Kenna.VM Connector Migration

Here are some things to keep in mind when your organization wants to migrate from one connector to another connector (e.g. Rapid7 to Tenable, or Qualys to Rapid7)

If you own a Kenna Test Instance, it is likely you will want to deploy the connector in your Kenna.Test instance first. If you do not currently own a Kenna.Test instance, you will want to consider if you’d like to run the connectors concurrently against the same assets over a period of time, or if you’d like to run with your old connector until the new connector deployment is complete, and then switch over with no concurrent runs.

Key factors to consider while making this decision will include - 

  • If you want to run the connectors concurrently against the same assets over a period of time you will need a Support ticket to clean-up old assets and vulnerabilities after the switch.

  • If you’d like to switch over from one to another with no overlap, you will want to test the credentials in your Kenna instance first to ensure the connection is established.

  • If you are moving from an on-premise connector to a cloud-based connector (Rapid7 to Qualys) you will no longer need the Virtual Tunnel for your scanner (this does not mean you won’t need the VT for other connections you may have). If you are moving from a cloud scanner to an on-prem scanner, you will need to deploy the Kenna Virtual Tunnel or Kenna Agent within the same environment as your scanner.

  • When setting up a new connector, will the change require modifications to risk meters, reports or tagging?

*Important Note: removing the old connector outright will remove all closed vulns associated with the scanner from the Kenna Environment. If you are tracking the total # of closed vulnerabilities in the environment, this will change once you remove the old connector. 

Historical information will persist in reporting, however scanner detections and other information will be removed. For items that have a different scanner type scanner detection, the detection will remain along with all custom information (custom fields). If the detection is only from that scanner/connector, the item will be removed. 


Option 1 - Install new connector in a Kenna Test instance (For those who own a Kenna.Test instance)

 If the new connector is installed in a new instance for testing/evaluation and you want to eventually migrate it to the initial instance in order to preserve historical reporting about assets, vulns, risk meters, SLA's, MTTR, etc be sure to keep detailed notes for all the changes made in the Test instance so they can be replicated in the Production environment during the change over.

 When testing is complete -

  1. Install new connector in the Production instance and populate data.

  2. Reproduce any changes/adjustments that had been made in the test instance

  3. Remove the old VM connector (if you are running concurrently for some time, hold off until you are ready to complete the switch). After you’ve removed the VM connector, search for and remove orphaned data via a Support ticket.

    •  Examples of possible Orphaned Data include -

      •  Assets not closed out in old connector and not scanned by the new connector

      • Assets defined differently in the two connectors

    •  If the same assets are scanned by both connectors then there can be confusion regarding which connector is causing what behavior in Kenna. Be sure no orphan data is left behind, which may incorrectly inflate asset counts.


Option 2 - Install new connector in your Production Kenna instance with concurrent runs

  1. Install the new connector

  2. Run new connector to populate data

  3. Since you are running connectors concurrently, you will want to ensure that assets are being deduplicated properly and the data ingested by the new connector matches the old connector data.

  4. Once you’re satisfied with the status of the new connector, remove the old connector, and have support remove any Orphaned Data from the platform (if any).

Option 3 - Install new connector in your Production Kenna instance without concurrent runs

  1. Remove the old connector, and have support remove any Orphaned Data from the platform (if any).

  2. Install the new connector

  3. Run new connector to populate data

  4. Since you’re running a new connector, you will want to ensure that Risk Meters are being populated properly if any are Tag based Risk Meters.


If you have any issues please contact your Customer Success team, or Support.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.