Hypervisor Installations

Topics in this section cover the instructions for importing the AccelOps disk image into specific hypervisors and configuring the AccelOps virtual appliance. See the topics under General Installation for information on installation tasks that are common to all hypervisors.

Installing in Amazon Web Services (AWS)

Determining the Storage Type for EventDB in AWS

Configuring Local Storage in AWS for EventDB

Setting Up Supervisor, Worker and Collector Nodes in AWS

Setting Up AWS Instances

Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS

Configuring the Supervisor and Worker Nodes in AWS

Registering the Collector to the Supervisor in AWS

Setting up a Network Bridge for Installing AccelOps in KVM

Importing the Supervisor, Collector, or Worker Image into KVM

Configuring Supervisor Hardware Settings in KVM

Importing a Supervisor, Collector, or Worker Image into Microsoft Hyper-V

Setting the Network Time Protocol (NTP) for ESX

Installing a Supervisor, Worker, or Collector Node in ESX

Importing the Supervisor, Collector, or Worker Image into the ESX Server

Editing the Supervisor, Collector, or Worker Hardware Settings

Setting Local Storage for the Supervisor

Troubleshooting Tips for Supervisor Installations

Configuring the Supervisor, Worker, or Collector from the VM Console

Installing in Amazon Web Services (AWS)

You Must Use an Amazon Virtual Private Cloud with AccelOps

You must set up a Virtual Private Cloud (VPC) in Amazon Web Services for FortiSIEM deployment rather than classic EC2. FortiSIEM does not support installation in classic EC2. See the Amazon VPC documentation for more information on setting up and configuring a VPC. See Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS for information on how to prevent the public IPs of your instances from changing when they are stopped and started.

Using NFS Storage with Amazon Web Services

If the aggregate EPS for your FortiSIEM installation requires a cluster (a FortiSIEM virtual appliance + Worker nodes), then you must set up an NFS server. If your storage requirements for the EventDB are more than 1TB, it is strongly recommended that you use an NFS server where you can configure LVM+RAID0. For more information, see Setting Up NFS Storage in AWS.

Note: SVN password reset issue after system reboot for FortiSIEM 3.7.6 customers in AWS Virtual Private Cloud (VPC)

FortiSIEM uses SVN to store monitored device configurations. In AWS VPC setup, we have noticed that FortiSIEM SVN password gets changed if the system reboots – this prevents FortiSIEM from storing new configuration changes and viewing old configurations. The following procedure can be used to reset the SVN password to FortiSIEM factory default so that FortiSIEM can continue working correctly.

This script needs to be run only once.

  1. Log on to the Supervisor.
  2. Copy the attached “ao_svnpwd_reset.sh” script to the Supervisor on the EC2+VPC deployment.
  3. Stop all backend processes before running the script by issuing the following command: phtools --stop all
  4. Run the following command to make the script executable: “chmod +x ao_svnpwd_reset.sh”
  5. Execute “ao_svnpwd_reset.sh” as the root user: “./ao_svnpwd_reset.sh”
  6. The system will reboot.
  7. Check SVN access to make sure that old configurations can be viewed.

Determining the Storage Type for EventDB in AWS

If the aggregate EPS for your FortiSIEM installation requires a cluster (a virtual appliance + Worker nodes), then you must set up an NFS server as described in Using NFS Storage with Amazon Web Services. If your storage requirement for EventDB is more than 1TB, it is recommended that you use an NFS server where you can configure LVM+RAID0, which is also described in those topics. Although it is possible to set up a similar LVM+RAID0 on the FortiSIEM virtual appliance itself, this has not been tested.

Here’s an example of how to calculate storage requirements: At 5000 EPS, you can calculate daily storage requirements to be about 22-30GB (300k events take roughly 15-20MB on average in compressed format stored in eventDB). So, in order to have 6 months of data available for querying, you need to have 4 – 6TB of storage.
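The estimate above as a small capacity calculator (an added example, not FortiSIEM documentation or code): it takes the page's figure of 15-20 MB per 300,000 compressed events, returns the daily and retention-period storage range for a given EPS, and applies this section's rule for choosing a local EBS volume or an NFS server. Units are decimal (1000-based); the function names are mine, the thresholds are the page's.

```python
"""Capacity estimate for the FortiSIEM EventDB using the figures given on the page:
300k events occupy roughly 15-20 MB in compressed form. Added example, not vendor code."""

EVENTS_PER_CHUNK = 300_000            # events per 15-20 MB compressed chunk (page figure)
CHUNK_MB_LOW, CHUNK_MB_HIGH = 15, 20  # compressed size range of one chunk, in MB
SECONDS_PER_DAY = 86_400


def daily_storage_gb(eps):
    """Return (low, high) GB per day for a sustained rate of `eps` events per second."""
    chunks_per_day = eps * SECONDS_PER_DAY / EVENTS_PER_CHUNK
    return (chunks_per_day * CHUNK_MB_LOW / 1000,
            chunks_per_day * CHUNK_MB_HIGH / 1000)


def retention_storage_tb(eps, days):
    """Return (low, high) TB needed to keep `days` of data available for querying."""
    low, high = daily_storage_gb(eps)
    return (low * days / 1000, high * days / 1000)


def recommend_storage(eps, days):
    """Apply the page's rule: a local EBS volume only when a single node will stay
    under 1 TB even at the high end of the estimate, otherwise NFS with LVM+RAID0."""
    _, high_tb = retention_storage_tb(eps, days)
    if high_tb < 1.0:
        return "local EBS volume (/dev/xvdi) on the Supervisor"
    return "NFS server with LVM+RAID0"


if __name__ == "__main__":
    # The page's own case: 5000 EPS kept for roughly six months (180 days).
    print("daily GB:", daily_storage_gb(5000))          # about 21.6 to 28.8
    print("6 months TB:", retention_storage_tb(5000, 180))
    print("recommendation:", recommend_storage(5000, 180))
```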

If you only need one FortiSIEM node, your storage requirements are lower than 1TB, and they are not expected to ever grow beyond this limit, you can avoid setting up an NFS server and use a local EBS volume for EventDB. For this option, see the topic Configuring Local Storage in AWS for EventDB.

Configuring Local Storage in AWS for EventDB

Create the Local Storage Volume

Attach the Local Storage Volume to the Supervisor

Create the Local Storage Volume

  1. Log in to AWS.
  2. In the EC2 dashboard, click Volumes.
  3. Click Create Volume.
  4. Set Size to 100 GB to 1 TB (depending on storage requirement).
  5. Select the same Availability Zone region as the FortiSIEM Supervisor instance.
  6. Click Create.

Attach the Local Storage Volume to the Supervisor

  1. In the EC2 dashboard, select the local storage volume.
  2. In the Actions menu, select Attach Volume.
  3. For Instance, enter the Supervisor ID.
  4. For Device, enter /dev/xvdi.
  5. Click Attach.

 

Setting Up Supervisor, Worker and Collector Nodes in AWS

The basic process for installing a FortiSIEM Supervisor, Worker, or Collector node is the same. Since Worker nodes are only used in deployments that use NFS storage, you should first configure your Supervisor node to use NFS storage, and then configure your Worker node using the Supervisor NFS mount point as the mount point for the Worker. See Configuring NFS Storage for VMware ESX Server for more information. Collector nodes are only used in multi-tenant deployments, and need to be registered with a running Supervisor node.

When you’re finished with the specific hypervisor setup process, you need to complete your installation by following the steps described under General Installation.

Setting Up AWS Instances

  1. Log in to your AWS account and navigate to the EC2 dashboard.
  2. Click Launch Instance.
  3. Click Community AMIs and search for the AMI ID associated with your version of FortiSIEM. The latest AMI IDs are on the image server where you download the other hypervisor images.
  4. Click Select.
  5. Click Compute Optimized.

Using C3 Instances

You should select one of the C3 instances with a Network Performance rating of High, or 10Gb performance. The current generation of C3 instances run on the latest Intel Xeons that AWS provides. If you are running these machines in production, it is significantly cheaper to use EC2 Reserved Instances (1 or 3 year) as opposed to on-demand instances.

  6. Click Next: Configure Instance Details.
  7. Review these configuration options:

     Network and Subnet: Select the VPC you set up for your instance.

     Number of Instances: For enterprise deployments, set to 1. For a configuration of 1 Supervisor + 2 Workers, set to 3. You can also add instances later to meet your needs.

     Public IP: Clear the option Automatically assign a public IP address to your instances if you want to use VPN.

     Placement Group: A placement group is a logical grouping for your cluster instances. Placement groups have low latency, full-bisection 10Gbps bandwidth between instances. Select an existing group or create a new one.

     EBS Optimized Instance: An EBS optimized instance enables dedicated throughput between Amazon EBS and Amazon EC2, providing improved performance for your EBS volumes. Note that if you select this option, additional Amazon charges may apply.

  8. Click Next: Add Storage.
  9. For Size, Volume Type, and IOPS, set options for your configuration.
  10. Click Next: Tag Instance.
  11. Under Value, enter the Name you want to assign to all the instances you will launch, and then click Create Tag.

After you complete the launch process, you will have to rename each instance to correspond to its role in your configuration, such as Supervisor, Worker1, Worker2.

  12. Click Next: Configure Security Group.
  13. Select Select an Existing Security Group, and then select the default security group for your VPC.

FortiSIEM needs access to HTTPS over port 443 for GUI and API access, and access to SSH over port 22 for remote management, which are set in the default security group. This group will allow traffic between all instances within the VPC.

  14. Click Review and Launch.
  15. Review all your instance configuration information, and then click Launch.
  16. Select an existing key pair, or create a new one, to connect to these instances via SSH.

If you use an existing key pair, make sure you have access to it. If you are creating a new key pair, download the private key and store it in a secure location accessible from the machine from which you usually connect to these AWS instances.

  17. Click Launch Instances.
  18. When the EC2 Dashboard reloads, check that all your instances are up and running.
  19. All your instances will be tagged with the Name you assigned in Step 11. Select each instance and rename it according to its role in your deployment.
  20. For all types of instances, follow the instructions to SSH into the instances as described in Configuring the Supervisor and Worker Nodes in AWS, and then run the script sh to check the health of the instances.
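A review of the security group this procedure selects, as an added example (not FortiSIEM or AWS code): the default VPC group must expose HTTPS/443 and SSH/22, and before launch a practitioner would want to confirm that those ports are reachable only from inside the VPC or from an administrative range rather than from the whole Internet. The rule shape follows the IpPermissions structure that `aws ec2 describe-security-groups` returns; the sample group, the admin CIDR and the group id sg-EXAMPLE are constructed.

```python
"""Flag FortiSIEM management ports (22, 443) that a security group opens to the Internet.
Added example; the rule format mirrors EC2 describe-security-groups IpPermissions."""

REQUIRED_PORTS = {22: "SSH (remote management)", 443: "HTTPS (GUI and API)"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _covers(rule, port):
    """True when an ingress rule applies to TCP `port` (protocol -1 means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def review_ingress(ip_permissions):
    """Return {port: status} with status 'open-to-internet', 'restricted' or 'missing'.
    A rule that only references another security group (UserIdGroupPairs), such as the
    self-referencing rule that lets VPC instances reach each other, counts as restricted."""
    result = {}
    for port in REQUIRED_PORTS:
        matching = [r for r in ip_permissions if _covers(r, port)]
        if not matching:
            result[port] = "missing"
            continue
        world_v4 = any(rng.get("CidrIp") == ANY_IPV4
                       for r in matching for rng in r.get("IpRanges", []))
        world_v6 = any(rng.get("CidrIpv6") == ANY_IPV6
                       for r in matching for rng in r.get("Ipv6Ranges", []))
        result[port] = "open-to-internet" if (world_v4 or world_v6) else "restricted"
    return result


# Constructed sample: SSH limited to an admin range, HTTPS open to the world, plus the
# self-referencing all-traffic rule that allows traffic between instances in the VPC.
SAMPLE_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
]

if __name__ == "__main__":
    for port, status in review_ingress(SAMPLE_GROUP).items():
        print(f"{port:>4} {REQUIRED_PORTS[port]:<26} {status}")
```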

Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS

You need to create VPC-based Elastic IPs and attach them to your nodes so the public IPs don’t change when you stop and start instances.

  1. Log in to the Amazon VPC Console.
  2. In the navigation pane, click Elastic IPs.
  3. Click Allocate New Address.
  4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes, Allocate.
  5. Select the Elastic IP address from the list, and then click Associate Address.
  6. In the Associate Address dialog box, select the network interface for the NAT instance. Select the address to associate the EIP with from the Private IP address list, and then click Yes, Associate.

Configuring the Supervisor and Worker Nodes in AWS

  1. From the EC2 dashboard, select the instance, and then click Connect.
  2. Select Connect with a standalone SSH client, and follow the instructions for connecting with an SSH client.

For the connection command, follow the example provided in the connection dialog, but substitute the FortiSIEM root user name for ec2user@xxxxxx. The ec2-user name is used only for the Amazon Linux NFS server.

  3. SSH to the Supervisor.
  4. Run cd /opt/phoenix/deployment/jumpbox/aws.
  5. Run the script pre-deployment.sh to configure the host name and NFS mount point.
  6. Accept the License Agreements.

     NFS Storage: <NFS Server IP>:/data
     For <NFS Server IP>, use the 10.0.0.X IP address of the NFS Server running within the VPC.

     Local Storage: /dev/xvdi

  7. The system will reboot.
  8. Log in to the Supervisor.
  9. Register the Supervisor by following steps in
  10. Run cd /opt/phoenix/deployment/jumpbox/aws.
  11. Run the script sh (now includes running post-deployment.sh automatically).
  12. The system will reboot and is now ready.
  13. To install a Worker node, follow steps 1-9 and the Worker is ready.
  14. To add a Worker to the cluster (assuming the Worker is already installed):
    1. Log in to the FortiSIEM GUI.
    2. Go to Admin > License Management > VA Information.
    3. Click Add.
    4. Enter the private address of the Worker Node.

Registering the Collector to the Supervisor in AWS

  1. Locate a Windows machine on AWS.
  2. Open a Remote Desktop session from your PC to that Windows machine on AWS.
  3. Within the Remote Desktop session, launch a browser and navigate to https://<Collector-IP>:5480
  4. Enter the Collector setup information.

     Name: Collector Name
     User ID: Admin User
     Password: Admin Password
     Cust/Org ID: Organization Name
     Cloud URL: Supervisor URL

  5. Click

The Collector will restart automatically after registration succeeds.


This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Hypervisor Installations”

  1. Viet Le

    If you wonder where the script ao_svnpwd_reset.sh is

    It can be found in

    /opt/phoenix/deployment/jumpbox/phsetsvnpwd.sh
