IBM Support

Migrating existing Security Network IPS policies to the Security Network Protection sensor

Question & Answer


Question

What is the process to migrate the security policies from an existing Security Network IPS (GX) sensor to a Security Network Protection (XGS) sensor?

Answer

 
Migrate GX to XGS Policy (6:02)
This video Explains how to use the utility to migrate existing GX policies to a new XGS policy.
Watch the video on the IBM Security Learning Academy (6:02)
 

Important: If you have updated the SiteProtector Database component to version 3.1.1.18 or later, you can only migrate directly from firmware 4.6.2 GX policies.

Items for consideration and planning prior to performing the migration

  • If policies are already deployed. They will be overwritten with the settings migrated from the GX and will not be preserved. The migration is intended as the first step of XGS configuration and deployment.
  • Any XGS specific configuration should be done after the GX to XGS policy migration is complete.
  • If you want to preserve current XGS policies, you can move them to a different policy repository than the one that contains the GX policies being migrated.
  • GX to XGS migration is only supported on SiteProtector 3.1 and later.
  • GX to XGS migration is only supported for group level policy deployments. Policies that are locally configured or deployed at the agent level can not be migrated.
  • If your SiteProtector Database is version 3.1.1.17 or earlier, you can only migrate firmware 4.6.1 GX policies to XGS.
  • The option to migrate firmware 4.6.2 GX policies was added in SiteProtector Database version 3.1.1.18 and later.
  • If your GX sensor is running a firmware version lower than 4.6.1, you must first update the GX firmware before attempting the migration.
     
Migration process
 
  1. In the Policy view, select IBM Security Network Protection as the Agent Type.
     
  2. Select the Site or top level group that contains the policy repository that you want to migrate and then click Action > Updates > Migrate Agent Policy Version.
     
  3. In the Migrate Agent Policy Version window, select IBM Security Network Protection as the Agent Type.
     
  4. Click the Upgrade Details icon and select the following:
    • 4.6.2.1 from the Migrate From Firmware Version list
    • 4.6.2.2 from the Migrate to Firmware Version list
       
  5. Click OK, and wait until the migration task is complete.

    Tip: To view the task status, right-click the site that you are migrating and select Properties > Command Jobs.
     
  6. Select the first group in the Site or top-level group that you are migrating and then click Action > Updates > Migrate Agent Policy Version. If you do not have any subgroups that belong to the policy repository you are migrating, select the same group or site that you selected in Step 2.

    Important: Do not select any subgroup that contains its own policy repository during this step. You must migrate each policy repository separately by following the steps in this article.
     
  7. Click the Upgrade Details icon and select the following:
    • 4.6.2.2 from the Migrate From Firmware Version list
    • 5.1.2 from the Update to Firmware Version list.

      Important: Even though you select 5.1.2 as the Update to Firmware Version, the migration will generate version 5.2 policies. Do not select 5.2 as the Update to Firmware Version or perform another migration from 5.1.2 to a newer version. Doing so causes the policies migrated from the GX to the XGS to be lost.
    • If the version to which you are migrating can update itself, select the Update Agents check box and then select a date and time.
    • To prompt agents to update immediately, select the Force affected agents to heartbeat check box.
       
  8. Click OK, and wait until the migration task is complete.

    Tip: To view the task status, right-click on the site you are migrating and select Properties > Command Jobs.
     
  9. If your Site or top-level group contains more groups to be migrated, repeat Steps 6 - 8 for each group.

    Note: You do not need to repeat the migration for subgroups of the group you selected in step 6. Subgroups are included in the group migration.

    If your XGS sensors are running firmware 5.2, the migration process is now complete. If you are running a more recent firmware version, continue following the instructions listed below.
     
  10. Select the first group in the Site or top-level group you are migrating and then click Action > Updates > Migrate Agent Policy Version. If you do not have any subgroups that belong to the policy repository you are migrating, select the same group or site you selected in Step 2.

    Important: Do not select any subgroup that contains its own policy repository during this step. You must migrate each policy repository separately by following the steps in this article.
     
  11. Click the Upgrade Details icon and select the following:
    • 5.2 from the Migrate From Firmware Version list.
       
  12. Select the current firmware version of your XGS sensors from the Update to Firmware Version list.
     
  13. If the version to which you are migrating can update itself, select the Update Agents check box and then select a date and time.
     
  14. To prompt agents to update immediately, select the Force affected agents to heartbeat check box.
     
  15. Click OK and wait until the migration task is complete.

    Tip: To view the task status, right-click on the site you are migrating and select Properties > Command Jobs.
     
  16. If your Site or top-level group contains more groups to be migrated, repeat steps 10 - 12 for each group.

    Note:
      • You do not need to repeat the migration for subgroups of the group you selected in step 10 subgroups are included in the group migration.
      • If the migration process gets stuck at 0% and the cancel option is grayed out, restart the Sensor Controller service wait 10 minutes. Refresh the SiteProtector Console the migration job is marked Unknown and you can try again.

[{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Intrusion Prevention Module (IPM)","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2.0;5.3;5.3.1;5.3.2;5.3.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"ARM Category":[{"code":"a8m500000008YQ6AAM","label":"ATS-Infrasec->Network XGS->Install"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
08 February 2021

UID

swg21680386

Page Feedback