Trend Micro Policy Migrator

Moves your existing on-prem Deep Security deployment to CloudOne Workload Security.

Automatically.

TABLE OF CONTENTS

• Quickstart
• Capabilities
  • Known limitations
• Usage
  • Command Reference
  • Use Environment Variables
• Requirements
• Contributing
• Support
• License

Quickstart

Use the package manager pip to install dsmigrator.

1. Run pip install dsmigrator on a machine with access to your DSM.

2. Run dsmg -k and fill out the credential prompts.

Capabilities

Here's the current feature map of what the tool can migrate:

• Policies
• Policy settings
• Anti-Malware Scan Configurations
• IPS, LI, and IM custom rules
• Firewall rules
• Schedules
• Contexts
• IP lists
• MAC lists
• Port lists
• [BETA] Tasks (still quite buggy)
• [BETA] Computer Groups
• Application Control (everything)
• Self-signed certificate support for authenticated requests

Known limitations

• Cannot migrate customized IM/LI/IP rules. Another tool will be incoming to help aid a manual process in identifying each rule that has been customized, but they will never migrate automatically due to an API limitation
• Won't migrate cloud accounts. Must be reconfigured/reauthenticated in Cloud One
• Doesn't migrate DSM settings, make sure to check these manually.
• Application Control support is not on the roadmap currently. Please open an issue if this is

Usage

Command Reference

Usage: dsmg [OPTIONS]

  Moves your on-prem DS deployment to the cloud!

Options:
  -ou, --original-url TEXT        A resolvable FQDN for the old DSM, with port
                                  number (e.g. https://192.168.1.1:4119/)

  -oa, --original-api-key TEXT    API key for the old DSM with Full Access
                                  permissions

  -nu, --new-url TEXT             Destination url  [default:
                                  https://cloudone.trendmicro.com/]

  -coa, --cloud-one-api-key TEXT  API key for Cloud One Workload Security with
                                  Full Access permissions

  -d, --delete-policies / --keep-policies
                                  Wipes existing policies in Cloud One (not
                                  required, but will give best results)

  -t, --tasks                     (BETA) Enable the task migrator (may be
                                  buggy)

  -k, --insecure                  Suppress the InsecureRequestWarning for
                                  self-signed certificates

  -f, --filter TEXT               A list of policy names in form '[name, name,
                                  ...]' which are the only ones which will be
                                  transferred.

  --help                          Show this message and exit.

Use Environment Variables

You can optionally use the following environment variables to pass in your credentials:

• ORIGINAL_API_KEY
• ORIGINAL_URL
• CLOUD_ONE_API_KEY

Requirements

• Python3 (only tested on Python 3.7 or greater so far, so your mileage may vary)
• One api key for your old Deep Security Manager with "Full Access" permissions
• One api key for your Cloud One account with "Full Access" permissions
• A resolvable FQDN to your old Deep Security Manager

NOTE: DS Migrator currently only supports migrations from Deep Security 20 and 12.

Contributing

1. Run ./dev-setup.sh, which will download nix and nix flakes.
2. Run nix develop which will download and build dependencies, and drop you in a shell.

Support

For support, please open an issue on Github.

License

GNU General Public License