nsaman
Level 7
Message 1 of 8

McAfee SIEM End of Life appliance replacement

Hi,

We are in the process of replacing the following hardware within our SIEM environment because it is going to become end of life at the end of this year.

The appliances are: ERC, APM, ACE, DSM

My question is, what is the process that needs to be followed to replace these appliances without losing data or configuration that is stored on these appliances? This is going to be a one-for-one swap, but the new appliances will have new hardware (Gen 4). The appliances we are replacing them with will contain the same software version 10.1.1 and the same network settings (example: IP, NetMask, etc.).

Thank you for your help in advance.

Nash

7 Replies
rth67
Level 12
Message 2 of 8

Re: McAfee SIEM End of Life appliance replacement

As long as you give the new appliances the same IP Address, all you have to do is take down the old appliance, connect up the new appliance, re-key it, upgrade it to the same version you are on, write any data sources and VM info from ERC, write databases on the DSM, write the correlation engines on the ACE, then rollout policy.

The configuration for the appliances is kept on the ESM.

Don't forget to enable Ping once you are keyed, if you are used to being able to get ping replies from your equipment.

We have replaced almost all of our old Gen3 equipment over the past 2+ years (ESM, ELM, ACE, APM, DSM, 10 ERC's)

sssyyy
Reliable Contributor
Message 3 of 8

Re: McAfee SIEM End of Life appliance replacement

What about the old system settings/configurations and data? Since the new and old devices are different models, I assume you can't do a full backup and restore onto the new device, since backup/restore is model dependent? Or should the subsidiary devices get swapped out first, and then do the ESM last? Maybe there is a device refresh guide that I haven't seen yet.

nsaman
Level 7
Message 4 of 8

Re: McAfee SIEM End of Life appliance replacement

sssyyy

I agree with you. If we are going to replace the receiver and re-key it, would there need to be some type of steps afterward to import the configuration from the old receiver to the new one, since this will be a new entry within SIEM?

rth67
Level 12
Message 5 of 8

Re: McAfee SIEM End of Life appliance replacement

The "settings" for a Receiver are stored on the ESM. As long as you give a replacement Receiver the same IP, you Key it, write the Data Sources, VA info, and push policy. You do not have to export / import anything.

As for the ESM, we set up a Primary / Redundant relationship between our X3 and X6. Once everything was sync'd, we made the X6 the primary and took the X3 offline. Best bet is to open a ticket with support ahead of time, see what they have to say, and keep it open until you are done.

sssyyy
Reliable Contributor
Message 6 of 8

Re: McAfee SIEM End of Life appliance replacement

So, you are saying leave the ETMs to last, replace the ERC, ELM, ACE first via re-key. But what are you going to do with the ETMs? Also, I believe you can only do primary/redundant with same models of ETMs, or is that a myth? Fail-over to redundant as primary, replace the old-primary and fail-back and then replace the redundant?

rth67
Level 12
Message 7 of 8

Re: McAfee SIEM End of Life appliance replacement

You don't have to leave your ESMs till last. We did ours in about the middle; it depends on whether you have budget money to purchase everything at once, or if you have to spread your purchases over multiple quarters / years as we had to.

You can do Primary / Redundant with dissimilar hardware, when going from smaller to larger anyway. Where you may run into problems is if you tried to go from larger to smaller, as the sync process tries to sync drive to drive. So if the Primary has larger drives than the Redundant, there may be issues during the sync, or so I've heard.

sssyyy
Reliable Contributor
Message 8 of 8

Re: McAfee SIEM End of Life appliance replacement

Good to know. Did you have to play with the Primary/Redundant ETM fail-over a bit when swapping out the ETM devices?
