Migrating from FortiSIEM 5.3.x or 5.4.x

This section describes how to upgrade the 2000F appliance from FortiSIEM 5.3.x or 5.4.x to FortiSIEM 6.1.0. FortiSIEM performs migration in-place, via a bootloader. There is no need to create a new image or copy disks. The bootloader shell contains the new version of FortiSIEM.

Pre-Migration Checklist

To perform the migration, the following prerequisites must be met:

  1. Make sure your system can connect to the Internet.
  2. A keyboard and monitor must be plugged into the appliance and accessible for the upgrade.
  3. Make sure you are running a 5.3.x or 5.4.x version of FortiSIEM. If you are not running one of these versions, then first upgrade to one of these versions and then apply the procedures below.
  4. Delete the Worker from the Super GUI.
  5. Stop/shut down the Worker.
  6. Make sure the /data directory (/) has at least 25+ GB of available space to store the new image.
  7. Log in to your FSM as root and run the following commands:

    # mkdir -p /data/images

    # ln -s /data/images /images

    or if using NFS or Elasticsearch storage:

    # mkdir -p /svn/images

    # ln -s /svn/images /images

  8. Go to the /images directory. Download the 6.1.0 hardware image from the support site, then unzip it. For example:

    # unzip FSM_Full_All_RAW_HARDWARE_6.1.0_build0112.zip

    Note: The image size is about 25GB after extracting.

  9. Create a soft link to images, for example:

    # ln -sf /images/FortiSIEM-RAW-Hardware-6.1.0.0112.img /images/latest

  10. Enter the ll command to ensure the latest link is defined, for example:

    # ll
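The checks in steps 6, 9 and 10 can be scripted so that a dangling `latest` link or a damaged image is caught before the bootloader is prepared. This is an added example, not Fortinet code; the function names are hypothetical, and the checksum comparison assumes you have a SHA-256 value for the image from the download source.

```shell
#!/bin/bash
# Added example (not Fortinet code). Function names are hypothetical.

# free_gb DIR: print whole GB available on the filesystem that holds DIR.
free_gb() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 / 1024 }'
}

# has_space DIR MIN_GB: run before downloading the image (step 6).
has_space() {
    [ "$(free_gb "$1")" -ge "$2" ]
}

# latest_ok DIR: DIR/latest must be a symlink that resolves to a
# non-empty regular file (steps 9 and 10). A dangling link fails here.
latest_ok() {
    [ -L "$1/latest" ] && [ -f "$1/latest" ] && [ -s "$1/latest" ]
}

# sha256_ok FILE EXPECTED: compare the file's SHA-256 with EXPECTED.
# Assumption: EXPECTED is a checksum obtained alongside the download.
sha256_ok() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# verify_image DIR [EXPECTED_SHA256]: run after steps 8 to 10.
verify_image() {
    dir=$1 expected=$2 rc=0
    if ! latest_ok "$dir"; then
        echo "FAIL: $dir/latest does not resolve to an image file"
        return 1
    fi
    if [ -n "$expected" ] && ! sha256_ok "$dir/latest" "$expected"; then
        echo "FAIL: SHA-256 of $dir/latest does not match"
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh space /images
#        sh preflight.sh verify /images [expected-sha256]
case "$1" in
    space)  has_space "$2" 25 || { echo "FAIL: under 25 GB free in $2"; exit 1; } ;;
    verify) verify_image "$2" "$3" ;;
esac
```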

Migrate All-in-One Installation

Download the Bootloader

Install and configure the FortiSIEM bootloader to start migration. Follow these steps:

  1. Download the bootloader FSM_Bootloader_6.1.0_build0112.zip from the support site and copy it to the /images directory.
  2. Unzip the file, for example:

    # unzip FSM_Bootloader_6.1.0_build0112.zip

Prepare the Bootloader

Follow these steps to run the prepare_bootloader script:

  1. Go to the bootloader directory, for example:

    # cd /images/FSM_Bootloader_6.1.0_build0112

  2. Run the prepare_bootloader script to install and configure the bootloader. This script installs, configures, and reboots the system. The script may take from a few minutes to over an hour to complete.

    # sh prepare_bootloader

  3. The script will open the FortiSIEM bootloader shell.

    Note: you might have to reboot the system manually if auto-reboot does not work.

  4. In the FortiSIEM bootloader shell, use the keyboard and monitor to choose FortiSIEM Boot Loader. Press Return.

Load the FortiSIEM 6.1.0 Image

Follow these steps to load the FortiSIEM image:

  1. Log in to the bootloader shell as user root with password ProspectHills.

  2. Create and mount the /data directory:
    1. Create a /data directory, for example:

      # mkdir -p /data

      or if using NFS or Elasticsearch storage:

      # mkdir -p /svn

    2. Mount the sdf1 (the 50GB disk) to the /data directory, for example:

      # mount /dev/mapper/FSIEM2000F-phx_data /data

      or if using NFS or Elasticsearch storage:

      # mount /dev/mapper/FSIEM2000F-phx_svn /svn

    3. Create a symbolic link to images from data:

      # ln -sf /data/images /images

      or if using NFS or Elasticsearch storage:

      # ln -sf /svn/images /images

    4. Change to the /images directory, for example:

      # cd /images

    5. Run the ll command to check disk usage.

      # ll

      These steps are illustrated in the following screen shot.

  3. Run the load_image script to replace the old image with the new image, for example:
    1. Change to the root directory and check the contents, for example:

      # cd /

      # ll

    2. Run the load_image script, for example:

      # sh load_image

    3. Press Return again when the load_image script finishes.
    4. Reboot your system manually if it does not do so automatically.

Migrate to FortiSIEM 6.1.0

Follow these steps to complete the migration process:

  1. Log in to the bootloader shell as user root with password ProspectHills. You will immediately be asked to change your password.
  2. Create and mount the /images directory from /data:
    1. Change directory to root, for example:

      # cd /

    2. Create the /data directory, for example:

      # mkdir -p /data

      or if using NFS or Elasticsearch storage:

      # mkdir -p /svn

    3. Mount the data directory and symlink it to /images, for example:

      # mount /dev/mapper/FSIEM2000F-phx_data /data

      # ln -s /data/images /images

      or if using NFS storage:

      # mount /dev/mapper/FSIEM2000F-phx_svn /svn

      # ln -s /svn/images /images

  3. Run the configFSM.sh command to configure the migration via a GUI, for example:

    # configFSM.sh

  4. In the first screen of the GUI select 1 Yes to set a timezone. Press Next.

  5. Select a region for the timezone. In this example, US is selected. Press Next.

  6. Select a timezone in the selected region. In this example, Pacific is selected. Press Next.

  7. Select a target to configure. In this example, the Supervisor is selected. Press Next.

  8. Select option 6 migrate_6_1_1.

  9. Test network connectivity by entering a host name that can be resolved by your DNS Server (entered in the previous step) and responds to ping. The host can either be an internal host or a public domain host like google.com. In order for the migration to complete, the system still needs https connectivity to FortiSIEM OS update servers: os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-c8.fortisiem.fortinet.com. Press Next.

  10. Press the Run command to complete migration, for example:

    The options for the command are described in the following table:

    Option          Description
    -r              The FortiSIEM component being configured
    -z              The time zone being configured
    -i              IPv4-formatted address
    -m              Address of the subnet mask
    -g              Address of the gateway server used
    --host          Host name
    -f              FQDN address: fully-qualified domain name
    -t              The IP type. The values can be either 4 (for ipv4) or 6 (for v6). Note: the 6 value is not currently supported.
    --dns1, --dns2  Addresses of DNS server 1 and DNS server 2.
    -o              Installation option.
    -z              Time zone. Possible values are US/Pacific, Asia/Shanghai, Europe/London, or Africa/Tunis
    --testpinghost  The host used to test connectivity.

  11. The script will take some minutes to run. When it is finished, migration is complete.
  12. Log in to your system again as user root with your new password.
  13. To ensure phMonitor is running, execute the phstatus command, for example:

    # phstatus

Migrate Cluster Installation

This section provides instructions on how to migrate Supervisor, Workers, and Collectors separately in a cluster environment.

Delete Workers

  1. Log in to the Supervisor.
  2. Go to Admin > License > Nodes and delete the Workers one-by-one.
  3. Go to the Admin > Cloud Health page and make sure that the Workers are not present.

    Note that the Collectors will buffer events while the Workers are down.

  4. Shut down the Workers.

    SSH to the Workers one-by-one and shut down the Workers.

Migrate Supervisor

Follow the steps in Migrate All-in-one Installation to migrate the supervisor node. Note: FortiSIEM 6.1.0 does not support Worker or Collector migration.

Install New Worker(s)

Follow the steps in Installing Workers to install new Workers. You can either keep the same IP address or change the address.

Register Workers

Follow the steps in Registering Workers to register the newly created 6.1.0 Workers to the 6.1.0 Supervisor. The 6.1.0 FortiSIEM Cluster is now ready.

Set Up Collector-to-Worker Communication

  1. Go to Admin > Systems > Settings.
  2. Add the Workers to the Event Worker or Query Worker as appropriate.
  3. Click Save.

Working with Pre-6.1.0 Collectors

Pre-6.1.0 Collectors and agents will work with 6.1.0 Supervisor and Workers. You can install 6.1.0 collectors at your convenience.

Install 6.1.0 Collectors

FortiSIEM does not support Collector migration to 6.1.0. You can install new 6.1.0 Collectors and register them to 6.1.0 Supervisor in a specific way so that existing jobs assigned to Collectors and Windows agent associations are not lost. Follow these steps:

  1. Copy the http hashed password file (/etc/httpd/accounts/passwds) from the old Collector.
  2. Disconnect the pre-6.1.0 Collector.
  3. Install the 6.1.0 Collector with the old IP address.
  4. Copy the saved http hashed password file (/etc/httpd/accounts/passwds) from the old Collector to the 6.1.0 Collector.

    This step is needed for Agents to work seamlessly with 6.1.0 Collectors. The reason for this step is that when the Agent registers, a password for Agent-to-Collector communication is created and the hashed version is stored in the Collector. During 6.1.0 migration, this password is lost.
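Because the file carried over in steps 1 and 4 holds credential hashes, it is worth keeping the saved copy private and confirming it is unchanged before it is put in place on the new Collector. The following is an added example, not Fortinet code; `save_passwds` and `restore_passwds` are hypothetical helper names, and the transfer between hosts is left to your usual secure copy method.

```shell
#!/bin/bash
# Added example (not Fortinet code). Helper names are hypothetical.

# save_passwds SRC BACKUP_DIR: run on the old Collector (step 1).
# Stores a copy in an owner-only directory with a SHA-256 manifest.
save_passwds() {
    src=$1 out=$2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    mkdir -p "$out" && chmod 700 "$out" || return 1
    cp -p "$src" "$out/passwds" || return 1
    ( cd "$out" && sha256sum passwds > passwds.sha256 )
}

# restore_passwds BACKUP_DIR DEST: run on the 6.1.0 Collector (step 4).
# Refuses to install a copy that no longer matches its manifest.
restore_passwds() {
    bk=$1 dest=$2
    ( cd "$bk" && sha256sum -c --quiet passwds.sha256 ) || {
        echo "saved copy differs from manifest, not installing" >&2
        return 1
    }
    if [ -e "$dest" ]; then
        # Keep what the fresh install created, then overwrite the contents
        # in place so the installed owner and mode stay as they are.
        cp -p "$dest" "$dest.pre-restore" || return 1
        cat "$bk/passwds" > "$dest" || return 1
    else
        ( umask 077; cp "$bk/passwds" "$dest" ) || return 1
    fi
    cmp -s "$bk/passwds" "$dest"
}

# Usage: sh passwds.sh save /etc/httpd/accounts/passwds /root/passwds-backup
#        sh passwds.sh restore /root/passwds-backup /etc/httpd/accounts/passwds
case "$1" in
    save)    save_passwds "$2" "$3" ;;
    restore) restore_passwds "$2" "$3" ;;
esac
```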

Register 6.1.0 Collectors

To register collectors, use the --update option instead of --add in the phProvisionCollector command. Other than this, use exactly the same parameters that were used to register the pre-6.1.0 Collector. Specifically, use this form of the phProvisionCollector command to register a 6.1.0 Collector and keep the old associations:

# /opt/phoenix/bin/phProvisionCollector --update <user> '<password>' <Super IP or Host> <Organization> <CollectorName>

The password should be enclosed in single quotes to ensure that any non-alphanumeric characters are escaped.

Re-install new Windows Agents with the old InstallSettings.xml file. Both the migrated and the new agents will work. The new Linux Agent and migrated Linux Agent will also work.

Upgrading FortiSIEM

For upgrading FortiSIEM from 5.3.x or 5.4.0 to 6.1.0, refer to the section Upgrading a FortiSIEM Single Node Deployment in the Upgrade Guide.
