Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Offline Installation and Upgrade Guide

    Home FortiSIEM 7.2.3 Offline Installation and Upgrade Guide
    7.2.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0

    Offline Install and Upgrade

    Offline Install and Upgrade

    This document describes the steps needed to install and upgrade FortiSIEM in a closed environment without internet access. In some cases, FortiSIEM communicates with a repository to download the latest updates. This can be eliminated by setting up a local repository.

    Fresh Installation

    There are two options for fresh installation, FIPS disabled, or FIPS enabled.

    FIPS Disabled Installation

    With FIPS disabled, a fresh installation does not require internet access and can be performed in a closed environment. Run the following command:
    # configFSM.sh
    and select 1 install_without_fips.

    FIPS Enabled Installation

    A FIPS enabled fresh installation requires internet access to Fortinet's RockyLinux repository. This can be re-routed to an offline repository by taking the following steps.

    Note: For hardware appliance users, make sure to skip step 2.

    1. Complete the Local RockyLinux Repository Mirror Installation.

    2. Deploy your FortiSIEM VA onto your hypervisor.

    3. Log into the FortiSIEM local console through your hypervisor.
      Default login:

      User = root

      Password = ProspectHills

    4. Immediately change the root password.

    5. Modify the Yum Repository Files to use the local repository by running the following commands.

      # cd /etc/yum.repos.d
# sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo
# sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo
# sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo
# dnf clean all

    6. Use the appropriate Installation Guide from 7.2 Installation Guides to continue.
      You will need to run the following command, and then select 2 install_with_fips.
      # configFSM.sh

    5.3.x or 5.4.0 to 6.1.x Migration

    FortiSIEM Migration does not require internet access and can be performed in a closed environment. However, if you want to enable FIPS after migrating to 6.1.x, then internet access is required. Follow the steps below to enable FIPS without requiring Internet access.

    Enabling FIPS After Migration

    Take the following steps to enable FIPS after migration.

    1. Complete the 6.1.x Upgrade and below Local CentOS Repository Mirror Installation.

    2. Log into FortiSIEM via SSH.

      # ssh root@<FortISIEM Super/Worker/Collector>

    3. Modify the Yum Repository Files to use the Local Repository by running the following commands.

      # cd /etc/yum.repos.d

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/centos8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/centos\/85/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-c8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      # dnf clean all

    4. Run the following command and select 3 enable_fips.
      # configFSM.sh

    7.2.3 Upgrade

    The 7.2.3 upgrade is comprised of two parts, the supervisor/worker upgrade and collector upgrade.

    Pre-requisite:

    Upgrading with a FortiSIEM build earlier than 6.4.0 requires a CentOS 8.5 repository. This is required for migration, as Rocky Linux scripts will reach out to the CentOS repository to pick up any remaining packages to be updated to the latest, prior to transitioning to Rocky Linux.

    Supervisor/Worker Upgrade

    Take the following steps to prepare an offline upgrade from 6.3.3 or earlier 6.x to 7.2.3 for your supervisor and worker(s). If upgrading from FortiSIEM 6.4.0, start with step 1, otherwise continue with the following instructions.

    Note: Upgrading with a FortiSIEM build 6.x build earlier than 6.4.0 requires a CentOS 8.5 repository. Please refer to the 6.3.3 Offline Upgrade Guide - Local CentOS Repository Mirror Installation for information on how to configure a CentOS 8.5 repository.

    PDF of guide also available from the following page: https://docs.fortinet.com/document/fortisiem/6.3.3/offline-upgrade-guide/131018/offline-install-and-upgrade

    If upgrading to 7.2.3 from a FortiSIEM build earlier than 6.4.0, please run the following commands in order to redirect the current yum.repos.d to an offline CentOS 8.5 repository before proceeding with step 1:

    caution icon

    <REPOSITORY MIRROR IP> is a place holder and should be replaced by the address of your locally configured offline repository.

    For example: 192.168.1.100

    # cd /etc/yum.repos.d/

    # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/centos85/baseurl=https\:\/\/<REPOSITORY MIRROR IP> \/repos\/centos\/85/g' *.repo

    # sed -i 's/https\:\/\/os-pkgs-c8.fortisiem.fortinet.com.*//g' *.repo

    # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

    1. Upload the FSM_Upgrade_All_7.2.3.zip onto the 6.x Supervisor/Worker under the /tmp/ folder.

    2. Log in and extract the upgrade package using 7za by running the following commands.

      Note: unzip has been replaced by 7za in FortiSIEM 7.1.0 and later releases to avert any unzip security vulnerabilities.

      # ssh root@<Super/Worker>

      # mkdir -p /opt/upgrade/

      # mv /tmp/FSM_Upgrade_All_7.2.3.zip /opt/upgrade/

      # 7za x FSM_Upgrade_All_7.2.3.zip

    3. Update upgrade script upgrade.sh:

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' upgrade.sh

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' upgrade.sh

      # sed -i 's/\$CURL/\$CURL\ \-k/g' upgrade.sh

    4. Update the migration script migrate_centos_to_rocky.sh:

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3_build0256/install/files/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-# r8.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' migrate_centos_to_rocky.sh

      # sed -i 's/curl \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-PGDG /curl \-k \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-PGDG /g' migrate_centos_to_rocky.sh

      # sed -i 's/curl \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-rockyofficial /curl \-k \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-rockyofficial /g' migrate_centos_to_ rocky.sh

      # sed -i 's/curl \-o /curl \-k \-o /g' migrate_centos_to_rocky.sh

    5. Edit the migrate_centos_to_rocky.sh script and go to line 697. You can use vi.

      # vi migrate_centos_to_rocky.sh

    6. Add the following on the line right above “# Distrosync”

      sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/enabled=1/enabled=1\nsslverify=false/g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' /tmp/repos/clickhouse.repo

    7. Modify the necessary repository files by running the following set of commands.

      Update the Repos Files

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/files/repos/

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse-utils.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' Rocky-BaseOS.repo

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' pgdg-redhat-all.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      Update PSQL DB Repo

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade-db-server/files

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/baseurl=https\:\/\/\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade-db-server/tasks/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' main.yml

      # sed -i 's/curl \-o /curl \-k \-o /g' main.yml

      Update Files that Pick Up the Keys for PSQL, RockyLinux, Confluent

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade/tasks/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' main.yml

      # sed -i 's/curl \-o /curl \-k \-o /g' main.yml

      Update Clickhouse and Zookeeper Package Files

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/group_vars/all

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//\-k\ https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' setup-zookeeper.yml.j2

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//\-k\ https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' setup-clickhouse.yml.j2

      Perform Clean Up
      # dnf clean all

      Prepare yum.conf to Ignore SSL Verification

      # echo sslverify=false >> /etc/yum.conf

      Validate all Updates Performed Against FortiSIEM Upgrade Package

      # cd /opt/upgrade/<FSM UPGRADE PACKAGE>/

      # grep -R ‘os-pkgs’

      When migrate_centos_to_rocky.sh has been modified as part of the offline upgrade step, the following output will confirm if the upgrade package is correctly modified:

      # grep -R ‘os-pkgs’

      install/files/migrate_centos_to_rocky.sh:sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' /etc/yum.repos.d/Rocky*.repo

      install/files/migrate_centos_to_rocky.sh:sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' /etc/yum.repos.d/Rocky*.repo

      install/files/migrate_centos_to_rocky.sh:sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' /tmp/repos/clickhouse.repo

    8. Use the Upgrade Guide located in 7.2 Reference Manuals to continue with your upgrade for the supervisor and worker(s).

    Collector Upgrade

    For FortiSIEM version 7.2.3, the collector offline upgrade is unsupported at this time. If an offline upgrade is required for the collector, the recommended approach is to re-deploy a new collector on 7.2.3, and update the entry. Please reference Known Issues in the 7.2.3 Release Notes from the FortiSIEM Documentation Library for any possible additional information.

    Link for 7.2.3 Collector Deployment Guide: https://docs.fortinet.com/document/fortisiem/7.2.3/esx-installation-guide/131018/fresh-installation#Install_Collectors

    Link for 7.2.3 Collector Registration: https://docs.fortinet.com/document/fortisiem/7.2.3/esx-installation-guide/131018/fresh-installation#Register_Collectors

    Configuring Existing FSM on RockyLinux Install to use Local Repository Mirror

    Sometimes you may want to run a "yum update" on an existing FortiSIEM installation to get the latest patches. Follow these steps to avoid internet access during this step.

    Note: This configuration is needed to run Yum updates without needing to go to the internet.

    1. Log into all FortiSIEM Supervisor/Worker(s)/Collector(s) that will pull from the new repository by running the following commands.

      # ssh root@<Super/Worker/Collector IP>

      # cd /etc/yum.repos.d

    2. Modify necessary repository files by running the following commands.

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo
      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse.repo

      If Confluent exists in /etc/yum/repos.d/:

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' confluent.repo
      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo
      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo
      # dnf clean all

    3. Connect and update from the local repository mirror by running the following command.

      # dnf update -y

      or

      # yum update -y 

      Rocky Linux 8 - AppStream    48 MB/s |  12 MB     00:00                                                                   
Rocky Linux 8 - BaseOS       74 MB/s |  11 MB     00:00                                                                   
Rocky Linux 8 - Extras       288 kB/s |  14 kB     00:00                                                                  
Rocky Linux 8 - PowerTools     39 MB/s | 2.9 MB     00:00                                                                 
ClickHouse - Stable Repository      3.9 MB/s | 165 kB     00:00                                                           
ClickHouse Utils Repository       33 kB/s | 1.1 kB     00:00                                                              
Confluent repository                  888 kB/s |  41 kB     00:00                                                         
Confluent Clients repository          996 kB/s |  38 kB     00:00                                                         
ELRepo.org Community Enterprise Linux Repository - el8  6.6 MB/s | 244 kB     00:00                                       
Extra Packages for Enterprise Linux 8 - x86_64     116 MB/s |  26 MB     00:00                                            
Extra Packages for Enterprise Linux 8 - x86_64    11 MB/s | 733 kB     00:00                                              PostgreSQL common RPMs for RHEL/CentOS 8 - x86_64 22 MB/s | 1.4 MB     00:00                                              
PostgreSQL 13 for RHEL/CentOS 8 - x86_64   11 MB/s | 964 kB     00:00                                                     
Dependencies resolved.
Nothing to do.
Complete!

    Local RockyLinux 8 Repository Mirror Installation

    Follow these steps to setup a local RockyLinux repository mirror in your internal network. FortiSIEM will only communicate with this local RockyLinux repository mirror whenever needed, thereby avoiding internet access.

    You will be going through these general steps:

    1. Deploying the base VM to state and setup access to the repository
    2. Replicating the remote repository into your new internal mirror
    3. Testing the internal mirror for accessibility
    4. A walk through for all the FSM nodes in order to reach the internal mirror

    Instructions are broken down into the following sections.

    Repository Mirror Deployment and Apache Staging

    This server is required to have internet access and be able to resolve [os-pkgs-cdn.fortisiem.fortinet.com] or [os-pkgs-r8.fortisiem.fortinet.com] in order to prepare the repository mirror. Once the Repository Mirror is completed, the internet connection can then be cut off from this repository mirror until the next time the mirror needs to be updated.

    When the above conditions are met, take the following steps:

    1. Download the 7.2.3.0256 FortiSIEM image and create a VM on your preferred hypervisor.
    2. Add an 400GB disk to the FortiSIEM image that was deployed by taking the following steps:
      Note: Instructions to add a disk is based off of vSphere 6.7. Your hypervisor may differ in instructions, but the concept is the same.
      1. Right click the FortiSIEM VM > Editing Settings.
      2. In the pop-up, click "Add New Device".
      3. Find "Hard Disk" and select it.
      4. Configure it for 400GB.
      5. Click "OK" to save the configuration.
      6. Boot the FortiSIEM image.

    Configuring the Network Adapter

    To complete the configuration, take the following steps:

    1. Log into the FortiSIEM console through your hypervisor.
      Default login:
      User = root
      Password = ProspectHills
    2. Immediately change the root password.
    3. Enter the IP address configuration utility by running the following command:
      # nmtui-edit eth0
    4. Go to IPv4 CONFIGURATION, toggle Automatic, and select Manual from the menu.
    5. Toggle Show to expand the configuration.
    6. In the Addresses field, add an IP address/netmask (CIDR).
      Example: 192.168.1.1/24
      Note: Use the tool at this URL to convert netmask to CIDR.
      https://www.xarg.org/tools/subnet-calculator/
    7. In the Gateway field, enter the Gateway IP address.
      Example: 192.168.1.254
    8. In the DNS Servers field, toggle Add, and select IP of DNS.
      Example: 1.1.1.1
    9. In the DNS Servers field, Toggle Add, and add the IP of the second DNS.
      Example: 1.0.0.1
    10. Toggle the Automatically connect setting to enable.
    11. Toggle the Available to all users setting to enable.
    12. Toggle to OK.


    13. Restart the network adapter.
      # ifdown eth0
      # ifup eth0
    14. Check if the IP address is assigned to the network adapter.
      # ifconfig eth0
      The IP address will be assigned to eth0.
    15. Ping an external address to verify network connectivity.
      # ping <ip address>
      or
      # ping google.com

    Installing the Yum-Utils Package

    Take the following steps to install the yum-utils package.

    1. Clean the current respository from the VM.
      # dnf clean all
    2. Install the yum-utils package.
      # dnf install yum-utils -y

    Preparing the Disk for the Local Repository Mirror

    Take the following steps to prepare your disk for the local repository mirror.

    1. Look for the 400 GB disk created when the ova was deployed.

      # lsblk
      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      sda           8:0    0   25G  0 disk
      ├─sda1        8:1    0    1G  0 part /boot
      └─sda2        8:2    0   24G  0 part
      ├─cl-swap 253:0    0  2.5G  0 lvm  [SWAP]
      └─cl-root 253:1    0 21.5G  0 lvm  /
      sdb           8:16   0   400G  0 disk 			<< New disk

    2. Format the disk using xfs file system.

      # mkfs.xfs /dev/sdb

    3. Create a new mount point for the new disk.

      # mkdir /repos

    4. Mount the disk.

      # mount -t xfs /dev/sdb /repos

      # chmod 755 /repos

    5. Edit /etc/fstab and add the mount entry permanently.

      # vi /etc/fstab 

      /dev/sdb /repos                   xfs     defaults        0 0

    6. Test /etc/fstab to verify configuration.

      # mount -a

    Configuring Apache to Publish the Local Repository Mirror

    Take the following steps to configure Apache to publish the local repository mirror.

    1. Create the link to the repository path.

      # cd /var/www/html/

      # ln -sf /repos repos

      # ls -l /var/www/html/

      result: lrwxrwxrwx. 1 root root 6 Mar 26 16:18 repos -> /repos

    2. Restart Apache.

      # systemctl restart httpd

    Verifying Remote Connectivity to the Local Repository Mirror

    Take the following step to verify remote connectivity with the repository mirror.

    1. From the local network workstation's browser, go to: https://<Repository Mirror IP Address>/

    Syncing the Local Repository Mirror

    All 7.2.3 upgrade related mirrors are configured under /etc/yum.repos.d/. The FortiSIEM 7.2.3 image contains all the current necessary repo files. Take the following steps to sync the local repository mirror.

    1. Sync the FSM Mirror to the repository mirror.

      # mkdir -p /repos/rockylinux8/gpg-keys

      # cd /repos/rockylinux8/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-EPEL-8

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-PGDG

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-elrepo.org

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-rockyofficial

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-rockytesting

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/CLICKHOUSE-KEY.GPG

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-FortiSIEM-rocky

      # cd /repos/rockylinux8


      Note: Creating and Syncing repo structure

      A - Create an alternate path for baseos for 7.2.0 repository and sync that mirror first

      # mkdir -p /repos/rockylinux8/2023-09-08/

      # cd /repos/rockylinux8/2023-09-08/

      # reposync --repoid=baseos --download-metadata –downloadcomps

      # cd /repos/rockylinux8/

      # mkdir -p /repos/rockylinux8/2023-11-13/


      Note: After reposync, the path will look like:

      # ls -la /repos/rockylinux8/2023-09-08/

      drwxr-xr-x. 3 root root 20 Oct 25 14:46 .

      drwxrwxr-x. 18 root root 267 Oct 25 19:12 ..

      drwxr-xr-x. 4 root root 73 Oct 25 14:43 baseos


      B - Rename the Rocky-BaseOS.repo and sync the main baseos path

      # cd /repos/rockylinux8

      # mv /etc/yum.repos.d/Rocky-BaseOS.repo /etc/yum.repos.d/Rocky-BaseOS.repo.alt

      # mv /etc/yum.repos.d/Rocky-BaseOS.repo.rpmnew /etc/yum.repos.d/Rocky-BaseOS.repo

      # reposync --repoid=baseos --download-metadata --downloadcomps


      Note: after reposync, the path will look like:

      # ls -la /repos/rockylinux8/

      drwxrwxr-x. 18 root root 267 Oct 25 19:12 .

      drwxrwxr-x. 6 root root 77 Oct 25 16:16 ..

      drwxr-xr-x. 3 root root 20 Oct 25 14:46 2023-09-08

      drwxr-xr-x. 4 root root 73 Oct 25 14:17 baseos

      C- Continue syncing RockyLinux 8 repositories

      # reposync --repoid=appstream --download-metadata --downloadcomps

      # reposync --repoid=elrepo --download-metadata --downloadcomps

      # reposync --repoid=elrepo-testing --download-metadata --downloadcomps

      # reposync --repoid=epel-modular --download-metadata --downloadcomps

      # reposync --repoid=epel --download-metadata --downloadcomps

      # reposync --repoid=extras --download-metadata --downloadcomps

      # reposync --repoid=plus --download-metadata --downloadcomps

      # reposync --repoid=powertools --download-metadata –downloadcomps

      # cd /repos/rockylinux8/2023-11-13/

      # reposync --repoid=epel --download-metadata --downloadcomps

      Note: After reposync, the path will look like:

      # ls -la /repos/rockylinux8 

      total 220
drwxrwxr-x. 19 root root  4096 May 23 00:07 .
drwxrwxr-x.  6 root root    76 May 28 14:17 ..
drwxr-xr-x.  3 root root    20 May 23 00:04 2023-09-08
drwxr-xr-x.  3 root root    18 May 23 07:37 2023-11-13
drwxr-xr-x.  4 root root    55 May 28 08:51 appstream
drwxr-xr-x.  4 root root    73 May 23 07:53 baseos
drwxr-xr-x.  3 root root  4096 Sep 12  2023 clickhouse
drwxr-xr-x.  4 root root    34 May 28 08:51 elrepo
drwxr-xr-x.  4 root root    52 May 28 08:54 elrepo-testing
drwxr-xr-x.  4 root root    75 May 28 08:55 epel
drwxr-xr-x.  4 root root    58 May 28 08:55 epel-modular
drwxr-xr-x.  4 root root    56 May 28 09:47 extras
drwxrwxr-x.  2 root root   212 May 28 12:12 gpg-keys
drwxr-xr-x.  3 root root 77824 May 28 09:47 pgdg13
drwxr-xr-x.  3 root root 77824 May 28 09:46 pgdg-common
drwxr-xr-x.  4 root root    38 May 28 09:47 plus
drwxr-xr-x.  4 root root    55 May 28 09:47 powertools
drwxr-xr-x.  2 root root  4096 Feb 10  2022 repodata
drwxr-xr-x.  2 root root    88 May 29  2023 zookeeper


      D- Zookeeper has a single file and will not utilize reposync

      # mkdir –p /repos/rockylinux8/zookeeper

      # cd /repos/rockylinux8/zookeeper

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/zookeeper/apache-zookeeper-3.7.0-bin.tar.gz

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/zookeeper/apache-zookeeper-3.8.1-bin.tar.gz


      E- Creating and Syncing Clickhouse repo structure

      # mkdir -p /repos/clickhouse/gpg-keys/

      # mkdir -p /repos/clickhouse/2023-11-27/gpg-keys/

      # cd /repos/clickhouse/gpg-keys/

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/gpg-keys/repomd.xml.key

      # cd /repos/clickhouse/2023-11-27/gpg-keys/

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/2023-11-27/gpg-keys/repomd.xml.key

      # cd /repos/clickhouse/2023-11-27/

      # reposync --repoid=clickhouse-stable --download-metadata –downloadcomps

      # cd clickhouse-stable/repodata

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/2023-08/clickhouse-stable/repodata/repomd.xml.asc

      # cd /repos/clickhouse/

      # reposync --repoid=clickhouse-utils --download-metadata --downloadcomps

      Note: After syncing clickhouse-utils, the path will look like:

      # ls -la /repos/clickhouse/

      drwxr-xr-x. 4 root root 47 May 22 23:44 2023-11-27

      drwxr-xr-x. 4 root root 38 May 22 23:46 clickhouse-utils

      drwxr-xr-x. 2 root root 28 May 22 23:46 gpg-keys

      F- Creating and Syncing Confluent repo structure

      # mkdir -p /repos/confluent/gpg-keys

      # cd /repos/confluent/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/confluent/gpg-keys/confluent-archive.key

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/confluent/gpg-keys/confluent-clients-archive.key

      # cd /repos/confluent/

      # reposync --repoid=Confluent --download-metadata --downloadcomps

      # reposync --repoid=Confluent-Clients --download-metadata --downloadcomps

      Note: After syncing Confluent and Confluent-Clients, the path will look like:

      # ls -la

      total 16 

      drwxr-xr-x. 5 root root 64 Oct 25 15:19 . 
      drwxrwxr-x. 6 root root 77 Oct 25 16:16 .. 
drwxr-xr-x. 3 root root 4096 Oct 25 15:19 Confluent
drwxr-xr-x. 3 root root 8192 Oct 25 15:22 Confluent-Clients 
drwxr-xr-x. 2 root root 72 Sep 13 12:22 gpg-keys

      G- Creating and Syncing Postgres repo structure

      # mkdir -p /repos/postgres/gpg-keys

      # mkdir -p /repos/postgres/misc

      # cd /repos/postgres/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/gpg-keys/PGDG-RPM-GPG-KEY-RHEL

      # cd /repos/postgres/misc

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/pgdg-redhat-all.repo

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh

      # cd /repos/postgres/

      # reposync --repoid=pgdg13 --download-metadata --downloadcomps

      # reposync --repoid=pgdg-common --download-metadata --downloadcomps

      # reposync --repoid=pgdg-rhel8-extras --download-metadata --downloadcomps

      Note: After syncing Confluent and Confluent-Clients, the path will look like:

      # ls -la /repos/postgres
total 180
drwxr-xr-x. 7 root root    92 May 28 14:43 .
drwxrwxr-x. 6 root root    76 May 28 14:17 ..
drwxr-xr-x. 2 root root    35 May 28 14:17 gpg-keys
drwxr-xr-x. 2 root root    84 May 28 14:20 misc
drwxr-xr-x. 3 root root 81920 May 28 14:43 pgdg13
drwxr-xr-x. 3 root root 45056 May 28 14:28 pgdg-common
drwxr-xr-x. 3 root root  8192 May 28 14:44 pgdg-rhel8-extras

      Note: Your repos directory will look like the following:

      # ls -la /repos/ 
total 4
drwxrwxr-x. 5 root root 60 Nov 1 02:33 . 
dr-xr-xr-x. 20 root root 4096 Apr 5 2023 .. 
drwxr-xr-x. 8 root root 123 Oct 25 17:08 clickhouse 
drwxr-xr-x. 5 root root 64 Oct 25 15:19 confluent 
drwxrwxr-x. 18 root root 267 Oct 25 19:12 rockylinux8
drwxr-xr-x.  7 root root   92 May 28 14:43 postgres

    2. Modify Permissions and Restart Apache on the repository mirror.

      # chmod -R 755 /repos

      # systemctl restart httpd

    3. Check repository mirror.

      Locally, run the following command:

      # curl -k https://localhost/repos/rockylinux8/

      # curl -k https://localhost/repos/clickhouse/

      # curl -k https://localhost/repos/confluent/

      # curl -k https://localhost/repos/postgres/


      Remotely:

      Open a browser, and go to:

      https://<Repository Mirror IP>/repos/rockylinux8/

      https://<Repository Mirror IP>/repos/clickhouse/

      https://<Repository Mirror IP>/repos/confluent/

      https://<Repository Mirror IP>/repos/postgres/

    Previous
    Next

    Offline Install and Upgrade

    Offline Install and Upgrade

    This document describes the steps needed to install and upgrade FortiSIEM in a closed environment without internet access. In some cases, FortiSIEM communicates with a repository to download the latest updates. This can be eliminated by setting up a local repository.

    Fresh Installation

    There are two options for fresh installation, FIPS disabled, or FIPS enabled.

    FIPS Disabled Installation

    With FIPS disabled, a fresh installation does not require internet access and can be performed in a closed environment. Run the following command:
    # configFSM.sh
    and select 1 install_without_fips.

    FIPS Enabled Installation

    A FIPS enabled fresh installation requires internet access to Fortinet's RockyLinux repository. This can be re-routed to an offline repository by taking the following steps.

    Note: For hardware appliance users, make sure to skip step 2.

    1. Complete the Local RockyLinux Repository Mirror Installation.

    2. Deploy your FortiSIEM VA onto your hypervisor.

    3. Log into the FortiSIEM local console through your hypervisor.
      Default login:

      User = root

      Password = ProspectHills

    4. Immediately change the root password.

    5. Modify the Yum Repository Files to use the local repository by running the following commands.

      # cd /etc/yum.repos.d
# sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo
# sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo
# sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo
# dnf clean all

    6. Use the appropriate Installation Guide from 7.2 Installation Guides to continue.
      You will need to run the following command, and then select 2 install_with_fips.
      # configFSM.sh

    5.3.x or 5.4.0 to 6.1.x Migration

    FortiSIEM Migration does not require internet access and can be performed in a closed environment. However, if you want to enable FIPS after migrating to 6.1.x, then internet access is required. Follow the steps below to enable FIPS without requiring Internet access.

    Enabling FIPS After Migration

    Take the following steps to enable FIPS after migration.

    1. Complete the 6.1.x Upgrade and below Local CentOS Repository Mirror Installation.

    2. Log into FortiSIEM via SSH.

      # ssh root@<FortISIEM Super/Worker/Collector>

    3. Modify the Yum Repository Files to use the Local Repository by running the following commands.

      # cd /etc/yum.repos.d

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/centos8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/centos\/85/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-c8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      # dnf clean all

    4. Run the following command and select 3 enable_fips.
      # configFSM.sh

    7.2.3 Upgrade

    The 7.2.3 upgrade is comprised of two parts, the supervisor/worker upgrade and collector upgrade.

    Pre-requisite:

    Upgrading with a FortiSIEM build earlier than 6.4.0 requires a CentOS 8.5 repository. This is required for migration, as Rocky Linux scripts will reach out to the CentOS repository to pick up any remaining packages to be updated to the latest, prior to transitioning to Rocky Linux.

    Supervisor/Worker Upgrade

    Take the following steps to prepare an offline upgrade from 6.3.3 or earlier 6.x to 7.2.3 for your supervisor and worker(s). If upgrading from FortiSIEM 6.4.0, start with step 1, otherwise continue with the following instructions.

    Note: Upgrading with a FortiSIEM build 6.x build earlier than 6.4.0 requires a CentOS 8.5 repository. Please refer to the 6.3.3 Offline Upgrade Guide - Local CentOS Repository Mirror Installation for information on how to configure a CentOS 8.5 repository.

    PDF of guide also available from the following page: https://docs.fortinet.com/document/fortisiem/6.3.3/offline-upgrade-guide/131018/offline-install-and-upgrade

    If upgrading to 7.2.3 from a FortiSIEM build earlier than 6.4.0, please run the following commands in order to redirect the current yum.repos.d to an offline CentOS 8.5 repository before proceeding with step 1:

    caution icon

    <REPOSITORY MIRROR IP> is a place holder and should be replaced by the address of your locally configured offline repository.

    For example: 192.168.1.100

    # cd /etc/yum.repos.d/

    # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/centos85/baseurl=https\:\/\/<REPOSITORY MIRROR IP> \/repos\/centos\/85/g' *.repo

    # sed -i 's/https\:\/\/os-pkgs-c8.fortisiem.fortinet.com.*//g' *.repo

    # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

    1. Upload the FSM_Upgrade_All_7.2.3.zip onto the 6.x Supervisor/Worker under the /tmp/ folder.

    2. Log in and extract the upgrade package using 7za by running the following commands.

      Note: unzip has been replaced by 7za in FortiSIEM 7.1.0 and later releases to avert any unzip security vulnerabilities.

      # ssh root@<Super/Worker>

      # mkdir -p /opt/upgrade/

      # mv /tmp/FSM_Upgrade_All_7.2.3.zip /opt/upgrade/

      # 7za x FSM_Upgrade_All_7.2.3.zip

    3. Update upgrade script upgrade.sh:

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' upgrade.sh

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' upgrade.sh

      # sed -i 's/\$CURL/\$CURL\ \-k/g' upgrade.sh

    4. Update the migration script migrate_centos_to_rocky.sh:

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3_build0256/install/files/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' migrate_centos_to_rocky.sh

      # sed -i 's/https\:\/\/os-pkgs-# r8.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' migrate_centos_to_rocky.sh

      # sed -i 's/curl \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-PGDG /curl \-k \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-PGDG /g' migrate_centos_to_rocky.sh

      # sed -i 's/curl \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-rockyofficial /curl \-k \-o \/etc\/pki\/rpm\-gpg\/RPM\-GPG\-KEY\-rockyofficial /g' migrate_centos_to_ rocky.sh

      # sed -i 's/curl \-o /curl \-k \-o /g' migrate_centos_to_rocky.sh

    5. Edit the migrate_centos_to_rocky.sh script and go to line 697. You can use vi.

      # vi migrate_centos_to_rocky.sh

    6. Add the following on the line right above “# Distrosync”

      sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/enabled=1/enabled=1\nsslverify=false/g' /etc/yum.repos.d/Rocky*.repo

      sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' /tmp/repos/clickhouse.repo

    7. Modify the necessary repository files by running the following set of commands.

      Update the Repos Files

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/files/repos/

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse-utils.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' Rocky-BaseOS.repo

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/https\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' pgdg-redhat-all.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      Update PSQL DB Repo

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade-db-server/files

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/postgres/baseurl=https\:\/\/\:\/\/<REPOSITORY MIRROR IP>\/repos\/postgres/g' *.repo

      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo

      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade-db-server/tasks/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' main.yml

      # sed -i 's/curl \-o /curl \-k \-o /g' main.yml

      Update Files that Pick Up the Keys for PSQL, RockyLinux, Confluent

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/roles/upgrade/tasks/

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' main.yml

      # sed -i 's/curl \-o /curl \-k \-o /g' main.yml

      Update Clickhouse and Zookeeper Package Files

      # cd /opt/upgrade/FSM_Upgrade_All_7.2.3/install/group_vars/all

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//\-k\ https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' setup-zookeeper.yml.j2

      # sed -i 's/https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\//\-k\ https\:\/\/<REPOSITORY MIRROR IP>\/repos\//g' setup-clickhouse.yml.j2

      Perform Clean Up
      # dnf clean all

      Prepare yum.conf to Ignore SSL Verification

      # echo sslverify=false >> /etc/yum.conf

      Validate all Updates Performed Against FortiSIEM Upgrade Package

      # cd /opt/upgrade/<FSM UPGRADE PACKAGE>/

      # grep -R ‘os-pkgs’

      When migrate_centos_to_rocky.sh has been modified as part of the offline upgrade step, the following output will confirm if the upgrade package is correctly modified:

      # grep -R ‘os-pkgs’

      install/files/migrate_centos_to_rocky.sh:sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' /etc/yum.repos.d/Rocky*.repo

      install/files/migrate_centos_to_rocky.sh:sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' /etc/yum.repos.d/Rocky*.repo

      install/files/migrate_centos_to_rocky.sh:sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' /tmp/repos/clickhouse.repo

    8. Use the Upgrade Guide located in 7.2 Reference Manuals to continue with your upgrade for the supervisor and worker(s).

    Collector Upgrade

    For FortiSIEM version 7.2.3, the collector offline upgrade is unsupported at this time. If an offline upgrade is required for the collector, the recommended approach is to re-deploy a new collector on 7.2.3, and update the entry. Please reference Known Issues in the 7.2.3 Release Notes from the FortiSIEM Documentation Library for any possible additional information.

    Link for 7.2.3 Collector Deployment Guide: https://docs.fortinet.com/document/fortisiem/7.2.3/esx-installation-guide/131018/fresh-installation#Install_Collectors

    Link for 7.2.3 Collector Registration: https://docs.fortinet.com/document/fortisiem/7.2.3/esx-installation-guide/131018/fresh-installation#Register_Collectors

    Configuring Existing FSM on RockyLinux Install to use Local Repository Mirror

    Sometimes you may want to run a "yum update" on an existing FortiSIEM installation to get the latest patches. Follow these steps to avoid internet access during this step.

    Note: This configuration is needed to run Yum updates without needing to go to the internet.

    1. Log into all FortiSIEM Supervisor/Worker(s)/Collector(s) that will pull from the new repository by running the following commands.

      # ssh root@<Super/Worker/Collector IP>

      # cd /etc/yum.repos.d

    2. Modify necessary repository files by running the following commands.

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/rockylinux8/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/rockylinux8/g' *.repo
      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/clickhouse/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/clickhouse/g' clickhouse.repo

      If Confluent exists in /etc/yum/repos.d/:

      # sed -i 's/baseurl=https\:\/\/os-pkgs-cdn.fortisiem.fortinet.com\/confluent/baseurl=https\:\/\/<REPOSITORY MIRROR IP>\/repos\/confluent/g' confluent.repo
      # sed -i 's/https\:\/\/os-pkgs-r8.fortisiem.fortinet.com.*//g' *.repo
      # sed -i 's/enabled=1/enabled=1\nsslverify=false/g' *.repo
      # dnf clean all

    3. Connect and update from the local repository mirror by running the following command.

      # dnf update -y

      or

      # yum update -y 

      Rocky Linux 8 - AppStream    48 MB/s |  12 MB     00:00                                                                   
Rocky Linux 8 - BaseOS       74 MB/s |  11 MB     00:00                                                                   
Rocky Linux 8 - Extras       288 kB/s |  14 kB     00:00                                                                  
Rocky Linux 8 - PowerTools     39 MB/s | 2.9 MB     00:00                                                                 
ClickHouse - Stable Repository      3.9 MB/s | 165 kB     00:00                                                           
ClickHouse Utils Repository       33 kB/s | 1.1 kB     00:00                                                              
Confluent repository                  888 kB/s |  41 kB     00:00                                                         
Confluent Clients repository          996 kB/s |  38 kB     00:00                                                         
ELRepo.org Community Enterprise Linux Repository - el8  6.6 MB/s | 244 kB     00:00                                       
Extra Packages for Enterprise Linux 8 - x86_64     116 MB/s |  26 MB     00:00                                            
Extra Packages for Enterprise Linux 8 - x86_64    11 MB/s | 733 kB     00:00                                              PostgreSQL common RPMs for RHEL/CentOS 8 - x86_64 22 MB/s | 1.4 MB     00:00                                              
PostgreSQL 13 for RHEL/CentOS 8 - x86_64   11 MB/s | 964 kB     00:00                                                     
Dependencies resolved.
Nothing to do.
Complete!

    Local RockyLinux 8 Repository Mirror Installation

    Follow these steps to setup a local RockyLinux repository mirror in your internal network. FortiSIEM will only communicate with this local RockyLinux repository mirror whenever needed, thereby avoiding internet access.

    You will be going through these general steps:

    1. Deploying the base VM to state and setup access to the repository
    2. Replicating the remote repository into your new internal mirror
    3. Testing the internal mirror for accessibility
    4. A walk through for all the FSM nodes in order to reach the internal mirror

    Instructions are broken down into the following sections.

    Repository Mirror Deployment and Apache Staging

    This server is required to have internet access and be able to resolve [os-pkgs-cdn.fortisiem.fortinet.com] or [os-pkgs-r8.fortisiem.fortinet.com] in order to prepare the repository mirror. Once the Repository Mirror is completed, the internet connection can then be cut off from this repository mirror until the next time the mirror needs to be updated.

    When the above conditions are met, take the following steps:

    1. Download the 7.2.3.0256 FortiSIEM image and create a VM on your preferred hypervisor.
    2. Add an 400GB disk to the FortiSIEM image that was deployed by taking the following steps:
      Note: Instructions to add a disk is based off of vSphere 6.7. Your hypervisor may differ in instructions, but the concept is the same.
      1. Right click the FortiSIEM VM > Editing Settings.
      2. In the pop-up, click "Add New Device".
      3. Find "Hard Disk" and select it.
      4. Configure it for 400GB.
      5. Click "OK" to save the configuration.
      6. Boot the FortiSIEM image.

    Configuring the Network Adapter

    To complete the configuration, take the following steps:

    1. Log into the FortiSIEM console through your hypervisor.
      Default login:
      User = root
      Password = ProspectHills
    2. Immediately change the root password.
    3. Enter the IP address configuration utility by running the following command:
      # nmtui-edit eth0
    4. Go to IPv4 CONFIGURATION, toggle Automatic, and select Manual from the menu.
    5. Toggle Show to expand the configuration.
    6. In the Addresses field, add an IP address/netmask (CIDR).
      Example: 192.168.1.1/24
      Note: Use the tool at this URL to convert netmask to CIDR.
      https://www.xarg.org/tools/subnet-calculator/
    7. In the Gateway field, enter the Gateway IP address.
      Example: 192.168.1.254
    8. In the DNS Servers field, toggle Add, and select IP of DNS.
      Example: 1.1.1.1
    9. In the DNS Servers field, Toggle Add, and add the IP of the second DNS.
      Example: 1.0.0.1
    10. Toggle the Automatically connect setting to enable.
    11. Toggle the Available to all users setting to enable.
    12. Toggle to OK.


    13. Restart the network adapter.
      # ifdown eth0
      # ifup eth0
    14. Check if the IP address is assigned to the network adapter.
      # ifconfig eth0
      The IP address will be assigned to eth0.
    15. Ping an external address to verify network connectivity.
      # ping <ip address>
      or
      # ping google.com

    Installing the Yum-Utils Package

    Take the following steps to install the yum-utils package.

    1. Clean the current respository from the VM.
      # dnf clean all
    2. Install the yum-utils package.
      # dnf install yum-utils -y

    Preparing the Disk for the Local Repository Mirror

    Take the following steps to prepare your disk for the local repository mirror.

    1. Look for the 400 GB disk created when the ova was deployed.

      # lsblk
      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      sda           8:0    0   25G  0 disk
      ├─sda1        8:1    0    1G  0 part /boot
      └─sda2        8:2    0   24G  0 part
      ├─cl-swap 253:0    0  2.5G  0 lvm  [SWAP]
      └─cl-root 253:1    0 21.5G  0 lvm  /
      sdb           8:16   0   400G  0 disk 			<< New disk

    2. Format the disk using xfs file system.

      # mkfs.xfs /dev/sdb

    3. Create a new mount point for the new disk.

      # mkdir /repos

    4. Mount the disk.

      # mount -t xfs /dev/sdb /repos

      # chmod 755 /repos

    5. Edit /etc/fstab and add the mount entry permanently.

      # vi /etc/fstab 

      /dev/sdb /repos                   xfs     defaults        0 0

    6. Test /etc/fstab to verify configuration.

      # mount -a

    Configuring Apache to Publish the Local Repository Mirror

    Take the following steps to configure Apache to publish the local repository mirror.

    1. Create the link to the repository path.

      # cd /var/www/html/

      # ln -sf /repos repos

      # ls -l /var/www/html/

      result: lrwxrwxrwx. 1 root root 6 Mar 26 16:18 repos -> /repos

    2. Restart Apache.

      # systemctl restart httpd

    Verifying Remote Connectivity to the Local Repository Mirror

    Take the following step to verify remote connectivity with the repository mirror.

    1. From the local network workstation's browser, go to: https://<Repository Mirror IP Address>/

    Syncing the Local Repository Mirror

    All 7.2.3 upgrade related mirrors are configured under /etc/yum.repos.d/. The FortiSIEM 7.2.3 image contains all the current necessary repo files. Take the following steps to sync the local repository mirror.

    1. Sync the FSM Mirror to the repository mirror.

      # mkdir -p /repos/rockylinux8/gpg-keys

      # cd /repos/rockylinux8/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-EPEL-8

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-PGDG

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-elrepo.org

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-rockyofficial

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-rockytesting

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/CLICKHOUSE-KEY.GPG

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/gpg-keys/RPM-GPG-KEY-FortiSIEM-rocky

      # cd /repos/rockylinux8


      Note: Creating and Syncing repo structure

      A - Create an alternate path for baseos for 7.2.0 repository and sync that mirror first

      # mkdir -p /repos/rockylinux8/2023-09-08/

      # cd /repos/rockylinux8/2023-09-08/

      # reposync --repoid=baseos --download-metadata –downloadcomps

      # cd /repos/rockylinux8/

      # mkdir -p /repos/rockylinux8/2023-11-13/


      Note: After reposync, the path will look like:

      # ls -la /repos/rockylinux8/2023-09-08/

      drwxr-xr-x. 3 root root 20 Oct 25 14:46 .

      drwxrwxr-x. 18 root root 267 Oct 25 19:12 ..

      drwxr-xr-x. 4 root root 73 Oct 25 14:43 baseos


      B - Rename the Rocky-BaseOS.repo and sync the main baseos path

      # cd /repos/rockylinux8

      # mv /etc/yum.repos.d/Rocky-BaseOS.repo /etc/yum.repos.d/Rocky-BaseOS.repo.alt

      # mv /etc/yum.repos.d/Rocky-BaseOS.repo.rpmnew /etc/yum.repos.d/Rocky-BaseOS.repo

      # reposync --repoid=baseos --download-metadata --downloadcomps


      Note: after reposync, the path will look like:

      # ls -la /repos/rockylinux8/

      drwxrwxr-x. 18 root root 267 Oct 25 19:12 .

      drwxrwxr-x. 6 root root 77 Oct 25 16:16 ..

      drwxr-xr-x. 3 root root 20 Oct 25 14:46 2023-09-08

      drwxr-xr-x. 4 root root 73 Oct 25 14:17 baseos

      C- Continue syncing RockyLinux 8 repositories

      # reposync --repoid=appstream --download-metadata --downloadcomps

      # reposync --repoid=elrepo --download-metadata --downloadcomps

      # reposync --repoid=elrepo-testing --download-metadata --downloadcomps

      # reposync --repoid=epel-modular --download-metadata --downloadcomps

      # reposync --repoid=epel --download-metadata --downloadcomps

      # reposync --repoid=extras --download-metadata --downloadcomps

      # reposync --repoid=plus --download-metadata --downloadcomps

      # reposync --repoid=powertools --download-metadata –downloadcomps

      # cd /repos/rockylinux8/2023-11-13/

      # reposync --repoid=epel --download-metadata --downloadcomps

      Note: After reposync, the path will look like:

      # ls -la /repos/rockylinux8 

      total 220
drwxrwxr-x. 19 root root  4096 May 23 00:07 .
drwxrwxr-x.  6 root root    76 May 28 14:17 ..
drwxr-xr-x.  3 root root    20 May 23 00:04 2023-09-08
drwxr-xr-x.  3 root root    18 May 23 07:37 2023-11-13
drwxr-xr-x.  4 root root    55 May 28 08:51 appstream
drwxr-xr-x.  4 root root    73 May 23 07:53 baseos
drwxr-xr-x.  3 root root  4096 Sep 12  2023 clickhouse
drwxr-xr-x.  4 root root    34 May 28 08:51 elrepo
drwxr-xr-x.  4 root root    52 May 28 08:54 elrepo-testing
drwxr-xr-x.  4 root root    75 May 28 08:55 epel
drwxr-xr-x.  4 root root    58 May 28 08:55 epel-modular
drwxr-xr-x.  4 root root    56 May 28 09:47 extras
drwxrwxr-x.  2 root root   212 May 28 12:12 gpg-keys
drwxr-xr-x.  3 root root 77824 May 28 09:47 pgdg13
drwxr-xr-x.  3 root root 77824 May 28 09:46 pgdg-common
drwxr-xr-x.  4 root root    38 May 28 09:47 plus
drwxr-xr-x.  4 root root    55 May 28 09:47 powertools
drwxr-xr-x.  2 root root  4096 Feb 10  2022 repodata
drwxr-xr-x.  2 root root    88 May 29  2023 zookeeper


      D- Zookeeper has a single file and will not utilize reposync

      # mkdir –p /repos/rockylinux8/zookeeper

      # cd /repos/rockylinux8/zookeeper

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/zookeeper/apache-zookeeper-3.7.0-bin.tar.gz

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/rockylinux8/zookeeper/apache-zookeeper-3.8.1-bin.tar.gz


      E- Creating and Syncing Clickhouse repo structure

      # mkdir -p /repos/clickhouse/gpg-keys/

      # mkdir -p /repos/clickhouse/2023-11-27/gpg-keys/

      # cd /repos/clickhouse/gpg-keys/

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/gpg-keys/repomd.xml.key

      # cd /repos/clickhouse/2023-11-27/gpg-keys/

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/2023-11-27/gpg-keys/repomd.xml.key

      # cd /repos/clickhouse/2023-11-27/

      # reposync --repoid=clickhouse-stable --download-metadata –downloadcomps

      # cd clickhouse-stable/repodata

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/clickhouse/2023-08/clickhouse-stable/repodata/repomd.xml.asc

      # cd /repos/clickhouse/

      # reposync --repoid=clickhouse-utils --download-metadata --downloadcomps

      Note: After syncing clickhouse-utils, the path will look like:

      # ls -la /repos/clickhouse/

      drwxr-xr-x. 4 root root 47 May 22 23:44 2023-11-27

      drwxr-xr-x. 4 root root 38 May 22 23:46 clickhouse-utils

      drwxr-xr-x. 2 root root 28 May 22 23:46 gpg-keys

      F- Creating and Syncing Confluent repo structure

      # mkdir -p /repos/confluent/gpg-keys

      # cd /repos/confluent/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/confluent/gpg-keys/confluent-archive.key

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/confluent/gpg-keys/confluent-clients-archive.key

      # cd /repos/confluent/

      # reposync --repoid=Confluent --download-metadata --downloadcomps

      # reposync --repoid=Confluent-Clients --download-metadata --downloadcomps

      Note: After syncing Confluent and Confluent-Clients, the path will look like:

      # ls -la

      total 16 

      drwxr-xr-x. 5 root root 64 Oct 25 15:19 . 
      drwxrwxr-x. 6 root root 77 Oct 25 16:16 .. 
drwxr-xr-x. 3 root root 4096 Oct 25 15:19 Confluent
drwxr-xr-x. 3 root root 8192 Oct 25 15:22 Confluent-Clients 
drwxr-xr-x. 2 root root 72 Sep 13 12:22 gpg-keys

      G- Creating and Syncing Postgres repo structure

      # mkdir -p /repos/postgres/gpg-keys

      # mkdir -p /repos/postgres/misc

      # cd /repos/postgres/gpg-keys

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/gpg-keys/PGDG-RPM-GPG-KEY-RHEL

      # cd /repos/postgres/misc

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/pgdg-redhat-all.repo

      # wget https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh

      # cd /repos/postgres/

      # reposync --repoid=pgdg13 --download-metadata --downloadcomps

      # reposync --repoid=pgdg-common --download-metadata --downloadcomps

      # reposync --repoid=pgdg-rhel8-extras --download-metadata --downloadcomps

      Note: After syncing Confluent and Confluent-Clients, the path will look like:

      # ls -la /repos/postgres
total 180
drwxr-xr-x. 7 root root    92 May 28 14:43 .
drwxrwxr-x. 6 root root    76 May 28 14:17 ..
drwxr-xr-x. 2 root root    35 May 28 14:17 gpg-keys
drwxr-xr-x. 2 root root    84 May 28 14:20 misc
drwxr-xr-x. 3 root root 81920 May 28 14:43 pgdg13
drwxr-xr-x. 3 root root 45056 May 28 14:28 pgdg-common
drwxr-xr-x. 3 root root  8192 May 28 14:44 pgdg-rhel8-extras

      Note: Your repos directory will look like the following:

      # ls -la /repos/ 
total 4
drwxrwxr-x. 5 root root 60 Nov 1 02:33 . 
dr-xr-xr-x. 20 root root 4096 Apr 5 2023 .. 
drwxr-xr-x. 8 root root 123 Oct 25 17:08 clickhouse 
drwxr-xr-x. 5 root root 64 Oct 25 15:19 confluent 
drwxrwxr-x. 18 root root 267 Oct 25 19:12 rockylinux8
drwxr-xr-x.  7 root root   92 May 28 14:43 postgres

    2. Modify Permissions and Restart Apache on the repository mirror.

      # chmod -R 755 /repos

      # systemctl restart httpd

    3. Check repository mirror.

      Locally, run the following command:

      # curl -k https://localhost/repos/rockylinux8/

      # curl -k https://localhost/repos/clickhouse/

      # curl -k https://localhost/repos/confluent/

      # curl -k https://localhost/repos/postgres/


      Remotely:

      Open a browser, and go to:

      https://<Repository Mirror IP>/repos/rockylinux8/

      https://<Repository Mirror IP>/repos/clickhouse/

      https://<Repository Mirror IP>/repos/confluent/

      https://<Repository Mirror IP>/repos/postgres/

    Previous
    Next