Deploying FortiSOAR™

This chapter covers the process of deploying FortiSOAR™, and the initial configuration required for FortiSOAR™. You can perform the initial configuration for FortiSOAR™ using the FortiSOAR Configuration Wizard.

The following image displays the high-level tasks for deploying FortiSOAR™:

High-level process for deploying FortiSOAR™

Planning

Virtual Machine (VM)

Minimum Specifications

  • 8 available vCPUs
  • 22 GB available RAM
  • 500 GB available disk space: Recommended to have high-performance storage, preferably SSDs.
  • 1 vNIC

Recommended Specifications

  • 8 available vCPUs
  • 32 GB available RAM
  • 1 TB available disk space: Recommended to have high-performance storage, preferably SSDs.
  • 1 vNIC

Important: In case of an MSSP setup, contact your FortiSOAR™ Customer Success (CS) representative for sizing requirements.

Supported Hypervisors

  • VMware ESX 5.5 or higher
  • Amazon Web Services (AWS)

VM Inbound Networking

Enable the following ports for the VM within your VM network:

  • 22 Management (ssh)
  • 443 User Interface (https)

VM Outbound Networking

For FortiSOAR™ to correctly interact with your network, you must provide access between the FortiSOAR™ VM and the third-party products and services configured within your network.

To accomplish this, enable the following ports for SSH, SMTP, and HTTPS access:

  • 22 Management (ssh)
  • 25 Email SMTP relay server. This port can be different based on your environment.
  • 443 User Interface (https)

Note

Depending on the type of connectors used in Playbooks, you might need to open other ports or services.

Credentials

Credentials to access SSH management and the FortiSOAR™ User Interface are:

Username: csadmin

Password: changeme

From FortiSOAR™ 6.0.0 onwards, the UI password of the 'csadmin' user for the AWS enterprise and AWS community images is set to the "instance_id" of your instance.
To find the instance ID of your FortiSOAR™ AWS instance, SSH to the instance and run the cloud-init query instance_id command.

Important

You must change the default password once you initially log on to FortiSOAR™.

Requirements

The following requirements are optional, but it is highly recommended that Internet access be provided, both for upgrading FortiSOAR™ and for installing new out-of-the-box connectors.

Whitelist the following URLs in your Firewall or Proxy servers:

For upgrading FortiSOAR™: https://update.cybersponse.com.

For Connector Dependencies: https://pypi.python.org.
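
The sizing and networking requirements above can be checked before the appliance is imported. The following pre-flight script is an added example, not Fortinet's tooling; it treats the larger second set of specifications as the recommended tier, assumes the FortiSOAR data lives on the root filesystem, and reads the SMTP relay name from an SMTP_RELAY variable (the default value is a placeholder).

```shell
#!/bin/sh
# Added pre-flight check for the FortiSOAR planning requirements; example code, not
# Fortinet's tooling. Thresholds: minimum 8 vCPU / 22 GB RAM / 500 GB disk, recommended
# 8 vCPU / 32 GB RAM / 1 TB disk (1 TB taken as 1000 GB).

# size_tier CPUS RAM_GB DISK_GB -> prints insufficient, minimum or recommended
size_tier() {
    if [ "$1" -ge 8 ] && [ "$2" -ge 32 ] && [ "$3" -ge 1000 ]; then
        echo recommended
    elif [ "$1" -ge 8 ] && [ "$2" -ge 22 ] && [ "$3" -ge 500 ]; then
        echo minimum
    else
        echo insufficient
    fi
}

# host_tier -> reads this host's vCPUs, RAM and free space on / (assumed to hold the
# FortiSOAR data) and prints them with the tier they satisfy. MemTotal is slightly below
# the allocated size because of kernel-reserved memory, so the kB value is rounded up.
host_tier() {
    cpus=$(nproc)
    ram=$(awk '/^MemTotal:/ { printf "%d", ($2 + 1048575) / 1048576 }' /proc/meminfo)
    disk=$(df -BG --output=avail / | tail -n 1 | tr -dc '0-9')
    echo "vCPUs=$cpus RAM_GB=$ram DISK_GB=$disk tier=$(size_tier "$cpus" "$ram" "$disk")"
}

# outbound_check -> probes the two URLs to whitelist and the SMTP relay on port 25
# (relay name comes from $SMTP_RELAY; the default below is a placeholder)
outbound_check() {
    for url in https://update.cybersponse.com https://pypi.python.org; do
        if curl -sS --max-time 10 -o /dev/null "$url"; then
            echo "OK   $url"
        else
            echo "FAIL $url (check the firewall/proxy whitelist)"
        fi
    done
    relay=${SMTP_RELAY:-smtp-relay.example.internal}
    if nc -z -w 5 "$relay" 25; then echo "OK   $relay:25"; else echo "FAIL $relay:25"; fi
}

# Run the live checks only when invoked as: sh preflight.sh run
if [ "${1-}" = "run" ]; then
    host_tier
    outbound_check
fi
```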

Importing the FortiSOAR™ Virtual Appliance

Use the vSphere Client or VI Client to import the Virtual Appliance into the ESX/ESXi server. See the VMware documentation for the steps to import a Virtual Appliance.

Important

After you import the FortiSOAR™ Virtual Appliance and the FortiSOAR™ system boots up, the IP address of the system is displayed on the command prompt. You can share this IP address with users who need to configure FortiSOAR™ using the FortiSOAR Configuration Wizard.

Deploying the FortiSOAR™ Virtual Appliance

Before you begin the deployment process, ensure that your VM is configured as per the specifications outlined in the Planning section.

Deploying the FortiSOAR™ Virtual Appliance using vSphere or vCenter

Once you have ensured that you have met all the specifications, deploy the FortiSOAR™ Virtual Appliance using vSphere or vCenter. See the VMware documentation for steps on how to deploy a Virtual Appliance.

Deploying the FortiSOAR™ Virtual Appliance using AWS

Once you have ensured that you have met all the specifications, perform the following steps to deploy the FortiSOAR™ Virtual Appliance on Amazon Web Services (AWS):

  1. Log into your AWS account and upload the FortiSOAR™ Virtual Appliance to Amazon Web Services (AWS).
  2. From the Amazon EC2 console dashboard, choose Launch Instance, to launch the FortiSOAR™ instance.
  3. On the Choose an Amazon Machine Image (AMI) page, choose the AMI and start configuring the instance.

After you finish deploying FortiSOAR™ and connect to your FortiSOAR™ VM for the first time, the EULA agreement page is displayed. You must accept the EULA to continue with your FortiSOAR™ configuration. If you do not accept the EULA, the OS halts; you then have to restart your FortiSOAR™ VM (power off, power on), reconnect to the FortiSOAR™ VM, and accept the EULA to continue with your FortiSOAR™ configuration.

FortiSOAR Configuration Wizard

A configuration wizard runs automatically on the first ssh login by the csadmin user and performs the initial configuration steps that are required for FortiSOAR™. The wizard guides you through the configuration process with appropriate instructions so that you can efficiently perform the initial configuration required for FortiSOAR™. To begin running the configuration wizard, you must accept the Fortinet End User License Agreement.

The wizard performs the following configuration steps:

  1. Change hostname: (Optional) You can change the hostname of your FortiSOAR™ VM. The wizard checks whether the hostname is valid and reports an error if it is not. FortiSOAR™ optionally also asks for additional DNS servers.
  2. Configure Proxy: (Optional) You can configure an HTTPS/HTTP proxy server to serve all HTTPS/HTTP requests from FortiSOAR™. To configure the proxy, you must specify the username and password, and the hostname and port number, of the HTTPS or HTTP proxy server. For example, to configure an HTTPS proxy, enter the proxy details in the following format: https://user:password@[ip/fqdn]:port. You can also configure a comma-separated list of hostnames that do not need to be routed through the proxy server, for example: [ip1/fqdn1], [ip2/fqdn2]
  3. Set up messaging broker: This is an automatic process to set up messaging between FortiSOAR™ services.
  4. Update network configuration: This is an automatic process.
  5. Set up intra-service authentication: This is an automatic process to generate new appliance keys unique to your instance for communication to the FortiSOAR™ services.
  6. Generate certificates: This is an automatic process; no input is required.
  7. Generate hardware key: This is an automatic process; no input is required. The wizard also saves the hardware key in the /home/csadmin/hkey file.
    Once the hardware key is generated, send it to FortiSOAR™ Customer Support (CS) to generate the license file that you need before you can begin using FortiSOAR™. For more information, see the Licensing FortiSOAR™ topic.
    Important: You are logged out after the FortiSOAR™ VM is configured, so that the changes can take effect. Therefore, you must ssh to the FortiSOAR™ VM again.
  8. Reset database passwords: This is an automatic process that resets the database passwords to new passwords unique to your instance.
  9. Restart services: This is an automatic process that restarts all FortiSOAR™ services.
  10. Configure default HA cluster: This is an automatic process that creates the default single-node HA cluster. This FortiSOAR™ server is created as a primary-active node.
  11. Install python libraries: This is an automatic process to install some python libraries required by FortiSOAR™.

After the FortiSOAR Configuration Wizard is run, it displays the following:

  • Hardware Key
  • Path of where the Hardware Key is saved
  • Path of the Configuration Wizard log

Note: If the FortiSOAR Configuration Wizard displays errors while it is running, you can troubleshoot them by checking its logs, which are located at /var/log/cyops/install/config_vm_<timestamp>. For example, /var/log/cyops/install/config-vm-09_Nov_2018_05h_37m_36s.log.

Important: If you want to replace the Self-Signed Certificates with your own signed certificates, see the Replacing FortiSOAR™ self-signed certificates with your own signed certificates topic.
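
The hostname and proxy values of wizard steps 1 and 2 can be checked before they are typed in, so the wizard does not stop on an invalid entry. The script below is an added example and not part of FortiSOAR; it assumes the proxy format https://user:password@[ip/fqdn]:port shown above, accepts http:// as well, and checks hostnames against the RFC 1123 label rules.

```shell
#!/bin/sh
# Added example, not part of FortiSOAR: validate the hostname, proxy URL and no-proxy
# list before typing them into the Configuration Wizard, so steps 1 and 2 do not fail.

# valid_hostname NAME -> 0 for an RFC 1123 hostname: dot-separated labels of 1-63
# letters, digits or hyphens, no leading/trailing hyphen, at most 253 characters in all
valid_hostname() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# valid_proxy URL -> 0 if URL has the wizard's shape https://user:password@[ip/fqdn]:port
# (http:// is accepted too); the port must be 1-65535
valid_proxy() {
    printf '%s\n' "$1" | grep -Eq \
        '^https?://[^:@/[:space:]]+:[^@/[:space:]]+@[^:@/[:space:]]+:[0-9]{1,5}$' || return 1
    port=${1##*:}
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# valid_noproxy LIST -> 0 if LIST is a comma-separated list of hostnames/IPs with no
# empty entries, e.g. "10.0.0.5, fortisoar.internal" (spaces around commas are ignored)
valid_noproxy() {
    old_ifs=$IFS
    IFS=,
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        if [ -z "$entry" ] || ! valid_hostname "$entry"; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# wizard_inputs_ok HOST PROXY NOPROXY -> reports each field and returns 1 if any is invalid
wizard_inputs_ok() {
    rc=0
    valid_hostname "$1" && echo "hostname  OK: $1" || { echo "hostname  BAD: $1"; rc=1; }
    valid_proxy "$2" && echo "proxy     OK" || { echo "proxy     BAD: expected https://user:password@host:port"; rc=1; }
    valid_noproxy "$3" && echo "no-proxy  OK: $3" || { echo "no-proxy  BAD: $3"; rc=1; }
    return $rc
}
```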

Pointing the ntpd service to a valid ntp server

If you need to change the system time on your FortiSOAR™ instance, perform this step immediately after running the FortiSOAR Configuration Wizard.

The ntpd service runs on your FortiSOAR™ instance and must be pointed to a valid NTP server. If the /etc/ntp.conf file contains entries for NTP servers that are not valid, you might face Invalid System Time issues, in which case you might not be able to log on to your FortiSOAR™ instance. Edit the /etc/ntp.conf file to add the details of one or more valid NTP servers. For a list of common NTP servers, go to https://www.ntppool.org/en/.

If your FortiSOAR™ VM does not have access to the internet, edit /etc/ntp.conf to add the details of a valid NTP server within your datacenter.
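
A stale server entry is easier to catch before the login failure described above than after it. The following script is an added example and not Fortinet's tooling; it lists the server and pool entries of an ntp.conf, checks that each resolves, and queries it with ntpdate -q when that command is installed. The sample configuration it builds is constructed for the check and is not a real FortiSOAR file.

```shell
#!/bin/sh
# Added example, not Fortinet's tooling: check every server/pool entry in an ntp.conf so a
# stale or unreachable entry is caught before it causes the Invalid System Time lockout.

# ntp_servers FILE -> prints the host of each server/pool line, skipping comments and the
# 127.127.x.x local-clock driver addresses that ntpd uses as a fallback
ntp_servers() {
    awk '$1 ~ /^(server|pool)$/ && $2 !~ /^127\.127\./ { print $2 }' "$1"
}

# probe_server HOST -> 0 if HOST resolves and (when ntpdate is installed) answers a query
probe_server() {
    if ! getent hosts "$1" >/dev/null 2>&1; then
        echo "UNRESOLVED $1"
        return 1
    fi
    if command -v ntpdate >/dev/null 2>&1 && ! ntpdate -q "$1" >/dev/null 2>&1; then
        echo "NO-REPLY   $1"
        return 1
    fi
    echo "OK         $1"
}

# check_ntp_conf [FILE] -> probes every entry of FILE (default /etc/ntp.conf) and returns
# the number of failing entries as the exit status (0 = all entries are usable)
check_ntp_conf() {
    bad=0
    for h in $(ntp_servers "${1:-/etc/ntp.conf}"); do
        probe_server "$h" || bad=$((bad + 1))
    done
    return "$bad"
}

# make_sample_conf -> writes a constructed ntp.conf to a temp file and prints its path
# (a comment, the local clock, one public pool and one internal server placeholder)
make_sample_conf() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample, not a real FortiSOAR configuration' \
        'server 127.127.1.0' \
        'pool 0.pool.ntp.org iburst' \
        'server ntp.corp.example iburst' > "$tmp"
    echo "$tmp"
}
```

Run check_ntp_conf with no argument on the instance itself; a non-zero exit status tells you how many entries need to be replaced.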

Editing the VM configuration

You do not have to perform the following steps, but they can quickly help you get access to the FortiSOAR™ VM:

  1. Setting a static IP
  2. Determining your DHCP IP Address

Setting a static IP

  1. On the ESX console for your FortiSOAR™ VM, log in to the VM as the csadmin user.
  2. Type sudo -i in the terminal and press Enter to become the root user.
  3. Once you are logged in to the terminal, type nmtui and press Enter.
    Entering nmtui on the terminal
  4. On the first screen, select the Edit a connection option and press Enter.
    Edit a connection option
  5. On the second screen, select the connection listed under Ethernet, which is Wired connection 1 and select <Edit...>.
    Select the Ethernet connection
  6. Use the arrow keys to select <Show> that appears to the right of the IPv4 Configuration option and press Enter.
  7. Enter the required information for your network. You must enter all the information, such as IP Address, Gateway, DNS servers address, on this screen:
    IPv4 Configuration
  8. (Optional) If you want to configure IPv6, repeat steps 5 and 6 and then enter the required information, such as IPv6 Address, for your network.
  9. Ensure that you have selected the Automatically connect and Available to all users options.
    Automatically connect and Available to all users options
  10. Select <OK> and press Enter.
  11. Select <Back> and press Enter.
  12. Select <OK> and press Enter.
  13. Restart the network service using the systemctl restart network command.

Once the network service restarts, you can use the assigned static IP.

Determining your DHCP IP address

  1. On the ESX console for your FortiSOAR™ VM, log in to the FortiSOAR™ VM as the root user.
  2. Type ifconfig | more in the terminal and press Enter.
    Your IP address is listed in the eth** section, next to inet, as displayed in the following image:
    DHCP IP address

Note

Once you have completed configuring the hostname and IP address, ensure that the default inbound ports mentioned in the 'VM Inbound Networking' section are open and accessible.

Now you must follow the licensing process required for FortiSOAR™; after that, you can use this IP address to log on to the FortiSOAR™ UI and begin configuring the system. See the Licensing in FortiSOAR™ chapter for more information.