authentication record to prevent you from selecting an individual tag that is already used in another record of the same type.

- When selecting tags using the API, we only validate whether the tags specified in your request are valid. We do not filter out system root level tags, such as Asset Group and Business Unit. We also do not check that the tags selected for a record with asset type “IP Range in Tag Rule” are valid for this asset type. Be mindful when making your tag selection.

Configuring Windows and Unix Authentication Records

When your subscription has Tag Support for Authentication Records enabled, you'll see additional options for specifying hosts using asset tags. Choose an asset type and then add IPs or tags to the record.

Note for Windows records - For domain authentication, you can only add assets when the domain type is “NetBIOS, User-Selected IPs”. The Assets section is disabled when the domain type is “NetBIOS, Service-Selected IPs” or “Active Directory”.  

Asset Type: IPs/Ranges

Use this option to add IP addresses/ranges to the record. Enter the IP addresses/ranges in the field provided. (Same as in previous releases.)

Asset Type: IP Range in Tag Rule

Use this option to add tags that have IP address ranges defined in the tag rule. All IP addresses defined in the tag rule will be associated with the record, including IPs that don’t already have the tag assigned. Click Add Tag to pick tags to include or exclude. Note that only tags with the dynamic tag rule “IP Address in Range(s)” will be available in the tag selector.

Asset Type: Asset Tags

Use this option to add tags to the record for the assets you want included. IP addresses with the selected tags already assigned will be associated with the record. Click Add Tag to pick tags to include or exclude.

Multiple records of the same type with the same TagSet cannot be saved

When you save a record with asset tags, we look at the combination of tag settings, including the asset type (“IP Range in Tag Rule” or “Asset Tags”), the Included tags and tag scope (any, all), and the Excluded tags and tag scope. The combination of these settings creates a single TagSet on the backend. If you try to create another record of the same type with the same TagSet, then an error will appear. If any of the tag settings are different, then a new TagSet is created and you will be allowed to save the record.
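
The TagSet check above rejects only identical combinations, while the earlier limitation warns that one tag reused across records of the same type is not validated. The following added example (not Qualys code) models both checks over constructed records; the field names and the order-insensitive TagSet key are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records. Field names are hypothetical for this example
# and do not mirror any Qualys API or export format.
def rec(title, rtype, include, exclude=(), inc_scope="any", exc_scope="any",
        asset_type="Asset Tags"):
    return {"title": title, "type": rtype, "asset_type": asset_type,
            "include": list(include), "include_scope": inc_scope,
            "exclude": list(exclude), "exclude_scope": exc_scope}

RECORDS = [
    rec("unix-prod", "unix", ["Linux", "Prod"]),
    rec("unix-dmz", "unix", ["Linux"], exclude=["Decommissioned"]),
    rec("unix-prod-copy", "unix", ["Prod", "Linux"]),
    rec("win-prod", "windows", ["Prod"], inc_scope="all"),
]

def tagset_key(r):
    """Record type plus the settings the page lists as forming a TagSet.
    Treating tag order as irrelevant is an assumption."""
    return (r["type"], r["asset_type"],
            frozenset(r["include"]), r["include_scope"],
            frozenset(r["exclude"]), r["exclude_scope"])

def duplicate_tagsets(records):
    """Groups of same-type records with an identical TagSet (blocked on save)."""
    groups = defaultdict(list)
    for r in records:
        groups[tagset_key(r)].append(r["title"])
    return sorted(sorted(titles) for titles in groups.values() if len(titles) > 1)

def shared_include_tags(records):
    """Included tags reused by same-type records whose TagSets differ.
    The save-time check does not catch these, so credentials may conflict."""
    by_tag = defaultdict(set)
    for r in records:
        for tag in r["include"]:
            by_tag[(r["type"], tag)].add((r["title"], tagset_key(r)))
    return {key: sorted(title for title, _ in users)
            for key, users in by_tag.items()
            if len({ts for _, ts in users}) > 1}

if __name__ == "__main__":
    print("Identical TagSets:", duplicate_tagsets(RECORDS))
    for (rtype, tag), titles in shared_include_tags(RECORDS).items():
        print(f"Tag {tag!r} reused across {rtype} records: {titles}")
```

Findings from the second check are candidates for review rather than confirmed conflicts, since excluded tags and tag scope can still keep the resolved IP sets apart.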