Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiEDR/XDR 7.0.0 Administration Guide
    7.0.0
    7.0.0
    6.2.0
    6.0.0
    5.2.1
    5.2.0
    5.1.0
    5.0.0
    4.2.0
    4.1.1
    4.1.0

    Appendix C – ON PREMISE DEPLOYMENTS

    Appendix C – ON PREMISE DEPLOYMENTS

    This chapter describes how to set up the FortiEDR backend components for on-premise deployments. Before you start, make sure that on-premise deployment is the most suitable option for you.

    System requirements

    The following tables lists the system requirements of each backend component. Make sure that all devices, workstations, virtual machines and servers on which a FortiEDR backend component will be installed comply with those requirements.

    Component

    Central Manager

    Aggregator1

    Threat Hunting Repository

    Core2

    Reputation Server
    Processor

    Intel or AMD x86 (64-bit)

    Number of CPUs

    4

    4

    Varies by number of seats and period of required Threat Hunting data retention. Refer to the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section for requirements for one month of data retention for the extensive profile.

    • 4 for Core

    • 2 for Core running as a Jumpbox

    Note

    The following CPUs are unsupported:

    • E5-2440

    • E5-2650

    • E5-2660

    • E5-2690

    • E5-2699

    4
    Physical Memory

    16 GB

    16 GB

    • 16 GB for Core

    • 8 GB for Core running as a Jumpbox

    16 GB
    Disk Space

    150 GB, SSD

    80 GB

    • 250 GB SSD for Core

    • 50 GB (non-SSD) for Core running as a Jumpbox

    Note

    For a Threat Hunting license, each 1000 additional Collectors above the first 1000 require an additional 45 GB of disk space.

    120 GB
    ISO Image OS

    Ubuntu 22.04

    ESXi 7.0

    Ubuntu 22.04

    1If organizations will be defined and the number of Collectors exceeds 10000, set up an additional FortiEDR Aggregator VM on the top of the initial one.

    2Refer to the following guidelines to determine the number of Cores you need to set up:

    • Set up a separate Core for each Aggregator.

    • For every additional 5000 Collectors, set up at least one additional Core. The number of additional Cores required depends on the amount of Threat Hunting events data, which relates to the Data Collection profile, number of servers, etc.

    • You can set up a maximum of 50 Cores.
    Network ports

    Refer to the following image or table for the port information for communication between different components. Ensure that these ports or destination servers are not blocked by your firewall product (if one is deployed) and can be accessed by the corresponding component. You must also ensure that network ranges 10.42.x.x and 10.43.x.x are not used by any device.

    Source Destination Port Purpose
    Collector Aggregator 8081 Sending events, status, etc

    443

    Sending events, status, etc, only when a custom port is used
    Core 555 Collector to Core communication without SSL
    (Core 5.2.2 or later) 559 Collector to Core communication with SSL enabled

    (Windows Collector 5.2.5.0052 or later) Reputation service (both on-premise and cloud)

    443

    Sending requests for reputation data.

    Core

    Aggregator

    8081

    Core registration

    Threat Hunting Repository

    9092

    Kafka topic

    32100, 32000, 32001, 32002

    Kafka broker

    Reputation service (both on-premise and cloud)

    443

    Sending requests for reputation data.
    Aggregator

    		 Central Manager and Threat Hunting Repository 8090 AV Signature updates

    Central Manager

    8091

    Aggregator communication

    443

    Aggregator registration

    Central Manager

    Threat Hunting Repository

    8000

    “FortiEDR Connect” related

    8095

    Threat Hunting queries

    6379

    Redis MS

    Syslog

    (Optional) 6514

    Syslog messages from Central Manager IP to syslog server via UDP/TCP/TCP SSL

    SMTP

    (Optional) 587

    SSLv3/TLS protocol to email server

    rbq.cldsrv.ensilo.com

    5672

    To RabbitMQ

    cldsrv.ensilo.com

    443

    Data sent to FCS (rest over RabbitMQ)

    storage.googleapis.com

    oauth.googleapis.com

    oauth2.googleapis.com

    Localization, scheduled queries, etc

    fortiav.cloud.ensilo.com

    AV signatures updates

    Reputation service (cloud)

    443

    If proxy is not enabled, on-premise reputation service requests missing hashes from the cloud reputation service via the manager nginx.

    Threat Hunting Repository

    Central Manager

    8091

    Aggregator communication

    5005

    “FortiEDR Connect” dedicated tunnel

    443

    GUI access

    Central Manager and Aggregator

    22

    Communication with Central Manager and Aggregator during Threat Hunting Repository installation

    Admin PC

    Central Manager

    443

    FortiEDR console access

    Reputation service (on-premise)

    Central Manager

    8091

    If proxy is not enabled, on-premise reputation service requests missing hashes from the cloud reputation service via the manager nginx.

    Reputation service (cloud)

    Proxy port

    If proxy is enabled, on-premise reputation service requests missing hashes from the cloud reputation service via proxy.

    Machines connecting to Grafana or Kibana

    Threat Hunting Repository

    3000

    Grafana - monitoring

    5601

    Kibana - logging

    Machines accessing the Threat Hunting server via SSH

    Central Manager

    22

    SSH access

    Aggregator

    Threat Hunting Repository
    Note

    As a security best practice, it is recommended to update the firewall rules so that they only have a narrow opening. For example:

    • Only open the TCP outbound port 555 to the Core IP address.

    • Only open the TCP outbound port 8091 to the Central Manager IP address to be accessed by the Aggregator when the Aggregator is installed on premise while the Central Manager is in the cloud.
    Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements
    Number of Seats Number of VMs (Nodes) Number of CPUs per VM (Node) Memory per VM (Node) OS Disk per VM (Node) Data Disk per VM (Node)
    2000 or fewer

    1

    17

    40 GB

    100 GB, non-SSD

    Note

    For Hyper-V VMs, the disk should be IDE with at least 30% of the physical disk space remaining free at all times. Do not use a Hyper-V checkpoint which consumes the entire disk size every few hours.

    1500 GB SSD
    4000 27 40 GB 2310 GB SSD
    6000 37 41 GB 3410 GB SSD
    8000 47 48 GB 4510 GB SSD
    10000 57 55 GB 5610 GB SSD
    12000 67 62 GB 6710 GB SSD
    14000 77 69 GB 7810 GB SSD
    15000 3 30 27 GB 3249 GB SSD
    20000 40 35 GB 4318 GB SSD
    25000 49 42 GB 5387 GB SSD
    30000 58 47 GB 6456 GB SSD

    For the Threat Hunting Repository specifications required for supporting more than 30000 Collectors, please contact Fortinet Support.

    Setting up FortiEDR components on-premise

    Set up the system components top-down in the following order:

    1. Setting up a VM to be the FortiEDR Central Manager
    2. Setting up a VM to be the FortiEDR Aggregator
    3. Setting up the FortiEDR Threat Hunting Repository
    4. Setting up the FortiEDR reputation server
    5. Setting up the FortiEDR Core
    6. Installing FortiEDR Collectors
    Previous
    Next

    Appendix C – ON PREMISE DEPLOYMENTS

    Appendix C – ON PREMISE DEPLOYMENTS

    This chapter describes how to set up the FortiEDR backend components for on-premise deployments. Before you start, make sure that on-premise deployment is the most suitable option for you.

    System requirements

    The following tables lists the system requirements of each backend component. Make sure that all devices, workstations, virtual machines and servers on which a FortiEDR backend component will be installed comply with those requirements.

    Component

    Central Manager

    Aggregator1

    Threat Hunting Repository

    Core2

    Reputation Server
    Processor

    Intel or AMD x86 (64-bit)

    Number of CPUs

    4

    4

    Varies by number of seats and period of required Threat Hunting data retention. Refer to the Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements section for requirements for one month of data retention for the extensive profile.

    • 4 for Core

    • 2 for Core running as a Jumpbox

    Note

    The following CPUs are unsupported:

    • E5-2440

    • E5-2650

    • E5-2660

    • E5-2690

    • E5-2699

    4
    Physical Memory

    16 GB

    16 GB

    • 16 GB for Core

    • 8 GB for Core running as a Jumpbox

    16 GB
    Disk Space

    150 GB, SSD

    80 GB

    • 250 GB SSD for Core

    • 50 GB (non-SSD) for Core running as a Jumpbox

    Note

    For a Threat Hunting license, each 1000 additional Collectors above the first 1000 require an additional 45 GB of disk space.

    120 GB
    ISO Image OS

    Ubuntu 22.04

    ESXi 7.0

    Ubuntu 22.04

    1If organizations will be defined and the number of Collectors exceeds 10000, set up an additional FortiEDR Aggregator VM on the top of the initial one.

    2Refer to the following guidelines to determine the number of Cores you need to set up:

    • Set up a separate Core for each Aggregator.

    • For every additional 5000 Collectors, set up at least one additional Core. The number of additional Cores required depends on the amount of Threat Hunting events data, which relates to the Data Collection profile, number of servers, etc.

    • You can set up a maximum of 50 Cores.
    Network ports

    Refer to the following image or table for the port information for communication between different components. Ensure that these ports or destination servers are not blocked by your firewall product (if one is deployed) and can be accessed by the corresponding component. You must also ensure that network ranges 10.42.x.x and 10.43.x.x are not used by any device.

    Source Destination Port Purpose
    Collector Aggregator 8081 Sending events, status, etc

    443

    Sending events, status, etc, only when a custom port is used
    Core 555 Collector to Core communication without SSL
    (Core 5.2.2 or later) 559 Collector to Core communication with SSL enabled

    (Windows Collector 5.2.5.0052 or later) Reputation service (both on-premise and cloud)

    443

    Sending requests for reputation data.

    Core

    Aggregator

    8081

    Core registration

    Threat Hunting Repository

    9092

    Kafka topic

    32100, 32000, 32001, 32002

    Kafka broker

    Reputation service (both on-premise and cloud)

    443

    Sending requests for reputation data.
    Aggregator

    		 Central Manager and Threat Hunting Repository 8090 AV Signature updates

    Central Manager

    8091

    Aggregator communication

    443

    Aggregator registration

    Central Manager

    Threat Hunting Repository

    8000

    “FortiEDR Connect” related

    8095

    Threat Hunting queries

    6379

    Redis MS

    Syslog

    (Optional) 6514

    Syslog messages from Central Manager IP to syslog server via UDP/TCP/TCP SSL

    SMTP

    (Optional) 587

    SSLv3/TLS protocol to email server

    rbq.cldsrv.ensilo.com

    5672

    To RabbitMQ

    cldsrv.ensilo.com

    443

    Data sent to FCS (rest over RabbitMQ)

    storage.googleapis.com

    oauth.googleapis.com

    oauth2.googleapis.com

    Localization, scheduled queries, etc

    fortiav.cloud.ensilo.com

    AV signatures updates

    Reputation service (cloud)

    443

    If proxy is not enabled, on-premise reputation service requests missing hashes from the cloud reputation service via the manager nginx.

    Threat Hunting Repository

    Central Manager

    8091

    Aggregator communication

    5005

    “FortiEDR Connect” dedicated tunnel

    443

    GUI access

    Central Manager and Aggregator

    22

    Communication with Central Manager and Aggregator during Threat Hunting Repository installation

    Admin PC

    Central Manager

    443

    FortiEDR console access

    Reputation service (on-premise)

    Central Manager

    8091

    If proxy is not enabled, on-premise reputation service requests missing hashes from the cloud reputation service via the manager nginx.

    Reputation service (cloud)

    Proxy port

    If proxy is enabled, on-premise reputation service requests missing hashes from the cloud reputation service via proxy.

    Machines connecting to Grafana or Kibana

    Threat Hunting Repository

    3000

    Grafana - monitoring

    5601

    Kibana - logging

    Machines accessing the Threat Hunting server via SSH

    Central Manager

    22

    SSH access

    Aggregator

    Threat Hunting Repository
    Note

    As a security best practice, it is recommended to update the firewall rules so that they only have a narrow opening. For example:

    • Only open the TCP outbound port 555 to the Core IP address.

    • Only open the TCP outbound port 8091 to the Central Manager IP address to be accessed by the Aggregator when the Aggregator is installed on premise while the Central Manager is in the cloud.
    Threat Hunting Repository CPU, Physical Memory, and Disk Space Requirements
    Number of Seats Number of VMs (Nodes) Number of CPUs per VM (Node) Memory per VM (Node) OS Disk per VM (Node) Data Disk per VM (Node)
    2000 or fewer

    1

    17

    40 GB

    100 GB, non-SSD

    Note

    For Hyper-V VMs, the disk should be IDE with at least 30% of the physical disk space remaining free at all times. Do not use a Hyper-V checkpoint which consumes the entire disk size every few hours.

    1500 GB SSD
    4000 27 40 GB 2310 GB SSD
    6000 37 41 GB 3410 GB SSD
    8000 47 48 GB 4510 GB SSD
    10000 57 55 GB 5610 GB SSD
    12000 67 62 GB 6710 GB SSD
    14000 77 69 GB 7810 GB SSD
    15000 3 30 27 GB 3249 GB SSD
    20000 40 35 GB 4318 GB SSD
    25000 49 42 GB 5387 GB SSD
    30000 58 47 GB 6456 GB SSD

    For the Threat Hunting Repository specifications required for supporting more than 30000 Collectors, please contact Fortinet Support.

    Setting up FortiEDR components on-premise

    Set up the system components top-down in the following order:

    1. Setting up a VM to be the FortiEDR Central Manager
    2. Setting up a VM to be the FortiEDR Aggregator
    3. Setting up the FortiEDR Threat Hunting Repository
    4. Setting up the FortiEDR reputation server
    5. Setting up the FortiEDR Core
    6. Installing FortiEDR Collectors
    Previous
    Next