
Administration Guide

Appendix C – ON PREMISE DEPLOYMENTS

This chapter describes how to set up the FortiEDR backend components for on-premise deployments. Before you start, make sure that on-premise deployment is the most suitable option for you.

System requirements

The following table lists the system requirements of each backend component. Make sure that all devices, workstations, virtual machines and servers on which a FortiEDR backend component will be installed comply with those requirements.

Component | Central Manager | Aggregator¹ | Threat Hunting Repository | Core²
--- | --- | --- | --- | ---
Processor | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit) | Intel or AMD x86 (64-bit)
Number of CPUs | 4 | 4 | Varies by number of seats and period of required Threat Hunting data retention. Refer to the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section for requirements for one month of data retention for the extensive profile. | 4 for Core; 2 for Core running as a Jumpbox
Physical Memory | 16 GB | 16 GB | Varies (see the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section) | 16 GB for Core; 4 GB (CentOS 7) or 8 GB (Ubuntu 22.04) for Core running as a Jumpbox
Disk Space | 150 GB, SSD | 80 GB | Varies (see the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section) | 250 GB SSD for Core; 50 GB (non-SSD) for Core running as a Jumpbox
ISO Image OS | CentOS 7 | CentOS 7 | ESXi 7.0 | CentOS 7 / Ubuntu 22.04³

Note

For a Threat Hunting license, each 1000 additional Collectors above the first 1000 require an additional 45 GB of disk space.

¹ If organizations will be defined and the number of Collectors exceeds 10000, set up an additional FortiEDR Aggregator VM in addition to the initial one.

² Refer to the following guidelines to determine the number of Cores you need to set up:

  • Set up a separate Core for each Aggregator.

  • For every additional 5000 Collectors, set up at least one additional Core. The number of additional Cores required depends on the amount of Threat Hunting event data, which relates to the Data Collection profile, number of servers, etc.

  • You can set up a maximum of 50 Cores.

³ Ubuntu 22.04 support requires Core Build 6.0.1.0646 or later. Refer to the FortiEDR 6.2 Administration Guide for instructions on migrating your CentOS environment to Ubuntu.

Network ports

Refer to the following table for the ports used for communication between the different components. Ensure that these ports and destination servers are not blocked by your firewall (if one is deployed) and can be reached by the corresponding source component. You must also ensure that the network ranges 10.42.x.x and 10.43.x.x are not used by any device, as these ranges are reserved for Kubernetes internal networking.

Source | Destination | Port | Purpose
--- | --- | --- | ---
Collector | Aggregator | 8081 | Sending events, status, etc.
Collector | Aggregator | 443 | Sending events, status, etc., only when a custom port is used
Collector | Core | 555 | Collector to Core communication without SSL
Collector | Core (Core 5.2.2 or later) | 559 | Collector to Core communication with SSL enabled
Core | Aggregator | 8081 | Core registration
Core | Threat Hunting Repository | 9092 | Kafka topic
Core | Threat Hunting Repository | 32100, 32000, 32001, 32002 | Kafka broker
Core | Reputation.cloud.ensilo.com | 443 | Fortinet Reputation servers for AV signature file updates
Aggregator | Central Manager and Threat Hunting Repository | 8090 | AV signature updates
Aggregator | Central Manager | 8091 | Aggregator communication
Aggregator | Central Manager | 443 | Aggregator registration
Central Manager | Threat Hunting Repository | 8000 | "FortiEDR Connect" related
Central Manager | Threat Hunting Repository | 8095 | Threat Hunting queries
Central Manager | Threat Hunting Repository | 6379 | Redis MS
Central Manager | Syslog | (Optional) 6514 | UDP/TCP/TCP SSL to syslog server
Central Manager | SMTP | (Optional) 587 | SSLv3/TLS protocol to email server
Central Manager | rbq.cldsrv.ensilo.com | 5672 | To RabbitMQ
Central Manager | cldsrv.ensilo.com | 443 | Data sent to FCS (rest over RabbitMQ)
Central Manager | storage.googleapis.com, oauth.googleapis.com, oauth2.googleapis.com | 443 | Localization, scheduled queries, etc.
Central Manager | fortiav.cloud.ensilo.com | 443 | AV signature updates
Threat Hunting Repository | Central Manager | 8091 | Aggregator communication
Threat Hunting Repository | Central Manager | 5005 | "FortiEDR Connect" dedicated tunnel
Threat Hunting Repository | Central Manager | 443 | GUI access
Threat Hunting Repository | Central Manager and Aggregator | 22 | Communication with Central Manager and Aggregator during Threat Hunting Repository installation
Admin PC | Central Manager | 443 | FortiEDR console access
Machines connecting to Grafana or Kibana | Threat Hunting Repository | 3000 | Grafana - monitoring
Machines connecting to Grafana or Kibana | Threat Hunting Repository | 5601 | Kibana - logging
Machines accessing the Threat Hunting server via SSH | Central Manager, Aggregator, Threat Hunting Repository | 22 | SSH access

Note

As a security best practice, it is recommended to restrict the firewall rules so that each opening is as narrow as possible (source, destination and port). For example:

  • Only open the TCP outbound port 555 to the Core IP address.
  • Only open the TCP outbound port 8091 to the Central Manager IP address, to be accessed by the Aggregator, when the Aggregator is installed on premise while the Central Manager is in the cloud.
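The two pre-install checks implied by the Network ports section (no local route inside the Kubernetes-reserved ranges, and every required destination reachable) can be scripted. The following Python is an added example, not Fortinet's tooling; it assumes the routing table is supplied as `ip -o route` text and that the logical names in REQUIRED (a subset of the port table) are mapped to real hosts by the caller.

```python
"""Preflight for a FortiEDR on-premise host: added example, not Fortinet's own tooling.
1. No local route may overlap 10.42.0.0/16 or 10.43.0.0/16 (reserved for Kubernetes).
2. Each destination a component must reach must accept TCP connections.
Assumed: routes come as `ip -o route` text; logical host names are mapped by the caller."""
import ipaddress
import socket

RESERVED = (ipaddress.ip_network("10.42.0.0/16"), ipaddress.ip_network("10.43.0.0/16"))
# Outbound TCP requirements per component, a subset transcribed from the port table.
REQUIRED = {
    "collector": [("aggregator", 8081), ("core", 555)],  # 559 instead of 555 when SSL is enabled
    "core": [("aggregator", 8081), ("threat_hunting", 9092),
             ("Reputation.cloud.ensilo.com", 443)],
    "aggregator": [("central_manager", 8091), ("central_manager", 443),
                   ("threat_hunting", 8090)],
}

def conflicting_routes(ip_route_output):
    """Return prefixes from `ip -o route` output that overlap the reserved ranges."""
    hits = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)  # bare host routes become /32
        except ValueError:
            continue  # e.g. "broadcast" or "unreachable" entries
        if any(net.overlaps(r) for r in RESERVED):  # also catches a covering 10.0.0.0/8
            hits.append(fields[0])
    return hits

def tcp_open(host, port, timeout=3.0):
    try:  # plain TCP connect; a closed or filtered port surfaces as OSError
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def unreachable(component, hosts, probe=tcp_open):
    """Return (host, port) pairs that `component` cannot reach; `probe` is injectable."""
    targets = [(hosts.get(name, name), port) for name, port in REQUIRED[component]]
    return [t for t in targets if not probe(*t)]

# Constructed sample: second NIC of a Threat Hunting Repository host collides with 10.43/16.
SAMPLE_ROUTES = """default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.25
10.43.12.0/24 dev eth1 proto kernel scope link src 10.43.12.4
"""
```

Run `conflicting_routes` on the output of `ip -o route` on each backend host before installation, and `unreachable` from the source host of each table row once the firewall rules are in place.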

Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements

Number of Seats | Number of VMs (Nodes) | Number of CPUs per VM (Node) | Memory per VM (Node) | OS Disk per VM (Node) | Data Disk per VM (Node)
--- | --- | --- | --- | --- | ---
2000 or fewer | 1 | 17 | 32 GB | 50 GB, non-SSD | 1500 GB SSD
4000 | 1 | 27 | 34 GB | 50 GB, non-SSD | 2310 GB SSD
6000 | 1 | 37 | 41 GB | 50 GB, non-SSD | 3410 GB SSD
8000 | 1 | 47 | 48 GB | 50 GB, non-SSD | 4510 GB SSD
10000 | 1 | 57 | 55 GB | 50 GB, non-SSD | 5610 GB SSD
12000 | 1 | 67 | 62 GB | 50 GB, non-SSD | 6710 GB SSD
14000 | 1 | 77 | 69 GB | 50 GB, non-SSD | 7810 GB SSD
15000 | 3 | 30 | 27 GB | 50 GB, non-SSD | 3249 GB SSD
20000 | 3 | 40 | 35 GB | 50 GB, non-SSD | 4318 GB SSD
25000 | 3 | 49 | 42 GB | 50 GB, non-SSD | 5387 GB SSD
30000 | 3 | 58 | 47 GB | 50 GB, non-SSD | 6456 GB SSD

Note

For Hyper-V VMs, the OS disk should be IDE with at least 30% of the physical disk space remaining free at all times. Do not use a Hyper-V checkpoint, which consumes the entire disk size every few hours.

For the Threat Hunting Repository specifications required for supporting more than 30000 Collectors, please contact Fortinet Support.

Setting up FortiEDR components on-premise

Set up the system components top-down in the following order:

  1. Setting up a VM to be the FortiEDR Central Manager
  2. Setting up a VM to be the FortiEDR Aggregator
  3. Setting up the FortiEDR Threat Hunting Repository
  4. Setting up the FortiEDR Core
  5. Installing FortiEDR Collectors
