Deploying FortiSOAR using offline repositories
This chapter describes the steps that you need to follow to deploy FortiSOAR using offline repositories.
Prerequisites
- Virtual machine with CentOS 7.0.0 or RHEL 7.0.0 with minimal install option.
- Access to repo.fortisoar.fortinet.com.
- Minimum disk size: 500 GB.
- Ensure that the SSL certificates that you are using for the offline repository are issued by a Certificate Authority (CA). If, however, you are using custom or self-signed certificates, you must add them to the truststore of both FortiSOAR and the offline repository host using the following commands:
cp <SSL_certificate>.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Setting up the Offline Repository
- To ensure that your ssh session does not time out, run the screen command:
[root@localhost ~]# screen -S repo
- Download setup-fsr-offline-yum-repo.bin:
[root@localhost ~]# wget --no-check-certificate https://repo.fortisoar.fortinet.com/7.2.2/setup-fsr-offline-yum-repo.bin
- Run the setup-fsr-offline-yum-repo.bin file as follows, where release_version is the FortiSOAR version that you want to synchronize:
[root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version <release_version>
For example, to synchronize FortiSOAR version 7.2.2, use the following command:
[root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.2
Note: This script creates a user whose ID and password are both set to yum. This ID is used to assign ownership of the content in the '/repos' directory.
- Check the default server certificate and server private key in the /etc/httpd/conf.d/ssl.conf file, and replace them if required:
# Section Server Certificate
SSLCertificateFile "/<path_to_cert>/<ssl_Certificate>.crt"
# Section Server Private Key
SSLCertificateKeyFile "/<path_to_cert>/<ssl_Certificate>.key"
After you have updated the certificates, restart the 'httpd' service:
[root@localhost ~]# systemctl restart httpd
- The setup-fsr-offline-yum-repo.bin script synchronizes the repo only when it is run. Therefore, to resynchronize the repo, you must rerun the script. If you do not want to rerun the script manually, you can set up a cron job to perform this task. Use the following script to set up a cron job that runs daily at 00:00 hrs and synchronizes the offline repo with the prod repo:
#!/bin/sh
# write out the current crontab (empty if no crontab exists yet)
crontab -l 2>/dev/null > mycron
# append the daily sync job; the whole crontab entry must be on one line
echo "0 0 * * * sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.2.2" >> mycron
# install the new cron file
crontab mycron
rm mycron
Note: You can change the time at which the cron job runs as per your convenience.
Deploying FortiSOAR using the Offline Repository
- Ensure that the offline repository host is accessible from the FortiSOAR appliance. To ensure that your ssh session does not time out, run the screen command:
[root@localhost ~]# screen -S repo
- From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, export the "custom_yum_url" variable before running the fresh install or upgrade script:
export custom_yum_url="<custom_yum_url_name>"
For example:
export custom_yum_url="offline-repo.fortisoar.in"
- Download the installer for FortiSOAR 7.2.2 using the following command:
[root@localhost ~]# wget https://<offline repo>/7.2.2/install-fortisoar-7.2.2.bin
- To install FortiSOAR 7.2.2, run the following command as a root user:
[root@localhost ~]# sh install-fortisoar-7.2.2.bin
If you have not deployed an SSL certificate on your offline repo, or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS to ignore the SSL check while installing FortiSOAR:
[root@localhost ~]# sh install-fortisoar-7.2.2.bin ignore-ssl-check
- Log in to the FortiSOAR CLI as the 'csadmin' user and continue to configure FortiSOAR or Secure Message Exchange (SME) and add your FortiSOAR license. For more information, see the Deploying FortiSOAR chapter.
Note: You can add self-signed CA certificates to the OS as trusted certificates using the steps mentioned in the Adding self-signed CA certificates in CentOS as trusted certificates topic in the Additional Configurations chapter.
Upgrading FortiSOAR using the Offline Repository
- Ensure that the offline repository host is accessible from the FortiSOAR appliance. To ensure that your ssh session does not time out, run the screen command:
[root@localhost ~]# screen -S repo
- From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, export the "custom_yum_url" variable before running the fresh install or upgrade script:
export custom_yum_url="<custom_yum_url_name>"
- Download the upgrade installer for FortiSOAR 7.2.2 using the following command:
[root@localhost ~]# wget https://<offline repo>/7.2.2/upgrade-fortisoar-7.2.2.bin
- To upgrade to FortiSOAR 7.2.2, run the following command as a root user:
[root@localhost ~]# sh upgrade-fortisoar-7.2.2.bin
If you have not deployed an SSL certificate on your offline repo, or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS to ignore the SSL check while upgrading FortiSOAR:
[root@localhost ~]# sh upgrade-fortisoar-7.2.2.bin --ignore-ssl-check
Troubleshooting
Peer's Certificate issuer is not recognized error
If you have not deployed an SSL certificate on your offline repo, or you have a self-signed certificate deployed on your offline repo, then run the following command on plain CentOS if you are installing version 7.2.2:
# sh install-fortisoar-7.2.2.bin ignore-ssl-check
If you are upgrading to version 7.2.2, then use the following command:
# sh upgrade-fortisoar-7.2.2.bin --ignore-ssl-check
This command ignores the SSL check while installing FortiSOAR. However, you can still get the following error while installing FortiSOAR on plain CentOS:
[Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
Resolution
Add the sslverify=false entry to the /etc/yum.conf file on the plain CentOS system, and then restart the installation.
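Added example, not part of the Fortinet documentation or of the FortiSOAR installer, covering the two trust steps on this page: adding a custom CA to the truststore (Prerequisites) and the sslverify=false workaround from the Resolution above. It assumes the anchors directory and /etc/yum.conf paths named on the page, and treats ANCHORS_DIR and YUM_CONF as overridable so the checks can be run against copies.

```shell
#!/bin/sh
# Added example, not a Fortinet script: audit the TLS trust settings this
# chapter touches. ANCHORS_DIR and YUM_CONF default to the files the chapter
# names; override them to run the checks against copies.
ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
YUM_CONF="${YUM_CONF:-/etc/yum.conf}"

# Return 0 if the file is a PEM certificate that update-ca-trust will pick
# up from the anchors directory, 1 otherwise.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Add a CA certificate to the system trust store (the two-command sequence
# from the Prerequisites). Refuses non-PEM input so a private key or a DER
# blob is not dropped into the anchors directory by mistake.
add_ca_anchor() {
    is_pem_cert "$1" || return 1
    mkdir -p "$ANCHORS_DIR" && cp "$1" "$ANCHORS_DIR/" || return 1
    # update-ca-trust only exists on RHEL/CentOS and only matters for the
    # real trust store; skip it when working on a copy
    if [ "$ANCHORS_DIR" = /etc/pki/ca-trust/source/anchors ] &&
        command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    fi
}

# Return 0 if yum is configured to skip TLS verification (the sslverify=false
# workaround from the Troubleshooting section), 1 if verification is on.
yum_ssl_verify_disabled() {
    grep -Eiq '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|0|no)' "$YUM_CONF" 2>/dev/null
}

# Remove the sslverify=false workaround once the repo CA is trusted, so that
# later package installs verify the offline repo's certificate again.
reenable_yum_ssl_verify() {
    [ -f "$YUM_CONF" ] || return 1
    sed -i -E '/^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|0|no)[[:space:]]*$/d' "$YUM_CONF"
}
```

Once the repo CA has been added with add_ca_anchor, reenable_yum_ssl_verify removes the workaround so yum verifies the offline repo's certificate on subsequent installs.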