Upgrading to FortiSIEM 6.1.1
If you are running FortiSIEM 6.x then use these instructions to upgrade to the latest FortiSIEM 6.x version.
Pre-Upgrade Steps
If you are running FortiSIEM 6.1.0, then you will need a simple step before you proceed to upgrade. This involves copying a file into a specific location on the Supervisor node. Please complete this step before you proceed to upgrade to the latest FortiSIEM version.
- Carefully consider the known issues, if any, in the Release Notes.
- Download the file FSM_Upgrade_Script_Patch_6.1.1_build0118.zip from the Fortinet Support website.
- Login to the Supervisor as root.
- Extract the upgrade.py script.
- Copy it to /usr/local/syslib/.
- Continue with the upgrade instructions below.
Upgrade Single Node Deployment
These instructions cover the upgrade process for the FortiSIEM deployment consisting of a single Supervisor node.
- Download the upgrade image FSM_Upgrade_All_6.1.1_build0118.zip from the Fortinet Support website.
- Copy the file to the Supervisor:
  - Login as root.
  - Run mkdir -p /opt/upgrade.
  - Run cd /opt/upgrade.
  - Copy FSM_Upgrade_All_6.1.1_build0118.zip to /opt/upgrade.
- To avoid issues with SSH connection timeouts, disconnects etc.:
  - Run the upgrade using the following command:
    screen -S upgrade
  - To reconnect to the screen after a failure, run:
    screen -r
- Upgrade by running configFSM.sh:
  - Setup Timezone with Country and Region and click Next.
  - Select Supervisor and click Next.
  - Select Upgrade operation and click Next.
  - Enter the version you want to upgrade to and click Next.
  - Once FortiSIEM finds the matching upgrade package, click OK.
  - Enter a host name (myhost.com as an example) that can be resolved from the Supervisor, then click Next. Note: Internet connectivity is the same as network connectivity.
  - Click Run.
- Login to the Supervisor and make sure the upgrade succeeded.
  - In the GUI, go to Admin > Health > Cloud Health to make sure it is running the upgraded version and that all processes are up and running.
  - Login via SSH and run phstatus to make sure that all processes are up and running.
Upgrade Cluster Deployment
These instructions cover the upgrade process for a FortiSIEM cluster deployment consisting of the Supervisor, Workers and Collectors.
Overview
It is important to be aware of these steps while upgrading the FortiSIEM cluster. This is a general overview only; detailed steps will follow.
- Shut down all Workers. Collectors can be up and running.
- Upgrade Supervisor first (while all Workers are shutdown).
- After Supervisor is up and running, upgrade Workers one by one.
- Upgrade Collectors.
Step #1 prevents the accumulation of Report files while the Supervisor is not available during upgrade. If these steps are not followed, the Supervisor may not be able to come up after the upgrade because of excessive unprocessed report file accumulation.
Note: Both the Supervisor and the Worker must be on the same FortiSIEM version, or else various software modules may not work properly. However, Collectors can be in an older version (one version older) - they will work, however they may not have the latest discovery and performance monitoring features in the Supervisor/Worker versions. So FortiSIEM recommends that you also upgrade Collectors within a short period of time. If you have Collectors in your deployment, make sure you have configured an image server to use as a repository for the Collector.
Detailed Steps - Local Disk or NFS Storage
- Shutdown all Worker nodes.
- Upgrade Supervisor using the previous step. Make sure the Supervisor is running the version you have upgraded to and that all processes are up and running.
- After upgrading the Supervisor, you can upgrade Workers one by one, the same way as the Supervisor. In this case, choose Worker.
- After you have upgraded all of the Workers, login to the Supervisor. Go to Admin > Health > Cloud health and make sure that all Workers are running the version you have upgraded to and that all processes are up and running. Note: Supervisor and Workers must be on the same version.
- Upgrade Collectors running 6.1.0 or later.
  - Login to the Supervisor via SSH as root.
  - Setup upgrade by running:
    phSetupCollectorUpgrade.sh /opt/upgrade/FSM_Upgrade_All_6.1.1_build0118.zip <superIP>
    The command will copy the upgrade files to the right location and prepare collector download.
  - Login to the FortiSIEM GUI.
  - Go to the ADMIN > Health > Collector Health page.
  - Select a Collector, then choose Actions > Download Image, then wait for completion.
  - Select a Collector, then choose Actions > Install Image, then wait for completion.
  - Collector will upgrade, reboot and re-connect to the Supervisor. Check Collector Health to make sure it is running normally.
- For pre-6.1.0 Collectors, FortiSIEM does not support Collector migration to 6.1.0 for VM based collectors. You will need to install new 6.1.1 Collectors and register them to 6.1.1 Supervisor in a specific way so that existing jobs assigned to Collectors and Windows agent associations are not lost. To do this follow these steps:
  - Preparation steps:
    - Copy the http hashed password file /etc/httpd/accounts/passwds from the old Collector.
    - Disconnect the pre-6.1.0 Collector.
    - Install the 6.1 Collector with the old IP address by following the steps in Cluster Installation > Install Collectors.
    - Copy the saved http hashed password file /etc/httpd/accounts/passwds from the old Collector to the 6.1.0 Collector. This step is needed for Agents to work seamlessly with 6.1.0 Collectors. The reason for this step is that when the Agent registers, a password for Agent-to-Collector communication is created and the hashed version is stored in the Collector. During 6.1.0 migration, this password is lost.
  - Register Collectors steps:
    - Follow the steps in Cluster Installation > Register Collectors, with the following difference: in the phProvisionCollector command, use the --update option instead of --add. Other than this, use the same parameters that were used to register the pre-6.1.0 Collector. Specifically, use the phProvisionCollector command to register a 6.1.0 Collector and keep the old associations:
      # /opt/phoenix/bin/phProvisionCollector --update <user> <password> <Super IP or Host> <Organization> <CollectorName>
      Then, re-install new Windows Agents with the old InstallSettings.xml file. Both the migrated and the new agents will work. The new Linux Agent and migrated Linux Agent will also work.
- Follow steps in the 500F Collector Configuration Guide to upgrade 500F hardware based Collectors to 6.1.1.
Detailed steps – Elasticsearch Storage
For Elasticsearch, 6.1.0 Workers cannot be upgraded to 6.1.1. You must delete the Workers from the Supervisor, upgrade the Supervisor, and then add back the Workers.
- Delete the Workers as follows:
  - Login to Supervisor.
  - Go to Admin > License > Nodes and delete Workers one by one.
  - Go to Admin > Health > Cloud health and make sure Workers do not appear.
  - Go to Admin > Event Worker and delete the Workers.
- Shutdown the Workers.
- Upgrade the Supervisor as in the Single node install. Then go to Admin > Storage > Online > Elasticsearch and click Test and Save. This important step pushes the latest event attribute definitions to Elasticsearch.
- Install fresh Worker nodes based on your platform. See the appropriate Installation and Migration Guide for your platform.
- Add back the Workers to the Supervisor as follows:
  - Login to Supervisor.
  - Go to Admin > License > Nodes and add Workers one by one.
  - Go to Admin > Health > Cloud health and make sure Workers appear.
  - Go to Admin > Event Worker and add the Workers.
- At this point, both Super and Worker must be running 6.1.0. Collectors must be sending events. Verify this from Admin > Health > Cloud health, Admin > Health > Collector health, and by running some reports.
- Upgrade Collectors running 6.1.0 or later.
  - Login to the Supervisor via SSH as root.
  - Setup upgrade by running:
    phSetupCollectorUpgrade.sh /opt/upgrade/FSM_Upgrade_All_6.1.1_build0118.zip <superIP>
    The command will copy the upgrade files to the right location and prepare collector download.
  - Login to the FortiSIEM GUI.
  - Go to the ADMIN > Health > Collector Health page.
  - Select a Collector, then choose Actions > Download Image, then wait for completion.
  - Select a Collector, then choose Actions > Install Image, then wait for completion.
  - Collector will upgrade, reboot and re-connect to the Supervisor. Check Collector Health to make sure it is running normally.
- For pre-6.1.0 Collectors, FortiSIEM does not support Collector migration to 6.1.0 for VM based collectors. You will need to install new 6.1.1 Collectors and register them to 6.1.1 Supervisor in a specific way so that existing jobs assigned to Collectors and Windows agent associations are not lost. To do this follow these steps:
  - Preparation steps:
    - Copy the http hashed password file /etc/httpd/accounts/passwds from the old Collector.
    - Disconnect the pre-6.1.0 Collector.
    - Install the 6.1 Collector with the old IP address by following the steps in Cluster Installation > Install Collectors.
    - Copy the saved http hashed password file /etc/httpd/accounts/passwds from the old Collector to the 6.1.0 Collector. This step is needed for Agents to work seamlessly with 6.1.0 Collectors. The reason for this step is that when the Agent registers, a password for Agent-to-Collector communication is created and the hashed version is stored in the Collector. During 6.1.0 migration, this password is lost.
  - Register Collectors steps:
    - Follow the steps in Cluster Installation > Register Collectors, with the following difference: in the phProvisionCollector command, use the --update option instead of --add. Other than this, use the same parameters that were used to register the pre-6.1.0 Collector. Specifically, use the phProvisionCollector command to register a 6.1.0 Collector and keep the old associations:
      # /opt/phoenix/bin/phProvisionCollector --update <user> <password> <Super IP or Host> <Organization> <CollectorName>
      Then, re-install new Windows Agents with the old InstallSettings.xml file. Both the migrated and the new agents will work. The new Linux Agent and migrated Linux Agent will also work.
- Follow the steps in the 500F Collector Configuration Guide to upgrade 500F hardware based Collectors to 6.1.1.
Upgrade via Proxy
During upgrade, Super/Worker and Hardware appliances FSM-2000F and 3500F must be able to communicate with CentOS OS repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs.fortisiem.fortinet.com) hosted by Fortinet, to get the latest OS packages. Follow these steps to set up this communication via proxy, before initiating the upgrade.
- SSH to the node.
- Edit /etc/yum.conf as follows:
  - If your proxy does not require authentication, then add a line like this:
    proxy=http://<proxy-ip-or-hostname>:<proxy-port>
  - If your proxy requires authentication, then add proxy_username= and proxy_password= entries as well. For example, for squid proxy:
    proxy_username=<user>
    proxy_password=<pwd>
- Test that you can use the proxy to successfully communicate with the two sites: os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs.fortisiem.fortinet.com.
- Begin the upgrade.
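One way to carry out the proxy test before beginning the upgrade, as an added example that is not part of the FortiSIEM documentation: it reads the proxy entries from the yum configuration, hands them to curl on standard input so the password does not appear in the process list, and warns when a file holding proxy_password is world-readable. The function names and the use of HTTPS to reach the repositories are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FortiSIEM documentation.
# Assumption: the repositories answer on HTTPS (port 443).
REPOS="os-pkgs-cdn.fortisiem.fortinet.com os-pkgs.fortisiem.fortinet.com"

# yum_opt FILE KEY: print the trimmed value of the last "KEY=value" line.
yum_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# esc STRING: escape backslash and double quote for a quoted curl config value.
esc() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# curl_config FILE: emit curl config lines for the proxy set in FILE.
# Returns 1 when FILE has no proxy= entry.
curl_config() {
    cc_proxy=$(yum_opt "$1" proxy)
    [ -n "$cc_proxy" ] || return 1
    printf 'proxy = "%s"\n' "$(esc "$cc_proxy")"
    cc_user=$(yum_opt "$1" proxy_username)
    cc_pass=$(yum_opt "$1" proxy_password)
    if [ -n "$cc_user" ]; then
        printf 'proxy-user = "%s"\n' "$(esc "$cc_user:$cc_pass")"
    fi
}

# world_readable FILE: true when "other" users have read permission on FILE.
world_readable() { [ -n "$(find "$1" -prune -perm -004)" ]; }

# check_repos FILE: request each repository through the proxy; 0 only if all succeed.
check_repos() {
    cr_rc=0
    if yum_opt "$1" proxy_password | grep -q . && world_readable "$1"; then
        echo "WARN $1 holds proxy_password and is world-readable" >&2
    fi
    for cr_host in $REPOS; do
        # Credentials reach curl on stdin (-K -), never on the command line.
        if curl_config "$1" | curl -K - -sS -o /dev/null --max-time 15 "https://$cr_host/"; then
            echo "OK   $cr_host"
        else
            echo "FAIL $cr_host"; cr_rc=1
        fi
    done
    return $cr_rc
}

# Run only when a config path is given, e.g.: sh check_proxy.sh /etc/yum.conf
if [ $# -ge 1 ]; then check_repos "$1"; fi
```

A FAIL line with curl reporting HTTP code 407 from the proxy points at the proxy_username and proxy_password entries rather than at the repositories.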