3. Migrating from GOS 3 to GOS 4

Version 4 of the Greenbone operating system is the most extensive overhaul compared to any prior version. Many internal functions and features were redesigned. This is also true for the graphical web interface and the command line interface for the administration. The following sections briefly explain the steps required during the migration of the appliances and the changes of default behaviour between version 3 and 4 you should be aware of.

With increasing complexity of a GSM setup, the migration can get complex as well. Customers are encouraged to plan and execute the migration in close coordination with the Greenbone Support.

3.1. GSM ONE

This section covers the migration of your data from a GSM ONE using GOS 3.1 to a GSM ONE using GOS 4. A regular in-place update of the system, as in the past, is not supported. This is due to the extensive modifications in the system and the new database management system. The migration is achieved in three steps:

  • Backup of the user data on the GSM ONE using GOS 3.1
  • Export of the backup file
  • Import and restore of the backup on the GSM ONE using GOS 4

Please contact the Greenbone Support and request a virtual image of GSM ONE with GOS 4. Provide your subscription key ID. You will receive a virtual image with GOS 4 and a guide for the migration.

3.2. GSM 25V

The virtual sensors are replaced by new virtual images. Please contact the Greenbone Support Team to receive GOS 4 images of the GSM 25V and provide the subscription key IDs for the respective sensors.

Because sensors do not store scan data, the setup and configuration of the sensor will be solely done in GOS 4. No migration steps are required.

3.3. GSM 25 and GSM 100

The small hardware appliances GSM 25 and GSM 100 require a migration of the user data via a USB Stick. GOS 4 eliminates this limitation for future upgrades.

Before starting the migration process please contact Greenbone Support. You will receive a detailed guide for the migration as well as advice tailored to your specific setup.

If you intend to keep the user data of the GSM, it is mandatory to create a userdata backup via USB Stick and store the settings as well, which could be done via copy & paste. In case you have no physical access to the GSM, please contact the Greenbone Support for an alternative procedure involving additional manual steps.

A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security Feed service. If it doesn’t (for example Airgap or separate security zones), please contact Greenbone Support for an alternative procedure involving additional manual steps.

To start the migration, your appliance needs to be at least at GOS version 3.1.42 or newer. Earlier GOS versions do not offer a migration. Note that you should have physical or at least console access to the system(s) in question. It might be necessary to configure some initial settings to reintegrate the GSM into the network.

In GOS 4 you are offered a guided setup. Via the Setup menu the userdata backup is imported with item Data Import.

3.4. GSM 400 up to 6400

All hardware appliances offer a seamless migration from GOS 3.1 to GOS 4. The user data will be moved to the new version and your system settings will be kept for the most part, although there are exceptions. Complex setups in particular, such as Master-Slave, Airgap or Expert-Net, should be planned carefully.

Before starting the migration process please contact Greenbone Support. You will receive a detailed guide for the migration as well as advice tailored to your specific setup.

As a general guideline, you should begin by creating a user data backup and store it on a USB Stick. While your user data should be moved automatically during the migration, a backup is a safety measure that should always be undertaken.

A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security Feed service. If it doesn’t (for example Airgap or separate security zones), please contact Greenbone Support for an alternative procedure involving additional manual steps.

To start the migration, your appliance needs to be at least at GOS version 3.1.42 or newer. Earlier GOS versions do not offer a migration. Note that you should have physical or at least console access to the system(s) in question. It might be necessary to configure some initial settings to reintegrate the GSM into the network.

In GOS 4 you are offered a guided setup and migration. You have the option to restore the migrated user data from 3.1. This is a one-time offer. If you deny, the data will be deleted from the appliance and the only copy left is the backup on your USB Stick.

3.5. Changes of default behaviour

The following list displays the changes of default behaviour from GOS 3 to GOS 4. Depending on the current features used, these changes may apply to the currently deployed setup. Please check the following list to decide whether changes to the currently deployed setup are required. Greenbone Support may help during this process.

  • NVTs: Starting with GOS 4.2, policy violation NVTs have a score of 10 by default (see section Compliance and special scans). In the past these NVTs had a score of 0 and overrides were required (see the Severity sections).
  • GMP: The OpenVAS Management Protocol has been replaced with the Greenbone Management Protocol. The major difference is the transport channel used. While OMP uses an SSL-encrypted channel on port 9390/tcp, GMP uses SSH. Therefore the older omp.exe tool cannot connect to GOS 4 appliances. The new appliances require the GVM-Tools (see section Greenbone Management Protocol). The GVM-Tools are compatible with GOS 3.1, so that you can migrate your scripts prior to migrating the GSM.
  • GMP: The Greenbone Management Protocol changed the API slightly. New commands are available and some commands have changed their usage. The complete reference guide and the changes are available at http://docs.greenbone.net/API/OMP/omp-7.0.html#changes.
  • TLS: If an external CA should be used (see section Certificate), the certificate requests generated by the GOS menu option now use 3072-bit keys. Some CAs do not support such long keys yet. In those cases the PKCS12 import still supports keys with a key length of 2048 bits.
  • Master/Slave: While deployments using GOS 3.1 require two ports for a master/slave setup, starting with GOS 4.2 only one port is required. Port 22/tcp is used for controlling the slave and for the synchronization of updates and feeds. Port 9390/tcp, formerly used for the remote control of the slaves by the master, is not used anymore. In addition, as a security measure, the identity of all linked master/slave appliances is now validated via a key exchange in GOS 4. It will be necessary to perform this key exchange when migrating old GOS 3.1 slaves or sensors. Note that on GOS 4, slaves are regarded as a special type of scanner and are configured in the web interface under the respective section.
  • Report Format Plugins: In contrast to GOS 3.1, Report Format Plugins in GOS 4 connected to an Alert will not be executed if the RFP was set to disabled.
  • Report Format Plugins: All Report Format Plugins (RFPs) which were uploaded manually in GOS 3.1 or which were created by cloning another RFP will be automatically disabled during the migration to GOS 4. Some might not work on GOS 4 anymore. If they are not used anywhere, you should remove them. For some RFPs there are now more advanced versions in the pre-configured set of RFPs, and you should switch to those if you want to use them, for example in an Alert. Before re-activating an RFP, test it with a report and make sure it is not automatically used with an Alert in the background while you are testing it. If in doubt, you can also ask the Greenbone Support what to do with a certain RFP.
  • Expert-Net: If you had Expert networking mode (Expert-Net) enabled in GOS 3.1, the network configuration will be reset after upgrading to GOS 4. Please contact Greenbone Support for further details and be prepared to configure your GSM without remote network access.
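
For the TLS item above, the key size of a certificate request can be checked before it is sent to an external CA. The following is an added example, not part of GOS or of the original guide: it reads the RSA modulus length out of a PKCS#10 request (PEM or DER) and reports whether the 2048-bit PKCS12 import path is needed. The function names, the ca_max_bits parameter (the CA's documented key-size limit) and the unsigned sample request are assumptions constructed for illustration.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def tlv(buf, pos=0):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_bits(csr):
    """Return the RSA modulus size in bits of a PEM or DER PKCS#10 request."""
    if b"-----BEGIN" in csr:
        csr = base64.b64decode(b"".join(
            l for l in csr.splitlines() if not l.startswith(b"-----")))
    info = children(children(tlv(csr)[1])[0][1])   # CertificationRequestInfo
    spki = children(info[2][1])                    # SubjectPublicKeyInfo
    if children(spki[0][1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa_key = children(spki[1][1][1:])[0][1]       # skip the unused-bits octet
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def ca_check(csr, ca_max_bits):  # ca_max_bits: the CA's key-size limit (assumed input)
    bits = csr_rsa_bits(csr)
    return bits, "submit" if bits <= ca_max_bits else "use-2048-pkcs12-import"

# Constructed sample: a structurally valid request skeleton, not a signed CSR.
def der(tag, value):
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value
def sample_csr(bits):
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    rsa = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    return der(0x30, info + alg + der(0x03, b"\x00"))
```

Calling ca_check(sample_csr(3072), 2048) returns (3072, "use-2048-pkcs12-import"); a real request exported from the appliance can be passed in as bytes in the same way.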