IMPORTANT: This article is applicable ONLY IF you are using DLP Endpoint 9.3 and earlier versions and need to migrate to later version.
DLP Endpoint uses new schemas that are incompatible with DLP Endpoint policies and event formats. To migrate policies and data to the new schema, use ePolicy Orchestrator (ePO) server tasks.
Before you begin, review and complete the following:
- Update DLP Endpoint to the latest version before you convert policies or migrate the data.
- Review your DLP Endpoint policy before conversion to verify the status of rules you want to convert. The policy conversion task only converts rules that are enabled and applied to the database.
- Run the DLP policy conversion task after you install the latest version of DLP Endpoint extension in ePO. McAfee recommends that you schedule the migration tasks for weekends or other non-work hours because of the load they place on the processor.
To begin conversion, do the following:
- Select Menu, Automation, Server Tasks.
- Select DLP Policy Conversion, and then click Actions, Run.
You can verify that the task is running on the Server Task Log page.
NOTE: The task fails if it has run previously. If you change the DLP Endpoint policy and want to rerun the conversion, edit the server task. Deselect the option Do not run policy conversion if rule set Policy Conversion Rule Set on the Actions page. The previous rule set is then deleted and replaced.
- Return to the Server Tasks page, select DLP Incident Migration, and click Actions, Edit.
NOTE: The DLP Operational Events Migration can be performed in the same way.
- Select Schedule status, Enabled, and then click Next twice.
NOTE: The migration is pre-programmed, so you can skip the Actions page.
- Select a schedule type and occurrence frequency. McAfee recommends the following settings:
- Schedule type: Hourly.
- Set the Start date and End date to define a weekend or part of a weekend.
- Schedule the task for every hour.
Incidents are migrated in chunks of 200,000. Schedule task repetition according to the size of the incident database you need to migrate.
- Click Next to review the settings, and then click Save.
Additional Information
- Predefine RM server, Seclore, and FRP before you run conversion tasks. If non-existent keys or an RM policy is used, the task stops.
- DLP Endpoint 9.3 Agent configurations are not migrated to later DLP Endpoint client configurations.
- Device rules that have Exclude and Local Users are split. Local users are created as a separate rule.
- Protection rules with no user assignment groups are migrated to Any user.
- Only run the Policy Conversion Task once. To overwrite a task, go to Task Configuration and deselect the do not run policy conversion if rule set 'Policy Conversion Rule Set' exists checkbox.
- The Removable storage file access device rule converts with Block action only. This mode provides no Report Incident or user notification.
- DLP Endpoint regular expressions including keywords are converted to Advanced pattern in DLP Endpoint later versions.
Limitations
The following list describes limitations of the policy migration task configuration feature.
- The policy must be applied before the migration task runs.
- Only enabled rules are migrated.
- The X (OR) NOT parameter has changed to X (And) NOT (example: Group 1 (OR) NOT User 1 has changed to Group 1 (And) NOT User 1.)
- Rule Descriptions are omitted after conversion.
- RE2 Syntax RegEx are not supported and are not migrated, though these items are captured in conversion logs.
- The task stops if non-existent keys or an RM policy are used.
- Default notifications are changed in this release.
- The migration of an Organizational Unit (OU) as part of a User Assignment Group (UAG) is converted to Any user. The UAG that includes the OU as end user converts to Everyone.
- Users\Groups migrate only the SID without a name. But, if you define the LDAP server in the registered server before the conversion, you see the names correctly.
- Keywords inside the Advanced pattern are not supported if they do not use RE2 syntax.
- If a tag has manual tagging, it has the everyone tag in DLP Endpoint later versions. The ability to choose a User Assignment group for each classification has also been added in the latest versions.
- Built-in Device classes are not converted.
- User assignment does not exist in the DLP Endpoint Discovery rules and is not converted. Discovery rules run at the system level.
- The Cloud Protection Rule: Groove (OneDrive for business) is not yet supported.
- Older DLP Endpoint tasks are not converted. This conversion must be done manually.
