Administration Guide

Appendix C – ON PREMISE DEPLOYMENTS

This chapter describes how to set up the FortiEDR backend components for on-premise deployments. Before you start, make sure that on-premise deployment is the most suitable option for you.

System requirements

The following tables list the system requirements of each backend component. Make sure that all devices, workstations, virtual machines and servers on which a FortiEDR backend component will be installed comply with these requirements.

Component requirements (Central Manager, Aggregator (1), Threat Hunting Repository, Core (2))

Processor
  All components: Intel or AMD x86 (64-bit)

Number of CPUs
  Central Manager: 4
  Aggregator (1): 4
  Threat Hunting Repository: Varies by number of seats and period of required Threat Hunting data retention. Refer to the next table for requirements for one month of data retention for the extensive profile.
  Core (2):
    • 4 for Core
    • 2 for Core running as a Jumpbox

Physical Memory
  Central Manager: 16 GB
  Aggregator (1): 16 GB
  Threat Hunting Repository: Varies; refer to the next table.
  Core (2):
    • 16 GB for Core
    • 4 GB for Core running as a Jumpbox

Disk Space
  Central Manager: 150 GB, SSD
  Aggregator (1): 80 GB
  Threat Hunting Repository: Varies; refer to the next table.
  Core (2):
    • 250 GB SSD for Core
    • 50 GB (non-SSD) for Core running as a Jumpbox

  Note: For a Threat Hunting license, each 1000 additional Collectors above the first 1000 require an additional 45 GB of disk space.

ISO Image OS
  Central Manager: CentOS 7
  Aggregator (1): CentOS 7
  Threat Hunting Repository: ESXi 7.0
  Core (2): CentOS 7

Listening Port (3)
  Central Manager: 443
  Aggregator (1):
    • 8081 if installed on the same machine as the Central Manager
    • 8091 if installed separately from the Central Manager
  Threat Hunting Repository:
    • 32100, 32000, 32001, and 32002 for Core
    • 3000 and 5601 for web browser access for monitoring purposes (Grafana and Kibana web services)
    • 8095 for Central Manager
  Core (2): 555

Server Connectivity (4)
  Central Manager:
    For communication with FortiEDR Cloud Service (FCS):
      • cldsrv.ensilo.com
      • rbq.cldsrv.ensilo.com
    For Connectors and other integrations:
      • storage.googleapis.com
      • oauth.googleapis.com
      • oauth2.googleapis.com
    For AV signature updates:
      • fortiav.cloud.ensilo.com
  Aggregator (1): N/A
  Threat Hunting Repository: N/A
  Core (2): reputation.cloud.ensilo.com (for access to the Fortinet Reputation servers for file reputation updates)

(1) Refer to the following guidelines to determine the number of Aggregators you need to set up:

  • If no organization will be defined and the number of Collectors doesn’t exceed 5000, set up one VM to act as both the Central Manager and the Aggregator.

  • If organizations will be defined and the number of Collectors is between 5000 and 10000, set up a VM for the Aggregator that is separate from the Central Manager.

  • If organizations will be defined and the number of Collectors exceeds 10000, set up additional FortiEDR Aggregator VMs on top of the initial one.

(2) Refer to the following guidelines to determine the number of Cores you need to set up:

  • Set up a separate Core for each Aggregator.

  • For every additional 5000 Collectors, set up at least one additional Core. The number of additional Cores required depends on the amount of Threat Hunting event data, which relates to the Data Collection profile, the number of Servers, and so on.

  • You can set up a maximum of 50 Cores.

(3) Ensure that these ports are not blocked by your firewall product (if one is deployed). As a security best practice, update the firewall rules so that they provide only a narrow opening. For example:

  • Only open TCP outbound port 555 to the Core IP address.
  • Only open TCP outbound port 8081 to the Aggregator IP address.
  • Only open TCP outbound port 8091 to the Central Manager IP address, so that the Aggregator can reach it when the Aggregator is installed on premise while the Central Manager is in the cloud.

(4) Ensure that these servers are not blocked by your firewall product (if one is deployed) and can be reached by the corresponding component.
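The narrow-opening recommendation in footnote (3) is easy to state and easy to drift away from once rules accumulate. The following audit script is an added example (not part of the FortiEDR guide or product): it compares a list of outbound rules with the three recommended single-host openings and flags rules that are wider than one address, as well as ports with no rule at all. The component addresses and the rule list are constructed sample data; the OutboundRule type is an assumption standing in for whatever export your firewall produces.

```python
import ipaddress
from dataclasses import dataclass

# Narrow openings recommended by footnote 3: TCP destination port -> the only
# component that should be reachable on it.
NARROW_OPENINGS = {555: "Core", 8081: "Aggregator", 8091: "Central Manager"}

@dataclass(frozen=True)
class OutboundRule:
    proto: str      # "tcp" or "udp"
    dst_port: int
    dst_cidr: str   # destination in CIDR form; "0.0.0.0/0" means any host

def audit_outbound_rules(rules, component_ips):
    """Return sorted (port, kind, detail) findings. component_ips maps component
    name -> IP address. kind is "too_wide" when a rule permits more than that
    single address, "missing" when no TCP rule allows the port at all."""
    findings, seen_ports = [], set()
    for rule in rules:
        component = NARROW_OPENINGS.get(rule.dst_port)
        if component is None or rule.proto.lower() != "tcp":
            continue  # ports outside the recommendation are not audited here
        seen_ports.add(rule.dst_port)
        allowed = ipaddress.ip_network(rule.dst_cidr, strict=False)
        expected = ipaddress.ip_address(component_ips[component])
        if allowed.num_addresses != 1 or expected not in allowed:
            findings.append((rule.dst_port, "too_wide",
                             f"tcp/{rule.dst_port} is open to {allowed}; "
                             f"restrict it to {expected}/32 ({component})"))
    for port, component in NARROW_OPENINGS.items():
        if port not in seen_ports:
            findings.append((port, "missing",
                             f"no TCP rule allows port {port} to the {component}"))
    return sorted(findings)

# Constructed sample data: the addresses and rules are invented for this example.
SAMPLE_IPS = {"Core": "10.10.0.30", "Aggregator": "10.10.0.20",
              "Central Manager": "10.10.0.10"}
SAMPLE_RULES = [
    OutboundRule("tcp", 555, "0.0.0.0/0"),       # far wider than the Core address
    OutboundRule("tcp", 8081, "10.10.0.20/32"),  # matches the recommendation
    OutboundRule("tcp", 443, "0.0.0.0/0"),       # not covered by footnote 3
]

if __name__ == "__main__":
    for port, kind, detail in audit_outbound_rules(SAMPLE_RULES, SAMPLE_IPS):
        print(f"{kind:9} {detail}")
```

Run against the sample data it reports port 555 as too wide and port 8091 as missing, which is the kind of gap that silently turns "only to the Core IP" into "to anywhere".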

Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements

Number of Seats | Number of VMs (Nodes) | Number of CPUs per VM (Node) | Memory per VM (Node) | OS Disk per VM (Node) | Data Disk per VM (Node)
2000 or fewer   | 1 | 17 | 32 GB | 50 GB, non-SSD | 1187 GB SSD or 34 GB SSD + 1153 GB non-SSD
4000            | 1 | 27 | 34 GB | 50 GB, non-SSD | 2310 GB SSD or 34 GB SSD + 2300 GB non-SSD
6000            | 1 | 37 | 41 GB | 50 GB, non-SSD | 3410 GB SSD or 34 GB SSD + 3400 GB non-SSD
8000            | 1 | 47 | 48 GB | 50 GB, non-SSD | 4510 GB SSD or 34 GB SSD + 4500 GB non-SSD
10000           | 1 | 57 | 55 GB | 50 GB, non-SSD | 5610 GB SSD or 34 GB SSD + 5600 GB non-SSD
12000           | 1 | 67 | 62 GB | 50 GB, non-SSD | 6710 GB SSD or 34 GB SSD + 6700 GB non-SSD
14000           | 1 | 77 | 69 GB | 50 GB, non-SSD | 7810 GB SSD or 34 GB SSD + 7800 GB non-SSD
15000           | 3 | 30 | 27 GB | 50 GB, non-SSD | 3249 GB SSD or 11 GB SSD + 3237 GB non-SSD
20000           | 3 | 40 | 35 GB | 50 GB, non-SSD | 4318 GB SSD or 11 GB SSD + 4306 GB non-SSD
25000           | 3 | 49 | 42 GB | 50 GB, non-SSD | 5387 GB SSD or 11 GB SSD + 5375 GB non-SSD
30000           | 3 | 58 | 47 GB | 50 GB, non-SSD | 6456 GB SSD or 11 GB SSD + 6444 GB non-SSD

Note: For Hyper-V VMs, the disk should be IDE with at least 30% of the physical disk space remaining free at all times. Do not use a Hyper-V checkpoint, which consumes the entire disk size every few hours.

For the Threat Hunting Repository specifications required for supporting more than 30000 Collectors, please contact Fortinet Support.

Setting up FortiEDR components on-premise

Set up the system components top-down in the following order:

  1. Setting up the FortiEDR Central Manager and FortiEDR Aggregator
  2. Setting up the FortiEDR Threat Hunting Repository
  3. Setting up the FortiEDR Core
  4. Installing FortiEDR Collectors
