ON PREMISES SOLUTIONS

Switching the GravityZone management console from on-premises to cloud

This article provides all the information you need to switch your GravityZone management console from on-premises version to the one hosted in the cloud.

Migration requirements

  • Your license key must be compatible with GravityZone Cloud. If you are not sure, contact your Bitdefender partner or representative to check.

  • The instructions in this article imply applying a patch on the endpoints managed in GravityZone. The patch is supplied for network environments with more than 20 managed endpoints. In other cases, you need to manually reinstall and reconfigure the GravityZone security agents.

The benefits of using the cloud console

Why should you use a cloud-hosted GravityZone console rather than one on premises?

  1. Cost savings: A cloud hosted security solution provides you with a scalable management platform that accommodates increasing workloads without worrying about additional capacity in your own data center. While minimizing IT requirements and physical data storage, it provides you with significant savings.

  2. Security and compliance: Perhaps the biggest concerns in the initial days of cloud adoption were security and compliance. Today, this is no longer the case. Cloud service providers, such as Bitdefender, now provide higher levels of security, data integrity and compliance. We do this through investment in resources and technology, along with a skilled team of IT experts and engineers, that most smaller businesses could not afford for their own data center. Bitdefender has taken all the measures to ensure that GravityZone cloud platform is compliant with one of the leading cloud service provider certifications, SOC 2 Type 2.

  3. Connectivity & accessibility: The cloud console provides access to users anywhere and at any time, while keeping their accounts secure. This way, you stop punching holes in your corporate firewall just to have your users roam in.

  4. Faster deployment: Cloud-based services can be deployed within just an hour rather than days. Sometimes it can take even weeks to strategically plan, buy, build, and implement an internal infrastructure for an on-premises solution.

  5. Improved efficiency: After migrating to the cloud, you no longer need to worry about maintenance operations such as managing your own management cluster infrastructure, its scaling consideration, or regular software updates. Bitdefender does these operations for you so you can focus on managing security and not infrastructure.

Migrated artifacts

Through this procedure, you will be migrating the following artifacts:

  • The inventory of protected endpoints

    Tip

    To view the rest of the endpoints in your network, run a Network discovery task.

  • Encryption keys required by GravityZone Full Disk Encryption

This procedure does not cover the migration of the following artifacts:

Data

  • Existing reports

  • Sandbox Analyzer reports

  • Past events

  • Incidents

  • Local quarantine on the endpoints

    Note

    BEST will automatically restore or remove items in local quarantine based on the quarantine settings in the policy (Antimalware > Settings > Quarantine)

  • Exchange quarantine

Configuration

  • EDR Blocklist and Custom Rules

  • Security policies

  • Assignment rules

  • Configuration profiles

  • Installation packages

  • User accounts

  • Credentials

  • Integrations

Note

If you want Bitdefender Professional Services to operate this migration for you, please contact your Account Manager. This is a paid service.

Changes to consider

Before making this switch, take a few moments to note the differences between the GravityZone cloud and on-premises solutions:

  • Features set, both protection and administrative features. Some features are available only on-premises, some only in the cloud. Learn more from the GravityZone features matrix.

  • Firewall rules. GravityZone Cloud uses the following ports for communication.

  • GravityZone configuration. GravityZone Cloud console will have the default configuration. Integrations with Active Directory, Amazon AWS and SIEMs require reconfiguring to be enabled.

Best practices

  • Plan the migration in a maintenance window.

  • All endpoints should have internet access. They need to communicate with Control Center, either directly or through Relays.

  • Create a database backup of the on-premises instance from the Configuration > Backup page of Control Center. For details refer to Creating database backups.

  • Do not decommission the on-premises instance until your GravityZone cloud console configuration is complete and you no longer need the data from dashboards or in saved reports.

Migration steps

Update GravityZone on-premises console

  1. Log in to Control Center.

  2. Go to the Configuration > Update > GravityZone Roles page.

  3. Check that GravityZone on-premises console is up to date. Under the Current Status section, you have two options:

    1. Look over the message that shows the general status of your deployment. If GravityZone needs updating, the Update button will be available.

    2. Look at the version of the appliances in the Infrastructure grid. It must match the latest version in the changelog. You can find the link to the changelog in the Current Status section.

  4. If needed, update GravityZone and check once again the update status. Another update may be available.

Get access to GravityZone cloud console

  1. Go to the Bitdefender website and create a free trial account for GravityZone Business Security Enterprise.

    You will receive an email with the access details to your GravityZone cloud console.

  2. Log in to the GravityZone cloud management console.

  3. Replace the trial key with your license key in the GravityZone cloud console. For details, refer to Licensing.

Set up GravityZone cloud console

  1. Install Security Servers, if needed. For more information, refer to online documentation.

    Important

    Endpoints using Central Scan will remain unprotected if no Security Servers are configured in GravityZone cloud console.

  2. Create a default security policy with the critical settings such as Antimalware exclusions and Security Servers assignment. For more information, refer to:

  3. Create Assignment rules, if needed. For more information, refer to Assignment Rules.

    Important

    If you were using Assignment Rules on the on-premises instance, you need at least one Assignment Rule in GravityZone cloud console. You can remove it at the end of migration if it is not needed anymore.

Apply migration patches to security agents

  1. Get a copy of installer.xml from the endpoint installation package:

    1. In the GravityZone cloud console, go to the Network > Packages page.

    2. Create an installation package by clicking the Add button and then save it.

    3. Select the installation package.

    4. Click Download to get a copy of the installation kit.

    5. Extract the files from the archive.

    6. Keep the installer.xml file.

  2. Send the installer.xml file to Bitdefender Enterprise Support.

    You will receive migration patches to apply on the managed endpoints so that they will connect to the new Control Center console. The patch runs silently and may be deployed through GPO or any other tool for mass deployment of executable files.

  3. Install the patch on a test endpoint.

  4. Check the following:

    1. Endpoint communication with Control Center:

      1. The endpoint appears with the correct status in Control Center.

      2. Antimalware events are reported in Control Center.

        Tip

        For this purpose, you can use an antimalware test file available for download from EICAR website.

      3. Product update: The endpoint receives product and security content updates.

      4. Policy update: The policy on the endpoint is the one from GravityZone Cloud.

  5. Deploy the patches to the rest of the managed endpoints.

  6. Check deployment via Relay.

  7. Run a Reconfigure Client task on all endpoints, using the Match List option and select the modules you need.

    Note

    This operation will also install Endpoint Risk Analytics (ERA). ERA is available only in GravityZone Cloud, and it is present in all installation packages. Endpoints migrated from the GravityZone on-premises platform do not have this module. For more information about ERA, refer to the GravityZone documentation.

Continue the GravityZone cloud console setup

  1. Create GravityZone user accounts.

  2. Configure SSO authentication, if needed.

  3. Enable 2FA.

  4. Configure Network Inventory settings.

  5. Configure Active Directory integration, if needed.

    In GravityZone cloud console, the integration with Active Directory is performed through an endpoint set as AD Integrator. For details, refer to the online documentation.

  6. Configure Amazon EC2 integration, if needed.

    For details, refer to the online documentation.

  7. Create policies.

    Initially, all endpoints will receive the default policy once connected in cloud.

    You need to create new policies and assign them to the endpoints. To speed up the process, you can export the following policy settings from the on-premises console and then import them into the cloud console:

    • Firewall rules

    • Content Control > Web Access Control exclusions

  8. Assign policies to endpoints.

  9. Create installation packages for new deployments.

  10. Create scheduled reports.

  11. Configure notifications.

    Notifications to SIEMs from the cloud platform are sent via Event Push Service API rather than through Syslog.

    If your SIEM supports event ingestion via an HTTPS collecting mechanism, refer to SIEM integrations.

    If the SIEM supports event ingestion via Syslog only, refer to Sending events from GravityZone cloud platform to SIEMs lacking HTTPS listeners.

    For more information on the Event Push API, refer to GravityZone API Guide.