Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.1.0 Administration Guide

Installing FortiEDR

5.1.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0
Copy Link
Copy Doc ID b28358be-8e0c-11ec-9fd1-fa163e15d75b:633631
Download PDF

Installing FortiEDR

This chapter describes how to install each of the FortiEDR components

Before You Start

Before you start the FortiEDR installation process, please make sure that:

  • All devices, workstations, virtual machines and servers on which a FortiEDR component will be installed comply with the system requirements provided on Installing FortiEDR.
  • You have read and selected the most suitable deployment option for you.
  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager use ports 555, 8081 and 443, respectively. Ensure that these ports are not blocked by your firewall product (if one is deployed).
    If the FortiEDR Aggregator and FortiEDR Central Manager are installed separately, port 8091 is used by the Aggregator to communicate with the Manager.

    As a security best practice, it is recommended to update the firewall rules so that they only have a narrow opening. For example:

    • Only open the TCP outbound port 555 to the Core IP address.
    • Only open the TCP outbound port 8081 to the Aggregator IP address.

    • Only open TCP outbound port 8091 to the Central Manager IP address to be accessed by the Aggregator when the Aggregator is installed on premise, while the Central Manager is in the Cloud.

The default deployment mode of FortiEDR backend components is in the cloud and is provided by Fortinet. Cloud components are installed for you by Fortinet.

If you require that the FortiEDR Threat Hunting Repository, Central Manager, Aggregator, or Core would be deployed on your organization’s premises (on-premises), see Appendix C, On-Premise Deployments in Appendix C – ON PREMISE DEPLOYMENTS.

System Requirements

Component

System Requirements
Processor
  • The FortiEDR Collector runs on Intel or AMD x86 – both 32-bit and 64-bit and on Apple M1 (ARM) hardware.
  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager run on Intel or AMD x86 64-bit.
  • FortiEDR is designed to use less than 1% CPU for the FortiEDR Collector.
  • FortiEDR Aggregator and Central Manager require a minimum of four CPUs.
  • FortiEDR Core requires a minimum of four CPUs.
  • FortiEDR Core running as a Jumpbox requires two CPUs.
Physical Memory
  • FortiEDR Collector requires at least 60 MB of RAM.
  • FortiEDR Core requires at least 16 GB of RAM.
  • FortiEDR Core running as a Jumpbox requires 4 GB of RAM.
  • FortiEDR Aggregator requires at least 16 GB of RAM.
  • FortiEDR Central Manager requires at least 16 GB of RAM.
Disk Space
  • FortiEDR Collector installation requires at least 20 MB of disk space.
  • FortiEDR Core requires an SSD disk with at least 80 GB of disk space. For a Threat Hunting license, each 1k of Collectors, over and above the first 1k, require an additional 45 GB.
  • FortiEDR Core running as a Jumpbox requires 50 GB of disk space (non-SSD).
  • FortiEDR Aggregator installation and logs space requires at least 80 GB of disk space.
  • FortiEDR Central Manager installation and logs space requires at least 150 GB of disk space (SSD).
Threat Hunting Repository
  • The number of required CPUs (Cores) depends on the number of seats and the required Threat Hunting data retention. A minimum of 16 CPUs is required for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 6 CPUs.
  • Disk Size:
    • OS disk: 50 GB
    • Requires an SSD disk - Minimum of 1.5 TB of available space for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 1.1 TB.

    • Note that in the case of installing in Hyper-V: disk should be IDE

  • Minimum of 1.5 TB of available space for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 1.1 TB.
  • Memory: At least 32 GB are required for a month’s worth of retention with a default Threat Hunting data Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 6GB of memory.
  • For the specifications required for supporting more than 10k Collectors, please contact Fortinet Support.
Connectivity
  • FortiEDR Core listens to communication on port 555.
  • FortiEDR Aggregator listens to communication on port 8081.

  • FortiEDR Central Manager listens to communication from the Aggregator on port 8091.

  • Browser connection to the FortiEDR Central Manager is via port 443.

  • FortiEDR Threat Hunting Repository listens to communication from the Core on port 32100, 32001

  • FortiEDR Threat Hunting Repository listens to communication from the Central Manager on port 8095

  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager components must be assigned a static IP address or domain name. The FortiEDR Aggregator and FortiEDR Central Manager can be installed on the same machine.
  • Network connectivity between all system components is required.
  • Allow up to 5 Mbps of additional network workload for each 1,000 Collectors.
Supported Operating Systems

The FortiEDR Collector can be installed on any of the following operating systems (both 32-bit and 64-bit versions):

  • Windows XP SP2/SP3, 7 SP1, 8, 8.1, 10, and 11.
  • Windows Server 2003 SP2, R2 SP2, 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and 2022.
  • MacOS Versions: El Capitan (10.11), Sierra (10.12), High Sierra (10.13), Mojave (10.14), Catalina (10.15), Big Sur (11), Monterey (12), and Sonoma (14).
  • Linux Versions: RedHat Enterprise Linux and CentOS 6.8+, 7.2+ and 8+, Ubuntu LTS 16.04.5+, 18.04 and 20.04 server, 64-bit, Oracle Linux 6.10, 7.7+, and 8.2+, Amazon Linux AMI 2 2018 and SUSE Linux Enterprise Server SLES v15. The complete list of supported Linux versions and kernels is updated regularly and can be provided upon request.
  • VDI Environments: VMware Horizons 6 and 7 and Citrix XenDesktop 7.
  • The FortiEDR Core, Repository Server, FortiEDR Aggregator and FortiEDR Central Manager components are supplied in ISO format, which includes a CentOS 7 image. FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager can be installed on a virtual machine or a dedicated workstation or server.
Supported Browsers The FortiEDR Central Manager console can be accessed using the Google Chrome, Firefox Mozilla, Microsoft Edge and Apple Safari browsers.
Previous
Next

Installing FortiEDR

This chapter describes how to install each of the FortiEDR components

Before You Start

Before you start the FortiEDR installation process, please make sure that:

  • All devices, workstations, virtual machines and servers on which a FortiEDR component will be installed comply with the system requirements provided on Installing FortiEDR.
  • You have read and selected the most suitable deployment option for you.
  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager use ports 555, 8081 and 443, respectively. Ensure that these ports are not blocked by your firewall product (if one is deployed).
    If the FortiEDR Aggregator and FortiEDR Central Manager are installed separately, port 8091 is used by the Aggregator to communicate with the Manager.

    As a security best practice, it is recommended to update the firewall rules so that they only have a narrow opening. For example:

    • Only open the TCP outbound port 555 to the Core IP address.
    • Only open the TCP outbound port 8081 to the Aggregator IP address.

    • Only open TCP outbound port 8091 to the Central Manager IP address to be accessed by the Aggregator when the Aggregator is installed on premise, while the Central Manager is in the Cloud.

The default deployment mode of FortiEDR backend components is in the cloud and is provided by Fortinet. Cloud components are installed for you by Fortinet.

If you require that the FortiEDR Threat Hunting Repository, Central Manager, Aggregator, or Core would be deployed on your organization’s premises (on-premises), see Appendix C, On-Premise Deployments in Appendix C – ON PREMISE DEPLOYMENTS.

System Requirements

Component

System Requirements
Processor
  • The FortiEDR Collector runs on Intel or AMD x86 – both 32-bit and 64-bit and on Apple M1 (ARM) hardware.
  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager run on Intel or AMD x86 64-bit.
  • FortiEDR is designed to use less than 1% CPU for the FortiEDR Collector.
  • FortiEDR Aggregator and Central Manager require a minimum of four CPUs.
  • FortiEDR Core requires a minimum of four CPUs.
  • FortiEDR Core running as a Jumpbox requires two CPUs.
Physical Memory
  • FortiEDR Collector requires at least 60 MB of RAM.
  • FortiEDR Core requires at least 16 GB of RAM.
  • FortiEDR Core running as a Jumpbox requires 4 GB of RAM.
  • FortiEDR Aggregator requires at least 16 GB of RAM.
  • FortiEDR Central Manager requires at least 16 GB of RAM.
Disk Space
  • FortiEDR Collector installation requires at least 20 MB of disk space.
  • FortiEDR Core requires an SSD disk with at least 80 GB of disk space. For a Threat Hunting license, each 1k of Collectors, over and above the first 1k, require an additional 45 GB.
  • FortiEDR Core running as a Jumpbox requires 50 GB of disk space (non-SSD).
  • FortiEDR Aggregator installation and logs space requires at least 80 GB of disk space.
  • FortiEDR Central Manager installation and logs space requires at least 150 GB of disk space (SSD).
Threat Hunting Repository
  • The number of required CPUs (Cores) depends on the number of seats and the required Threat Hunting data retention. A minimum of 16 CPUs is required for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 6 CPUs.
  • Disk Size:
    • OS disk: 50 GB
    • Requires an SSD disk - Minimum of 1.5 TB of available space for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 1.1 TB.

    • Note that in the case of installing in Hyper-V: disk should be IDE

  • Minimum of 1.5 TB of available space for a month’s worth of retention with a default Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 1.1 TB.
  • Memory: At least 32 GB are required for a month’s worth of retention with a default Threat Hunting data Collection profile for 4k FortiEDR Collectors. The addition of each 2k of Collectors requires an additional 6GB of memory.
  • For the specifications required for supporting more than 10k Collectors, please contact Fortinet Support.
Connectivity
  • FortiEDR Core listens to communication on port 555.
  • FortiEDR Aggregator listens to communication on port 8081.

  • FortiEDR Central Manager listens to communication from the Aggregator on port 8091.

  • Browser connection to the FortiEDR Central Manager is via port 443.

  • FortiEDR Threat Hunting Repository listens to communication from the Core on port 32100, 32001

  • FortiEDR Threat Hunting Repository listens to communication from the Central Manager on port 8095

  • FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager components must be assigned a static IP address or domain name. The FortiEDR Aggregator and FortiEDR Central Manager can be installed on the same machine.
  • Network connectivity between all system components is required.
  • Allow up to 5 Mbps of additional network workload for each 1,000 Collectors.
Supported Operating Systems

The FortiEDR Collector can be installed on any of the following operating systems (both 32-bit and 64-bit versions):

  • Windows XP SP2/SP3, 7 SP1, 8, 8.1, 10, and 11.
  • Windows Server 2003 SP2, R2 SP2, 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and 2022.
  • MacOS Versions: El Capitan (10.11), Sierra (10.12), High Sierra (10.13), Mojave (10.14), Catalina (10.15), Big Sur (11), Monterey (12), and Sonoma (14).
  • Linux Versions: RedHat Enterprise Linux and CentOS 6.8+, 7.2+ and 8+, Ubuntu LTS 16.04.5+, 18.04 and 20.04 server, 64-bit, Oracle Linux 6.10, 7.7+, and 8.2+, Amazon Linux AMI 2 2018 and SUSE Linux Enterprise Server SLES v15. The complete list of supported Linux versions and kernels is updated regularly and can be provided upon request.
  • VDI Environments: VMware Horizons 6 and 7 and Citrix XenDesktop 7.
  • The FortiEDR Core, Repository Server, FortiEDR Aggregator and FortiEDR Central Manager components are supplied in ISO format, which includes a CentOS 7 image. FortiEDR Core, FortiEDR Aggregator and FortiEDR Central Manager can be installed on a virtual machine or a dedicated workstation or server.
Supported Browsers The FortiEDR Central Manager console can be accessed using the Google Chrome, Firefox Mozilla, Microsoft Edge and Apple Safari browsers.
Previous
Next