Looking for ideas on how to migrate x8 McAfee IPS sensors which are being managed by an existing McAfee NSM to a new McAfee NSM.
The IPS sensors are as follows:
(a). x4 M6050
(b). x4 M3050
The existing NSM, the new NSM and all the IPS devices are all in the same location.
Can I please get some guidance/steps on how to successfully migrate these sensors from the current NSM to the new NSM?
Moving the devices from one manager to another is pretty easy. Full instructions are in the Installation guide; the basic steps are below.
Log on to the sensor you want to move.
Enter the command "deinstall"
This will remove the trust between the sensor and the manager. Enter the command "status" to see when the deinstall is complete.
Once the deinstall is complete the sensor should show as disconnected in the manager interface. Now delete the sensor from the manager. (Sometimes the sensor still appears in the manager after you delete it. Stopping and starting the manager service will force it to remove) Devices > Add and Remove Devices
On the new manager add the sensor. Devices > Add and Remove Devices
Enter the sensor name (case sensitive) and type of device then the Shared secret key
Log on to the sensor and enter the command "set manager ip xxx.xxx.xxx.xxx" (where xxx.xxx.xxx.xxx is the IP address of the manager).
Then enter the command "set sensor sharedsecretkey"; you will be prompted to enter the same shared key you entered on the manager and to confirm it.
Use the status command to see when communication is established.
If your managers are in an MDR pair it normally takes 15 - 30 minutes for the secondary manager to establish trust with the sensor.
If you don't already have it, download a copy of the CLI guide for your version of NSM from the McAfee support site.
Let me know if you have any more questions.
Thanks for the prompt response - really appreciated.
I will also need to export the policies related to the sensors from the existing NSM to the new NSM environment. But the existing NSM manages other sensors which are deemed 'sensitive'.
Is it possible to just export ONLY the policies relating to the sensors I will be migrating to the new environment NSM without touching the other sensors on the existing NSM?
Does it really matter if I export the policies at the 'Group' level or export at each individual sensor level?
Apart from the steps you already mention in your response, do I need to perform any extra config steps or require config files from the existing NSM to get the new NSM environment to successfully manage the sensors I have migrated?
Are the old and new managers different versions of NSP? Are you using a Central manager to define your policies or just regional managers?
If they are running the same software version you could take a config backup of the existing manager and restore it to the new manager; this would copy all of your policies etc. If possible, it's probably better to start with a clean install and recreate the policies etc. that you need, to avoid bringing old or unused settings to your new manager.
Yes, you should be able to export individual policies. I'm using version 8.2 so these settings could be slightly different for you.
To see what policies are currently applied to your sensor go to Policy > Intrusion Prevention > Policy Manager to see a list of your sensors and the policies applied to them.
To export policies go to Policy > Intrusion Prevention > Advanced > Policy Export >
Select the type of policy you want to export and select the individual policies.
On the new manager go to Policy > Intrusion Prevention > Advanced > Policy Import > to import them.
For your second question, this depends on the way your sensor is set up. The steps in my last post will get the sensor set up and the manager to manage it. There may be additional configuration required if you have other types of policies configured or Exception or Objects etc.
You really just need to go through your existing configuration and see what is currently set up and what you need to copy or recreate.
If you are changing versions of NSM you need to look and see if any features have changed or been deprecated.
Please see below answers to your questions and additional info:
Is there any reason you are not just adding the new manager to the existing Central manager? If you have multiple NSMs it's easier to manage your policies etc. from the Central manager.
The policies should be the same on the central and regional managers so you should not have an issue.