Security Network IPS policy migration

If you want to use policies that you defined for your Security Network IPS appliances on your IBM QRadar Network Security appliances, you can migrate the incompatible IPS versions of some of the policies to groups of Network Security appliances in the SiteProtector™ System.

The policy migration feature is intended to generate Network Security policies that are equivalent to the policies that are deployed to the Security Network IPS. An exact migration is not possible due to the differences between the two products.
Important:
  • If you want to preserve your current Network Security 5.2 policies and you do not want them to be overwritten by the Security Network IPS policy migration, you can create a new policy repository in the SiteProtector System and move the policies to the new repository.
  • Security Network IPS policy migration to Network Security appliances is supported only on SiteProtector System 3.1.1 and later.
  • Security Network IPS policy migration to Network Security appliances is supported only for policy deployment at the group level. You cannot migrate policies at the agent level or policies that you configured locally.
Any specific Network Security configuration must be done after the migration is complete. Any changes that were made to the following policies and objects are discarded during the migration:
  • Intrusion Prevention Policy
  • Network Access Policy
  • Event Filter Policy
  • Address List and Group Objects
  • SNMP, email, packet capture response objects
  • IPS service objects
  • SSL Decryption policy
  • Inbound SSL Decryption policy
Any other policies that are deployed are not overwritten by the migration. However, any policies that use previously configured address lists, address groups, IPS services, or response objects are affected, as those objects are overwritten by the migration. This causes the appliance to reject the policy deployment from the SiteProtector System. If you deployed policies on the Network Security appliance, you must remove them from the appliance before you start the migration. After the migration is complete, you can add the policies again. You must redefine the objects that are used in these policies after the migration is complete.
Tip: If you previously created and deployed policies and you do not want them to be overwritten by the migration, you can create a new policy repository in the SiteProtector System and move the policies to the new repository. If you only perform the migration in the old repository, the policies in the new repository is not affected.
Only the following Security Network IPS policies are migrated to the Network Security appliance:
  • Protection Domains Policy
  • Global Responses Policy
  • X-Force® Virtual Patch® Policy
  • Security Events Policy
  • Web Application Protection policy
  • Response Filter Policy
  • Tuning Parameters Policy (partially)
  • NTP Configuration Policy (requires Network Security 5.3.1.2 with SiteProtector System DBSP 3.1.1.18 to migrate this policy)
  • Remote Flow Data Collection Policy (requires Network Security 5.3.1.2 with SiteProtector System DBSP 3.1.1.18 to migrate this policy)
Any configuration that is contained in other Security Network IPS policies is not migrated to the Network Security appliance.
Parent topic: Security Protection Settings
Related tasks:
Migrating Security Network IPS group policies to Network Security groups
Related reference:
Security Network IPS (GX) policies supported for migration to IBM QRadar Network Security (XGS) appliances