Basic setup
Note: The portal interacts with FortiManager, and the collector typically interacts with FortiAnalyzer. To avoid the portal or collector becoming a bottleneck, you can adjust their maximum CPU and memory sizes so that they equal the values for the FortiManager and FortiAnalyzer devices they interact with.
Basic setup covers the following tasks:
- MySQL prerequisite
- Sizing
- Default login credentials
- Database installation
- Portal installation
- Collector installation
- FortiManager configuration
- FortiAnalyzer configuration
MySQL prerequisite
Before using MySQL, check that it is configured properly: the local_infile variable must be on.
To check whether the local_infile variable is on, run the following query from the MySQL console:
SHOW GLOBAL VARIABLES LIKE 'local_infile';
If the local_infile variable is off, run the following query to turn it on:
SET GLOBAL local_infile = 'ON';
When the local_infile variable is off, FortiPortal experiences various issues, such as FortiView finding no matching records for session logs.
Sizing
FortiPortal sizing can be complex. Fortinet recommends that you work with your Fortinet systems engineer when possible. However, using the following guidelines, you can successfully complete this task:
- Portal VM—The default storage disk size is 80 GB, which is the recommended minimum. (The 2-GB disk in the VM is the flash memory; the 80-GB disk is storage.) If you have many customer logins and many devices, then increase the memory and disk sizes for improved performance.
- Collector VM—The storage disk size depends on the number of FortiGate units logging to it. The default 80-GB storage supports approximately 20 FortiGate units. (You can increase the disk size to support more FortiGate units. But a single collector has a maximum rate of 15,000 logs per second.)
- Portal and collector database server VMs—The minimum customer (database) storage size is 5 GB, which comfortably supports about 100 logs per second with an aggregate log retention period of 30 days. Of this 5 GB, by default, 80 percent is stored in the collector database as raw logs and 20 percent is stored in the portal database as aggregate logs. (You can adjust this value to increase storage for aggregate logs.) So, for an 80/20 split, 4 GB is required for the collector database and 1 GB for the portal database. For example, if you have 100 customers, you need a minimum of 500 GB of database storage with the default 5-GB storage: 100 GB for the portal and 400 GB for the collector. Configure the database servers to accommodate growth because they require the most storage. For example, start with 1 TB or more each for the portal and collector database servers. You then set the size of both the portal and collector databases in the FortiPortal application.
Note: If too much space is allocated for portal and collector databases, no new customer users can be created.
- For customer users who are not using analytics, the service provider can disable analytics in the Edit Customer form for those customer users, which will reduce the total storage from a default of 5 GB to 100 MB.
- For customer users who do not use a lot of collector storage, the service provider can change the Collector/FPC Storage Percentage value in the Edit Customer form to 50/50 for those customer users.
- The service provider can now increase the value of the FPC Data Store Size in the Administrative Settings form. Fortinet recommends reserving 60% to 70% of the customer user space for database storage.
- The service provider should set up an SNMP trap to monitor and take appropriate steps to avoid service interruptions when 80% of the database server disk has been used.
(See Appendix: Sizing for further information about sizing. Using VMs, you can easily increase the amount of memory or disk sizes with Logical Volume Manager [LVM].)
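The sizing arithmetic above, worked through as an added example (this is not Fortinet's code and is not part of the page): it applies the 5-GB default, the 100-MB no-analytics figure, the Collector/FPC Storage Percentage split and the 80% disk alert point to a whole customer list. The Customer class, the function names and the constructed fleet are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_CUSTOMER_GB = 5.0       # default per-customer storage with analytics enabled
NO_ANALYTICS_CUSTOMER_GB = 0.1  # 100 MB once analytics is disabled in Edit Customer
ALERT_THRESHOLD = 0.80          # the guide's SNMP trap point: 80% of the disk in use


@dataclass
class Customer:
    name: str
    analytics: bool = True
    collector_percent: int = 80   # the Collector/FPC Storage Percentage in Edit Customer


def customer_split_gb(c: Customer) -> Tuple[float, float]:
    """Return (portal_gb, collector_gb): raw logs go to the collector DB, aggregates to the portal DB."""
    total = DEFAULT_CUSTOMER_GB if c.analytics else NO_ANALYTICS_CUSTOMER_GB
    collector = total * c.collector_percent / 100.0
    return total - collector, collector


def size_databases(customers: List[Customer]) -> Dict[str, float]:
    """Sum every customer's split into the portal and collector database minimums."""
    portal = collector = 0.0
    for c in customers:
        p, k = customer_split_gb(c)
        portal += p
        collector += k
    return {"portal_gb": round(portal, 3), "collector_gb": round(collector, 3),
            "total_gb": round(portal + collector, 3)}


def disk_check(required_gb: float, disk_gb: float) -> Dict[str, object]:
    """Report how much of a database server disk the allocation uses and whether it crosses 80%."""
    usage = required_gb / disk_gb
    return {"usage_percent": round(usage * 100, 1), "alert": usage >= ALERT_THRESHOLD}


if __name__ == "__main__":
    # Constructed fleet: 100 customers with default settings, as in the worked figure above.
    fleet = [Customer("customer%d" % i) for i in range(100)]
    print(size_databases(fleet))       # portal 100 GB, collector 400 GB, total 500 GB
    print(disk_check(400.0, 1000.0))   # collector database on a 1 TB disk: 40.0%, no alert
```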
Default login credentials
The following are the default user names and passwords for the FortiPortal components:
Component | Default User Name | Default password
---|---|---
Portal | | No password
Collector | | No password
Portal database VM | |
Collector database VM | |
Portal database and collector database (MySQL) | |
Database installation
Note: Fortinet does not provide this server as part of FortiPortal. Fortinet supports the databases created by FortiPortal and the connections to them.
The following is the overall installation procedure, which starts by configuring the database servers:
- After you create the database server image, you must install at least two instances, one for the portal database and one for each collector database.
- Create the server VM and install the database server. FortiPortal supports MariaDB 10.2 and MySQL 5.7.
- Install the portal. The portal requires a license.
- Install the collector(s). (No licenses are required for the collector, so you can add as many collectors as needed if you need more log storage and an increased logging rate.)
- After FortiPortal is running, you can add FortiManager devices and set up customers. See Add a FortiManager and Add or edit a customer.
After you create the server VM and install the database server, configure the following settings in MySQL (version 5.7 or later) or MariaDB (version 10.2):
- Set the MySQL server bind-address and sql_mode parameters in the [mysqld] section of one of the following files:
For MySQL: /etc/mysql/my.cnf
For MariaDB 10.2: /etc/mysql/mysql.conf.d/mysqld.cnf
For MariaDB 10.2.x: /etc/mysql/mariadb.conf.d/50-server.cnf
For example:
[mysqld]
...
bind-address = 10.220.64.121
...
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
- Open the MySQL console with mysql -u root -p and use the show variables command to check that the bind-address and sql_mode parameters are correctly set.
- Create a user for the portal, grant privileges to the user, and check that the user is created:
# The '%' host part accepts logins from any host; the bind-address set above limits the interfaces the server listens on
create user '<database_user_name>'@'%' identified by '<database_user_password>';
GRANT ALL PRIVILEGES ON *.* TO '<database_user_name>'@'%' IDENTIFIED BY '<database_user_password>';
flush privileges;
# Use the following query to check that the user and host are entered correctly
select host,user from mysql.user;
For example:
> create user 'fpc'@'%' identified by 'fpc';
> GRANT ALL PRIVILEGES ON *.* TO 'fpc'@'%' IDENTIFIED BY 'fpc';
> flush privileges;
> select host,user from mysql.user;
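An added pre-flight check (not Fortinet's code) that reads the [mysqld] section of a my.cnf-style file and verifies the bind-address, sql_mode and local_infile settings this page requires before a portal or collector VM is pointed at the server; putting local_infile in this section is the persistent form, since SET GLOBAL from the MySQL prerequisite section does not survive a server restart. The function names and the sample file are my own constructions.

```python
import configparser
import io

# sql_mode flags from the installation example above; all must be present.
REQUIRED_SQL_MODES = {
    "STRICT_TRANS_TABLES", "NO_ZERO_IN_DATE", "NO_ZERO_DATE",
    "ERROR_FOR_DIVISION_BY_ZERO", "NO_AUTO_CREATE_USER", "NO_ENGINE_SUBSTITUTION",
}

def parse_mysqld_section(text: str) -> dict:
    """Return the option/value pairs of the [mysqld] section (option names lower-cased)."""
    # my.cnf permits bare options without '=', '#'/';' comments and '!includedir'
    # directives; drop the directives, which configparser cannot parse.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   inline_comment_prefixes=("#", ";"), strict=False)
    cp.read_file(io.StringIO("\n".join(lines)))
    return dict(cp["mysqld"]) if cp.has_section("mysqld") else {}

def check_mysqld(text: str) -> list:
    """List the settings that would stop the portal and collector VMs from using this server."""
    sect = parse_mysqld_section(text)
    if not sect:
        return ["no [mysqld] section found"]
    problems = []
    bind = sect.get("bind-address")
    if bind is None or bind in ("127.0.0.1", "localhost"):
        problems.append("bind-address missing or loopback only: remote VMs cannot connect")
    modes = {m.strip().upper() for m in (sect.get("sql_mode") or "").split(",") if m.strip()}
    missing = REQUIRED_SQL_MODES - modes
    if missing:
        problems.append("sql_mode is missing " + ",".join(sorted(missing)))
    # Absent or bare local_infile means the server default (ON) applies.
    if (sect.get("local_infile") or "1").upper() in ("0", "OFF", "FALSE"):
        problems.append("local_infile is disabled: FortiView session-log queries find no records")
    return problems

# Constructed sample modelled on the [mysqld] example in the text (not a real server's file).
SAMPLE_CNF = """[mysqld]
bind-address = 10.220.64.121
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
local_infile = 1
!includedir /etc/mysql/conf.d/
"""

if __name__ == "__main__":
    print(check_mysqld(SAMPLE_CNF))   # []
```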
Portal installation
Note: Before doing the portal installation, Fortinet recommends taking a snapshot of the portal database server in its initial state. If there are any errors installing the portal, you can revert the database server to its initial state.
- Install the portal VM image. For a new VMware installation, use the fpcvm64imagePortal.out.ovf.zip file. For the KVM version, see Appendix: Installation using OpenStack.
- Configure the CLI settings. For example:
config system global
set hostname portal # use whatever name that you want to give the VM
set timezone 28 # use ? to identify the correct value for your region
end
config system interface
edit port1
set ip 10.220.64.120/24
set allowaccess ping https ssh http
end
config system route
edit 1
set device port1
set gateway 10.220.64.1
end
config system sql
set status remote
set database-name fp_fazlite # use the same database name when you configure the collector VM
set database-type mysql # REQUIRED. If you omit this step, there will be problems with generating the portal database and collector database.
set database-port 3365 # this example changes the default MySQL port from 3306 to 3365
set username fpc # use the database user name instead of fpc
set password xyz # use the password for the database user name
set server 10.220.64.121 # use the same IP address or fully qualified domain name for the collector when you configure it from the CLI
end
- Check the NTP settings with the show system ntp command. Modify the settings for your environment if necessary. The NTP source should be the same for all portal and collector VMs so that log time stamps are synchronized across all devices.
- Reboot the VM.
- From the database console, check the FortiPortal version information:
select * from ftntpmcdb.fpc_version;
- Log in to FortiPortal using the user name spuser and the password test123:
https://10.220.64.120/fpc/login
The left pane is common to all of the pages (Dashboard, Customers, Devices, Admin, and Audit).
- Next, set the portal database size available on the portal database server. Go to Admin > Settings to specify the FPC Data Store Size, for example, 1024 GB.
The mail settings must also be configured during the first-time configuration.
- Next, upload the license file. Go to Admin > System Info and select Upload License.
- After the license is uploaded, check that the license status is valid and the number of devices allowed is correct.
The individual portal and collector VMs do not have serial numbers.
Updating the SSL certificate file
If you are setting up a demo server, you can skip this procedure.
Note: You must upload the license first.
Use the following steps to import an SSL certificate for the FortiPortal VM.
From the Admin portal, select Admin > System Info to display information about the SSL certificate.
System Info page
The Certificate Information panel displays the certificate file name and private key file name.
From this panel, you can select and upload a new certificate and private key for the FortiPortal (using the PKCS#8 format).
Note: Do not use certificate import and export commands from the portal or collector VMs because they apply to the administration interface and not the FortiPortal application. The certificate signing request must be done on an external host and the signed certificate imported. For example:
openssl genrsa -des3 -out server.key 1024                       # passphrase-protected RSA key (1024 bits as shown; public CAs require at least 2048)
cp server.key server.key.org                                    # keep the passphrase-protected copy
openssl rsa -in server.key.org -out server.key                  # strip the passphrase
openssl req -new -key server.key -out server.csr                # certificate signing request to send to your CA
openssl pkcs8 -topk8 -nocrypt -in server.key -out portal.key    # unencrypted PKCS#8 key for the portal upload
openssl x509 -req -days 365 -in server.csr -signkey portal.key -out server.crt   # self-signed certificate when no CA is used
After these steps are done, upload the certificate file (the *.crt file) and the portal.key file from the FortiPortal UI (as instructed in the administration guide).
After uploading the certificate file, restart your portal VM.
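An added check (not Fortinet's code) that classifies the PEM blocks in the key and certificate files produced by the openssl steps above, so a passphrase-protected or PKCS#1 key is caught locally before the upload rather than after a portal restart; the function names and the placeholder PEM bodies are my own constructions and contain no real key material.

```python
import re

# A PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(pem: str) -> list:
    """Return the labels of every PEM block in the text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def check_upload_pair(key_pem: str, cert_pem: str) -> list:
    """Problems to fix before uploading: the page requires an unencrypted PKCS#8 key and a PEM certificate."""
    problems = []
    key_labels = pem_labels(key_pem)
    if key_labels != ["PRIVATE KEY"]:
        if "ENCRYPTED PRIVATE KEY" in key_labels:
            problems.append("key is passphrase-protected; rerun openssl pkcs8 -topk8 -nocrypt")
        elif "RSA PRIVATE KEY" in key_labels:
            problems.append("key is PKCS#1 (traditional format); convert with openssl pkcs8 -topk8 -nocrypt")
        else:
            problems.append("key file must hold exactly one unencrypted PKCS#8 PRIVATE KEY block")
    cert_labels = pem_labels(cert_pem)
    if not cert_labels or cert_labels[0] != "CERTIFICATE":
        problems.append("certificate file does not begin with a CERTIFICATE block")
    return problems


def make_pem(label: str) -> str:
    """Constructed PEM text with a placeholder body (not real key or certificate material)."""
    return "-----BEGIN %s-----\nQkFTRTY0IFBMQUNFSE9MREVS\n-----END %s-----\n" % (label, label)


if __name__ == "__main__":
    print(check_upload_pair(make_pem("PRIVATE KEY"), make_pem("CERTIFICATE")))       # []
    print(check_upload_pair(make_pem("RSA PRIVATE KEY"), make_pem("CERTIFICATE")))   # PKCS#1 warning
```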
Collector installation
Use the following instructions to install and configure the first collector. You can add multiple collectors for more storage and an increased log rate.
- Install the collector VM image using the fpcvm64imageCollector.out.ovf.zip file.
- Configure the CLI settings. The database server defined with the config system sql command is the portal database. The collector databases are configured from the FortiPortal application. For example:
config system global
set hostname collector
set timezone 28
end
config system interface
edit port1
set ip 10.220.64.122/24
set allowaccess ping https ssh http
end
config system route
edit 1
set device port1
set gateway 10.220.64.1
end
config system sql
set status remote
set database-name fp_fazlite # use the same database name that you previously configured in the portal VM
set database-type mysql
set password xyz
set server 10.220.64.121
set username fpc
end
- Check the NTP settings with the show system ntp command. Modify the settings for your environment if necessary.
- Reboot the collector.
- Log in to the collector's management GUI to verify the installation.
Adding the collector to the portal
- Log in to FortiPortal using the user name spuser and the password test123.
- Go to Devices > FPC Collectors and then select Add.
- Enter a name and the IP address of the collector.
- Select Standalone for the mode. If you are configuring a collector HA, select Master.
- Enter the collector user name and password. By default, the user name is admin.
- Enter the collector database IP address, user name, and password.
- Enter the data storage size in GB.
- Select Save.
- Check the data store size again. It should be larger now that it includes the collector.
Note: The storage indicator increments by the collector database storage allocation. The overall storage indicator combines the portal database and all collector databases.
FortiManager configuration
You need to configure FortiManager to work with FortiPortal.
- The ADOM mode must be enabled for FortiManager to work with FortiPortal. If needed, enable ADOMs and the advanced adom-mode on FortiManager so that you can add VDOMs on the same physical device to different ADOMs.
config system global
set adom-status enable
set adom-mode advanced
y # answer y at the confirmation prompt
end
- Create a portal user with read-and-write permission:
config system admin user
edit fpc
set profileid Super_User
set adom all_adoms
set policy-package all_policy_packages
set password fortinet
set rpc-permit read-write
next
end
- The workspace mode must be enabled for FortiManager to work with FortiPortal.
config system global
set workspace-mode normal
end
- Add your FortiManager device using the JSON port. You must poll FortiManager to see the device list. For more information about adding FortiManagers to the portal, see FortiManager devices.
FortiAnalyzer configuration
Note: To add a FortiAnalyzer, see FortiAnalyzer devices.
You need to configure FortiAnalyzer to work with FortiPortal.
- The ADOM mode must be enabled for FortiAnalyzer to work with FortiPortal. You must enable the interface permission webservice on FortiAnalyzer for the portal-facing interface.
- You must allow remote procedure calls. Create an admin user for the portal:
config system admin user
edit <user_name>
set rpc-permit read-write
end