Configure AppScan 360° to support Presence for DAST Scanning

This document provides a step-by-step guide for users on how to set up AppScan 360° to support DAST scanning of Web Applications deployed on isolated networks.

Prerequisites

Before starting the setup process, ensure you have the following:

  • K8S Gateway - Before installation, verify that a Kubernetes gateway is available that supports Gateway API v1.4 (or later), has the TLSRoute API enabled, and supports TLS passthrough.

    If an Istio gateway is used, the following environment variable should be set in the customization:
    env:
      PILOT_ENABLE_ALPHA_GATEWAY_API: true ## Necessary for TLSRoute passthrough
  • Access to modify DNS records or hosts files on the machines running the Presence.

For each DAST scan that uses the Presence, a dedicated tunnel is created. All tunnels share the same tunnel server IP address, but each uses a different FQDN, which lets the gateway route the connection to the matching DAST scanner within the K8S cluster.

Customization File Parameters

To enable this, the following settings must be configured in the customization file before deployment:
Parameter: CK_CONFIGURATION_DISCLOSED_TUNNEL_HOST_MAX_ID
  Description: Defines the total size of the tunnel server pool available for load balancing. This integer is the upper limit of the round-robin index used when routing connections; the system generates hostnames using indices from 0 up to TunnelHostMaxId - 1.
  Constraint: Ensure this value matches the number of DNS records provisioned for the environment.
  Example: A value of 5 enables indices 0 through 4.

Parameter: CK_CONFIGURATION_DISCLOSED_TUNNEL_HOST_NAME_PATTERN
  Description: The hostname template used to route traffic to specific tunnel server instances. The pattern must contain the placeholder {0}, which the system replaces with the 3-digit, zero-padded server index (e.g., 000, 001).
  Constraint: The domain part of the pattern must match the DNS entries mapped to the Kubernetes Gateway listener IP.
  Example: tap-{0}.as360.example.com resolves to tap-000.as360.example.com, tap-001.as360.example.com, etc.
Important: The number of hosts should be at least the number of concurrent DAST scans that will run using Presence.

Configuring DNS for Tunnel Server Load Balancing

To ensure proper connectivity across the tunnel servers, you must configure your DNS records to map the generated hostnames to the Kubernetes Gateway Listener IP.

Prerequisites:
  1. Obtain the Gateway Listener IP address.
  2. Identify the Host Name Pattern (e.g., tap-{0}.as360.example.com).
  3. Identify the Max Host ID (the number of tunnel instances).

DNS Record Format:

The system uses a round-robin indexing strategy. You must create DNS records for every index from 0 to Max Host ID - 1.
  • Note: The index is always formatted as a 3-digit number with zero-padding (e.g., 0 becomes 000).

Option A: Wildcard Record (Recommended)

If your security policies allow, create a single wildcard CNAME or A record. This is the simplest approach to maintain.

  • Record: *.as360.example.com ⇒ [Gateway Listener IP]

  • Note: This covers all current and future tunnel indices automatically.

Option B: Explicit Records

If wildcards are not permitted, you must explicitly add a record for every possible index.

Example Scenario:

  • Pattern: tap-{0}.as360.example.com

  • Max Host ID: 5 (Indices 0 to 4)

  • Gateway IP: 192.168.1.50

You would create the following 5 DNS records:

Index  Generated Hostname           Target
0      tap-000.as360.example.com    192.168.1.50
1      tap-001.as360.example.com    192.168.1.50
2      tap-002.as360.example.com    192.168.1.50
3      tap-003.as360.example.com    192.168.1.50
4      tap-004.as360.example.com    192.168.1.50

Option C: Set the Hosts File on the Machines that run the Presences

If you do not have access to the corporate DNS server or need a quick, local solution for resolving the hostnames, you can manually set the host-to-IP address mapping on the individual machines that host the Presences.

This method overrides the standard DNS resolution for the specific entries you add.

This is a common workaround in environments where:

  • You lack the necessary permissions to modify the central DNS server.

  • The target application is only accessible via a private or specific network segment, and the global DNS entry is either missing or incorrect for the Presence machine.

  • You are testing a new application setup before its official DNS entry is propagated.

Procedure for Modifying the Hosts File

The hosts file is a plain-text operating system file that maps hostnames to IP addresses. Its location varies depending on the operating system:

Operating System   Default Hosts File Location
Windows            C:\Windows\System32\drivers\etc\hosts
Linux              /etc/hosts

Example of a Hosts File Entry:

To ensure that the DAST Presence machine resolves the target hostname tap-000.as360.example.com to the IP address 192.168.1.50, add the following line to the hosts file:
192.168.1.50 tap-000.as360.example.com # AppScan 360 DAST Target IP
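The following Python script is an added example, not part of the AppScan 360° documentation: it expands the host name pattern exactly as described above (indices 0 to Max Host ID - 1, zero-padded to 3 digits), renders the Option C hosts-file lines, derives the Option A wildcard record, and checks that every generated hostname resolves to the Gateway Listener IP, which is the check to run before assuming the configured MAX_ID and the provisioned DNS records agree. The pattern, max ID and IP are the document's sample values; the function names are assumptions of this example.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample values, taken from the example scenario above.
PATTERN = "tap-{0}.as360.example.com"   # CK_CONFIGURATION_DISCLOSED_TUNNEL_HOST_NAME_PATTERN
MAX_ID = 5                              # CK_CONFIGURATION_DISCLOSED_TUNNEL_HOST_MAX_ID
GATEWAY_IP = "192.168.1.50"             # Gateway Listener IP


def tunnel_hostnames(pattern: str, max_id: int) -> List[str]:
    """Expand the pattern for indices 0..max_id-1, zero-padded to 3 digits."""
    if "{0}" not in pattern:
        raise ValueError("pattern must contain the {0} placeholder")
    if not 1 <= max_id <= 1000:
        raise ValueError("max_id must be between 1 and 1000 (3-digit index)")
    return [pattern.replace("{0}", f"{i:03d}") for i in range(max_id)]


def hosts_file_lines(pattern: str, max_id: int, ip: str) -> List[str]:
    """Render one hosts-file line per tunnel host (Option C)."""
    return [f"{ip} {h} # AppScan 360 DAST tunnel host"
            for h in tunnel_hostnames(pattern, max_id)]


def wildcard_record(pattern: str) -> str:
    """Return the single wildcard name (Option A) that covers every index.
    Only valid when {0} sits in the leftmost DNS label of the pattern."""
    first, _, rest = pattern.partition(".")
    if "{0}" not in first or "{0}" in rest:
        raise ValueError("{0} must be in the leftmost label for one wildcard")
    return "*." + rest


def check_resolution(pattern: str, max_id: int, expected_ip: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve every generated hostname; return {hostname: problem} for any
    that do not resolve or resolve to something other than the gateway IP."""
    problems: Dict[str, str] = {}
    for host in tunnel_hostnames(pattern, max_id):
        try:
            got = resolve(host)          # socket.gaierror is a subclass of OSError
        except OSError as exc:
            problems[host] = f"does not resolve ({exc})"
            continue
        if got != expected_ip:
            problems[host] = f"resolves to {got}, expected {expected_ip}"
    return problems


if __name__ == "__main__":
    print("\n".join(hosts_file_lines(PATTERN, MAX_ID, GATEWAY_IP)))
    for host, why in check_resolution(PATTERN, MAX_ID, GATEWAY_IP).items():
        print(f"DNS problem: {host}: {why}")
```

An empty result from check_resolution means every index the scanner can generate is routable to the gateway; any entry listed is a scan slot that will fail to connect.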