Switching the GravityZone management console from on premises to cloud
This article provides all the information you need to switch your GravityZone management console (Control Center) from the on-premises version to the one hosted in the cloud.
Migration requirements
Your license key must be compatible with GravityZone Cloud. If you are not sure, verify the information with your Bitdefender partner or representative.
Some of the instructions in this article will guide you through applying a patch on the endpoints managed in GravityZone. The patch is supplied for network environments with more than 20 managed endpoints. In all other cases, you need to manually reinstall and reconfigure the GravityZone security agents.
Note
If your products do not correspond to the current portfolio, you need to replace your license keys with ones that provide the same functionality in the GravityZone Cloud platform.
Contact your Bitdefender Account Manager or Bitdefender Enterprise Support to receive a new set of keys.
The benefits of using the cloud console
Why should you use a cloud-hosted GravityZone console rather than one on premises?
Cost savings: A cloud-hosted security solution provides a scalable management platform. It accommodates increasing workloads without you having to worry about additional capacity in your own data center. It is cost effective because it minimizes IT requirements and physical data storage.
Security and compliance: Perhaps the biggest concerns in the initial days of cloud adoption were security and compliance. Today, this is no longer the case. Cloud service providers, such as Bitdefender, now provide higher levels of security, data integrity and compliance. Bitdefender does this through investment in resources and technology, along with a skilled team of IT experts and engineers, that most smaller businesses could not afford for their own data center. Bitdefender has taken all the measures to ensure that the GravityZone cloud platform is compliant with one of the leading cloud service provider certifications, SOC 2 Type 2.
Connectivity & accessibility: The cloud console provides access to users anywhere and at any time, while keeping their accounts secure. This way, you don't have to punch holes in your corporate firewall just to provide your users with the access they need.
Faster deployment: Cloud-based services can be deployed within just an hour rather than days. Sometimes it can take even weeks to strategically plan, buy, build, and implement an internal infrastructure for an on-premises solution.
Improved efficiency: After migrating to the cloud, you no longer need to worry about maintenance operations such as managing your own cluster infrastructure, its scaling considerations, or regular software updates. Bitdefender performs these operations for you, so you can focus on managing security rather than infrastructure.
Migrated artifacts
This procedure helps you migrate the following artifacts:
The inventory of protected endpoints
Tip
To view the rest of the endpoints in your network, run a Network discovery task.
Encryption keys required by GravityZone Full Disk Encryption
This procedure does not cover the migration of the following artifacts:
Data
Existing reports
Sandbox Analyzer reports
Past events
Incidents
Local quarantine on the endpoints
Note
BEST will automatically restore or remove items in local quarantine based on the quarantine settings in the policy (Antimalware > Settings > Quarantine).
Exchange quarantine
Configuration settings
EDR Blocklist and Custom Rules
Security policies
Assignment rules
Configuration profiles
Installation packages
User accounts
Credentials
Integrations
Note
If you want Bitdefender Professional Services to operate this migration for you, contact your Account Manager. This is a paid service.
Changes to consider
Before making this switch, take a few moments to note the differences between the GravityZone cloud and on-premises solutions:
Feature set (both protection and administrative features). Some features are available only on premises, some only in the cloud. To learn more, refer to the feature matrix for GravityZone On Premises and GravityZone Cloud.
Note
Once you migrate from GravityZone On Premises to Cloud, the Application Control module will no longer be available.
Firewall rules. GravityZone Cloud uses the following ports for communication.
GravityZone configuration. The GravityZone Cloud console will have the default configuration. Integrations with Active Directory, Amazon AWS and SIEMs need to be reconfigured.
Best practices
Plan the migration in a maintenance window.
All endpoints should have internet access. They need to communicate with the console, either directly or through Relays.
Create a database backup of the on-premises instance from the Configuration > Backup page of the console. For details, refer to Creating database backups.
Do not decommission the on-premises instance until your GravityZone cloud console configuration is complete and you no longer need the data from dashboards or in saved reports.
Create a Reconfigure agent task to remove all the modules that are not going to be available for GravityZone Cloud or are not covered by the new license.
Note
For details on configuring and using the Reconfigure agent task, refer to this topic.
Update Bitdefender Endpoint Security Tools to the latest version. To see the latest version of BEST, refer to:
Bitdefender Endpoint Security Tools for Windows release notes.
Bitdefender Endpoint Security Tools for Linux release notes.
Bitdefender Endpoint Security Tools for Mac release notes.
Migration steps
Update GravityZone on-premises console
Log in to Control Center.
Go to the Configuration > Update > GravityZone Roles page.
Check that the GravityZone on-premises console is up to date. Under the Current Status section, you have two options:
Look over the message that shows the general status of your deployment. If GravityZone needs updating, the Update button will be available.
Look at the version of the appliances in the Infrastructure grid. It must match the latest version in the changelog. You can find the link to the changelog in the Current Status section.
If needed, update GravityZone and check the update status again. Another update may be available.
Get access to GravityZone cloud console
Go to the Bitdefender website and create a free trial account for GravityZone Business Security Enterprise.
You will receive an email with the access details to your GravityZone cloud console.
Log in to the GravityZone cloud management console.
Replace the trial key with your license key in the GravityZone cloud console. For details, refer to Licensing.
Set up GravityZone cloud console
Install Security Servers, if needed. For more information, refer to Install Security Server through Control Center.
Important
Endpoints using Central Scan will remain unprotected if no Security Servers are configured in GravityZone cloud console.
Create and configure a default security policy with critical settings such as Antimalware exclusions and Security Server assignment. For more information, refer to:
Create Assignment rules, if needed. For more information, refer to Assigning policies.
Important
If you were using Assignment Rules on the on-premises instance, you need at least one Assignment Rule in GravityZone cloud console. You can remove it at the end of the migration process, if it is no longer needed.
Apply migration patches to security agents
Get a copy of the installer.xml file from the endpoint installation package:
In the GravityZone cloud console, go to the Network > Packages page.
Create an installation package by clicking the Add button, then click Save.
Select the installation package from the grid.
Click Download to get a copy of the installation kit.
Extract the files from the archive.
Keep the installer.xml file.
Send the installer.xml file to Bitdefender Enterprise Support.
You will receive migration patches to apply on the managed endpoints so that they connect to the new console. The patch runs silently and may be deployed through GPO or any other tool for mass deployment of executable files.
Install the patch on a test endpoint.
Check the following:
Endpoint communication with the console:
The endpoint appears with the correct status in the console.
Antimalware events are reported in the console.
Tip
For this purpose, you can use an antimalware test file available for download from the EICAR website.
Product update: The endpoint receives product and security content updates.
Policy update: The policy on the endpoint is the one from GravityZone Cloud.
Deploy the patches to the rest of the managed endpoints.
Check deployment via Relay.
Run a Reconfigure agent task on all endpoints using the Match List option, and select the modules you need.
Note
This operation will also install Endpoint Risk Analytics (ERA). ERA is available only in GravityZone Cloud, and it is present in all installation packages. Endpoints migrated from the GravityZone on-premises platform do not have this module. For more information about ERA, refer to Endpoint Risk Analytics (ERA).
Continue the GravityZone cloud console setup
Create GravityZone user accounts.
Configure SSO authentication, if needed.
Configure Network Inventory settings.
Configure Active Directory integration, if needed.
In GravityZone cloud console, the integration with Active Directory is performed through an endpoint set as AD Integrator. For details, refer to Integrating with Active Directory.
Configure the Amazon EC2 integration, if needed.
Create policies.
Initially, all endpoints will receive the default policy once connected in the cloud.
You need to create new policies and assign them to the endpoints. To speed up the process, you can export the following policy settings from the on-premises console, and then import them into the cloud console:
Firewall rules
Content Control > Web Access Control exclusions
Assign policies to endpoints.
Create installation packages for new deployments.
Create scheduled reports.
Configure notifications.
Notifications to SIEMs from the cloud platform are sent via Event Push Service API rather than through Syslog.
If your SIEM supports event ingestion via an HTTPS collecting mechanism, refer to SIEM integrations.
If the SIEM supports event ingestion via Syslog only, refer to Sending events from GravityZone cloud platform to SIEMs lacking HTTPS listeners.
For more information on the Event Push API, refer to Push.
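For the Syslog-only SIEM case above, one way to bridge the gap is a small collector that accepts Event Push deliveries over HTTP and re-emits each event as an RFC 5424 syslog line over UDP. This is an added example, not Bitdefender's own code: it assumes the collector sits behind a TLS-terminating reverse proxy (GravityZone Cloud pushes to HTTPS), and it assumes the jsonRPC push body carries its events in params.events; the sample body and event fields are constructed for illustration.

```python
import json
import socket
import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample push body. The "params.events" layout is an assumption about
# the Event Push Service jsonRPC format; adjust events_from_push() if yours differs.
SAMPLE_BODY = json.dumps({
    "jsonrpc": "2.0", "method": "eventPush",
    "params": {"events": [
        {"module": "av", "computer_name": "WS-01", "malware_name": "EICAR-Test-File",
         "final_status": "quarantined", "created": "2024-01-15T10:00:00Z"},
        {"module": "modules", "computer_name": "WS-02", "created": "2024-01-15T10:01:00Z"},
    ]},
}).encode()

SYSLOG_PRI = 14  # facility user (1) * 8 + severity informational (6)

def events_from_push(body: bytes) -> list:
    """Return the event list from a push body, or [] when the body is malformed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    events = doc.get("params", {}).get("events") if isinstance(doc, dict) else None
    return events if isinstance(events, list) else []

def to_syslog_line(event: dict, host: str = "gz-relay") -> str:
    """RFC 5424 line: <PRI>1 TIMESTAMP HOST APP - MSGID - MSG, with the event as compact JSON."""
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    module = str(event.get("module", "unknown")).replace(" ", "_") or "-"
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return f"<{SYSLOG_PRI}>1 {ts} {host} gravityzone - {module} - {msg}"

def relay(body: bytes, syslog_addr=("127.0.0.1", 514)) -> int:
    """Forward every event in the body to the SIEM's UDP syslog listener; returns the count sent."""
    lines = [to_syslog_line(e) for e in events_from_push(body)]
    if lines:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(line.encode(), syslog_addr)
    return len(lines)

class PushHandler(BaseHTTPRequestHandler):
    """Accepts the push POST; bodies with no recognizable events are rejected with 400."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200 if relay(body) else 400)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), PushHandler).serve_forever()  # proxy TLS in front of this
```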