Fortinet black logo

User Guide

Home FortiMonitor 24.2.0 User Guide

NCM installation and initial configuration

24.2.0
24.2.0
Copy Link
Copy Doc ID af1daa65-c273-11ec-9fd1-fa163e15d75b:500514
Download PDF

NCM installation and initial configuration

This article describes the steps on how to install and configure the FortiMonitor Network Configuration Management (NCM).

Note: NCM supports Fabric devices but that the IP address for the devices may not get passed by the Fabric integration and therefore may need to be manually updated on the device's Instance Details page

Prerequisites

Before getting started, you must have the following:

The NCM feature must be enabled on your account. Please contact our support team to enable this feature.

  • The latest version of the OnSight on the server where you want to install FortiMonitor NCM.

    • The OnSight must be running on a system that has SSH access to the network devices you want to use the NCM on.

    • SSH login credentials for these network devices.

    • Access-control lists and routing must also be in place to allow SSH from the OnSight to the network devices.

    • Shell access to the OnSight to allow installation using the command line. Ideally, use SSH so that you can copy and paste commands easily. You can also SSH into the OnSight or use the console of your hypervisor (for example, VMware).

    • The Onsight must be in an OnSight Group. To create an OnSight group or add an OnSight to an existing group, see Set up FortiMonitor OnSight in HA or for failover. Note that it is possible to install NCM with a single OnSight. However, the OnSight must still be added into a group even if it’s the only one there.

  • Network devices that are already in FortiMonitor.

    • The monitoring location of these devices must be the OnSight where you will install the NCM. Go to a device’s Instance Details page to see or change its monitoring location.

    • Ping or SNMP monitoring must already be setup for these devices, with the OnSight used as the monitoring location

Install the NCM

To install the NCM, do the following:

1. SSH into your OnSight vCollector.

2. Run the following command to confirm that you have the latest version of the OnSight.


onsight check-upgrade

a. If the OnSight’s version is 2020.68 or later, update it by running the following command:

onsight upgrade

b. If the OnSight’s version is 2020.50 to 2020.67, update it by running the following command:

curl -fsSL https://packages.panopta.com/install/onsight/onsight.sh --output /usr/bin/onsight

Then run:

onsight upgrade

c. If the OnSight’s version is 2020.49 or lower, use the instructions detailed in this article to update it.

3. Install the NCM by running the following command. It will take up to 5 minutes to complete the installation and for the NCM to initialize.

onsight ncm-install

4. Open a browser and go to http://<ONSIGHT-IP>. Where <ONSIGHT-IP> is the IP address of your OnSight. Go to the OnSight’s details page to obtain the IP address.

Your browser may prompt a certificate warning when accessing the NCM. To continue, you must accept the self-signed certificate. You can replace the certificate with your own later on.

5. Log in using the following credentials:

  • Username: fortimonitor

  • Password: The OnSight’s appliance key. To obtain the key, go to the OnSight’s details page or run the onsight status command from the command line.

After logging in, you will see the NCM UI.

Create a new credential

Once logged in, you need to set up the proper SSH credentials to provide the NCM modules access to the network devices. The credentials can be:

  • The username/password used to login to the network device.

  • An SSH private key which you can later upload to the NCM. The network device must already have the public key from the SSH key pair installed.

Credentials are stored encrypted on the NCM and are not synced up to the FortiMonitor control panel.

To create a credential, do the following:

  1. Log in to the NCM then click Credentials. The Credentials page will be displayed.

  2. Click Add. You can use either a username/password combination or an SSH key.

    • To use a username/password combination, select the Password option then enter a Username and a Password.

    • To upload an SSH key, select the SSH key option then click Choose File. Locate the SSH key that you want to upload.

  3. Enable the High security mode option. Enabling this option will prevent passwords and SSH keys from being displayed as cleartext anywhere in the NCM.

  4. Click Ok.

Discovery

After adding a credential, discovery will automatically start. All network devices that are being monitored by the OnSight appliance in the group will be pulled in upon startup, and then updated every 30 minutes.

Go to the Devices configuration and ensure that:

  • All devices you expect to be on the list are there.

  • The devices listed on the page should match the list of devices monitored from that OnSight.

  • The Last job status of all the devices in the table should be green. A green status indicates that discovery for each network device was successful.

Backup

Make sure that you back up all of the devices that have been discovered by the OnSight. To do this, select all of the devices then click Backup now.

Go to the Backup page and verify that all of the devices have been backed up. For more information, see Backup.

Uninstall the NCM

To uninstall NCM, run the following command:

onsight ncm-uninstall

The command tears down all NCM-related containers and removes NCM completely.

Previous
Next

NCM installation and initial configuration

This article describes the steps on how to install and configure the FortiMonitor Network Configuration Management (NCM).

Note: NCM supports Fabric devices but that the IP address for the devices may not get passed by the Fabric integration and therefore may need to be manually updated on the device's Instance Details page

Prerequisites

Before getting started, you must have the following:

The NCM feature must be enabled on your account. Please contact our support team to enable this feature.

  • The latest version of the OnSight on the server where you want to install FortiMonitor NCM.

    • The OnSight must be running on a system that has SSH access to the network devices you want to use the NCM on.

    • SSH login credentials for these network devices.

    • Access-control lists and routing must also be in place to allow SSH from the OnSight to the network devices.

    • Shell access to the OnSight to allow installation using the command line. Ideally, use SSH so that you can copy and paste commands easily. You can also SSH into the OnSight or use the console of your hypervisor (for example, VMware).

    • The Onsight must be in an OnSight Group. To create an OnSight group or add an OnSight to an existing group, see Set up FortiMonitor OnSight in HA or for failover. Note that it is possible to install NCM with a single OnSight. However, the OnSight must still be added into a group even if it’s the only one there.

  • Network devices that are already in FortiMonitor.

    • The monitoring location of these devices must be the OnSight where you will install the NCM. Go to a device’s Instance Details page to see or change its monitoring location.

    • Ping or SNMP monitoring must already be setup for these devices, with the OnSight used as the monitoring location

Install the NCM

To install the NCM, do the following:

1. SSH into your OnSight vCollector.

2. Run the following command to confirm that you have the latest version of the OnSight.


onsight check-upgrade

a. If the OnSight’s version is 2020.68 or later, update it by running the following command:

onsight upgrade

b. If the OnSight’s version is 2020.50 to 2020.67, update it by running the following command:

curl -fsSL https://packages.panopta.com/install/onsight/onsight.sh --output /usr/bin/onsight

Then run:

onsight upgrade

c. If the OnSight’s version is 2020.49 or lower, use the instructions detailed in this article to update it.

3. Install the NCM by running the following command. It will take up to 5 minutes to complete the installation and for the NCM to initialize.

onsight ncm-install

4. Open a browser and go to http://<ONSIGHT-IP>. Where <ONSIGHT-IP> is the IP address of your OnSight. Go to the OnSight’s details page to obtain the IP address.

Your browser may prompt a certificate warning when accessing the NCM. To continue, you must accept the self-signed certificate. You can replace the certificate with your own later on.

5. Log in using the following credentials:

  • Username: fortimonitor

  • Password: The OnSight’s appliance key. To obtain the key, go to the OnSight’s details page or run the onsight status command from the command line.

After logging in, you will see the NCM UI.

Create a new credential

Once logged in, you need to set up the proper SSH credentials to provide the NCM modules access to the network devices. The credentials can be:

  • The username/password used to login to the network device.

  • An SSH private key which you can later upload to the NCM. The network device must already have the public key from the SSH key pair installed.

Credentials are stored encrypted on the NCM and are not synced up to the FortiMonitor control panel.

To create a credential, do the following:

  1. Log in to the NCM then click Credentials. The Credentials page will be displayed.

  2. Click Add. You can use either a username/password combination or an SSH key.

    • To use a username/password combination, select the Password option then enter a Username and a Password.

    • To upload an SSH key, select the SSH key option then click Choose File. Locate the SSH key that you want to upload.

  3. Enable the High security mode option. Enabling this option will prevent passwords and SSH keys from being displayed as cleartext anywhere in the NCM.

  4. Click Ok.

Discovery

After adding a credential, discovery will automatically start. All network devices that are being monitored by the OnSight appliance in the group will be pulled in upon startup, and then updated every 30 minutes.

Go to the Devices configuration and ensure that:

  • All devices you expect to be on the list are there.

  • The devices listed on the page should match the list of devices monitored from that OnSight.

  • The Last job status of all the devices in the table should be green. A green status indicates that discovery for each network device was successful.

Backup

Make sure that you back up all of the devices that have been discovered by the OnSight. To do this, select all of the devices then click Backup now.

Go to the Backup page and verify that all of the devices have been backed up. For more information, see Backup.

Uninstall the NCM

To uninstall NCM, run the following command:

onsight ncm-uninstall

The command tears down all NCM-related containers and removes NCM completely.

Previous
Next