Appendix C – ON PREMISE DEPLOYMENTS
This chapter describes how to set up the FortiEDR backend components for on-premise deployments. Before you start, make sure that on-premise deployment is the most suitable option for you.
System requirements
The following table lists the system requirements of each backend component. Make sure that all devices, workstations, virtual machines and servers on which a FortiEDR backend component will be installed comply with these requirements.
Component | Central Manager | Aggregator (1) | Threat Hunting Repository | Core (2)
---|---|---|---|---
Processor | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit)
Number of CPUs | 4 | 4 | Varies by number of seats and period of required Threat Hunting data retention. Refer to the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section for requirements for one month of data retention for the extensive profile. |
Physical Memory | 16 GB | 16 GB | Varies (see the Threat Hunting Repository requirements section) |
Disk Space | 150 GB, SSD | 80 GB | Varies (see the Threat Hunting Repository requirements section) |
ISO Image OS | CentOS 7 | CentOS 7 | ESXi 7.0 | CentOS 7

(1) Refer to the following guidelines to determine the number of Aggregators you need to set up:

(2) Refer to the following guidelines to determine the number of Cores you need to set up:
Network ports
Refer to the following table for the ports used for communication between the different components. Ensure that these ports and destination servers are not blocked by your firewall product (if one is deployed) and can be reached by the corresponding source component. You must also ensure that the network ranges 10.42.x.x and 10.43.x.x are not used by any device.
Source | Destination | Port | Purpose
---|---|---|---
Collector | Aggregator | 8081 | Sending events, status, etc.
Collector | Core | 555 | Collector to Core communication without SSL
Collector | Core | 559 | Collector to Core communication with SSL enabled
Core | Aggregator | 8081 | Sending events, status, etc.
Core | Threat Hunting Repository | 9092, 32100, 32000, 32001, 32002 | Threat hunting telemetry
Core | | 443 | Reputation queries
Aggregator | Central Manager | 443 | Aggregator to Central Manager communication
Aggregator | Central Manager | 8091 | Aggregator to Central Manager communication when the Aggregator is installed separately from the Central Manager
Aggregator | Threat Hunting Repository | 8090 | AV Signature updates
Aggregator | Threat Hunting Repository | (Optional) 3000 | Grafana
Aggregator | Threat Hunting Repository | (Optional) 5601 | Kibana
Aggregator | | 443 | AV Signature updates
Central Manager | Threat Hunting Repository | 8000 | "FortiEDR Connect" related
Central Manager | Threat Hunting Repository | 8095 | Threat Hunting queries
Central Manager | Syslog | (Optional) 6514 | UDP/TCP/TCP SSL to syslog server
Central Manager | SMTP | (Optional) 587 | SSLv3/TLS protocol to email server
Central Manager | FortiEDR Cloud Service (FCS) provided URLs | 443 | Communication with FCS provided URLs
Threat Hunting Repository | Central Manager | 8091 | AV Signature update related
Threat Hunting Repository | Central Manager | 5005 | "FortiEDR Connect" dedicated tunnel
Threat Hunting Repository | Central Manager | 443 | Configuration retrieval
Threat Hunting Repository | Central Manager and Aggregator | 22 | Communication with Central Manager and Aggregator during Threat Hunting Repository installation
Admin PC | Central Manager | 443 | FortiEDR Console access
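As an added pre-flight check, not part of the Fortinet documentation, the following Python script encodes the component-to-component TCP ports from the table above and the reserved 10.42.x.x/10.43.x.x ranges, so an administrator can confirm from a given component's host that each required destination port answers and that no planned address collides with the reserved ranges. Component names, the address map and the `preflight` helper are this example's own assumptions.

```python
import ipaddress
import socket

# Component-to-component TCP ports transcribed from the table above
# (source -> destination -> ports); optional ports and FCS URLs are omitted.
PORT_MATRIX = {
    "Collector": {"Aggregator": (8081,), "Core": (555, 559)},
    "Core": {"Aggregator": (8081,),
             "Threat Hunting Repository": (9092, 32100, 32000, 32001, 32002)},
    "Aggregator": {"Central Manager": (443, 8091),
                   "Threat Hunting Repository": (8090,)},
    "Central Manager": {"Threat Hunting Repository": (8000, 8095)},
    "Threat Hunting Repository": {"Central Manager": (8091, 5005, 443, 22),
                                  "Aggregator": (22,)},
    "Admin PC": {"Central Manager": (443,)},
}
# Address ranges the guide says must not be used by any device.
RESERVED_RANGES = (ipaddress.ip_network("10.42.0.0/16"),
                   ipaddress.ip_network("10.43.0.0/16"))

def reserved_conflicts(addresses):
    """Return those addresses that fall inside a reserved 10.42/10.43 range."""
    return [a for a in addresses
            if any(ipaddress.ip_address(a) in net for net in RESERVED_RANGES)]

def rules_for(source):
    """(destination, port) pairs that the `source` component must be able to reach."""
    return [(dest, port) for dest, ports in PORT_MATRIX.get(source, {}).items()
            for port in ports]

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake with host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable host
        return False

def preflight(source, hosts, timeout=3.0):
    """Connect-test every rule of `source`. `hosts` maps destination component
    name -> address (supplied by the caller). Returns (destination, port, ok);
    a destination missing from `hosts` is reported as not ok without connecting."""
    results = []
    for dest, port in rules_for(source):
        addr = hosts.get(dest)
        results.append((dest, port, addr is not None and tcp_reachable(addr, port, timeout)))
    return results
```

Run it on the source component's host with the real addresses, e.g. `preflight("Collector", {"Aggregator": "<aggregator-ip>", "Core": "<core-ip>"})`, and hand any `False` results to whoever manages the firewall.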
Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements
Number of Seats | Number of VMs (Nodes) | Number of CPUs per VM (Node) | Memory per VM (Node) | OS Disk per VM (Node) | Data Disk per VM (Node)
---|---|---|---|---|---
2000 or fewer | 1 | 17 | 32 GB | 50 GB, non-SSD | 1187 GB SSD or 34 GB SSD + 1153 GB non-SSD
4000 | 1 | 27 | 34 GB | 50 GB, non-SSD | 2310 GB SSD or 34 GB SSD + 2300 GB non-SSD
6000 | 1 | 37 | 41 GB | 50 GB, non-SSD | 3410 GB SSD or 34 GB SSD + 3400 GB non-SSD
8000 | 1 | 47 | 48 GB | 50 GB, non-SSD | 4510 GB SSD or 34 GB SSD + 4500 GB non-SSD
10000 | 1 | 57 | 55 GB | 50 GB, non-SSD | 5610 GB SSD or 34 GB SSD + 5600 GB non-SSD
12000 | 1 | 67 | 62 GB | 50 GB, non-SSD | 6710 GB SSD or 34 GB SSD + 6700 GB non-SSD
14000 | 1 | 77 | 69 GB | 50 GB, non-SSD | 7810 GB SSD or 34 GB SSD + 7800 GB non-SSD
15000 | 3 | 30 | 27 GB | 50 GB, non-SSD | 3249 GB SSD or 11 GB SSD + 3237 GB non-SSD
20000 | 3 | 40 | 35 GB | 50 GB, non-SSD | 4318 GB SSD or 11 GB SSD + 4306 GB non-SSD
25000 | 3 | 49 | 42 GB | 50 GB, non-SSD | 5387 GB SSD or 11 GB SSD + 5375 GB non-SSD
30000 | 3 | 58 | 47 GB | 50 GB, non-SSD | 6456 GB SSD or 11 GB SSD + 6444 GB non-SSD

For the Threat Hunting Repository specifications required to support more than 30000 Collectors, please contact Fortinet Support.
Setting up FortiEDR components on-premise
Set up the system components top-down in the following order: