Migrate policies to Trend Cloud One - Endpoint & Workload Security

Migrate to Trend Cloud One - Endpoint & Workload Security is a multi-step process.

You may want to use the same policies in Workload Security as you used in Deep Security. You can manually recreate the policies in Workload Security, automate the policy migration using the migration tool, or use one of the other methods for migrating policies.

Prerequisites

  • Check that you are running Deep Security Manager 20.0.513 (20 LTS Update 2021-10-14) or later.

    If you do not want to upgrade to a supported Deep Security 20 version to migrate policies, see Deep Security 12 documentation for information on how to migrate policies by exporting them to XML and then importing via API into Workload Security.

  • Update to and apply the latest Deep Security Rule Updates (DSRU). In Deep Security Manager, go to Administration > Updates > Security > Rules.

    If your migration results in error 303, you likely did not update the DSRU.

  • If you have not done so already, complete the earlier steps in Migrate to Trend Cloud One - Endpoint & Workload Security including creating a Trend Cloud One account, creating an API key, and preparing a link to Workload Security.

Limitations

  • Policies containing SAP Scanner module configurations can be migrated or imported, but those settings will not be visible unless your Workload Security account is also licensed for the SAP Scanner.
  • Policies containing VMware agentless configurations are not supported in Workload Security.
  • Application Control settings are not migrated.
  • Network-dependent objects and settings (proxy settings, syslog configurations, and so on) may not be migrated.
  • Only common objects referenced by the policy are migrated. If a common object being migrated has the same name as an existing common object in Workload Security, the existing object is overwritten by the migrated object.

For information on migrating common objects, see Migrate common objects to Workload Security.
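Because a migrated common object replaces any existing Workload Security object of the same name, it is worth listing the collisions before you migrate. The following Python sketch is an added example, not Trend Micro code: the inventory shape (object type mapped to a list of objects with `name`, `ID` and `items`), the sample data, and the assumption that names only collide within the same object type are all illustrative.

```python
"""Pre-migration check for common-object name collisions (added example)."""
import json

# Constructed sample inventories. The source side is assumed to hold only the
# common objects that the policies being migrated actually reference.
DSM_OBJECTS = {
    "ipLists": [
        {"name": "Trusted Admin Hosts", "ID": 4,
         "items": ["10.0.5.10", "10.0.5.11", "10.0.9.0/24"]},
        {"name": "Corporate DNS", "ID": 7, "items": ["10.0.0.53"]},
    ],
    "portLists": [{"name": "Web Ports", "ID": 2, "items": ["80", "443"]}],
}
WS_OBJECTS = {
    "ipLists": [{"name": "Trusted Admin Hosts", "ID": 31, "items": ["10.0.5.10"]}],
    "portLists": [
        {"name": "Web Ports", "ID": 12, "items": ["443", "80"]},
        {"name": "Corporate DNS", "ID": 13, "items": ["53"]},
    ],
}

def _canonical(obj):
    # Compare content only: drop the name and the server-assigned ID, and sort
    # list values so that item order alone does not count as a difference.
    body = {k: v for k, v in obj.items() if k not in ("name", "ID")}
    body = {k: sorted(v, key=str) if isinstance(v, list) else v
            for k, v in body.items()}
    return json.dumps(body, sort_keys=True)

def find_overwrites(source, target):
    """Return the target objects that a migration from source would overwrite."""
    findings = []
    for obj_type, src_objs in source.items():
        # Assumption: a name collides only with an object of the same type.
        existing = {o["name"]: o for o in target.get(obj_type, [])}
        for src in src_objs:
            dst = existing.get(src["name"])
            if dst is None:
                continue  # new object in the target, nothing is overwritten
            findings.append({
                "type": obj_type,
                "name": src["name"],
                # True means the overwrite changes what existing policies use.
                "content_changes": _canonical(src) != _canonical(dst),
            })
    return sorted(findings, key=lambda f: (f["type"], f["name"]))

if __name__ == "__main__":
    for finding in find_overwrites(DSM_OBJECTS, WS_OBJECTS):
        print(finding)
```

In the sample data, the overwrite of "Trusted Admin Hosts" would widen a trusted list from one host to three entries, which is the kind of change to review before selecting Migrate.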

Migrate policies using the migration tool

The Migrate to Trend Vision One Endpoint Security tool (formerly called the Migrate to Workload Security tool) enables migration for both Trend Vision One Endpoint Security - Server & Workload Protection and for Trend Cloud One - Endpoint & Workload Security. Note that in addition to the tool itself, the related role configurations have been renamed.

  1. In the Deep Security Manager console, select Support > Migrate to Trend Vision One Endpoint Security.
  2. On the Migrate to Trend Vision One Endpoint Security page that appears with the Configurations tab selected, click Migrate Policy to expand that section.

    If a Link to Trend Vision One Endpoint Security Account page appears first, see Prepare a link to Workload Security for information on how to configure the link.

  3. Select Migrate. The migration tool targets all policies on Deep Security Manager.

    When the migration tool displays a status, you can also check it in Workload Security by going to Policies. Any migrated policies appear in the list, showing a timestamp and the Deep Security Manager hostname.

    The following are the possible statuses:

    • Migration requested: A policy migration task to Workload Security has been requested but the policy migration has not started yet.
    • Migrating: Policies are being migrated to Workload Security. If the status is stuck in Migrating, Deep Security Manager cannot get a response from Workload Security. Check the network configuration.
    • Migrated: Policies have been migrated successfully to Workload Security.
    • Failed: Policies have failed to migrate to Workload Security for some reason. Check the error code:
      • Error code 303: The policies being migrated reference one or more rules that are not available on Workload Security. Please ensure that Deep Security Manager and Workload Security are using the same Rule Update version.
      • Other error codes less than 900: There is a failure from Workload Security. Contact Trend Micro support.
      • Error codes greater than or equal to 900: Deep Security Manager has a problem communicating with Workload Security. Please make sure the Workload Security Link is correctly configured, or check server0.log for details.

Next, migrate your common objects to Workload Security.

Other methods for migrating policies

In addition to using the migration tool, you can use the following methods for migrating policies to Workload Security:

  • Migrate policies directly using the Deep Security policy migration API and Workload Security Link feature, available in Deep Security Manager 20.0.463 (20 LTS Update 2021-07-22) or later. For instructions, see Migrate using the Deep Security and Workload Security APIs.
  • Export the policy XML from Deep Security and then use the Workload Security Policy Import API. If you are using an older version of Deep Security or if a direct connection from Deep Security to Workload Security is not possible, you can export policies from Deep Security 12 or later and then import them into Workload Security using the Policy Import API. For details, see Migrating policies to Workload Security in the Deep Security 12 help.