Deployment Guide

Deploying FortiSOAR on a Docker platform

You can deploy FortiSOAR on Docker platforms such as VMware ESX or AWS. This allows you to easily provision FortiSOAR into your microservices architecture and use it in a cloud-native, DevOps-enabled way.

FortiSOAR also has a management extension (MEA) (Docker image) that is built with FortiAnalyzer and FortiManager. To learn more about the FortiAnalyzer MEA, see the FortiAnalyzer documentation; to learn more about the FortiManager MEA, see the FortiManager documentation.

The following topics introduce how to deploy the FortiSOAR image on Docker.

Planning

Prerequisites

To deploy the FortiSOAR image on Docker, you must have already installed Docker in your environment. If not, refer to the Docker official website for Docker installation instructions: https://docs.docker.com/.
To check whether Docker has been successfully installed, run docker version.

For resource requirement specifications, see the Deploying FortiSOAR chapter.

System Requirements

Supported Hypervisors

  • Docker Engine CE 18.09.1 or higher versions, and the equivalent Docker Engine EE versions.
NOTE: For best performance in hypervisor deployments, install FortiSOAR on a “bare metal” (Type 1) hypervisor. Hypervisors that are installed as applications on top of a general-purpose operating system (Windows, Mac OS X, or Linux) host have fewer computing resources available due to the host OS’s own overhead.

To ensure high performance, it is recommended to deploy FortiSOAR on machine types with a minimum of 8 vCPUs and a memory size larger than 32 GB.

Downloading the FortiSOAR Docker image

You can download the required FortiSOAR Docker image from the support portal.

To download the FortiSOAR Docker image, do the following:

  1. Log on to support.fortinet.com.
  2. Click Support > Firmware Download.
  3. On the Fortinet Firmware Images And Software Releases page, from the Select Product drop-down list, select FortiSOAR.
    The page contains information about released versions of FortiSOAR images, and contains two tabs: Release Notes and Downloads.
    To view the Release Notes for a particular version, click the version and build number link, which opens the FortiSOAR Document Library, from where you can view or download the release notes for that particular version.
  4. To download the Docker image, do the following:
    1. Click the Download tab.
    2. Navigate through the directory structure to open the page containing the required images. For example, to download a Docker image for version 7.3.0, click v7.00 > 7.3 > 7.3.0 and locate the required Docker image. For example, fortisoar-docker-7.3.0-<build_number>.tar.gz
    3. Download the Docker image by clicking the HTTPS link.
      An HTTPS connection is used to download the Docker image.
    4. Click the Checksum link for the image that you have downloaded.
      The image file name and checksum code are displayed in the Get Checksum Code dialog box.
    5. Confirm that the checksum of the downloaded image file matches the checksum provided on the download site.
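
Steps 4 and 5 can be scripted once the checksum has been copied from the Get Checksum Code dialog box. The following is an added example, not part of the Fortinet guide: the function name is hypothetical, and because this page does not name the hash algorithm, the script infers it from the digest length (an assumption).

```shell
#!/bin/sh
# Added example, not Fortinet code.
# verify_image_checksum FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch,
#   2 if the file is unreadable or the digest is not usable.
verify_image_checksum() {
    file=$1
    # Accept upper-case hex and stray whitespace from copy/paste.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \r\n')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "checksum is not a hex string" >&2; return 2 ;;
    esac
    # Assumption: the algorithm is inferred from the digest length.
    case ${#expected} in
        32)  tool=md5sum ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$($tool "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool) $file"
        return 0
    fi
    echo "MISMATCH ($tool) $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Load the image only when the checksum matches:
#   verify_image_checksum fortisoar-docker-7.3.0-<build_number>.tar.gz <checksum> \
#       && docker load -i fortisoar-docker-7.3.0-<build_number>.tar.gz
```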

Deploying the FortiSOAR Docker image

  1. Load the downloaded Docker image using the following command:
    docker load -i <image-path>
  2. Download the FortiSOAR Docker installer from https://repo.fortisoar.fortinet.com/7.3.0/install-fortisoar-docker-7.3.0.bin
  3. Extract the default fortisoar.env file using the following command:
    ./install-fortisoar-docker-7.3.0.bin --export-default-env
    NOTE: This command exports the fortisoar.env file to the current directory.
  4. Update the fortisoar.env file as per your environment. For more information, see the Understanding the fortisoar.env file topic.
  5. Once you have updated the fortisoar.env file, run the following command:
    ./install-fortisoar-docker-7.3.0.bin --env-file fortisoar.env
    NOTE: The fortisoar.env file is an important configuration file. Therefore, it is recommended that you take a backup of this file for future reference.
  6. To connect to FortiSOAR Docker using SSH, use the following CLI:
    docker exec -it <FSR container id or name> bash

Understanding the fortisoar.env file

The FortiSOAR Docker installer reads the FortiSOAR container configuration from the fortisoar.env file. You can use the FortiSOAR installer to export the default configuration using the following command:
./install-fortisoar-docker-7.3.0.bin --export-default-env

Sample fortisoar.env file:

# cat fortisoar.env
#
# Do not use space before or after of =
# You can retrieve the image id by executing the 'docker images' command
#
IMAGE_ID=1xxxxxxxxxx
PROJECT_NAME=fortisoar
HOSTNAME_DOCKER_HOST=docker-host.myorg.mydomain
HOSTNAME_CONTAINER=fsr-container.myorg.mydomain
PORT_UI=443
PORT_SME=5671
# RAM in GB
RAM=32
CPUS=8
IP_REPO=10.1xx.2xx.1xx
HOSTNAME_REPO=fortisoar-offline.myorgdomain
IPV6=false
#

Configurable parameters of the fortisoar.env file:

  • IMAGE_ID: The image ID of your FortiSOAR Docker image. You can find the image ID using docker images.
  • PROJECT_NAME: The identifier for your FortiSOAR container resources. The FortiSOAR installer creates the container name as '<PROJECT_NAME>_fortisoar_1', and names all the required volumes as '<PROJECT_NAME>_fortisoar_*'.
  • HOSTNAME_DOCKER_HOST: The DNS of the Docker host, which is added by default to the self-signed certificate SAN list.
  • HOSTNAME_CONTAINER: The DNS of the Docker host, which is added by default to the self-signed certificate SAN list.
    NOTE: The value of this parameter is set as the default hostname of the Docker.
  • PORT_UI: The host port of the Docker used to access the FortiSOAR UI. The traffic on this Docker host port is forwarded by the Docker to the container port 443. For example, if you set the PORT_UI as 5443 (default), then you can access FortiSOAR at https://<HOSTNAME_DOCKER_HOST>:5443/.
  • PORT_SME: By default, the FortiSOAR Docker image enables the embedded SME. The PORT_SME is the host port of the Docker to access the TCP port of the embedded SME. The traffic on this Docker host port is forwarded by Docker to the container port 5671.
  • RAM: The value of the RAM (in GB) of the FortiSOAR container.
  • CPUS: The number of CPUs for the FortiSOAR container.
  • IP_REPO: Only applicable if you are using an offline repository for FortiSOAR. This parameter refers to the IP address of the offline repository. The /etc/hosts file of the container contains the following entry:
    <IP_REPO> repo.fortisoar.fortinet.com
  • HOSTNAME_REPO: Only applicable if you are using an offline repository for FortiSOAR. This parameter refers to the hostname of the offline repository. For an offline repository, you must update the CA bundle/chain of the offline repository certificate in the container using the following steps:
    # docker cp <offline-repo-certificate-CA-bundle> <FortiSOAR-container-name>:/etc/pki/ca-trust/source/anchors/
    # docker exec -ti <FortiSOAR-container-name> bash -c "update-ca-trust force-enable"
    # docker exec -ti <FortiSOAR-container-name> bash -c "update-ca-trust extract"
  • IPV6: This parameter determines whether or not IPv6 should be enabled for the Docker. Specify true to enable IPv6 after you have ensured that the Docker runtime is able to assign IPv6 to the FortiSOAR container.
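
The rules above (no spaces around "=", numeric ports, true/false for IPV6) can be checked before the file is handed to the installer. The following is an added example, not part of the Fortinet guide or installer: the function name, the list of keys treated as required, and the port range check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Fortinet code: lint a fortisoar.env file.
# validate_fsr_env FILE -> prints one line per problem, returns 1 if any.
validate_fsr_env() {
    env_file=$1
    problems=0
    seen=" "
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;                 # blank line or comment
        esac
        case $line in
            ' '*|*' ='*|*'= '*)                  # the file forbids spaces around '='
                echo "line $lineno: space around '='"; problems=1; continue ;;
            *=*) ;;
            *)  echo "line $lineno: not KEY=VALUE"; problems=1; continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        seen="$seen$key "
        case $key in
            PORT_UI|PORT_SME)                    # host ports forwarded to 443 / 5671
                case $val in
                    ''|*[!0-9]*) echo "line $lineno: $key must be numeric"; problems=1 ;;
                    *) [ "$val" -ge 1 ] && [ "$val" -le 65535 ] ||
                           { echo "line $lineno: $key out of range"; problems=1; } ;;
                esac ;;
            RAM|CPUS)
                case $val in
                    ''|*[!0-9]*) echo "line $lineno: $key must be a whole number"; problems=1 ;;
                esac ;;
            IPV6)
                case $val in
                    true|false) ;;
                    *) echo "line $lineno: IPV6 must be true or false"; problems=1 ;;
                esac ;;
        esac
    done < "$env_file"
    # Assumption: these keys are treated as required; IP_REPO and
    # HOSTNAME_REPO apply only to offline repositories.
    for required in IMAGE_ID PROJECT_NAME HOSTNAME_DOCKER_HOST \
                    HOSTNAME_CONTAINER PORT_UI PORT_SME RAM CPUS; do
        case $seen in
            *" $required "*) ;;
            *) echo "missing: $required"; problems=1 ;;
        esac
    done
    return $problems
}

# Usage: validate_fsr_env fortisoar.env && \
#            ./install-fortisoar-docker-7.3.0.bin --env-file fortisoar.env
```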

Running the FortiSOAR Docker

Prerequisites

If your Docker runtime uses SELinux, enable the container_manage_cgroup SELinux boolean using 'setsebool' before starting the FortiSOAR Docker, as follows:
setsebool -P container_manage_cgroup 1

Mode of running the FortiSOAR Docker

The FortiSOAR Docker runs in 'non-privileged' mode. The following privileges (Linux capabilities) are assigned to the FortiSOAR container by default, and therefore also apply to your FortiSOAR instance:

  • SYS_ADMIN: Required for bind mounting /tmp on /var/tmp and for various systemd services.
  • SYS_RAWIO: Required for running ‘dmidecode’ and for various systemd services.
  • SYS_TIME: Required for running 'ntpd'.
  • SYS_PTRACE: Required for running 'systemd-journal'.
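
The list above can serve as a baseline when auditing a deployed container. The following is an added example, not part of the Fortinet guide: it compares the values that docker inspect reports for a container with the four capabilities listed on this page. The function name and the idea of treating any deviation as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Fortinet code. Compares a container's privilege settings
# with the four capabilities this page lists for the FortiSOAR container.
EXPECTED_CAPS="SYS_ADMIN SYS_PTRACE SYS_RAWIO SYS_TIME"

# audit_fsr_caps PRIVILEGED CAPADD
#   PRIVILEGED  value of .HostConfig.Privileged ("true" or "false")
#   CAPADD      space-separated .HostConfig.CapAdd entries
# Prints one line per deviation; returns 0 only when the container is
# non-privileged and its added capabilities equal EXPECTED_CAPS.
audit_fsr_caps() {
    privileged=$1
    rc=0
    if [ "$privileged" != "false" ]; then
        echo "FAIL: container runs in privileged mode"
        rc=1
    fi
    # Docker may report "SYS_ADMIN" or "CAP_SYS_ADMIN"; normalise both forms.
    actual=$(printf '%s\n' $2 | tr 'a-z' 'A-Z' | sed 's/^CAP_//' | sort -u | tr '\n' ' ')
    for cap in $actual; do
        case " $EXPECTED_CAPS " in
            *" $cap "*) ;;
            *) echo "EXTRA: $cap"; rc=1 ;;
        esac
    done
    for cap in $EXPECTED_CAPS; do
        case " $actual" in
            *" $cap "*) ;;
            *) echo "MISSING: $cap"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage against a running container named '<PROJECT_NAME>_fortisoar_1':
#   c=fortisoar_fortisoar_1
#   audit_fsr_caps \
#     "$(docker inspect -f '{{.HostConfig.Privileged}}' "$c")" \
#     "$(docker inspect -f '{{range .HostConfig.CapAdd}}{{.}} {{end}}' "$c")"
```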

Operations that are unsupported on the FortiSOAR Docker

  • High availability is not supported on the Docker for FortiSOAR. Therefore, it is recommended that you do not run the 'csadm ha' commands on the Docker for FortiSOAR.

Frequently Asked Questions

How to clean up the FortiSOAR container?

To clean up the FortiSOAR container, run the following commands:

docker stop <container id>

docker rm <container id>

docker volume prune

What happens if a user re-installs the FortiSOAR container without removing its volumes?

If a user re-installs the FortiSOAR container without removing its volumes, then the FortiSOAR container is restored from its last saved state.

How to resolve the issue of Elasticsearch-based recommendations not working on a FortiSOAR instance on a Docker platform?

By default, Elasticsearch-based recommendations do not work on a FortiSOAR Docker instance due to size limitations. To learn more about Elasticsearch-based recommendations, see the Recommendation Engine topic in the Application Editor chapter of the "Administration Guide".

To use Elasticsearch-based recommendations, you must increase the memory allocated to Elasticsearch to 4 GB, using the following steps:

  1. Update the value of the following parameters in the /etc/elasticsearch/jvm.options.d/fsr.options file to 4 GB:
    -Xms4g
    -Xmx4g
  2. Restart the Elasticsearch service using the following command:
    systemctl restart elasticsearch
  3. Reindex Elasticsearch data using the following command:
    sudo -u nginx php /opt/cyops-api/bin/console app:elastic:create --sync=true
    Now, you should be able to view Elasticsearch-based recommendations on your FortiSOAR Docker instance.
