Basic setup
The portal interacts with FortiManager. To avoid the portal becoming a bottleneck, you can adjust the maximum CPU and memory sizes so that they equal the values for the FortiManager devices they interact with.
Basic setup covers the following tasks:
- MySQL prerequisite
- Sizing
- Default login credentials
- Database installation
- Portal installation
- Basic setup
- FortiManager configuration
- FortiAnalyzer configuration
MySQL prerequisite
Before using MySQL, you need to check if MySQL is configured properly. The 'local_infile'
variable needs to be on.
To check if the 'local_infile'
variable is on, run the following query from the MySQL console:
SHOW GLOBAL VARIABLES LIKE 'local_infile';
If the 'local_infile'
variable is off, run the following query to turn it on:
SET GLOBAL local_infile = 'ON';
When the 'local_infile'
variable is off, FortiPortal will experience various issues, such as FortiView finding no matching records for session logs.
Sizing
FortiPortal sizing can be complex. Fortinet recommends that you work with your Fortinet systems engineer when possible. However, using the following guidelines, you can successfully complete this task:
- Portal VM—The default storage disk size is 80 GB, which is the recommended minimum. (The 2-GB disk in the VM is the flash memory; the 80-GB disk is storage.) If you have many customer logins and many devices, then increase the memory and disk sizes for improved performance.
Default login credentials
The following are the default user names and passwords for the FortiPortal components:
Component |
Default User Name |
Default password |
---|---|---|
Portal |
|
No password |
Database installation
Fortinet does not provide this server as part of FortiPortal. Fortinet supports the databases created by FortiPortal and the connections to them.
The following is the overall installation procedure, which starts by configuring the database servers:
- After you create the database server image, you must install at least once instance for the portal database.
- Create the server VM and install the database server. FortiPortal supports MariaDB 10.2 and MySQL 5.7.
- Install the portal. The portal requires a license.
- After FortiPortal is running, you can add FortiManager devices and set up customers. See FortiManager devices and Add or edit a customer.
After you create the server VM and install the database server, configure the following settings in MySQL (version 5.7 or later) or MariaDB (version 10.2):
- Set the MySQL server
bind-address
andsql_mode
parameters in the[mysqld]
section of one of the following files:
For MariaSQL:/etc/mysql/my.cnf
For MariaDB 10.2:/etc/mysql/mysql.conf.d/mysqld.cnf
For MariaDB 10.2.x:/etc/mysql/mariadb.conf.d/50-server.cnf
For example:[mysqld]
...
bind-address = 10.220.64.121
...
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
- From the MySQL console, use the
show variables
command to check that the following parameters are correctly set:mysql -u root -p
- Create a user for the portal, grant privileges to the user, and check that the user is created:
create user '<database_user_name>'@'%' identified by '<database_user_password>';
GRANT ALL PRIVILEGES ON *.* TO '<database_user_name>'@'%' IDENTIFIED BY <database_user_password>;
flush privileges;
# Use the following query to check that the user and host are entered correctly
select host,user from mysql.user;
For example:> create user 'fpc'@'%' identified by 'fpc';
> GRANT ALL PRIVILEGES ON *.* TO 'fpc'@'%' IDENTIFIED BY 'fpc';
> flush privileges;
> select host,user from mysql.user;Ensure that from the MySQL instance you can resolve the MySQL server hostname (e.g. by pinging it), and that you can resolve the portal IP. Adding entries to /etc/hosts on the MySQL instance is one way of doing this.
Portal installation
Before doing the portal installation, Fortinet recommends taking a snapshot of the portal database server in its initial state. If there are any errors installing portal, you can revert the database server to its initial state.
- Install the portal VM image. For a new VMware installation, use the
fpcvm64imagePortal.out.ovf.zip
file. For the KVM version, see Appendix: Installation using OpenStack. - Configure the CLI settings. For example:
config system global
set hostname portal # use whatever name that you want to give the VM
set timezone 28 # use ? to identify the correct value for your region
end
config system interface
edit port1
set ip 10.220.64.120/24
set allowaccess ping https ssh http
end
config system route
edit 1
set device port1
set gateway 10.220.64.1
end
config system sql
set status remote
set database-name fp_fazlite
set database-type mysql # REQUIRED. If you omit this step, there will be problems with generating the portal database.
set database-port 3365 # this example changes the default MySQL port from 3306 to 3365
set username fpc # use the database user name instead of fpc
set password xyz # use the password for the database user name
set server 10.220.64.121
end
FortiPortal must be rebooted after a change is made to
config system sql
.Using the
config system sql
command updates the database property file with the current values even if no changes are made. This causes the GUI session to disconnect.If you want to only check the SQL settings, use
show system sql
command. -
Check the NTP settings with the
show system ntp
command. Modify the settings for your environment if necessary.The NTP source should be the same for all portal VMs to synchronize the log time stamps across all devices.
- Reboot the VM.
- From the database console, check the FortiPortal version information:
select * from ftntpmcdb.fpc_version;
- Log in to FortiPortal using the user name
spuser
and the passwordtest123
:
https://10.220.64.120/fpc/login
The left pane is common for all of the pages (Dashboard, Customers, Devices, Admin, and Audit). -
Next, you need to set the portal database size available on the portal database server. Go to Admin > Settings to specify the FPC Data Store Size.
For example, 1024 GB.
The mail settings must also be configured during the first-time configuration.
- Next, upload the license file. Go to Admin > System Info and select Upload License.
- After the license is uploaded, check that the license status is valid and the number of devices allowed is correct.
The individual portal VM does not have serial numbers.
Updating the SSL certificate file
If you are setting up a demo server, you can skip this procedure.
You must upload the license first. |
Use the following steps to import an SSL certificate for the FortiPortal VM.
From the Admin portal, select Admin > System Info to display information about the SSL certificate.
System Info page
The Certificate Information panel displays the certificate file name and private key file name.
From this panel, you can select and upload a new certificate and private key for the FortiPortal (using the PKCS#8 format).
Do not use certificate import and export commands from the portal VMs because they apply to the administration interface and not the FortiPortal application. The certificate signing request must be done on an external host and the signed certificate imported. For example: openssl genrsa -des3 -out server.key 1024 cp server.key server.key.org openssl rsa -in server.key.org -out server.key openssl req -new -key server.key -out server.csr openssl pkcs8 -topk8 -nocrypt -in server.key -out portal.key openssl x509 -req -days 365 -in server.csr -signkey portal.key -out server.crt |
After these steps are done, you need to upload the certificate file (*.crt
file) and portal.key
file from the FortiPortal UI (as instructed in the administration guide).
After uploading the certificate file, restart your portal VM.
FortiManager configuration
You need to configure FortiManager to work with FortiPortal.
-
The ADOM mode must be enabled for FortiManager to work with FortiPortal. If needed, enable ADOMs and the advanced adom-mode on FortiManager so that you can add VDOMs on the same physical device to different ADOMs.
config system global
set adom-status enable
set adom-mode advanced
y
end
- Create a portal user with read-and-write permission:
config system admin user
edit fpc
set profileid Super_User
set adom all_adoms
set policy-package all_policy_packages
set password fortinet
set rpc-permit read-write
next
end
-
The workspace mode must be enabled for FortiManager to work with FortiPortal.
config system global
set workspace-mode normal
end
- Add your FortiManager device using the JSON port. You must poll FortiManager to see the device list. For more information about adding FortiManagers to the portal, see FortiManager devices.
FortiAnalyzer configuration
You need to configure FortiAnalyzer to work with FortiPortal.
- The ADOM mode must be enabled for FortiAnalyzer to work with FortiPortal. You must enable the interface permission
webservice
on FortiAnalyzer for the portal-facing interface. - You must allow remote procedure calls. Create an admin user for portal:
config system admin user
edit <user_name>
set rpc-permit read-write
end
To add a FortiAnalyzer, see FortiAnalyzer devices. |