Migrating a Panopta Agent configuration to FortiMonitor Agent
The following sections describe how to migrate your existing Panopta Agent configuration to a new FortiMonitor Agent installation.
Linux Panopta Agent migration
Note: Python 3 is required for all Linux Agent installations. Ensure that Python 3 is installed before proceeding with the migration. See FortiMonitor Agent Security for encryption and communication ports/ protocols.
To migrate your Panopta Linux Agent configuration, run the following command:
curl -s https://repo.fortimonitor.com/install/linux/fm_agent_install.sh | bash /dev/stdin -c <customer-key> -x
Where -x is the argument for migration.
When the migrate flag (-x) is used to install the new FortiMonitor Linux Agent on a server that already has the Panopta Agent installed, the following occurs:
-
The migrate flag alerts the install script to create and configure a new FortiMonitor manifest file (/etc/fm-agent-manifest) based on the existing Panopta Agent configuration file (/etc/panopta-agent/).
-
If the panopta_agent.cfg file does not exist, a very unlikely scenario, a new clean manifest file will be generated. The Agent will still merge to the existing instance, however, the FortiMonitor configuration file (/etc/fm-agent/fm_agent.cfg) will only contain default properties. Any additional properties or code blocks that were previously configured will not be present and the aggregator_url property will default to rx.us01.fortimonitor.com.
-
If the aggregator_url property in the existing panopta_agent.cfg file is configured to the default Panopta value (aggregator2.panopta.com:443), it will be changed to the new default (rx.us01.fortimonitor.com). All other existing values, including proxy settings will be migrated over.
-
-
The FortiMonitor Agent installation process is started.
-
If the connectivity test to rx.us01.fortimonitor.com fails, the installation process stops, and the current Panopta Agent installation remains.
-
-
A backup of the following is created in this directory /tmp/panopta-agent-migration-bkp.
-
Panopta Agent configuration file: /etc/panopta-agent/panopta_agent.cfg
-
Panopta CounterMeasures: /usr/lib/panopta-agent/countermeasures/plugins
-
Panopta custom plugins: /usr/share/panopta-agent/
-
-
The custom plugins from /usr/share/panopta-agent/ are migrated to /usr/share/fm-agent/.
-
The custom CounterMeasures from /usr/lib/panopta-agent/countermeasures/plugins are migrated to /usr/share/fm-agent/countermeasures.
-
The Panopta Agent is uninstalled.
Migrate using a local Linux Agent package
For Linux servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.
-
Download the latest Agent package. Contact support for the download information.
-
Copy the package to the Agent server.
-
Run the following command:
python3 linux_fm_agent_install.py --migrate --customer-key <customer-key> --local <path to local rpm/deb pkg>
-
Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.
Windows Panopta Agent migration
To migrate your Panopta Windows Agent configuration:
-
Open PowerShell in administrator mode and run the following command to enable tls1.1 and 1.2 for the current session:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12;
-
Run the following command:
Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1
.\fm-upgrade.ps1
The migration script only takes one optional argument, -autoupdate. If this is set, it modifies the Agent configuration file to enable autoupdate.
When the fm-upgrade.ps1 script is used on a server that already has the Panopta Agent installed, the following occurs:
-
A backup of the following sources is created in the Windows User Temp Folder (C:\Users\{user}\AppData\Local\Temp\ panoptabkp_{random_characters}).
-
Panopta Agent configuration file: C:\Program Files (x86)\PanoptaAgent\Agent.config
-
Panopta Agent CounterMeasures: C:\Program Files (x86)\PanoptaAgent\cm_ps_plugins
-
Panopta Agent Custom Plugins: C:\Program Files (x86)\PanoptaAgent\ps_plugins
-
-
The Panopta Agent is uninstalled.
-
The FortiMonitor Agent installation process is started.
-
The AggregatorUrl property of the Agent configuration file is checked. If it is pointing to aggregator2.panopta.com and the connectivity check to the new aggregator rx.us01.fortimonitor.com:443 is successful, the AggregatorUrl property will be updated to rx.us01.fortimonitor.com:443. Otherwise, the AggregatorUrl will remain pointing to aggregator2.panopta.com.
-
The backup is copied to the following directories:
-
Panopta Agent configuration file to C:\Program Files (x86)\FortiMonitor\Agent.config
-
Panopta Agent CounterMeasures to C:\Program Files (x86)\ FortiMonitor \cm_ps_plugins
-
Panopta Agent custom plugins to C:\Program Files (x86)\ FortiMonitor \ps_plugins
-
Migrate using a local Windows Agent package
For Windows servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.
-
Download the latest Agent package. Contact support for the download information.
-
Copy the package to the Agent server.
-
Run the following command:
Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1 .\fm-upgrade.ps1 -local <FILENAME>
Where<FILENAME>
is the path to the downloaded MSI file. If you are specifying a full path, use quotes. -
Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.