Fortinet Document Library

FortiSIEM Disaster Recovery Procedures

This document describes how to set up FortiSIEM on a Secondary (Disaster Recovery) site. If the Primary site goes down, then FortiSIEM on the secondary site can be activated.

Prerequisites

You must buy two licenses – one for the Primary Site and one for the Secondary site. The Licenses are linked to the UUID of the server on which the Supervisor runs, one for each site. Although the Secondary site is not active when the Primary site is operational, an additional license is needed to set up the FortiSIEM on the Secondary site.

Procedure

Step 1: Set up FortiSIEM on the Primary site

Set up FortiSIEM on the Primary site following the regular instructions, using the Primary license. See the 'Licensing Guide' here.

Note: If you have chosen Workers for a scale-out FortiSIEM deployment, there are two choices:

  • Collectors to Workers directly (See Figure 1)
  • Collectors to a Load Balancer which then forwards to the Workers (See Figure 2)

Figure 1: Collector sending events directly to Workers


Figure 2: Collectors sending events to Workers via Load Balancer

Step 2: Set up the Secondary FortiSIEM on the Disaster Recovery site

  1. Install the FortiSIEM Supervisor on the Secondary site using the Secondary license. Since this is a warm (standby) site, Workers are not required.
  2. The event storage mechanism must be identical on the Secondary site. If you have chosen NFS, allocate the same amount of space for the NFS Server.
  3. Download the Disaster Recovery scripts (DR.tar) from the Fortinet Support website https://support.fortinet.com. See "Downloading FortiSIEM Products" for more information on downloading products from the support website.
  4. Extract the archive in /opt/phoenix on the Supervisor node.

Step 3: Configure the Primary FortiSIEM to sync to the Secondary FortiSIEM

  1. Download the Disaster Recovery scripts (DR.tar) from the Fortinet Support website https://support.fortinet.com. See "Downloading FortiSIEM Products" for more information on downloading products from the support website.
  2. Extract the archive in /opt/phoenix on the Supervisor node.
  3. Run the script /opt/phoenix/DR/FSM_DR.sh and answer the required questions.
    This script sets up a cron job that does the following:
    1. Copies the CMDB and SVN from Primary to Secondary once every day.
    2. Copies phoenix_config.txt from Primary to Secondary once every day.
    3. Runs the rsync program to copy the event database (/data) from Primary to Secondary once every hour.

Step 4: Run Disaster Recovery

On the Secondary FortiSIEM, perform the following steps.

  1. SSH to the Supervisor and find the latest CMDB backup file in:
    /data/archive/cmdb/phoenixdb_<Date_Time>_primarySite
  2. Restore the CMDB as follows:
    1. Run the command to stop the back-end processes:
      phtools --stop all
    2. Run the command to restore the latest Primary CMDB, passing the backup file found in step 1:
      /opt/phoenix/deployment/db_restore.sh /data/archive/cmdb/phoenixdb_<Date_Time>_primarySite
  3. Delete the Worker cache file by running:
    rm /data/cache/worker_mon_job.xml
  4. Run /opt/vmware/share/vami/vami_config_net to configure the network.
    The system will reboot once the configuration is complete.
  5. Change the SVN password by running:
    /opt/phoenix/DR/phsetsvnpwd.sh
    1. Enter the Organization as 'Super'.
    2. Enter the full admin user name and password to reset the SVN password.
  6. Add new Worker(s), if necessary.
  7. Modify Event Forwarding.
    If your setup is similar to:
    • Figure 1, change the Worker Upload settings to enable Collectors to send to the Secondary Workers.
    • Figure 2, configure the Load Balancer to send to the new Workers.
  8. Check the Cloud and Collector health and make sure all processes are running.
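Before restoring in step 2, it is worth confirming that the backup chosen in step 1 is actually recent: the DR cron job from Step 3 copies the CMDB once a day, so a copy much older than that means the sync had already stalled before the failover and the Secondary would be restored from stale data. The script below is an added example, not part of the Fortinet document or the DR.tar scripts; it assumes the /data/archive/cmdb path and phoenixdb_<Date_Time>_primarySite naming from step 1, a 36-hour tolerance (an assumed value), and GNU coreutils (stat -c, touch -d).

```bash
#!/usr/bin/env bash
# Added example, not part of the Fortinet document. Locates the newest Primary CMDB
# backup on the Secondary Supervisor (Step 4.1 pattern) and checks that it is recent.
# Assumptions: backups live in /data/archive/cmdb as phoenixdb_<Date_Time>_primarySite;
# the DR cron job copies the CMDB once a day (Step 3), so a copy older than the limit
# (36 h here, an assumed tolerance) means the sync has stalled and a restore would be stale.

# Print the newest file matching the DR backup pattern in directory $1, chosen by
# modification time so no assumption about the <Date_Time> format is needed.
latest_cmdb_backup() {
    local dir=$1 newest="" f
    for f in "$dir"/phoenixdb_*_primarySite; do
        [ -e "$f" ] || continue                         # glob matched nothing
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Age of file $1 in whole hours, from its modification time (GNU stat).
file_age_hours() {
    echo $(( ($(date +%s) - $(stat -c %Y "$1")) / 3600 ))
}

# Return 0 if the newest backup in $1 is at most $2 hours old; 1 if stale or missing.
check_backup_freshness() {
    local dir=$1 max_age=$2 latest age
    latest=$(latest_cmdb_backup "$dir") || {
        echo "MISSING: no phoenixdb_*_primarySite file in $dir" >&2; return 1; }
    age=$(file_age_hours "$latest")
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE: $latest is ${age}h old (limit ${max_age}h); check the DR cron job on the Primary" >&2
        return 1
    fi
    echo "OK: $latest is ${age}h old"
}

# Stand-alone demo on constructed files in a temporary directory (no FortiSIEM needed).
demo() {
    local dir; dir=$(mktemp -d)
    touch -d '50 hours ago' "$dir/phoenixdb_old_primarySite"   # constructed stale copy
    touch "$dir/phoenixdb_new_primarySite"                     # constructed fresh copy
    check_backup_freshness "$dir" 36
    rm -r "$dir"
}
demo
```

On a real Secondary, call check_backup_freshness /data/archive/cmdb 36 instead of demo and only proceed to db_restore.sh when it reports OK.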

Step 5: Restore the Primary FortiSIEM

Recover the Primary FortiSIEM from the Secondary FortiSIEM following the same procedure as in Steps 3 and 4, with the roles of the two sites reversed.