Administration Guide

Automated FortiEDR Collector Deployment

Automated FortiEDR Collector Deployment on Windows

FortiEDR can be installed automatically via any software installation and distribution system.

To deploy a FortiEDR Collector via a command line:
  1. Use the following command syntax:
    msiexec /i FortiEDRCollectorInstaller64.msi /qn AGG=10.0.0.1:8081 PWD=1234
    For example, to install a FortiEDR Collector on a 64-bit machine, connect it to a FortiEDR Aggregator on IP address 10.0.0.1 and use the device registration password 1234, enter the following command:
    msiexec /i FortiEDRCollectorInstaller64.msi /qn AGG=10.0.0.1:8081 PWD=1234

    You can specify which Collector Group to assign this Collector to by adding the DEFGROUP parameter. This parameter is optional. When you specify this parameter, the first time that this Collector registers with the system, it is automatically assigned to the Collector Group specified by the DEFGROUP parameter.

    For example, to install a FortiEDR Collector on a 64-bit machine, connect it to a FortiEDR Aggregator on IP address 10.0.0.1, use the device registration password 1234, use the DEFGROUP parameter and enter the following command:

    msiexec /i FortiEDRCollectorInstaller64.msi /qn AGG=10.0.0.1:8081 PWD=1234 DEFGROUP=server

    Note: The name of the Collector MSI file may be different.

    For Collectors version 3.0.0 and above, you can set a designated group and/or organization. To do so, enter the following command:

    ./CustomerBootstrapGenerator --aggregator [IP] --password '[PASSWORD]' --organization '[ORGANIZATION]' --group '[GROUP]' > CustomerBootstrap.js
  2. Use of a web proxy can be configured for Collectors version 3.0.0 and above. To do so, append the parameter PROXY=1 to the command syntax shown above.
  3. In general, a FortiEDR Collector does not require the device on which it is installed to reboot after its installation. However, in some cases, you may want to couple the installation of the FortiEDR Collector with a reboot of the device. To do so, append the parameter NEEDREBOOT=1 to the command syntax shown above.

    Collectors that are installed with this flag appear in the FortiEDR Central Manager as Pending Reboot (page 87) and will not start operating until after the device is rebooted.

    Note: In general, rebooting the device after installing a FortiEDR Collector is good practice, but is not mandatory. Rebooting may prevent a threat actor from attempting to exfiltrate data on a previously existing connection that was established before installation of the FortiEDR Collector.

  4. When installing on a Citrix PVS golden image, append the parameter CITRIXPVS=1 to the command syntax shown above.
  5. If your software distribution system does not allow the addition of specific parameters to the command, you can use the custom FortiEDR Collector installer, which can be accessed via the Central Manager Console and has the required DNS or IP address and password already embedded inside. For more details, see Requesting and Obtaining a Collector Installer.
  6. If another AV product is also installed on the machine, set up AV exclusions by following the instructions in Setting up exclusions with other AV products.

Automated FortiEDR Collector Deployment on Mac

To deploy a custom FortiEDR macOS Collector via a command line:
  1. Get a pre-populated customized Collector installer for macOS as described in Requesting and Obtaining a Collector Installer.
  2. Run the following command in order to install using the specified settings:
    sudo installer -pkg <package path> -target /

    For example, if the package file is FortiEDRInstallerOSX_2.5.2.38.pkg, use the following command:

    sudo installer -pkg ./FortiEDRInstallerOSX_2.5.2.38.pkg -target /
  3. If another AV product is also installed on the machine, set up AV exclusions by following the instructions in Setting up exclusions with other AV products.

To deploy a non-customized FortiEDR macOS Collector via a command line:

Run the following command line to generate the settings file:

./CustomBootstrapGenerator --aggregator [IP] --password [PASSWORD] > CustomerBootstrap.jsn

If the Aggregator port is different than 8081 (which is set by default), you can add the following:

./CustomBootstrapGenerator --aggregator [IP] --password [PASSWORD] --port 8083 > CustomerBootstrap.jsn

The following are optional parameters that can be used with the custom installer generator:

  • If the Collector should be part of a designated Collector Group, use --group '[GROUP]'.
  • For a multi-tenant setup, the organization to which this device belongs can be added using
    --organization '[ORGANIZATION]'
  • If a web proxy is being used to filter requests in this device’s network, use
    --useProxy '1'

The following is an example that includes all optional parameters:

./CustomBootstrapGenerator --aggregator [IP] --password [PASSWORD] --useProxy '1' --organization '[ORGANIZATION]' --group '[GROUP]' > CustomerBootstrap.jsn

If another AV product is also installed on the machine, set up AV exclusions by following the instructions in Setting up exclusions with other AV products.
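
The generator invocation above as a wrapper for a deployment script, added here as an example and not Fortinet's own code: it validates the inputs, passes only the flags listed on this page, and creates the settings file with owner-only permissions. The names generate_bootstrap and GENERATOR are hypothetical, and treating the settings file as sensitive is an assumption.

```shell
#!/bin/sh
# Added example (not Fortinet code). generate_bootstrap and GENERATOR are
# hypothetical names; only flags shown on this page are passed.
# Usage: generate_bootstrap OUTFILE AGGREGATOR PASSWORD [PORT] [GROUP] [ORG] [USE_PROXY]
generate_bootstrap() {
    out=$1 agg=$2 pass=$3 port=${4:-8081} group=${5:-} org=${6:-} proxy=${7:-0}
    gen=${GENERATOR:-./CustomBootstrapGenerator}

    # Aggregator: IPv4 address or DNS name characters only.
    case $agg in
        ''|*[!A-Za-z0-9.-]*) echo "invalid aggregator: $agg" >&2; return 1 ;;
    esac
    [ -n "$pass" ] || { echo "empty registration password" >&2; return 1; }
    # Port: 1 to 5 digits, in the range 1-65535.
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi

    set -- --aggregator "$agg" --password "$pass"
    # 8081 is the default, so --port is passed only for other values.
    [ "$port" -eq 8081 ] || set -- "$@" --port "$port"
    [ "$proxy" = 1 ] && set -- "$@" --useProxy 1
    [ -n "$org" ] && set -- "$@" --organization "$org"
    [ -n "$group" ] && set -- "$@" --group "$group"

    # The settings file is derived from the registration password, so it is
    # created readable by the current user only (assumed to be sensitive).
    ( umask 077; "$gen" "$@" > "$out" )
}
```

Passing each value as its own quoted argument avoids the typographic-quote and word-splitting problems that appear when these commands are pasted into a script.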

Automated FortiEDR macOS Collector deployment on Big Sur operating system devices with MDM

When distributed with MDM solutions such as Jamf, FortiEDR can be allowlisted with the following Team ID and Bundle ID identifiers:

  • A97R6J3L29 com.ensilo.ftnt
  • A97R6J3L29 com.ensilo.ftnt.sysext
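
To confirm on a managed Mac that the allowlisting took effect, the check below (an added example, not part of the original guide) reads systemextensionsctl list output and reports the state of the extension for a given Team ID and Bundle ID. It assumes the tab-separated row layout that macOS prints and that com.ensilo.ftnt.sysext is the system extension; sysext_state, sample_list and the sample row (version and name included) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: systemextensionsctl list | sysext_state TEAM_ID BUNDLE_ID
# Prints the extension state; returns 0 only for "activated enabled",
# 1 for any other state, 2 when no matching row exists.
sysext_state() {
    awk -F '\t' -v team="$1" -v bundle="$2" '
        # Data rows: enabled, active, teamID, "bundleID (version)", name, [state]
        $3 == team {
            split($4, b, " ")                  # drop the "(version)" suffix
            if (b[1] != bundle) next
            found = 1
            s = $NF
            gsub(/^\[|\]$/, "", s)             # strip the surrounding brackets
            if (s == "activated enabled") ok = 1; else other = s
        }
        END {
            if (!found) { print "missing"; exit 2 }
            if (ok)     { print "activated enabled"; exit 0 }
            print other
            exit 1
        }'
}

# Constructed sample of the listing; $1 is the state to place in the row.
sample_list() {
    printf '1 extension(s)\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tA97R6J3L29\tcom.ensilo.ftnt.sysext (1.0/1)\tFortiEDR\t[%s]\n' "$1"
}
```

A state such as "activated waiting for user" means the extension still needs local approval, which is what the MDM allowlisting is meant to avoid.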
