5 Replies Latest reply on Jul 15, 2015 9:46 AM by peter.mason

    How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM

    sokam

      Looking for ideas on how to migrate x8 McAfee IPS sensors which are being managed by an existing McAfee NSM to a new McAfee NSM.

      The IPS sensors are as follow;

      (a).  x4 M6050

      (b).  x4 M3050

       

      The existing NSM, the new NSM and all the IPS devices are all in the same location.

      Can I please get some guidance/steps on how to successfully migrate these sensors from the current NSM to the new NSM.

       

      Many thanks

        • 1. Re: How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM
          peter.mason

          Hi Sokam,

           

          Moving the devices from one manager to another is pretty easy. Full instructions are in the Installation guide, the basic steps are below.

           

          Log on to the sensor you want to move.

           

          Enter the command "deinstall"

           

          This will remove the trust between the sensor and the manager. Enter the command "status" to see when the deinstall is complete.

           

          Once the deinstall is complete the sensor should show as disconnected in the manager interface. Now delete the sensor from the manager. (Sometimes the sensor still appears in the manager after you delete it. Stopping and starting the manager service will force it to remove) Devices > Add and Remove Devices

           

          On the new manager add the sensor. Devices > Add and Remove Devices

           

          Enter the sensor name (case sensitive) and type of device then the Shared secret key

           

          Log on to the sensor and enter the command "set manager ip xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the ip address of the manager)

           

          Then enter the command "set sensor sharedsecretkey" you will be prompted to enter the same shared key you entered on the manager and to confirm it.

           

          Use the status command to see when communication is established.

           

          If your managers are in an MDR pair it normally takes 15 - 30 minutes for the secondary manager to establish trust with the sensor.

           

          If you don't already have it, download a copy of the CLI guide for your version of NSM form the McAfee support site.

           

          Let me know if you have any more questions.

           

          Peter

          • 2. Re: How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM
            sokam

            Hi Peter,

            Thanks for the prompt response - really appreciated.

            I will also need to export the policies related to the sensors from the exiting NSM to the new NSM environment. But the existing NSM manages other sensors which are deemed 'sensitive'.

            Is it possible to just export ONLY the policies relating to the sensors I will be migrating to the new environment NSM without touching the other sensors on the existing NSM?

            Does it really matter if  I export the  policies at the 'Group' level or  export at each individual sensor level?

            Apart from the steps you already mention in your response, do I need to perform any extra config steps or require config files from the existing NSM to get the new NSM environment to successfully manage the sensors I have migrated?

            Regards

            • 3. Re: How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM
              peter.mason

              Hi Sokam,

               

              Are the old and new managers different versions of NSP? Are you using a Central manager to define your policies or just regional managers?

               

              If they are running the same software version you could take a config backup of the existing manager and restore it to the new manager, this would copy all of your policies etc. If possible it's probably better to start with a clean install and recreate the policies etc that you need to avoid bringing old or unused settings to your new manager.

               

              Yes, you should be able to export individual policies. I'm using version 8.2 so these settings could be slightly different for you.

               

              To see what policies are currently applied to your sensor go to Policy > Intrusion Prevention > Policy Manager to see a list of your sensors and the policies applied to them.

               

              To export policies go to Policy >  Intrusion Prevention > Advanced > Policy Export >

               

              Select the type of policy you want to export and select the individual policies.

               

              On the new manager go to Policy >  Intrusion Prevention > Advanced > Policy Import > to import them.

               

              For your second question this depends on the way your sensor is set up. The steps in my last post will get the sensor set up and the manager to manage it. There may be additional configuration required if you have other types of policies configured or Exception or Objects etc.

               

              You really just need to go through your existing configuration and see what is currently set up and what you need to copy or recreate.

               

              If you are changing versions of NSM you need to look and see if any features have changed or been depreciated.

               

              Regards

               

              Peter

              • 4. Re: How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM
                sokam

                Peter,

                Thanks again.

                Please see below answers to your questions and additional info:

                1. The old environment used a Central Manager to define the policies but the new environment is a Regional Manager. Does that affect the policies that can be copied and successfully applied to the new environment?
                2. The policies configured for the sensors are for ; ExceptionObjects, Firewall and IPS_Reconnnaisance
                3. Both the old and new managers are running the same version of NSP.
                4. I am not changing the versions of NSM
                • 5. Re: How to migrate McAfee IPS sensors from an existing McAfee NSM to a new NSM
                  peter.mason

                  Hi Sokam,

                   

                  Is there any reason you are not just adding the new manager to the existing Central manager? If you have multiple NSM's it's easier to manager your policies etc form the Central manager.

                   

                  The policies should be the same on the central and regional managers so you should not have an issue.

                   

                  Regards

                   

                  Peter