Deployment Guide

Deploying FortiSOAR using offline repositories

This chapter describes the steps that you need to follow to deploy FortiSOAR using offline repositories.

Prerequisites

  • Virtual machine with RHEL 8.6 or Rocky Linux 8.6, with minimal install option.
  • Access to repo.fortisoar.fortinet.com.
  • Minimum disk size: 500 GB.
  • Ensure that the SSL certificates that you are using for the offline repository are authorized by a Certificate Authority (CA). If, however, you are using custom certificates such as open-source certificates, then you must add these SSL certificates to the truststore of FortiSOAR and the offline repository using the following commands:
    cp <SSL_certificate>.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract

Setting up the Offline Repository

In release 7.3.0, the FortiSOAR-supported OS changes from CentOS to Rocky Linux version 8.6 or RHEL version 8.6. Therefore, you must either set up a new offline repository on Rocky Linux version 8.6 or RHEL version 8.6, or upgrade your existing offline repository to Rocky Linux version 8.6 or RHEL version 8.6. This is required for 'rsync' to work and to ensure that the modular metadata of the repository is also synced.

  1. To ensure that your ssh session does not time out, run the tmux command:
    [root@localhost ~]# tmux
  2. Download setup-fsr-offline-yum-repo.bin:
    wget --no-check-certificate https://repo.fortisoar.fortinet.com/7.3.0/setup-fsr-offline-yum-repo.bin
  3. Run the setup-fsr-offline-yum-repo.bin file as follows, where release_version is the FortiSOAR version that you want to synchronize:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version <release_version>
    For example, to synchronize FortiSOAR version 7.3.0 use the following command:
    [root@localhost ~]# sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.3.0
    Note: This script file creates a user whose ID and password are set to yum. This ID is used to assign ownership to the content in the '/repos' directory.
  4. Check the default server certificate and server private key in the /etc/httpd/conf.d/ssl.conf file, and replace them if required:
    # Section Server Certificate
    SSLCertificateFile "/<path_to_cert>/<ssl_Certificate>.crt"
    # Section Server Private Key
    SSLCertificateKeyFile "/<path_to_cert>/<ssl_Certificate>.key"
    (Screenshot: Checking default server certificate in httpd.conf)
    After you have updated the certificates, restart the 'httpd' service:
    [root@localhost ~]# systemctl restart httpd
  5. The setup-fsr-offline-yum-repo.bin script file synchronizes the repo. Therefore, if you want to resynchronize the repo, you must rerun the script. If you do not want to rerun the script manually, you can set up a cron job to perform this task. Use the following script to set up a cron job that will run daily at 00:00 hrs and synchronize the offline repo with the prod repo:
    #!/bin/sh
    # Write out the current crontab (empty if none exists yet)
    crontab -l 2>/dev/null > mycron
    # Append the new cron entry to the cron file
    echo "0 0 * * * sh /root/setup-fsr-offline-yum-repo.bin --release_version 7.3.0" >> mycron
    # Install the new cron file
    crontab mycron
    rm mycron

    Note: You can change the time of running the cron job as per your convenience.

Deploying FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance. To ensure that your ssh session does not time out, run the tmux command:
    [root@localhost ~]# tmux
  2. From version 7.0.2 onwards, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url="<custom_yum_url_name>"
    For example, export custom_yum_url="offline-repo.fortisoar.in"
  3. Download the installer for FortiSOAR 7.3.0 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.3.0/install-fortisoar-7.3.0.bin
  4. To install FortiSOAR 7.3.0, run the following command as a root user:
    [root@localhost ~]# sh install-fortisoar-7.3.0.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on a plain Rocky Linux or RHEL system, to ignore the SSL check while installing FortiSOAR:
    [root@localhost ~]# sh install-fortisoar-7.3.0.bin ignore-ssl-check
  5. Log in as the 'csadmin' user to the FortiSOAR CLI and continue to configure FortiSOAR or Secure Message Exchange (SME) and add your FortiSOAR license. For more information, see the Deploying FortiSOAR chapter.
    Note: You can add self-signed CA certificates to the OS as trusted certificates using the steps mentioned in the Adding self-signed CA certificates in Rocky Linux or RHEL as trusted certificates topic in the Additional Configurations chapter.

Upgrading FortiSOAR using the Offline Repository

  1. Ensure that the offline repository host is accessible from the FortiSOAR appliance. To ensure that your ssh session does not time out, run the tmux command:
    [root@localhost ~]# tmux
  2. From version 7.0.2 onward, if you are using your private repository to install or upgrade FortiSOAR, then use the following command to export the "custom_yum_url" variable before running the fresh install or upgrade script:
    export custom_yum_url="<custom_yum_url_name>"
  3. Download the upgrade installer for FortiSOAR 7.3.0 using the following command:
    [root@localhost ~]# wget https://<offline repo>/7.3.0/fortisoar-inplace-upgrade-7.3.0.bin
  4. To upgrade to FortiSOAR 7.3.0, run the following command as a root user:
    [root@localhost ~]# sh fortisoar-inplace-upgrade-7.3.0.bin
    If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on a plain Rocky Linux or RHEL system, to ignore the SSL check while upgrading FortiSOAR:
    [root@localhost ~]# sh fortisoar-inplace-upgrade-7.3.0.bin --ignore-ssl-check

Installing a FSR agent using an offline repo, where the certificate on your offline repo is self-trusted

To install a FSR agent using an offline repo, where the certificate on your offline repo is self-trusted, you need to follow some steps in addition to the steps mentioned in the Installing a FSR agent topic in the Deploying FortiSOAR chapter. If you are installing a FSR agent using an offline repo, where the Certificate Authority is known to the FSR agent VM, you can follow the steps (no additional steps needed) mentioned in the Installing a FSR agent topic in the Deploying FortiSOAR chapter.

To install a FSR agent using an offline repo, where the certificate on your offline repo is self-trusted, do the following:

  1. Before running the FSR Agent installer (<agent-name>-install.bin), edit the /etc/yum.conf file, and add sslverify=false, and then save the yum.conf file.
  2. Install the FSR Agent using the FSR Agent installer as mentioned in the Installing a FSR agent topic in the Deploying FortiSOAR chapter.
  3. Once the FSR Agent installer process is completed, edit the /opt/cyops-integrations/.env/pip.conf file and add trusted-host = <Offline repo FQDN>, and then save the pip.conf file.
    Sample of the pip.conf file:
    [global]
    trusted-host = repo.fortisoar.fortinet.com
    extra-index-url= https://repo.fortisoar.fortinet.com/prod/connectors/deps/simple/
  4. Run the following command to find the connector requirements (dependencies) and install them:
    for requirements in $(find /opt/cyops/configs/integrations/connectors/ -name requirements.txt); do sudo -u fortisoar /opt/cyops-integrations/.env/bin/pip install -r "$requirements"; done
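
The procedure above leaves sslverify=false in yum.conf and a trusted-host entry in pip.conf. The following added example (not Fortinet code) lists such entries so they can be reviewed once the repository's CA is in the truststore as described in Prerequisites. The function names, sample files and the host offline-repo.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code): list TLS-verification bypasses that remain
# in a yum.conf and a pip.conf. Both file paths are supplied by the caller.

# Print "file:line: sslverify=<value>" for each active entry that disables it.
find_yum_bypass() {
    awk -v f="$1" '{
        line = tolower($0)
        sub(/[#;].*$/, "", line)          # drop comments
        gsub(/[ \t]/, "", line)           # "sslverify = False" -> "sslverify=false"
        if (line ~ /^sslverify=(false|0|no|off)$/)
            printf "%s:%d: %s\n", f, NR, line
    }' "$1"
}

# Print "file:line: <host>" for each active trusted-host entry.
find_pip_trusted_hosts() {
    awk -v f="$1" '{
        line = $0
        sub(/[#;].*$/, "", line)
        gsub(/[ \t]/, "", line)
        if (tolower(line) ~ /^trusted-host=./) {
            sub(/^[^=]*=/, "", line)
            printf "%s:%d: %s\n", f, NR, line
        }
    }' "$1"
}

# Exit status 0 when neither file weakens verification, 1 (plus a report) otherwise.
audit_tls_bypass() {
    findings=$( { find_yum_bypass "$1"; find_pip_trusted_hosts "$2"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (not taken from a real system); the host name is a placeholder.
write_samples() {
    printf '[main]\ngpgcheck=1\nsslverify = False\n' > "$1/yum.conf"
    printf '[global]\ntrusted-host = offline-repo.example.test\n' > "$1/pip.conf"
    printf '[main]\ngpgcheck=1\n# sslverify=false\n' > "$1/yum.clean.conf"
    printf '[global]\nindex-url = https://offline-repo.example.test/simple/\n' > "$1/pip.clean.conf"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
audit_tls_bypass "$demo_dir/yum.conf" "$demo_dir/pip.conf" || echo "review the entries above"
rm -rf "$demo_dir"
```

On an agent VM the call would be audit_tls_bypass /etc/yum.conf /opt/cyops-integrations/.env/pip.conf; trusted-host values continued on following lines are not followed.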

Troubleshooting

Peer Certificate issuer not recognized error

If you have not deployed an SSL certificate on your offline repo or you have a self-signed certificate deployed on your offline repo, then run the following command on a plain Rocky Linux or RHEL system if you are installing version 7.3.0:
# sh install-fortisoar-7.3.0.bin ignore-ssl-check
If you are upgrading to version 7.3.0, then use the following command:
# sh upgrade-fortisoar-7.3.0.bin --ignore-ssl-check

This command ignores the SSL check while installing FortiSOAR. However, you can get the following error while installing FortiSOAR on a plain Rocky Linux or RHEL system:
"[Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."

Resolution

Add the sslverify=false entry in the /etc/yum.conf file on the plain Rocky Linux or RHEL system, and then restart the installation.
