JANUARY 6, 2021

The following instructions are intended for customers of the following Orion Platform versions, which are known to be affected by the SUNBURST malware and are considered a Category 3 from the CISA recommended categorizations classification at https://cyber.dhs.gov/ed/21-01/#supplemental-guidance:

  • 2019.4 HF 5
  • 2020.2 RC 1
  • 2020.2 RC 2
  • 2020.2 unpatched
  • 2020.2 HF 1 and Orion Platform 2020 versions.

If you’re not considered a Category 3 by the CISA criteria, but plan to upgrade to the latest version of the Orion Platform, along with the latest versions of the Windows and SQL Server systems, please follow our normal upgrade documentation available in your Customer Portal at https://customerportal.solarwinds.com or at https://www.solarwinds.com/securityadvisory/faq#question10 to upgrade to the latest version of the Orion Platform from your current version. These instructions are designed for those who are starting a new Orion Platform environment but who cannot use the existing Orion database due to malicious activity associated with the SUNBURST attack. 

These instructions and scripts are designed to help an Orion administrator configure a new Orion system built on the latest version of the Orion Platform (version 2020.2.1 HF 2) but still utilizing data from the existing Orion database to help “bootstrap” the new Orion Platform instance to behave like the old Orion Platform instance.

These instructions are designed to help you to ensure your new Orion Platform instance is configured as similarly to the old system as possible. These instructions assume you will have access to the existing Orion database. Note, the Orion database does not need a network connection, nor does the new Orion instance need a network connection to the old Orion database. The administrator would be benefitted most if they’re able to transfer files between the old Orion database SQL Server and a  server with connectivity to the new SQL Server to which the new Orion instance will connect. This file transfer could, for example, be facilitated via a USB drive to copy SQL scripts and output CSV files from one environment to the other.

Please check back to this page regularly as we continue to add steps and dates for transferring data and configurations for each of the Orion modules.


Basic recommendations:

  • If you were using NetFlow Traffic Analyzer (NTA) or Log Analyzer (LA) (Syslog and Traps) features, we recommend using the same IP addresses for your Orion servers, if possible. This will minimize the number of changes you need to make to your devices that were sending NetFlow and syslog data to your server.
  • Please ensure the new Orion servers and new SQL Server are fully patched and are able to execute PowerShell scripts. These instructions use PowerShell to help you set up your new Orion Platform instance as efficiently as possible.

Please follow the instructions carefully for each feature you want to migrate from the old Orion Platform instance to the new instance.

Step 1: Install a fresh Orion Platform instance per the installation guide with all the modules you’re licensed to use.

  • If you are using NetFlow Traffic Analyzer (NTA) or Log Analyzer (LA), please ensure all of the databases necessary for each module are up and running. If you were running multiple polling engines (MPE), or any high availability (HA) engines, please have those configured before starting the migration of data. 

Step 2: Conduct basic discovery and import of your Orion Nodes.

  • Log in to your old Orion SQL Server and execute this script in SQL Server Management Studio.

SELECT [E].[EngineID],

[E].[ServerName] AS [PollingEngineName]

FROM [Engines] [E]


  • This script outputs all of your engines and their IDs. You’ll use this information to help build a discovery for each polling engine. You’ll need to have a map of names of your new polling engines to your old ones so you add the nodes back to the correct, corresponding polling engine.
  • For each polling engine, execute this script by replacing the “<enter ID Here>” text with the ID of each of your polling engines:



FROM [dbo].[Nodes] [N]

JOIN [Engines] [E] ON [E].[EngineID] = [N].[EngineID]

WHERE [N].[DynamicIP] = 0 AND [E].[EngineID] = <enter ID Here>



  • This script outputs all the IP addresses for all the nodes in your Nodes tables monitored by your polling engines. Use the SSMS feature to save this output to a file you can transfer to the new Orion server. These IP addresses will be used in a discovery to populate your new Orion Platform instance.
  • These steps will guide you to create a new discovery for each polling engine in your environment.
  • For each polling engine, go the Network Sonar Discovery page. Create a new discovery for this polling engine.
  • Open the file created for your polling engine Node IP addresses from above. Open the output CSV file in Notepad or an equivalent text editor.
  • Copy the IP addresses from the CSV file to the Network Sonar Wizard IP Addresses Section of the discovery wizard.
  • Add the necessary credentials and other information for the discovery per the instructions here: https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-Network-Discovery-Using-the-Network-Sonar-Wizard-sw1574.htm.
  • Be sure you select the correct polling engine from the Network Sonar Discovery wizard that maps to your old Orion polling engine. See this page for details: https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/onboarding/core-ob_advanced_discovery.htm.
  • Repeat the above steps for each polling engine in your environment.


Directions to import configurations for the following Orion Platform products will be provided soon – check back on this page for updates:

  • Orion Platform Features
  • Network Performance Monitor (NPM)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Configuration Manager (NCM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

FAQ: Security Advisory