Migrate policies to Workload Security

This is one part of the process for migrating from Deep Security to Workload Security. For a complete picture of the migration process, see Migrate from Deep Security to Workload Security.

You may want to use the same policies in Workload Security as you used in Deep Security. You can manually re-create the policies in Workload Security, or automate the policy migration using the migration tool (described in this article) or one of the other methods for migrating policies.

Prerequisites

  • Check that you're running Deep Security Manager 20.0.513 (20 LTS Update 2021-10-14) or later.

    If you don't want to upgrade to a supported Deep Security 20 version to migrate policies, this Deep Security 12 article describes how to migrate policies by exporting them to XML and then importing via API into Workload Security.

  • Update to and apply the latest Deep Security Rule Updates (DSRU). In Deep Security Manager, go to Administration > Updates > Security > Rules.

    If your migration results in error 303, it is most likely because you failed to update the DSRU.

  • If you haven't done so already, complete the earlier steps described in Migrate from Deep Security to Workload Security, including creating a Trend Micro Cloud One account, creating an API key, and preparing a link to Workload Security.

Limitations

  • Policies containing SAP Scanner module configurations can be migrated or imported, but those settings will not be visible unless your Workload Security account is also licensed for the SAP Scanner.
  • Policies containing VMware agentless configurations are not supported in Workload Security.
  • Application Control settings are not migrated.
  • Network-dependent objects and settings (proxy settings, syslog configurations, and so on) may not be migrated.
  • Common objects referenced by the policy are also migrated. If a common object being migrated has the same name as an existing common object in Workload Security, the existing object will be overwritten by the migrated object.
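
The overwrite behavior in the last limitation can silently change lists that existing Workload Security policies depend on, so it is worth comparing object names on both sides before migrating. The following pre-migration check is an added example, not Trend Micro code: the inventories are constructed sample data, and matching on exact name within one object type is an assumption.

```python
# Constructed inventories, {object_type: {name: entries}}. How they are
# gathered from each product is outside this example.
DEEP_SECURITY = {
    "ip_lists": {
        "Corporate Ranges": ["10.0.0.0/8", "192.168.10.0/24"],
        "Jump Hosts": ["10.1.1.5"],
    },
    "port_lists": {"Web Ports": ["80", "443"]},
}
WORKLOAD_SECURITY = {
    "ip_lists": {
        "Corporate Ranges": ["10.0.0.0/8"],
        "Cloud NAT": ["203.0.113.7"],
    },
    "port_lists": {"Web Ports": ["443", "80 "]},
}


def normalize(entries):
    """Compare entries as a set, ignoring order and stray whitespace."""
    return frozenset(e.strip() for e in entries)


def find_overwrites(source, target):
    """List target objects that migrating `source` would replace.

    Assumption: a collision is an exact name match within one object type.
    """
    report = []
    for obj_type in sorted(source):
        existing = target.get(obj_type, {})
        for name in sorted(source[obj_type].keys() & existing.keys()):
            same = normalize(source[obj_type][name]) == normalize(existing[name])
            report.append((obj_type, name, "identical" if same else "content differs"))
    return report


if __name__ == "__main__":
    for obj_type, name, verdict in find_overwrites(DEEP_SECURITY, WORKLOAD_SECURITY):
        print(f"{obj_type}: {name!r} will be overwritten ({verdict})")
```

Objects reported as "content differs" are the ones to rename or reconcile before running the migration.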

Migrate policies using the migration tool

  1. In the upper-right corner of the Deep Security Manager console, select Support > Migrate to Workload Security.

    Screenshot of Manager window with Support menu displayed

  2. The Migrate to Workload Security page appears with the Configurations tab selected. Click Migrate Policy to expand that section.

    If a Link to Workload Security Account page appears first, see Prepare a link to Workload Security for information on how to configure the link.

  3. Select Migrate. The migration tool targets all policies on Deep Security Manager.
  4. The migration tool displays a status.

    Migrate Configurations tab with Migrate Policy section expanded

    You can also check in Workload Security by going to the Policies page. Any migrated policies will appear in the list, showing a timestamp and the Deep Security Manager hostname.

    These are the possible statuses:

    • Migration requested: A policy migration task to Workload Security has been requested but the policy migration hasn't started yet.
    • Migrating: Policies are being migrated to Workload Security. If the status is stuck in "Migrating", Deep Security Manager cannot get a response from Workload Security. Check the network configuration.
    • Migrated: Policies have been migrated successfully to Workload Security.
    • Failed: Policies have failed to migrate to Workload Security for some reason. Check the error code:
      • Error code 303: The policies being migrated reference one or more rules that are not available on Workload Security. Please ensure that Deep Security Manager and Workload Security are using the same Rule Update version.
      • Other error codes less than 900: There is a failure from Workload Security. Please contact support.
      • Error codes greater than or equal to 900: Deep Security Manager has a problem communicating with Workload Security. Please make sure the Workload Security Link is correctly configured, or check server0.log for details.

Next, migrate your common objects to Workload Security.

Other methods for migrating policies

In addition to using the migration tool, you can also use these methods for migrating policies to Workload Security:

  • Migrate policies directly using the Deep Security policy migration API and Workload Security Link feature, available in Deep Security Manager 20.0.463 (20 LTS Update 2021-07-22) or later. For instructions, see Migrate using the Deep Security and Workload Security APIs.
  • Export the policy XML from Deep Security and then use the Workload Security Policy Import API. If you're using an older version of Deep Security or if a direct connection from Deep Security to Workload Security is not possible, you can export policies from Deep Security 12 or later and then import them into Workload Security using the Policy Import API. For details, see Migrating policies to Workload Security in the Deep Security 12 help.