Administration Guide

Basic setup

The portal interacts with FortiManager, and the collector, typically, interacts with FortiAnalyzer. To avoid the portal or collector becoming a bottleneck, you can adjust their maximum CPU and memory sizes so that they equal the values for the FortiManager and FortiAnalyzer devices they interact with.

Basic setup covers the following tasks:

MySQL prerequisite

Before using MySQL, you need to check if MySQL is configured properly. The 'local_infile' variable needs to be on.

To check if the 'local_infile' variable is on, run the following query from the MySQL console:

SHOW GLOBAL VARIABLES LIKE 'local_infile';

If the 'local_infile' variable is off, run the following query to turn it on:

SET GLOBAL local_infile = 'ON';

When the 'local_infile' variable is off, FortiPortal will experience various issues, such as FortiView finding no matching records for session logs.

Sizing

FortiPortal sizing can be complex. Fortinet recommends that you work with your Fortinet systems engineer when possible. However, using the following guidelines, you can successfully complete this task:

  • Portal VM—The default storage disk size is 80 GB, which is the recommended minimum. (The 2-GB disk in the VM is the flash memory; the 80-GB disk is storage.) If you have many customer logins and many devices, then increase the memory and disk sizes for improved performance.
  • Collector VM—The storage disk size depends on the number of FortiGate units logging to it. The default 80-GB storage supports approximately 20 FortiGate units. (You can increase the disk size to support more FortiGate units. But a single collector has a maximum rate of 15,000 logs per second.)
  • Portal and collector database server VMs—The minimum customer (database) storage size is 5 GB, which comfortably supports about 100 logs per second with an aggregate log retention period of 30 days. Of this 5 GB, by default, 80 percent is stored in the collector database as raw logs and 20 percent is stored in the portal database as aggregate logs. (You can adjust this split to increase storage for aggregate logs.) So, for an 80/20 split, 4 GB is required for the collector database and 1 GB for the portal database. For example, if you have 100 customers, you need a minimum of 500 GB of database storage with the default 5 GB per customer: 100 GB for the portal and 400 GB for the collector. Configure the database servers to accommodate growth because these require the most storage. For example, start with 1 TB or more each for the portal and collector database servers. You then set the size of both the portal and collector databases in the FortiPortal application.

If too much space is allocated for portal and collector databases, no new customer users can be created.

  1. For customer users who are not using analytics, the service provider can disable analytics in the Edit Customer form for those customer users, which will reduce the total storage from a default of 5 GB to 100 MB.
  2. For customer users who do not use a lot of collector storage, the service provider can change the Collector/FPC Storage Percentage value in the Edit Customer form to 50/50 for those customer users.
  3. The service provider can now increase the value of the FPC Data Store Size in the Administrative Settings form. Fortinet recommends reserving 60% to 70% of the customer user space for database storage.
  4. The service provider should set up an SNMP trap to monitor and take appropriate steps to avoid service interruptions when 80% of the database server disk has been used.

(See Appendix: Sizing for further information about sizing. Using VMs, you can easily increase the amount of memory or disk sizes with Logical Volume Manager [LVM].)
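The following is an added example, not part of the Fortinet guide: a small planner that applies the sizing rules above to a customer list and checks the result against the disk on the database servers. The customer mix and disk sizes in it are constructed values; the rules it encodes (5 GB per customer by default, 100 MB once analytics is disabled, an 80/20 collector/portal split by default, an FPC Data Store Size kept within 60% to 70% of the space, and an SNMP alert at 80% disk use) are the ones stated in this section.

```python
# Added example, not part of the Fortinet guide: a planner for the sizing rules
# above. Customer mix and disk sizes are constructed; the rules are the guide's.

DEFAULT_CUSTOMER_GB = 5.0
ANALYTICS_OFF_GB = 0.1            # 100 MB once analytics is disabled for a customer
DEFAULT_COLLECTOR_PCT = 80        # default Collector/FPC Storage Percentage


def customer_allocation(analytics=True, customer_gb=DEFAULT_CUSTOMER_GB,
                        collector_pct=DEFAULT_COLLECTOR_PCT):
    """Return (collector_gb, portal_gb) reserved for one customer."""
    total = customer_gb if analytics else ANALYTICS_OFF_GB
    collector = total * collector_pct / 100
    return collector, total - collector


def plan_storage(customers):
    """customers: dicts with optional keys analytics, customer_gb, collector_pct.
    Returns the totals (GB) the collector and portal databases must hold."""
    collector_total = portal_total = 0.0
    for c in customers:
        col, por = customer_allocation(c.get("analytics", True),
                                       c.get("customer_gb", DEFAULT_CUSTOMER_GB),
                                       c.get("collector_pct", DEFAULT_COLLECTOR_PCT))
        collector_total += col
        portal_total += por
    return {"collector_gb": round(collector_total, 3), "portal_gb": round(portal_total, 3)}


def max_data_store_gb(disk_gb, reserve_pct=70):
    """Largest FPC Data Store Size to configure for a database server disk while
    staying inside the recommended 60% to 70% reservation (70% by default)."""
    return disk_gb * reserve_pct / 100


def disk_alert(used_gb, disk_gb, threshold_pct=80):
    """True once usage reaches the level at which the guide wants an SNMP trap."""
    return used_gb / disk_gb * 100 >= threshold_pct


if __name__ == "__main__":
    # Constructed customer mix: 100 default customers, 20 with analytics off,
    # 10 that keep little raw log data and run a 50/50 split.
    customers = ([{}] * 100
                 + [{"analytics": False}] * 20
                 + [{"collector_pct": 50}] * 10)
    totals = plan_storage(customers)
    print("collector DB needs %.2f GB, portal DB needs %.2f GB"
          % (totals["collector_gb"], totals["portal_gb"]))
    print("max FPC Data Store Size on a 1024 GB disk: %.1f GB" % max_data_store_gb(1024))
    print("alert at 820/1024 GB used:", disk_alert(820, 1024))
```

Running the planner on the constructed mix reproduces the guide's 100-customer figure (400 GB collector, 100 GB portal) and shows how the analytics-off and 50/50 remedies change the totals, and the last two calls give the FPC Data Store Size ceiling and the trap threshold for a 1 TB disk.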

Default login credentials

The following are the default user names and passwords for the FortiPortal components:

Component                                        Default user name   Default password
Portal                                           admin               No password
Collector                                        admin               No password
Portal database VM                               fpc                 fpc
Collector database VM                            fpc                 fpc
Portal database and collector database (MySQL)   root                admin

Database installation

Fortinet does not provide the database server as part of FortiPortal. Fortinet supports the databases created by FortiPortal and the connections to them.

The following is the overall installation procedure, which starts by configuring the database servers:

  1. After you create the database server image, you must install at least two instances, one for the portal database and one for each collector database.
  2. Create the server VM and install the database server. FortiPortal supports MariaDB 10.2 and MySQL 5.7.
  3. Install the portal. The portal requires a license.
  4. Install the collector(s). (No licenses are required for the collector, so you can add as many collectors as needed if you need more log storage and an increased logging rate.)
  5. After FortiPortal is running, you can add FortiManager devices and set up customers. See Add a FortiManager and Add or edit a customer.

After you create the server VM and install the database server, configure the following settings in MySQL (version 5.7 or later) or MariaDB (version 10.2):

  1. Set the MySQL server bind-address and sql_mode parameters in the [mysqld] section of one of the following files:

    For MySQL: /etc/mysql/my.cnf
    For MySQL 5.7: /etc/mysql/mysql.conf.d/mysqld.cnf
    For MariaDB 10.2.x: /etc/mysql/mariadb.conf.d/50-server.cnf

    For example:

    [mysqld]
    ...
    bind-address = 10.220.64.121
    ...
    sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION


  2. Open the MySQL console as root and use the show variables command to check that the bind-address and sql_mode parameters are correctly set:

    mysql -u root -p

  3. Create a user for the portal, grant privileges to the user, and check that the user is created:

    create user '<database_user_name>'@'%' identified by '<database_user_password>';
    GRANT ALL PRIVILEGES ON *.* TO '<database_user_name>'@'%' IDENTIFIED BY '<database_user_password>';
    flush privileges;

    # Use the following query to check that the user and host are entered correctly
    select host,user from mysql.user;


    For example:

    > create user 'fpc'@'%' identified by 'fpc';
    > GRANT ALL PRIVILEGES ON *.* TO 'fpc'@'%' IDENTIFIED BY 'fpc';
    > flush privileges;
    > select host,user from mysql.user;
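The following is an added example, not part of the Fortinet guide: a pre-flight check for the database server settings that the MySQL prerequisite and step 1 above call for. It parses the [mysqld] section of a my.cnf, mysqld.cnf or 50-server.cnf fragment and the rows returned by select host,user from mysql.user, and reports deviations. The choices that are mine rather than the guide's: bind-address is expected to be a single address (0.0.0.0 is reported), local_infile is expected in the file because a SET GLOBAL value is lost when mysqld restarts, and remote accounts are expected to be limited to the portal and collector addresses rather than the '%' wildcard used in the example grant. The configuration fragment and the query result embedded in it are constructed.

```python
# Added example, not part of the Fortinet guide: checks a [mysqld] fragment and
# a mysql.user listing against the settings the database installation steps need.
import re

# The sql_mode flags from the guide's example.
REQUIRED_SQL_MODE = {
    "STRICT_TRANS_TABLES", "NO_ZERO_IN_DATE", "NO_ZERO_DATE",
    "ERROR_FOR_DIVISION_BY_ZERO", "NO_AUTO_CREATE_USER", "NO_ENGINE_SUBSTITUTION",
}
WILDCARD_BIND = {"0.0.0.0", "::", "*"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_mysqld_section(text):
    """Return the key/value pairs of the [mysqld] section as a dict.

    Keys are normalised to the hyphenated spelling (sql_mode -> sql-mode), since
    option files accept both; '#' comments and surrounding quotes are stripped."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key.replace("_", "-").lower()] = value.strip("'\"")
    return values


def check_mysqld_config(text):
    """Return a list of findings for the fragment; an empty list means it passes."""
    cfg = parse_mysqld_section(text)
    findings = []
    bind = cfg.get("bind-address")
    if bind is None:
        findings.append("bind-address is not set in [mysqld]")
    elif bind in WILDCARD_BIND:
        findings.append(f"bind-address {bind} listens on every interface; "
                        "use the database server's own address")
    modes = {m.strip().upper() for m in cfg.get("sql-mode", "").split(",") if m.strip()}
    missing = sorted(REQUIRED_SQL_MODE - modes)
    if missing:
        findings.append("sql_mode is missing " + ", ".join(missing))
    if cfg.get("local-infile", "").upper() not in {"1", "ON", "TRUE"}:
        findings.append("local_infile is not enabled in the file "
                        "(SET GLOBAL does not survive a restart)")
    return findings


def check_user_hosts(rows, allowed_hosts):
    """rows: (host, user) pairs from `select host,user from mysql.user`.
    Returns the non-local accounts whose host is not in allowed_hosts; an
    account created with '%' shows up here."""
    return [f"{user}@{host}" for host, user in rows
            if host not in LOCAL_HOSTS and host not in allowed_hosts]


# Constructed fragment modelled on the guide's example (no local_infile line).
EXAMPLE_CNF = """
[mysqld]
bind-address = 10.220.64.121
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
"""

# Constructed query result for a server where the portal user was granted '%'.
EXAMPLE_USERS = [("localhost", "root"), ("localhost", "mysql.sys"), ("%", "fpc")]

if __name__ == "__main__":
    for finding in check_mysqld_config(EXAMPLE_CNF):
        print("config:", finding)
    for account in check_user_hosts(EXAMPLE_USERS, {"10.220.64.120", "10.220.64.122"}):
        print("account reachable from any host:", account)
```

Run against the constructed fragment it reports only the missing local_infile line, and against the constructed user list it names fpc@%; feeding it the real file and query output from the database server before the portal install gives the same two checks on the live system.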

Portal installation

Before doing the portal installation, Fortinet recommends taking a snapshot of the portal database server in its initial state. If there are any errors installing the portal, you can revert the database server to its initial state.

  1. Install the portal VM image. For a new VMware installation, use the fpcvm64imagePortal.out.ovf.zip file. For the KVM version, see Appendix: Installation using OpenStack.
  2. Configure the CLI settings. For example:

    config system global
    set hostname portal # use whatever name you want to give the VM
    set timezone 28 # use ? to identify the correct value for your region
    end

    config system interface
    edit port1
    set ip 10.220.64.120/24
    set allowaccess ping https ssh http
    end

    config system route
    edit 1
    set device port1
    set gateway 10.220.64.1
    end

    config system sql
    set status remote
    set database-name fp_fazlite # use the same database name when you configure the collector VM
    set database-type mysql # REQUIRED. If you omit this step, there will be problems generating the portal database and collector database.
    set database-port 3365 # this example changes the default MySQL port from 3306 to 3365
    set username fpc # use the database user name instead of fpc
    set password xyz # use the password for the database user name
    set server 10.220.64.121 # use the same IP address or fully qualified domain name for the collector when you configure it from the CLI
    end


  3. Check the NTP settings with the show system ntp command. Modify the settings for your environment if necessary.

    The NTP source should be the same for all portal and collector VMs to synchronize the log time stamps across all devices.

  4. Reboot the VM.
  5. From the database console, check the FortiPortal version information:

    select * from ftntpmcdb.fpc_version;

  6. Log in to FortiPortal using the user name spuser and the password test123:

    https://10.220.64.120/fpc/login



    The left pane is common for all of the pages (Dashboard, Customers, Devices, Admin, and Audit).
  7. Next, you need to set the portal database size available on the portal database server. Go to Admin > Settings to specify the FPC Data Store Size. For example, 1024 GB.

    The mail settings must also be configured during the first-time configuration.

  8. Next, upload the license file. Go to Admin > System Info and select Upload License.
  9. After the license is uploaded, check that the license status is valid and the number of devices allowed is correct.

    The individual portal and collector VMs do not have serial numbers.

Updating the SSL certificate file

If you are setting up a demo server, you can skip this procedure.

You must upload the license first.

Use the following steps to import an SSL certificate for the FortiPortal VM.

From the Admin portal, select Admin > System Info to display information about the SSL certificate.

System Info page

The Certificate Information panel displays the certificate file name and private key file name.

From this panel, you can select and upload a new certificate and private key for the FortiPortal (using the PKCS#8 format).

Do not use certificate import and export commands from the portal or collector VMs because they apply to the administration interface and not the FortiPortal application. The certificate signing request must be done on an external host and the signed certificate imported. For example:

openssl genrsa -des3 -out server.key 1024

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

openssl req -new -key server.key -out server.csr

openssl pkcs8 -topk8 -nocrypt -in server.key -out portal.key

openssl x509 -req -days 365 -in server.csr -signkey portal.key -out server.crt

After these steps are done, you need to upload the certificate file (*.crt file) and portal.key file from the FortiPortal UI (as instructed in the administration guide). After uploading the certificate file, restart your portal VM.
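The following is an added example, not part of the Fortinet guide: the CSR and self-signed certificate flow above, driven from Python so that the result is checked before it is uploaded. Where it differs from the listing, the choice is mine: a 2048-bit RSA key instead of 1024, written unencrypted in PKCS#8 form in one step (which makes the des3 and pkcs8 conversion unnecessary), and a final comparison of the public key in portal.key with the one in server.crt so that a mismatched pair is caught before the upload and the portal reboot. The subject portal.example.test and the output directory are placeholders, and openssl must be on the PATH of the external host.

```python
# Added example, not part of the Fortinet guide: generate portal.key (PKCS#8)
# and server.crt on the external host and verify they belong together.
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_portal_cert(outdir, common_name, days=365, bits=2048):
    """Write portal.key (PKCS#8), server.csr and a self-signed server.crt."""
    os.makedirs(outdir, exist_ok=True)
    key = os.path.join(outdir, "portal.key")
    csr = os.path.join(outdir, "server.csr")
    crt = os.path.join(outdir, "server.crt")
    # genpkey emits an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"), the form the
    # FortiPortal UI accepts, so no separate pkcs8 -topk8 step is needed.
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", key)
    # Non-interactive CSR: send server.csr to your CA, or self-sign it for a demo server.
    openssl("req", "-new", "-key", key, "-subj", f"/CN={common_name}", "-out", csr)
    openssl("x509", "-req", "-days", str(days), "-in", csr, "-signkey", key, "-out", crt)
    return key, crt


def key_matches_cert(key_path, crt_path):
    """True when key_path is a PKCS#8 PEM key whose public half equals the
    certificate's public key; False for an encrypted or PKCS#1 key or a mismatch."""
    with open(key_path) as handle:
        if handle.readline().strip() != "-----BEGIN PRIVATE KEY-----":
            return False
    key_pub = openssl("pkey", "-in", key_path, "-pubout").strip()
    crt_pub = openssl("x509", "-in", crt_path, "-noout", "-pubkey").strip()
    return key_pub == crt_pub


def demo():
    """Generate two independent pairs: the check passes for a matched pair and
    fails when the key from one pair is tested against the other's certificate."""
    with tempfile.TemporaryDirectory() as work:
        key_a, crt_a = make_portal_cert(os.path.join(work, "a"), "portal.example.test")
        key_b, crt_b = make_portal_cert(os.path.join(work, "b"), "portal.example.test")
        return {"matched": key_matches_cert(key_a, crt_a),
                "crossed": key_matches_cert(key_a, crt_b)}


if __name__ == "__main__":
    print(demo())
```

For a production portal, replace the self-signing call with the certificate returned by your CA and run key_matches_cert on that file and portal.key; the upload and reboot step of the guide then only happens for a pair that is known to match.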

Collector installation

Use the following instructions to install and configure the first collector. You can add multiple collectors for more storage and an increased log rate.

  1. Install the collector VM image using the fpcvm64imageCollector.out.ovf.zip file.
  2. Configure the CLI settings.

    The database server defined with the config system sql command is the portal database. The collector databases are configured from the FortiPortal application.

    For example:

    config system global
    set hostname collector
    set timezone 28
    end

    config system interface
    edit port1
    set ip 10.220.64.122/24
    set allowaccess ping https ssh http
    end

    config system route
    edit 1
    set device port1
    set gateway 10.220.64.1
    end

    config system sql
    set status remote
    set database-name fp_fazlite # use the same database name that you previously configured in the portal VM
    set database-type mysql
    set password xyz
    set server 10.220.64.121
    set username fpc
    end


  3. Check the NTP settings with the show system ntp command. Modify the settings for your environment if necessary.
  4. Reboot the collector.
  5. Log in to the collector's management GUI to verify the installation:

    https://10.220.64.122:4443

Adding the collector to the portal

  1. Log in to FortiPortal using the user name spuser and the password test123.
  2. Go to Devices > FPC Collectors and then select Add.

  3. Enter a name and the IP address of the collector.

  4. Select Standalone for the mode. If you are configuring a collector HA, select Master.
  5. Enter the collector user name and password. By default, the user name is admin.
  6. Enter the collector database IP address, user name, and password.
  7. Enter the data storage size in GB.
  8. Select Save.
  9. Check the data store size again. It should be larger now that it includes the collector.

The storage indicator increments by the collector database storage allocation. The overall storage indicator combines the portal database and all collector databases.

FortiManager configuration

You need to configure FortiManager to work with FortiPortal.

  1. The ADOM mode must be enabled for FortiManager to work with FortiPortal. If needed, enable ADOMs and the advanced adom-mode on FortiManager so that you can add VDOMs on the same physical device to different ADOMs.

    config system global
    set adom-status enable
    set adom-mode advanced
    y # answer y at the confirmation prompt
    end


  2. Create a portal user with read-and-write permission:

    config system admin user
    edit fpc
    set profileid Super_User
    set adom all_adoms
    set policy-package all_policy_packages
    set password fortinet
    set rpc-permit read-write
    next
    end


  3. The workspace mode must be enabled for FortiManager to work with FortiPortal.

    config system global
    set workspace-mode normal
    end


  4. Add your FortiManager device using the JSON port. You must poll FortiManager to see the device list. For more information about adding FortiManagers to the portal, see FortiManager devices.

FortiAnalyzer configuration

To add a FortiAnalyzer, see FortiAnalyzer devices.

You need to configure FortiAnalyzer to work with FortiPortal.

  1. The ADOM mode must be enabled for FortiAnalyzer to work with FortiPortal. You must enable the interface permission webservice on FortiAnalyzer for the portal-facing interface.
  2. You must allow remote procedure calls. Create an admin user for portal:

    config system admin user
    edit <user_name>
    set rpc-permit read-write
    end
