Fortinet black logo

User Guide

24.2.0
24.2.0

Migrate configuration to FortiMonitor Agent

Migrating a Panopta Agent configuration to FortiMonitor Agent

The following sections describe how to migrate your existing Panopta Agent configuration to a new FortiMonitor Agent installation.

Linux Panopta Agent migration

Note: Python 3 is required for all Linux Agent installations. Ensure that Python 3 is installed before proceeding with the migration. See FortiMonitor Agent Security for encryption and communication ports/ protocols.

To migrate your Panopta Linux Agent configuration, run the following command:

curl -s https://repo.fortimonitor.com/install/linux/fm_agent_install.sh | bash /dev/stdin -c <customer-key> -x

Where -x is the argument for migration.

When the migrate flag (-x) is used to install the new FortiMonitor Linux Agent on a server that already has the Panopta Agent installed, the following occurs:

  1. The migrate flag alerts the install script to create and configure a new FortiMonitor manifest file (/etc/fm-agent-manifest) based on the existing Panopta Agent configuration file (/etc/panopta-agent/).

    • If the panopta_agent.cfg file does not exist, a very unlikely scenario, a new clean manifest file will be generated. The Agent will still merge to the existing instance, however, the FortiMonitor configuration file (/etc/fm-agent/fm_agent.cfg) will only contain default properties. Any additional properties or code blocks that were previously configured will not be present and the aggregator_url property will default to rx.us01.fortimonitor.com.

    • If the aggregator_url property in the existing panopta_agent.cfg file is configured to the default Panopta value (aggregator2.panopta.com:443), it will be changed to the new default (rx.us01.fortimonitor.com). All other existing values, including proxy settings will be migrated over.

  2. The FortiMonitor Agent installation process is started.

    • If the connectivity test to rx.us01.fortimonitor.com fails, the installation process stops, and the current Panopta Agent installation remains.

  3. A backup of the following is created in this directory /tmp/panopta-agent-migration-bkp.

    • Panopta Agent configuration file: /etc/panopta-agent/panopta_agent.cfg

    • Panopta CounterMeasures: /usr/lib/panopta-agent/countermeasures/plugins

    • Panopta custom plugins: /usr/share/panopta-agent/

  4. The custom plugins from /usr/share/panopta-agent/ are migrated to /usr/share/fm-agent/.

  5. The custom CounterMeasures from /usr/lib/panopta-agent/countermeasures/plugins are migrated to /usr/share/fm-agent/countermeasures.

  6. The Panopta Agent is uninstalled.

Migrate using a local Linux Agent package

For Linux servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.

  1. Download the latest Agent package. Contact support for the download information.

  2. Copy the package to the Agent server.

  3. Run the following command:
    python3 linux_fm_agent_install.py --migrate --customer-key <customer-key> --local <path to local rpm/deb pkg>

  4. Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.

Windows Panopta Agent migration

To migrate your Panopta Windows Agent configuration:

  1. Open PowerShell in administrator mode and run the following command to enable tls1.1 and 1.2 for the current session:

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12;

  2. Run the following command:

Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1

.\fm-upgrade.ps1

The migration script only takes one optional argument, -autoupdate. If this is set, it modifies the Agent configuration file to enable autoupdate.

When the fm-upgrade.ps1 script is used on a server that already has the Panopta Agent installed, the following occurs:

  1. A backup of the following sources is created in the Windows User Temp Folder (C:\Users\{user}\AppData\Local\Temp\ panoptabkp_{random_characters}).

    • Panopta Agent configuration file: C:\Program Files (x86)\PanoptaAgent\Agent.config

    • Panopta Agent CounterMeasures: C:\Program Files (x86)\PanoptaAgent\cm_ps_plugins

    • Panopta Agent Custom Plugins: C:\Program Files (x86)\PanoptaAgent\ps_plugins

  2. The Panopta Agent is uninstalled.

  3. The FortiMonitor Agent installation process is started.

  4. The AggregatorUrl property of the Agent configuration file is checked. If it is pointing to aggregator2.panopta.com and the connectivity check to the new aggregator rx.us01.fortimonitor.com:443 is successful, the AggregatorUrl property will be updated to rx.us01.fortimonitor.com:443. Otherwise, the AggregatorUrl will remain pointing to aggregator2.panopta.com.

  5. The backup is copied to the following directories:

    • Panopta Agent configuration file to C:\Program Files (x86)\FortiMonitor\Agent.config

    • Panopta Agent CounterMeasures to C:\Program Files (x86)\ FortiMonitor \cm_ps_plugins

    • Panopta Agent custom plugins to C:\Program Files (x86)\ FortiMonitor \ps_plugins

Migrate using a local Windows Agent package

For Windows servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.

  1. Download the latest Agent package. Contact support for the download information.

  2. Copy the package to the Agent server.

  3. Run the following command:
    Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1 .\fm-upgrade.ps1 -local <FILENAME>
    Where <FILENAME> is the path to the downloaded MSI file. If you are specifying a full path, use quotes.

  4. Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.

Previous
Next

Migrating a Panopta Agent configuration to FortiMonitor Agent

The following sections describe how to migrate your existing Panopta Agent configuration to a new FortiMonitor Agent installation.

Linux Panopta Agent migration

Note: Python 3 is required for all Linux Agent installations. Ensure that Python 3 is installed before proceeding with the migration. See FortiMonitor Agent Security for encryption and communication ports/ protocols.

To migrate your Panopta Linux Agent configuration, run the following command:

curl -s https://repo.fortimonitor.com/install/linux/fm_agent_install.sh | bash /dev/stdin -c <customer-key> -x

Where -x is the argument for migration.

When the migrate flag (-x) is used to install the new FortiMonitor Linux Agent on a server that already has the Panopta Agent installed, the following occurs:

  1. The migrate flag alerts the install script to create and configure a new FortiMonitor manifest file (/etc/fm-agent-manifest) based on the existing Panopta Agent configuration file (/etc/panopta-agent/).

    • If the panopta_agent.cfg file does not exist, a very unlikely scenario, a new clean manifest file will be generated. The Agent will still merge to the existing instance, however, the FortiMonitor configuration file (/etc/fm-agent/fm_agent.cfg) will only contain default properties. Any additional properties or code blocks that were previously configured will not be present and the aggregator_url property will default to rx.us01.fortimonitor.com.

    • If the aggregator_url property in the existing panopta_agent.cfg file is configured to the default Panopta value (aggregator2.panopta.com:443), it will be changed to the new default (rx.us01.fortimonitor.com). All other existing values, including proxy settings will be migrated over.

  2. The FortiMonitor Agent installation process is started.

    • If the connectivity test to rx.us01.fortimonitor.com fails, the installation process stops, and the current Panopta Agent installation remains.

  3. A backup of the following is created in this directory /tmp/panopta-agent-migration-bkp.

    • Panopta Agent configuration file: /etc/panopta-agent/panopta_agent.cfg

    • Panopta CounterMeasures: /usr/lib/panopta-agent/countermeasures/plugins

    • Panopta custom plugins: /usr/share/panopta-agent/

  4. The custom plugins from /usr/share/panopta-agent/ are migrated to /usr/share/fm-agent/.

  5. The custom CounterMeasures from /usr/lib/panopta-agent/countermeasures/plugins are migrated to /usr/share/fm-agent/countermeasures.

  6. The Panopta Agent is uninstalled.

Migrate using a local Linux Agent package

For Linux servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.

  1. Download the latest Agent package. Contact support for the download information.

  2. Copy the package to the Agent server.

  3. Run the following command:
    python3 linux_fm_agent_install.py --migrate --customer-key <customer-key> --local <path to local rpm/deb pkg>

  4. Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.

Windows Panopta Agent migration

To migrate your Panopta Windows Agent configuration:

  1. Open PowerShell in administrator mode and run the following command to enable tls1.1 and 1.2 for the current session:

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12;

  2. Run the following command:

Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1

.\fm-upgrade.ps1

The migration script only takes one optional argument, -autoupdate. If this is set, it modifies the Agent configuration file to enable autoupdate.

When the fm-upgrade.ps1 script is used on a server that already has the Panopta Agent installed, the following occurs:

  1. A backup of the following sources is created in the Windows User Temp Folder (C:\Users\{user}\AppData\Local\Temp\ panoptabkp_{random_characters}).

    • Panopta Agent configuration file: C:\Program Files (x86)\PanoptaAgent\Agent.config

    • Panopta Agent CounterMeasures: C:\Program Files (x86)\PanoptaAgent\cm_ps_plugins

    • Panopta Agent Custom Plugins: C:\Program Files (x86)\PanoptaAgent\ps_plugins

  2. The Panopta Agent is uninstalled.

  3. The FortiMonitor Agent installation process is started.

  4. The AggregatorUrl property of the Agent configuration file is checked. If it is pointing to aggregator2.panopta.com and the connectivity check to the new aggregator rx.us01.fortimonitor.com:443 is successful, the AggregatorUrl property will be updated to rx.us01.fortimonitor.com:443. Otherwise, the AggregatorUrl will remain pointing to aggregator2.panopta.com.

  5. The backup is copied to the following directories:

    • Panopta Agent configuration file to C:\Program Files (x86)\FortiMonitor\Agent.config

    • Panopta Agent CounterMeasures to C:\Program Files (x86)\ FortiMonitor \cm_ps_plugins

    • Panopta Agent custom plugins to C:\Program Files (x86)\ FortiMonitor \ps_plugins

Migrate using a local Windows Agent package

For Windows servers that are restricted from accessing the internet, the Panopta Agent can be migrated using a local Agent package.

  1. Download the latest Agent package. Contact support for the download information.

  2. Copy the package to the Agent server.

  3. Run the following command:
    Invoke-WebRequest https://repo.fortimonitor.com/install/win/fm-upgrade.ps1 -OutFile fm-upgrade.ps1 .\fm-upgrade.ps1 -local <FILENAME>
    Where <FILENAME> is the path to the downloaded MSI file. If you are specifying a full path, use quotes.

  4. Verify that all of the custom metrics, plugins, and CounterMeasures are migrated to the new FortiMonitor Agent.

Previous
Next