Migrating from FortiSIEM 5.3.0, 5.3.1, or 5.3.2

WARNING: FortiSIEM 5.3.3 and 5.4.0 cannot be upgraded to FortiSIEM 6.1.0. You must upgrade to FortiSIEM 6.1.1.

This section describes how to upgrade from FortiSIEM 5.3.0, 5.3.1, or 5.3.2 to FortiSIEM 6.1.0. FortiSIEM performs the migration in place, via a bootloader. There is no need to create a new image or copy disks. The bootloader shell contains the new version of FortiSIEM.

Pre-Migration Checklist

To perform the migration, the following prerequisites must be met:

  1. Ensure that your system can connect to the network. You will be asked to provide a DNS Server and a host that can be resolved by the DNS Server and responds to ping. The host can either be an internal host or a public domain host like google.com.
  2. Make sure you are running FortiSIEM 5.3.0, 5.3.1, or 5.3.2.
  3. Take a SnapShot of the running FortiSIEM instance.
  4. Delete the Worker from Super GUI.
  5. Stop/Shutdown the Worker.
  6. Make sure the root directory (/) has at least 1 GB of available space.
  7. Right-click the FortiSIEM image in and launch the Virtual Manager.
  8. Add three extra hard disks and apply the changes:
    • Hd5/100G/VirtIO
    • Hd6/50G/VirtIO
    • Hd7/25G/VirtIO

  9. Start the images to make sure that you have added the three disks correctly before continuing with the next steps.

    Note: You can find detailed information about installing FortiSIEM and configuring disks in Fresh Installation.

  10. Review the list of Datastores and click Apply.
  11. In the Virtual Manager, right-click the FortiSIEM VM and select Run.
  12. In the Virtual Manager, click Open.
  13. Log in to the console as user root, with password ProspectHills.
  14. In the console, run fdisk -l, for example:

    # fdisk -l

    Note the list of the partition tables, the disk names, and their approximate sizes. You will need this information for a later step.

  15. Mount the ~50GB disk to the /images directory. In the console, enter these commands and options:
    1. Enter # fdisk /dev/<your_50GB_disk> Press Return.
    2. Enter n to add a new partition. Press Return.
    3. Enter p to choose primary partition. Press Return.
    4. Enter 1 to choose partition number. Press Return.
    5. Press Return to accept the default.
    6. Press Return to accept the default.
    7. Enter w to write the table to disk and exit. Press Return.
    8. Enter the mkfs.ext4 /dev/sdf1 command (where sdf1 is the 50GB disk) to make a file system.
    9. Enter the mkdir -p /images command to create an images directory.
    10. Enter mount /dev/sdf1 /images to mount the 50GB disk to the /images directory.

      Or mount by UUID if the disk name has changed, for example:

      # blkid /dev/sdf1
      /dev/sdf1: UUID="d4a5b82f-6e73-456b-ab08-d6e6d845d1aa" TYPE="ext4"

      # mount -U d4a5b82f-6e73-456b-ab08-d6e6d845d1aa /images

  16. Enter the df -h command to get the file system disk space usage.

    The following screen shot illustrates Steps 13 and 14.

  17. Download the 6.1.0 FortiSIEM image file, 6.1.0/HW/FSM_Full_All_RAW_HW-6.1.0_build0112.zip, from the support site and copy it to the /images directory.
  18. Use unzip to extract the file.

    # unzip FSM_Full_All_RAW_HW-6.1.0_build0112.zip

    Note: The image size is about 5.5GB after extracting.

  19. Create a soft link to the image folder, for example:

    # ln -sf /images/FortiSIEM-6.1.0.0112.img /images/latest

  20. Enter the ll command to ensure that the latest link is defined, for example:

    # ll
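Added example, not part of the Fortinet procedure: steps 14 and 15 partition and format whichever disk you name, so this helper picks the ~50GB disk by size from lsblk output and refuses when the match is missing, already partitioned, or ambiguous. The function name find_image_disk and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not Fortinet tooling).
# Input on stdin: output of
#   lsblk -b -n -l -o NAME,SIZE,TYPE,PKNAME
# Usage: find_image_disk <size_GiB> <tolerance_GiB>
# Exit status: 0 = exactly one blank disk in range (path printed),
#              1 = no blank disk in range,
#              2 = more than one candidate, refuse to guess.

# Constructed sample listing: four original disks plus the three added
# in step 8 (100G, 50G, 25G). Only sdf is a blank disk of about 50GB.
SAMPLE_LSBLK='sda 85899345920 disk
sda1 1073741824 part sda
sda2 84824555520 part sda
sdb 64424509440 disk
sdb1 64423460864 part sdb
sdc 64424509440 disk
sdc1 64423460864 part sdc
sdd 107374182400 disk
sdd1 107373133824 part sdd
sde 107374182400 disk
sdf 53687091200 disk
sdg 26843545600 disk'

find_image_disk() {
  awk -v lo="$(( ($1 - $2) * 1073741824 ))" \
      -v hi="$(( ($1 + $2) * 1073741824 ))" '
    # Remember every whole disk and its size in bytes.
    $3 == "disk" { size[$1] = $2 + 0; order[++n] = $1 }
    # A partition line carries its parent disk in the fourth column.
    $3 == "part" && NF >= 4 { used[$4] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        d = order[i]
        if (size[d] >= lo + 0 && size[d] <= hi + 0 && !(d in used)) {
          hit = d
          hits++
        }
      }
      if (hits == 1) { print "/dev/" hit; exit 0 }
      exit (hits == 0 ? 1 : 2)
    }'
}

# Run against the constructed sample; prints the selected device path.
printf '%s\n' "$SAMPLE_LSBLK" | find_image_disk 50 2
```

On a live system, pipe the lsblk command from the header comment into the function and compare the result with the fdisk -l listing from step 14 before running fdisk or mkfs.ext4.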

 

Migrate All-in-one Installation

Download the Bootloader

Install and configure the FortiSIEM bootloader to start migration. Follow these steps:

  1. Download the bootloader FSM_Bootloader_6.1.0_Build0112.zip from the support site and copy it to the /images directory.
  2. Unzip the .zip file, for example:

    # unzip FSM_Bootloader_6.1.0_Build0112.zip

     

Prepare the Bootloader

Follow these steps to run the prepare_bootloader script:

  1. Go to the bootloader directory, for example:

    # cd /images/FSM_Bootloader_6.1.0_build0112

  2. Run the prepare_bootloader script to install and configure the bootloader. This script installs, configures, and reboots the system. The script may take a few minutes to complete.

    # sh prepare_bootloader

  3. The script will open the FortiSIEM bootloader shell.

    Note: You might have to reboot the system manually if auto-reboot does not work.

  4. Go to the console view in your hypervisor.
  5. In the FortiSIEM bootloader shell, choose FortiSIEM Boot Loader. Press Return.

Load the FortiSIEM 6.1.0 Image

Follow these steps to load the FortiSIEM image:

  1. Log in to the bootloader shell as user root with password ProspectHills.

  2. Create and mount the /images directory:
    1. Create a /images directory if it is not already present, for example:

      # mkdir -p /images

    2. Mount the sdf1 (the 50GB disk) to the /images directory, for example:

      # mount /dev/sdf1 /images

      Use # fdisk -l to find the image drive, which should be the 50GB disk.

      Or mount by UUID if the disk name has changed, for example:

      # blkid /dev/sdf1
      /dev/sdf1: UUID="d4a5b82f-6e73-456b-ab08-d6e6d845d1aa" TYPE="ext4"

      # mount -U d4a5b82f-6e73-456b-ab08-d6e6d845d1aa /images

    3. Change to the /images directory, for example:

      # cd /images

    4. Run the ll command to check disk usage.

      # ll

      These steps are illustrated in the following screen shot.

  3. Run the load_image script to replace the old image with the new image, for example:
    1. Change to the root directory and check the contents, for example:

      # cd /

      # ll

    2. Run the load_image script, for example:

      # sh load_image

      When the script completes, press Return.

    3. Press Return again to end the load_image script.
    4. Run the fdisk -l command to check that the disks have been configured, for example:

      # fdisk -l

  4. In the Virtual Manager, power off the VM after load_image completes.
  5. Important: At this stage, the Bus type for all seven hard disks is VirtIO. You must make the following changes:
    1. Identify the 25GB disk which is the boot disk. (Note that it is not in any particular order).
    2. Select the 25GB boot disk as the Boot Options. In this case, it is VirtIO Disk2.
    3. Make sure the Enable boot menu is selected.
    4. Click Apply to save the result.

  6. Power on the image and move to the next step for the migration.

Migrate to FortiSIEM 6.1.0

Follow these steps to complete the migration process:

  1. Log in to the bootloader shell as user root with password ProspectHills. You will immediately be asked to change your password.
  2. Create and mount the /images directory:
    1. Change directory to root, for example:

      # cd /

    2. Create the /images directory, for example:

      # mkdir -p /images

    3. Mount the sdf1 (the 50GB disk) to /images, for example:

      # mount /dev/sdf1 /images

      Or mount by UUID if the disk name has changed, for example:

      # mount -U d4a5b82f-6e73-456b-ab08-d6e6d845d1aa /images

  3. Run the configFSM.sh command to configure the migration via a GUI, for example:

    # configFSM.sh

  4. In the first screen of the GUI select 1 Yes to set a timezone. Press Next.

  5. Select a region for the timezone. In this example, US is selected. Press Next.

  6. Select a timezone in the selected region. In this example, Pacific is selected. Press Next.

  7. Select a target to configure. In this example, the Supervisor is selected. Press Next.

  8. Select the 6 migrate_6_1_0 Operation option. Press Next.

  9. Test network connectivity by entering a host name that can be resolved by your DNS Server (entered in the previous step) and can respond to a ping. The host can either be an internal host or a public domain host like google.com. Press Next.

  10. Press the Run command to complete migration, for example:

  11. The options for the configureFSM.py script are described in the table here.

  12. The script will take some minutes to run. When it is finished, migration is complete.
  13. To ensure phMonitor is running, execute the phstatus command, for example:

    # phstatus

Migrate Cluster Installation

This section provides instructions on how to migrate Supervisor, Workers, and Collectors separately in a cluster environment.

Delete Workers

  1. Log in to the Supervisor.
  2. Go to Admin > License > Nodes and delete the Workers one-by-one.
  3. Go to the Admin > Cloud Health page and make sure that the Workers are not present.

    Note that the Collectors will buffer events while the Workers are down.

  4. Shut down the Workers.

    SSH to the Workers one-by-one and shut down each Worker.

 

Migrate Supervisor

Follow the steps in Migrate All-in-one Installation to migrate the supervisor node. Note: FortiSIEM 6.1.0 does not support Worker or Collector migration.

Install New Worker(s)

Follow the steps in Cluster Installation > Install Workers to install new Workers. You can either keep the same IP address or change the address.

Register Workers

Follow the steps in Cluster Installation > Register Workers to register the newly created 6.1.0 Workers to the 6.1.0 Supervisor. The 6.1.0 FortiSIEM Cluster is now ready.

Set Up Collector-to-Worker Communication

  1. Go to Admin > Systems > Settings.
  2. Add the Workers to the Event Worker or Query Worker as appropriate.
  3. Click Save.

Working with Pre-6.1.0 Collectors

Pre-6.1.0 Collectors and agents will work with 6.1.0 Supervisor and Workers. You can install 6.1.0 collectors at your convenience.

Install 6.1.0 Collectors

FortiSIEM does not support Collector migration to 6.1.0. You can install new 6.1.0 Collectors and register them to 6.1.0 Supervisor in a specific way so that existing jobs assigned to Collectors and Windows agent associations are not lost. Follow these steps:

  1. Copy the http hashed password file (/etc/httpd/accounts/passwds) from the old Collector.
  2. Disconnect the pre-6.1.0 Collector.
  3. Install the 6.1.0 Collector with the old IP address by following the steps in Cluster Installation > Install Collectors.
  4. Copy the saved http hashed password file (/etc/httpd/accounts/passwds) from the old Collector to the 6.1.0 Collector.

    This step is needed for Agents to work seamlessly with 6.1.0 Collectors. The reason for this step is that when the Agent registers, a password for Agent-to-Collector communication is created and the hashed version is stored in the Collector. During 6.1.0 migration, this password is lost.
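Added example, not Fortinet tooling: one way to carry /etc/httpd/accounts/passwds across steps 1 and 4 so that the hashed Agent passwords arrive unchanged, with the same mode and owner. The function names, the staging directory and the manifest format are hypothetical; GNU sha256sum and stat are assumed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers). Assumes GNU coreutils.

# save_passwds SRC STAGE_DIR
# Run on the old Collector (step 1). Copies SRC into a 0700 staging
# directory and records its hash, mode and owner in a manifest.
save_passwds() {
  src=$1
  stage=$2
  [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
  ( umask 077 && mkdir -p "$stage" ) || return 1
  chmod 700 "$stage" || return 1
  cp -p "$src" "$stage/passwds" || return 1
  {
    printf 'sha256=%s\n' "$(sha256sum < "$src" | cut -d' ' -f1)"
    printf 'mode=%s\n'   "$(stat -c '%a' "$src")"
    printf 'owner=%s\n'  "$(stat -c '%U:%G' "$src")"
  } > "$stage/passwds.manifest"
}

# verify_passwds FILE MANIFEST
# Run on the 6.1.0 Collector after the copy in step 4.
# Returns 0 if FILE matches the manifest, 1 if the content differs,
# 2 if the mode differs, 3 if the owner differs.
verify_passwds() {
  file=$1
  manifest=$2
  want_hash=$(sed -n 's/^sha256=//p' "$manifest")
  want_mode=$(sed -n 's/^mode=//p' "$manifest")
  want_owner=$(sed -n 's/^owner=//p' "$manifest")
  [ "$(sha256sum < "$file" | cut -d' ' -f1)" = "$want_hash" ] \
    || { echo "content differs from old Collector" >&2; return 1; }
  [ "$(stat -c '%a' "$file")" = "$want_mode" ] \
    || { echo "mode differs, expected $want_mode" >&2; return 2; }
  [ "$(stat -c '%U:%G' "$file")" = "$want_owner" ] \
    || { echo "owner differs, expected $want_owner" >&2; return 3; }
  return 0
}

# Typical use (paths other than the passwds file are placeholders):
#   old Collector:  save_passwds /etc/httpd/accounts/passwds /root/passwds-stage
#   new Collector:  verify_passwds /etc/httpd/accounts/passwds \
#                     /root/passwds-stage/passwds.manifest
```

Remove the staging directory from both hosts once verification succeeds, since it holds a copy of the hashed credentials.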

Register 6.1.0 Collectors

Follow the steps in Cluster Installation > Register Collectors, with the following difference: in the phProvisionCollector command, use the --update option instead of --add. Other than this, use exactly the same parameters that were used to register the pre-6.1.0 Collector. Specifically, use this form of the phProvisionCollector command to register a 6.1.0 Collector and keep the old associations:

# /opt/phoenix/bin/phProvisionCollector --update <user> '<password>' <Super IP or Host> <Organization> <CollectorName>

The password should be enclosed in single quotes to ensure that any non-alphanumeric characters are escaped.

 

Re-install new Windows Agents with the old InstallSettings.xml file. Both the migrated and the new agents will work. The new Linux Agent and migrated Linux Agent will also work.
