Version:

Version:

Version:

Version:


Table of Contents

Deployment Guide

Download PDF
Copy Link

Deploying FortiSOAR using offline repositories

This chapter describes the steps that you need to follow to deploy FortiSOAR using offline repositories.

Prerequisites

  • Virtual machine with CentOS 7.0.0 or RHEL 7.0.0 with minimal install option.
  • Access to repo.fortisoar.fortinet.com.
  • Minimum disk size: 500 GB.
  • Ensure that the SSL certificates that you are using for the offline repository are authorized by a Certificate Authority (CA). If however, you are using custom certificates such as open-source certificates, then you must ensure that you add these SSL certificates to the truststore of FortiSOAR and offline repository using the following command:
    cp <SSL_certificate>.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract

Setting up the Offline Repository

  1. To ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. Download setup-fsr-offline-yum-repo.bin:
    wget --no-check-certificate
    https://repo.fortisoar.fortinet.com/7.2.1/setup-fsr-offline-yum-repo.bin
  3. Run the setup-fsr-offline-yum-repo.bin file as follows, where the release_version is FortiSOAR version that you want to synchronize:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version <release_version>
    For example, to synchronize FortiSOAR version 7.2.1 use the following command:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.1
    Note: This script file creates a user whose ID and password are set to yum. This ID is used to assign ownership to the content in the '/repos' directory.
  4. Check the default server certificate and server private key in the /etc/httpd/conf.d/ssl.conf file, and if required they should be replaced.
    # Section Server Certificate
    SSLCertificateFile "/<path_to_cert>/<ssl_Certificate>.crt"
    # Section Server Private Key
    SSLCertificateKeyFile "/<path_to_cert>/<ssl_Certificate>.key"
    Checking default server certificate in httpd.conf
    After you have updated the certificates, restart the 'httpd' service:
    [root@localhost ~]# systemctl restart httpd
  5. The setup-fsr-offline-yum-repo.bin script file synchronizes the repo. Therefore, if you want to resynchronize the repo, you must rerun the script. If you do not want to rerun the script manually, you can set up a cron job to perform this task. Use the following script to set up a cron job that will run daily at 00:00 hrs and synchronize the offline repo with the prod repo:
    #!/bin/sh
    #write out current crontab
    crontab -l > mycron
    #echo new cron into cron file
    echo "0 0 * * * sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.1" >> mycron
    #install new cron file
    crontab mycron
    rm mycron

    Note: You can change the time of running the cron job as per your convenience.

Deploying FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url=<"custom_yum_url_name">
    For example, export custom_yum_url="offline-repo.fortisoar.in"
  3. Download the installer for FortiSOAR 7.2.1 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.2.1/install-fortisoar-7.2.1.bin
  4. To install FortiSOAR 7.2.1, run the following command as a root user:
    [root@localhost ~]# sh install-fortisoar-7.2.1.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS, to ignore the SSL check while installing FortiSOAR:
    [root@localhost ~]# sh install-fortisoar-7.2.1.bin ignore-ssl-check
  5. Login as the 'csadmin' user to the FortiSOAR CLI and continue to configure FortiSOAR or Secure Message Exchange (SME) and add your FortiSOAR license. For more information, see the Deploying FortiSOAR chapter.
    Note: You can add self-signed CA certificates in OS as a trusted certificate using the steps mentioned in the Adding self-signed CA certificates in Centos as trusted certificates topic in the Additional Configurations chapter.

Upgrading FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. From version 7.0.2 onward, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url=<"custom_yum_url_name">
  3. Download the upgrade installer for FortiSOAR 7.2.1 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.2.1/upgrade-fortisoar-7.2.1.bin
  4. To upgrade to FortiSOAR 7.2.1, run the following command as a root user:
    [root@localhost ~]# sh upgrade-fortisoar-7.2.1.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS, to ignore the SSL check while upgrading FortiSOAR:
    [root@localhost ~]# sh upgrade-fortisoar-7.2.1.bin --ignore-ssl-check

Troubleshooting

Peer Certificate issue not recognized error

If you have not deployed an SSL certificate deployed on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS if you are installing version 7.2.1:
# sh install-fortisoar-7.2.1.bin ignore-ssl-check
If you are upgrading to version 7.2.1, then use the following command:
# sh upgrade-fortisoar-7.2.1.bin --ignore-ssl-check

This command ignores the SSL check while installing FortiSOAR. However, you can get the following error while installing FortiSOAR on plain CentOS:
"[Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."

Resolution

Add the sslverify=false entry in the /etc/yum.conf file on the plain CentOS system, and then restart the installation.

Deploying FortiSOAR using offline repositories

This chapter describes the steps that you need to follow to deploy FortiSOAR using offline repositories.

Prerequisites

  • Virtual machine with CentOS 7.0.0 or RHEL 7.0.0 with minimal install option.
  • Access to repo.fortisoar.fortinet.com.
  • Minimum disk size: 500 GB.
  • Ensure that the SSL certificates that you are using for the offline repository are authorized by a Certificate Authority (CA). If however, you are using custom certificates such as open-source certificates, then you must ensure that you add these SSL certificates to the truststore of FortiSOAR and offline repository using the following command:
    cp <SSL_certificate>.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract

Setting up the Offline Repository

  1. To ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. Download setup-fsr-offline-yum-repo.bin:
    wget --no-check-certificate
    https://repo.fortisoar.fortinet.com/7.2.1/setup-fsr-offline-yum-repo.bin
  3. Run the setup-fsr-offline-yum-repo.bin file as follows, where the release_version is FortiSOAR version that you want to synchronize:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version <release_version>
    For example, to synchronize FortiSOAR version 7.2.1 use the following command:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.1
    Note: This script file creates a user whose ID and password are set to yum. This ID is used to assign ownership to the content in the '/repos' directory.
  4. Check the default server certificate and server private key in the /etc/httpd/conf.d/ssl.conf file, and if required they should be replaced.
    # Section Server Certificate
    SSLCertificateFile "/<path_to_cert>/<ssl_Certificate>.crt"
    # Section Server Private Key
    SSLCertificateKeyFile "/<path_to_cert>/<ssl_Certificate>.key"
    Checking default server certificate in httpd.conf
    After you have updated the certificates, restart the 'httpd' service:
    [root@localhost ~]# systemctl restart httpd
  5. The setup-fsr-offline-yum-repo.bin script file synchronizes the repo. Therefore, if you want to resynchronize the repo, you must rerun the script. If you do not want to rerun the script manually, you can set up a cron job to perform this task. Use the following script to set up a cron job that will run daily at 00:00 hrs and synchronize the offline repo with the prod repo:
    #!/bin/sh
    #write out current crontab
    crontab -l > mycron
    #echo new cron into cron file
    echo "0 0 * * * sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.1" >> mycron
    #install new cron file
    crontab mycron
    rm mycron

    Note: You can change the time of running the cron job as per your convenience.

Deploying FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url=<"custom_yum_url_name">
    For example, export custom_yum_url="offline-repo.fortisoar.in"
  3. Download the installer for FortiSOAR 7.2.1 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.2.1/install-fortisoar-7.2.1.bin
  4. To install FortiSOAR 7.2.1, run the following command as a root user:
    [root@localhost ~]# sh install-fortisoar-7.2.1.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS, to ignore the SSL check while installing FortiSOAR:
    [root@localhost ~]# sh install-fortisoar-7.2.1.bin ignore-ssl-check
  5. Login as the 'csadmin' user to the FortiSOAR CLI and continue to configure FortiSOAR or Secure Message Exchange (SME) and add your FortiSOAR license. For more information, see the Deploying FortiSOAR chapter.
    Note: You can add self-signed CA certificates in OS as a trusted certificate using the steps mentioned in the Adding self-signed CA certificates in Centos as trusted certificates topic in the Additional Configurations chapter.

Upgrading FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance and ensure that your ssh session does not timeout, run the screen command:
    [root@localhost ~]# screen –S repo
  2. From version 7.0.2 onward, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url=<"custom_yum_url_name">
  3. Download the upgrade installer for FortiSOAR 7.2.1 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.2.1/upgrade-fortisoar-7.2.1.bin
  4. To upgrade to FortiSOAR 7.2.1, run the following command as a root user:
    [root@localhost ~]# sh upgrade-fortisoar-7.2.1.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS, to ignore the SSL check while upgrading FortiSOAR:
    [root@localhost ~]# sh upgrade-fortisoar-7.2.1.bin --ignore-ssl-check

Troubleshooting

Peer Certificate issue not recognized error

If you have not deployed an SSL certificate deployed on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS if you are installing version 7.2.1:
# sh install-fortisoar-7.2.1.bin ignore-ssl-check
If you are upgrading to version 7.2.1, then use the following command:
# sh upgrade-fortisoar-7.2.1.bin --ignore-ssl-check

This command ignores the SSL check while installing FortiSOAR. However, you can get the following error while installing FortiSOAR on plain CentOS:
"[Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."

Resolution

Add the sslverify=false entry in the /etc/yum.conf file on the plain CentOS system, and then restart the installation.