Image Server Settings

This section allows you to set up the Supervisor as an Image Server for upgrading Collectors and Agents. This means that Collectors and Agents will download Upgrade image from Supervisor. This mechanism provides an easy way to upgrade a large number of Collectors and Agents from one place.

• Configuration for Upgrading Collectors
• Configuration for Upgrading Linux Agents
• Configuration for Upgrading Windows Agents
• Custom Image Server Endpoint

Configuration for Upgrading Collectors

Step 1: Download the Correct Collector Image from the Fortinet Support Site into your Workstation

As an example, Collector 6.4.0 image file name is FSM_Upgrade_All_6.4.0_build1412.zip and matches the hash in the support site to the locally computed hash. This ensures that the file has not been corrupted in transit.

Step 2: Upload the Image to the Supervisor Node

Note: In this step, you will upload the image to the Supervisor, which will then internally create a URL for the Collectors to download the image. It is critical to set the host name in the URL correctly so that a Collector can resolve the host name. Otherwise, the image download in Step 3 will fail.

There are two solutions.

Solution 1

By default, the Supervisor's host name in Admin > License > Nodes is used to create the URL. If the host name is a Fully Qualified domain name and is resolvable by the Collectors, then there is nothing to do. For example, a host name like c2-52-35-20-68.us-west-2.compute.amazonaws.com is resolvable to an external IP address. A host name like 2-52-35-20-68.us-west-2.compute is likely not resolvable. If the hostname is not resolvable, either create a DNS entry to allow the Collector to resolve the hostname, or add an entry to the Collector /etc/hosts file in the following format: <ip> <host name> For example: 10.0.1.21 2-52-35-20-68.us-west-2.compute

Solution 2

If there is a load balancer in front of the Supervisors, or you want to override the Supervisor host name in the default image download URL, then you can enter the appropriate host name or IP after going to Admin > Settings > Systems > Image Server > Custom Update and then clicking Save. If you have entered a host name here, make sure that it is a Fully Qualified domain name and is resolvable by Collectors. Do this step first before proceeding to the remaining of Step 2. Note that if you create an entry in Custom Update, then it applies to ALL Collectors and Agents. This means that every Collector and Agent will get the URL with the Custom Update entry.

1. Go to Admin > Settings > Systems > Image Server.
2. Under Collector, in the Version field, enter the version you downloaded in Step 1. The format is #.#.#. Example: 6.4.0.
3. Under Collector, click Select File and select the Collector upgrade image you downloaded in Step 1.
4. Under Collector, click Upload File to upload the Collector upgrade image to the Supervisor. This may take a while depending on the network connection between your workstation and Supervisor node. FortiSIEM will validate the image hash and upload the image to Supervisor if the hash matches.
   Note: If you do not want a FortiSIEM to perform a hash check, from the Hash Check drop-down, select Disabled.
   
5. Run the following SQL and make sure ImageSetup task is completed.
   

   # psql phoenixdb phoenix -c "select type, progress from ph_task where type = 'ImageSetup'"
       type | progress
   ------------+----------
    ImageSetup | 100
    ImageSetup | 100
    ImageSetup | 100
   (3 rows)

Step 3: Download the Image to the Collector

1. Go to Admin > Health > Collector Health.
2. From the Columns () drop-down, ensure Download Status is selected. If not, select it so the Download Status column is displayed.
3. Select the Collector(s) you wish to download the image to.
   Note: Starting with release 6.4.0, you can choose multiple Collectors for downloading images.
4. From the Action drop-down list, select Download Image.
5. Check that the Download Status column shows finished to confirm that the download has been completed for the selected Collectors.

Step 4: Upgrade the Collector

1. Go to Admin > Health > Collector Health.
2. From the Columns () drop-down, ensure Version is selected. If not, select it so the Version column is displayed.
3. Select the Collector(s) you wish to upgrade.
   Note: Starting with release 6.4.0, you can choose multiple Collectors for installing images.
4. From the Action drop-down list, select Install Image.
5. Check that the Version column shows the correct version number, in this example 6.4.0, to confirm that the Collector(s) have upgraded successfully.

Configuration for Upgrading Linux Agents

Step 1: Download the Correct Linux Agent Image from the Fortinet Support Site into your Workstation.

As an example, a Linux Agents 6.4.0 image file name is fortisiem-linux-agent-installer-6.4.0.1412.sh and matches the hash in the support site to the locally computed hash. This ensures that the file has not been corrupted in transit.

Step 2: Upload the Image to the Supervisor Node

Note: In this step, you will upload the image to the Supervisor, which will then internally create a URL for the Agents to download the image. It is critical to set the host name in the URL correctly, so that an Agent can resolve the host name. Otherwise, the image download in Step 3 will fail.

There are two solutions.

Solution 1

By default, the Supervisor host name in Admin > License > Nodes is used to create the URL. If the host name is a Fully Qualified domain name and is resolvable by the Agents, then there is nothing to do. For example, a host name like c2-52-35-20-68.us-west-2.compute.amazonaws.com is resolvable to an external IP address. A host name like 2-52-35-20-68.us-west-2.compute is likely not resolvable.

Solution 2

If there is a load balancer in front of the Supervisors, or you want to override the Supervisor host name in the default image download URL, then you can enter the appropriate host name or IP after navigating to Admin > Settings > Systems > Image Server > Custom Update, and then clicking Save. If you have entered a host name here, make sure that it is a Fully Qualified domain name and is resolvable by Agent. Do this step first before proceeding to the remaining of Step 2. Note that if you create an entry in Custom Update, then it applies to ALL Collectors and Agents. This means that every Collector and Agent will the get the URL with the Custom Update entry.

1. Go to Admin > Settings > Systems > Image Server.
2. Under Linux Agent, in the Version field, enter the version you downloaded in Step 1. The format is #.#.#. Example: 6.4.0.
3. Under Linux Agent, click Select File and select the Linux Agent upgrade image you downloaded in Step 1.
4. Under Linux Agent, click Upload File to upload the Linux Agent upgrade image to the Supervisor. This may take a while depending on the network connection between your workstation and Supervisor node. FortiSIEM will validate the image hash and upload the image to Supervisor if the hash matches.
   Note: If you do not want a FortiSIEM to perform a hash check, from the Hash Check drop-down, select Disabled.
   

Step 3: Download the Image to the Linux Agent

1. Go to Admin > Health > Agent Health.
2. From the Columns () drop-down, ensure Upgrade Status is selected. If not, select it so the Upgrade Status column is displayed.
3. Select the Linux Agent(s) you wish to download the image to.
   Note: Starting with release 6.4.0, you can choose multiple Linux Agents for downloading images.
4. From the Action drop-down list, select Download Image.
5. Check that the Upgrade Status column shows Download Succeeded to confirm that the download has been completed for the selected Linux Agents.

Step 4: Upgrade the Linux Agents

1. Go to Admin > Health > Agent Health.
2. From the Columns () drop-down, ensure Version is selected. If not, select it so the Version column is displayed.
3. Select the Linux Agent(s) you wish to upgrade.
   Note: Starting with release 6.4.0, you can choose multiple Linux Agents for installing images.
4. From the Action drop-down list, select Install Image.
5. Check that the Upgrade Status column shows Upgrade Succeeded to confirm that the Linux Agent(s) have upgraded successfully. Check that the Version column shows the correct version number, in this example 6.4.0, to confirm that the Linux Agent(s) have upgraded to the correct version.

Configuration for Upgrading Windows Agents

Step 1: Download the Correct Windows Agent Images from the Fortinet Support Site into your Workstation.

1. Download the image file into your desktop. It is a .zip file, e.g. FSMLogAgent-v4.2.1-build0225.zip.
2. Compute the MD5 checksum and make sure that locally, the computed checksum matches the checksum in the Support Site. This ensures that the file is not corrupted in transit.
3. Unzip the file. You will see that there are two files – AutoUpdate.exe and FSMLogAgent.exe. You will need to upload these files in Step 2.3 and Step 2.4 below.

Step 2: Upload the Image to the Supervisor Node

Note: In this step, you will upload the image to the Supervisor, which will then internally create a URL for the Agents to download the image. It is critical to set the host name in the URL correctly, so that an Agent can resolve the host name. Otherwise, the image download in Step 3 will fail.

There are two solutions.

Solution 1

By default, the Supervisor host name in Admin > License > Nodes is used to create the URL. If the host name is a Fully Qualified domain name and is resolvable by the Agents, then there is nothing to do. For example, a host name like c2-52-35-20-68.us-west-2.compute.amazonaws.com is resolvable to an external IP address. A host name like 2-52-35-20-68.us-west-2.compute is likely not resolvable.

Solution 2

If there is a load balancer in front of the Supervisors or you want to override the Supervisor host name in the default image download URL, then you can enter the appropriate host name or IP after going to Admin > Settings > Systems > Image Server > Custom Update, then clicking Save. If you have entered a host name here, make sure that it is a Fully Qualified domain name and is resolvable by Agent. Do this step first before proceeding to the remaining of Step 2. Note that if you create an entry in Custom Update, then it applies to ALL Collectors and Agents. This means that every Collector and Agent will the get the URL with the Custom Update entry.

1. Go to Admin > Settings > Systems > Image Server.
2. Under Windows Agent, in the Version field, enter the version you downloaded in Step 1. The format is #.#.#. Example: 4.2.1.
   Note: For Windows Agent, two files are required, the FSMLogAgent executable (FSMLogAgent.exe) and an AutoUpdate executable (AutoUpdate.exe, or AutoUpdate32.exe).
   
3. Under Windows Agent, click Select File and select one of the two Windows Agent upgrade image you downloaded in Step 1.
4. Under Windows Agent, click Select File and select the second Windows Agent upgrade image you downloaded in Step 1.
5. Under Windows Agent, click Upload File to upload the Windows Agent upgrade images to the Supervisor. This may take a while depending on the network connection between your workstation and Supervisor node. FortiSIEM will validate the image hash and upload the image to Supervisor if the hash matches.
   Note: If you do not want a FortiSIEM to perform a hash check, from the Hash Check drop-down, select Disabled.
   

Step 3: Download the Images to the Windows Agent

1. Go to Admin > Health > Agent Health.
2. From the Columns () drop-down, ensure Upgrade Status is selected. If not, select it so the Upgrade Status column is displayed.
3. Select the Windows Agent(s) you wish to download the image to.
   Note: Starting with release 6.4.0, you can choose multiple Windows Agents for downloading images.
4. From the Action drop-down list, select Download Image.
5. Check that the Upgrade Status column shows Download Succeeded to confirm that the download has been completed for the selected Windows Agents.

Step 4: Upgrade the Windows Agents

1. Go to Admin > Health > Agent Health.
2. From the Columns () drop-down, ensure Version is selected. If not, select it so the Version column is displayed.
3. Select the Windows Agent(s) you wish to upgrade.
   Note: Starting with release 6.4.0, you can choose multiple Windows Agents for installing images.
4. From the Action drop-down list, select Install Image.
5. Check that the Upgrade Status column shows Upgrade Succeeded to confirm that the Windows Agent(s) have upgraded successfully. Check that the Version column shows the correct version number, in this example 4.2.1, to confirm that the Windows Agent(s) have upgraded to the correct version.

Custom Image Server Endpoint

If Collectors or Agents reach Supervisor via a Load Balancer, then you will need to configure the IP or FQDN of the load balancer here. Make sure Collectors and Agents can reach the IP or FQDN entered here. Then App Server will generate the image download URL for Collectors and Agents, using this IP or FQDN entered here.

To define a custom image server endpoint:

1. Navigate to Admin > Settings > System > Image Server.
2. Under Custom Update, in the IP/Host Name field, enter the IP address or host name to use as the public download URL. Note: Make sure the Collector or Agent can either ping the new IP address or host name.
3. Click Save.

Only after doing the step:

1. Upload the secure image file. (Following the steps from the appropriate instructions: Upgrading Collectors, Upgrading Linux Agents, Upgrading Windows Agents.)
   Note: If you re-update to a new URL/host name, the secure image must be re-uploaded, otherwise downloading the image will fail because the previously uploaded image retains the old IP/Hostname.

2. Download Image file. (Following the steps from the appropriate instructions: Upgrading Collectors, Upgrading Linux Agents, Upgrading Windows Agents.)

3. Install Image. (Following the steps from the appropriate instructions: Upgrading Collectors, Upgrading Linux Agents, Upgrading Windows Agents.)