Cisco Vulnerability Management Connector Migration

Here are some things to keep in mind when your organization wants to migrate from one connector to another connector (such as Rapid7 to Tenable, or Qualys to Rapid7).

If you own a Cisco Vulnerability Management test instance, it is likely you will want to deploy the connector in your Cisco Vulnerability Management test instance first. If you do not currently own a Cisco Vulnerability Management test instance, you will want to consider if you’d like to run the connectors concurrently against the same assets over a period of time, or if you’d like to run with your old connector until the new connector deployment is complete, and then switch over with no concurrent runs.

Key factors to consider while making this decision will include:

  • If you want to run the connectors concurrently against the same assets over a period of time, you will need a Support ticket to clean-up old assets and vulnerabilities after the switch.

  • If you’d like to switch over from one to another with no overlap, you will want to test the credentials in your Cisco Vulnerability Management instance first to ensure the connection is established.

  • If you are moving from an on-premises connector to a cloud-based connector (Rapid7 to Qualys) you will no longer need the Virtual Tunnel for your scanner (this does not mean you won’t need the Virtual Tunnel for other connections you might have). If you are moving from a cloud scanner to an on-premises scanner, you will need to deploy the Virtual Tunnel or Agent in the same environment as your scanner.

  • When setting up a new connector, will the change require modifications to risk meters, reports, or tagging?

Important: Removing the old connector outright will remove all closed vulnerabilities associated with the scanner from Cisco Vulnerability Environment. If you are tracking the total number of closed vulnerabilities in the environment, this will change once you remove the old connector. 

Historical information will persist in reporting, however scanner detections and other information will be removed. For items that have a different scanner type scanner detection, the detection will remain along with all custom information (custom fields). If the detection is only from that scanner or connector, the item will be removed. 

Option 1: Install a new connector in a Cisco Vulnerability Management test instance. (For those who own a Cisco Vulnerability Management test instance.)

 If the new connector is installed in a new instance for testing and evaluation and you want to eventually migrate it to the initial instance to preserve historical reporting about assets, vulnerabilities, risk meters, SLAs, and MTTR, ensure that you keep detailed notes for all the changes made in the test instance so they can be replicated in the Production environment during the change over.

 When testing is complete:

  1. Install the new connector in the production instance and populate data.

  2. Reproduce any changes and adjustments that had been made in the test instance.

  3. Remove the old VM connector (if you are running concurrently for some time, hold off until you are ready to complete the switch). After you’ve removed the VM connector, open a ticket with Cisco Support for help with searching for and removing orphaned data.

 Examples of possible Orphaned Data include:

      • Assets that are not closed out in old connector and not scanned by the new connector.

      • Assets defined differently in the two connectors.

If both connectors scan the same assets there can be confusion regarding which connector is causing what behavior in Cisco Vulnerability Management. Ensure that no orphan data is left behind, which might incorrectly inflate asset counts.

Option 2: Install a new connector in your Production Cisco Vulnerability Management instance with concurrent runs.

  1. Install the new connector.

  2. Run the new connector to populate data.

  3. Since you are running connectors concurrently, you will want to ensure that assets are being deduplicated properly and the data that the new connector ingests matches the old connector data.

  4. Once you’re satisfied with the status of the new connector, remove the old connector, and open a ticket with Cisco Support for help with searching for and removing orphaned data.

Option 3: Install a new connector in your production Cisco Vulnerability Management instance without concurrent runs.

  1. Remove the old connector, and open a ticket with Cisco Support  for help with searching and  removing orphaned data if any exists.

  2. Install the new connector.

  3. Run new connector to populate data.

  4. Since you’re running a new connector, you will want to ensure that risk meters are being populated properly if any are tag based risk meters.


Additional Assistance

Contact Support if you require any additional assistance.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.