Migrate from Traps Endpoint Security Manager to Cortex XDR

You can easily migrate the management of your Traps™ agents from Endpoint Security Manager (ESM) to Cortex XDR™.
Before you migrate to Cortex XDR:
  • Review Differences Between Endpoint Security Manager and Cortex XDR to determine whether upgrading to Cortex XDR is right for you.
  • Upgrade your ESM and Traps agent to 4.2.7. Then, from ESM 4.2.7, you can upgrade the agent from 4.2.7 to 5.0.10, 7.1.0, or 7.2.0. After you upgrade to the major release number, you can subsequently continue to upgrade to the desired maintenance release in Cortex XDR.
  • Sanitize your Security policy. Because the policy structure for Cortex XDR is different than for ESM, you cannot migrate rules from an existing deployment. Before you migrate to Cortex XDR, Palo Alto Networks recommends that you review existing user rules for each policy type and remove any that you no longer need. For example, remove all rules that are resolved in content updates or that apply only to earlier versions of the Traps agent.
  • Review restore candidates. Before you migrate to Cortex XDR, review all quarantined files and determine whether they need to be restored or whether they require additional action to remediate the endpoint. After you upgrade the agent to an agent version supported by Cortex XDR, the agent will not communicate with ESM and, therefore, will not respond to requests from ESM to restore files.
  • Review security events. Review and address all events that require remediation before you migrate to Cortex XDR. During the migration, Cortex XDR migrates any security events the Traps agent sent to the ESM before the new Cortex XDR agent was installed on the endpoint. Any unsent security events on the endpoint will not be migrated to Cortex XDR.
  1. After you receive your Cortex XDR Prevent license, you can activate Cortex XDR from the hub.
    During activation, you can also associate Cortex XDR with a Cortex Data Lake instance and a Directory Sync Service instance.
  2. Import hash overrides as hash exceptions in Cortex XDR.
    1. From the ESM Console, select Settings.
    2. Generate a Tech Support File and download it when it finishes.
    3. Extract the TechSupport ZIP file, which contains two zipped files (one for Core and one for Console).
    4. Extract the Console ZIP file.
    5. Open the DBQueries folder and locate the Verdict_Override_Exports.csv file.
      This file contains all the hash overrides defined in the ESM Console.
    6. Review the number of entries in the Verdict_Override_Exports.csv file.
      If you have more than 5,000 hashes, divide the hashes and verdicts into files that contain 5,000 or fewer hashes and verdicts.
    7. In Cortex XDR, Import File Hash Exceptions for each file.
  3. Migrate trusted signers and allow list paths.
    1. From Cortex XDR, Add a New Malware Security Profile for any platforms to which you want to add signers or paths to your allow list. Use the default profile settings or modify an existing profile that you already created.
    2. To allow trusted signers previously seen in your environment, add the signer name (Windows) or SHA256 of the certificate that signs the file (macOS) to the
      Allow List Signers
      list of the appropriate Malware Security Profile.
    3. Evaluate the WildFire® rules for each platform on the ESM Console, identify any paths you want included in your allow list that are still relevant, and add them to the Allow List Folders area of the appropriate Malware Security Profile on Cortex XDR.
      There may be more than one WildFire rule with an allow list. While ESM merges WildFire rules, this capability is not available in Cortex XDR.
      Ensure that you migrate paths to the appropriate Malware Security Profile for each platform:
      • Copy paths in macOS WildFire rules to the Mach-O Files whitelist in a macOS profile.
      • Copy paths in Windows WildFire rules for Executables and DLL files to the Portable Executables and DLLs allow list in a Windows profile.
      • Copy paths in Windows WildFire rules for Office files to the Office Files allow list in a Windows profile.
    4. Apply Security Profiles for each group of target objects to which the profile (and any associated hash exceptions) applies.
      You can return to the Malware Profile to specify the target objects after you upgrade the Traps agent.
  4. Migrate rules which disable protection on processes.
    For each remaining rule that disables protection on a specific process or that disables a specific protection module on the process, record the target endpoints to which the exception applies. After you upgrade the Traps agent, you can return to Cortex XDR to apply any exceptions for specific endpoints.
  5. Upgrade the Traps agent to Traps 5.0, Cortex XDR 7.1, or Cortex XDR 7.2.
    Upgrades are supported from Traps 4.2.7. There are three options for upgrading earlier Traps versions:
    • Upgrade the earlier version to a version which supports migration using action rules and then use the workflow below to upgrade the Traps agent.
    • Upgrade the Traps agent using a third-party software deployment tool, such as JAMF or SCCM. With this method you must uninstall the agent and install a fresh installation package of Traps 5.0 instead of an upgrade package.
    • Manually uninstall the earlier Traps agent and install a fresh installation package of Traps 5.0.
    To upgrade from Traps 4.2.7 or a later release, continue with the following workflow:
    1. From Cortex XDR, Create an Agent Installation Package with the installation type set to
      Upgrade from ESM
      .
      For Linux endpoints, you must use the default shell package instead of the package manager.
    2. Download the package to a location reachable from the ESM.
    3. From the ESM Console, disable service protection.
    4. Create an agent action rule to upgrade the Traps agent using the package created from Cortex XDR. If you need the agent to communicate through a proxy server, you can specify a Proxy List in the action rule. The list supports up to ten proxy servers, comma-separated, in the format <serverIPaddress>:<port>.
      Because this procedure is valid only for a specific version of Traps agents, we recommend that you use a condition for the action rule to upgrade the agents matching the Traps agent version.
    5. Save and Apply the rule.
  6. Customize your Endpoint Security Policy and set exceptions, as needed, for specific endpoints.
    If you have policy exceptions, you can either configure global endpoint policy exceptions or add conditions to the allow list within endpoint security profiles that apply to the specific endpoints.
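Step 2 above caps each imported hash exception file at 5,000 entries. The following script is an added example, not Palo Alto Networks code: it splits an exported Verdict_Override_Exports.csv into files of at most 5,000 rows, keeping the header in each file, and sets aside rows whose hash is not a well-formed SHA256 so a single bad line does not spoil an import. The column names Hash and Verdict, and the sample rows, are assumptions, since the export's exact layout is not shown on this page.

```python
"""Split an ESM Verdict_Override_Exports.csv into import files of <= 5,000 rows.

Added example (not Palo Alto Networks code). Assumes a header row with a column
named "Hash" holding SHA256 hex digests; the exact export layout is an assumption.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

MAX_ROWS = 5000            # per-file limit stated in the migration procedure
HASH_COLUMN = "Hash"       # assumed column name in the export
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample input (not a real export): three valid hashes, one malformed row.
SAMPLE_CSV = (
    "Hash,Verdict\n"
    + "a" * 64 + ",Malware\n"
    + "b" * 64 + ",Benign\n"
    + "not-a-hash,Malware\n"
    + "c" * 64 + ",Malware\n"
)


def split_overrides(csv_text: str, max_rows: int = MAX_ROWS) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (chunks, rejected): chunks are CSV texts with the original header,
    rejected are rows whose hash column is not 64 hex characters."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    valid, rejected = [], []
    for row in reader:
        # Only validate when the assumed hash column is present in the header.
        if HASH_COLUMN in fieldnames and not SHA256_RE.match(row.get(HASH_COLUMN) or ""):
            rejected.append(row)
            continue
        valid.append(row)
    chunks = []
    for start in range(0, len(valid), max_rows):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
        writer.writeheader()
        writer.writerows(valid[start:start + max_rows])
        chunks.append(buf.getvalue())
    return chunks, rejected


def write_chunks(chunks: List[str], prefix: str = "Verdict_Override_Exports_part") -> List[str]:
    """Write each chunk to <prefix><n>.csv and return the file names."""
    names = []
    for i, chunk in enumerate(chunks, 1):
        name = f"{prefix}{i}.csv"
        with open(name, "w", newline="") as f:
            f.write(chunk)
        names.append(name)
    return names
```

Run it against the real export with `split_overrides(open(path).read())`, then import each written file with Import File Hash Exceptions; review the rejected rows by hand before deciding whether to re-add them.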
