Upgrading a FortiSIEM Single Node Deployment

These instructions cover the upgrade process for a FortiSIEM Enterprise deployment with a single Supervisor.

  1. Using SSH, log in to the FortiSIEM virtual appliance as the root user.

Your console will display the progress of the upgrade process.

  2. When the upgrade process is complete, your FortiSIEM virtual appliance will reboot.
  3. Log in to your virtual appliance, and in the Admin > Cloud Health page, check that you are running the upgraded version of FortiSIEM.

Upgrading a FortiSIEM Cluster Deployment

Overview

Follow these steps when upgrading a virtual appliance (VA) cluster:

  1. Shut down all Workers. Collectors can stay up and running.
  2. Upgrade the Supervisor first (while all Workers are shut down).
  3. After the Supervisor is up and running, upgrade the Workers one by one.
  4. Upgrade the Collectors.

Step #1 prevents the accumulation of report files while the Supervisor is unavailable during its upgrade (step #2). If these steps are not followed, the Supervisor may not be able to come up after the upgrade because of excessive unprocessed report file accumulation.

Note: Both Super and Worker MUST be on the same FortiSIEM version; otherwise various software modules may not work properly. Collectors, however, can run older versions: they will work, but may lack the latest discovery and performance monitoring features of the Super/Worker version. FortiSIEM therefore recommends that you also upgrade Collectors within a short period of time.
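The ordering rule (no Worker up while the Supervisor upgrades) and the version-parity rule (Super and Workers identical, Collectors may lag) are easy to get wrong by hand during a long maintenance window. The following POSIX shell functions, an added example and not a FortiSIEM-supplied script, turn both rules into checks you can run before step 2 and after step 4. They operate on a constructed inventory of role, host, version and state that you would populate from your own node list; the inventory format, the function names and the sample versions are assumptions made for this example, and nothing here queries a real node.

```sh
#!/bin/sh
# Added example, not FortiSIEM tooling: pre/post checks for a cluster upgrade.
# Inventory format (assumed): "<role> <host> <version> <state>" per line,
# role is super|worker|collector, state is up|down. Constructed sample data:
INVENTORY='super     sup01 4.6.3 up
worker    wk01  4.5.1 up
worker    wk02  4.6.3 down
collector co01  4.5.1 up'

# Gate for step 2: the Supervisor may only be upgraded while every Worker is
# shut down (otherwise report files pile up and the Super may not come back).
# Returns 0 when no Worker is "up".
workers_all_down() {
    printf '%s\n' "$1" | awk '$1 == "worker" && $4 == "up" { up = 1 } END { exit (up ? 1 : 0) }'
}

# Version-parity check from the Note: Super and all Workers must be on the
# target version (ERROR); Collectors may lag but are flagged (WARN) so they
# get scheduled. Prints one verdict per node; returns 1 on any Super/Worker
# mismatch.
version_check() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $1 == "super" || $1 == "worker" {
            if ($3 != target) { printf "ERROR %s %s is %s, must be %s\n", $1, $2, $3, target; bad = 1 }
            else              { printf "OK %s %s %s\n", $1, $2, $3 }
            next
        }
        $1 == "collector" {
            if ($3 != target) { printf "WARN collector %s is %s, schedule upgrade to %s\n", $2, $3, target }
            else              { printf "OK collector %s %s\n", $2, $3 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage against the constructed inventory (wk01 is still up, so the gate fails):
if workers_all_down "$INVENTORY"; then
    echo "All Workers are down: safe to upgrade the Supervisor"
else
    echo "A Worker is still up: shut all Workers down before upgrading the Supervisor"
fi
version_check "$INVENTORY" 4.6.3 || echo "Super/Worker version mismatch: fix before returning the cluster to service"
```

Run the parity check once more after the Collectors are done; a clean run prints only OK lines and exits 0, which makes it usable as a gate in whatever change-management tooling drives the window.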

If you have Collectors in your deployment, make sure you have configured an image server to use as a repository for the Collector

Upgrading Supervisors and Workers

For both Supervisor and Worker nodes, follow the upgrade process described here, but be sure to upgrade the Supervisor node first.

  1. Using SSH, log in to the FortiSIEM virtual appliance as the root user.

Your console will display the progress of the upgrade process.

  2. When the upgrade process is complete, your FortiSIEM virtual appliance will reboot.
  3. Log in to your virtual appliance, and in the Admin > Cloud Health page, check that you are running the upgraded version of FortiSIEM.

Upgrading Collectors

The process for upgrading Collectors is similar to the process for Supervisors and Workers, but you must initiate the Collector upgrade from the Supervisor.

  1. Log in to the Supervisor node as an administrator.
  2. Go to Admin > General Settings.
  3. Under Image Server Settings, enter the download path to the upgrade image, and the Username and Password associated with your license.
  4. Go to Admin > Collector Health.
  5. Click Download Image, and then click Yes to confirm the download.

As the download progresses you can click Refresh to check its status.

  6. When Finished appears in the Download Status column of the Collector Health page, click Install Image.

The upgrade process will begin, and when it completes, the Collector virtual appliance will reboot. The amount of time the upgrade takes depends on the network speed between your Supervisor node and the Collectors.

  7. When the upgrade is complete, make sure that your Collector is running the upgraded version of FortiSIEM.

Upgrading FortiSIEM Windows Agent and Agent Manager

Upgrade from V1.0 to V1.1

Version 1.0 and 1.1 Backward Incompatibility

Note: 1.0 Agents and Agent Managers communicate only over HTTP, while 1.1 Agents and Agent Managers communicate only over HTTPS. Consequently, 1.1 Agents and Agent Managers are not backward compatible with 1.0 Agents and Agent Managers. You have to upgrade the entire system of Agents and Agent Managers completely.

  1. Uninstall V1.0 Agents.
  2. Close the V1.0 Agent Manager application.
  3. Uninstall V1.0 Agent Manager.
  4. Bind Default Website with HTTPS as described in Pre-requisite in Installing FortiSIEM Windows Agent Manager.
  5. Install V1.1 Agent Manager following Installing FortiSIEM Windows Agent Manager.
    1. In the Database Settings dialog, enter the V1.0 database path as the “FortiSIEM Windows Agent Manager” SQL Server database path (Procedures Step 6 in Installing FortiSIEM Windows Agent Manager).
    2. Enter the same Administrator username and password (as the previous installation) in the Agent Manager Administrator account creation dialog.
  6. Install V1.1 Agents.
  7. Assign licenses again. Use the Export and Import feature.

Upgrade from V1.1 to V2.0

Windows Agent Manager

  1. Enable TLS 1.2 on the Agent Manager. FortiSIEM Supervisor/Worker 4.6.3 and above enforce the use of TLS 1.2 for tighter security. However, by default only SSL 3.0 / TLS 1.0 are enabled in Windows Server 2008 R2. Therefore, enable TLS 1.2 on the Windows Agent Manager host so that Windows Agent Manager 2.0 can operate with FortiSIEM Supervisor/Worker 4.6.3 and above.
    1. Start an elevated Command Prompt (i.e., with administrative privileges) on the Windows Agent Manager 1.1 host.
    2. Run the following commands sequentially as shown.
    3. Restart the computer.
  2. Uninstall Agent Manager 1.1.
  3. Install the SQL Server 2012 SP1 Feature Pack on the Agent Manager host, available at https://www.microsoft.com/en-in/download/details.aspx?id=35
    1. Select the language of your choice and mark the following two MSIs (choose x86 or x64 depending on your platform) for download:
      1. msi
      2. msi
    2. Click the Download button to download the two MSIs. Then double-click each MSI to install them one by one.
  4. Install Agent Manager 2.0.
    1. In the Database Settings dialog, set the old database path as the AccelOpsCAC database path.
    2. Enter the same Administrator username and password (as in the previous installation) in the new Agent Manager Administrator account creation dialog.
  5. Run the Database migration utility to convert from 1.1 to 2.0.
    1. Open a Command Prompt window.
    2. Go to the installation directory (say, C:\Program Files\AccelOps\Server).
    3. Run AOUpdateManager.exe with script.zip as the command line parameter. You will find script.zip alongside the MSI.
  6. Register Windows Agent Manager 2.0 to FortiSIEM.

Windows Agent

  1. Uninstall V1.1 Agents.
  2. Install V2.0 Agents.

Upgrade from V2.0 to V2.1

Windows Agent Manager

  1. Uninstall Agent Manager 2.0.
  2. Install Agent Manager 2.1.
    1. In the Database Settings dialog, set the old database path as the AccelOpsCAC database path.
    2. Enter the same Administrator username and password (as in the previous installation) in the new Agent Manager Administrator account creation dialog.
  3. Run the Database migration utility to convert from 2.0 to 2.1.
    1. Open a Command Prompt window.
    2. Go to the installation directory (say, C:\Program Files\AccelOps\Server).
    3. Run AOUpdateManager.exe with script.zip as the command line parameter. You will find script.zip alongside the MSI.
  4. Register Windows Agent Manager 2.1 to FortiSIEM.

Windows Agent

  1. Uninstall V2.0 Agents.
  2. Install V2.1 Agents.

Upgrading Windows Agent License

Follow these steps if you have bought additional Windows Agent licenses or extended the term of the license.

  1. Log in to the AccelOps Supervisor using the admin account.
  2. Go to Admin > License Management and make sure that the license is updated.
  3. Go to Admin > Setup Wizard > Windows Agent.
  4. Edit each Windows Agent Manager entry and modify the agent count and license expiry date if needed.

The new license will be automatically pushed to each Windows Agent Manager. You can now logon to each Windows Agent Manager and allocate the additional licenses if needed.

Uninstalling Agents

Single Agent

Uninstall it like any other installed Windows program.

Multiple Agents using Group Policy

  1. Go to the Group Policy you created during Agent installation. Right-click it and select Edit.
  2. In the Group Policy Management Editor, go to MyGPO > Computer Configuration > Policies > Software Settings > Software Installation.
  3. Right-click on FortiSIEM Windows Agent <version>.
  4. Click All Tasks > Remove.
  5. In the Remove Software dialog, choose the option Immediately uninstall the software from users and computers. Then click OK.
  6. The FortiSIEM Windows Agent <version> entry will disappear from the right pane. Close the Group Policy Management Editor.
  7. Force the group policy update:
    1. On the Domain Controller, open cmd and run gpupdate /force.
    2. On each Agent server, open cmd and run gpupdate.
  8. Restart each Agent computer to complete the uninstall.

Automatic OS Upgrades during Reboot

In order to patch CentOS and system packages with security updates and bug fixes, and to bring the system on par with a freshly installed FortiSIEM node, the following script is provided. Internet connectivity to the CentOS mirrors must be working for the script to succeed; otherwise the script prints an error and exits. The script is available on all nodes starting from 4.6.3 (Supervisor, Workers, Collectors, and Report Server):

/opt/phoenix/phscripts/bin/phUpdateSystem.sh

The script is also invoked during system boot, from the following init script:

/etc/init.d/phProvision.sh

This ensures that the node is up to date right after an upgrade and system reboot. If you are running a node that was first installed in an older release and upgraded to 4.6.3, many OS/system packages will be downloaded and installed the first time, so the upgrade takes longer than usual. On subsequent upgrades and reboots, the updates will be small.

Nodes deployed in bandwidth-constrained environments can disable this by commenting out the line that invokes phUpdateSystem.sh in phProvision.sh. However, it is strongly recommended to keep it in place so that your node receives security fixes from CentOS and the risk of exploitation is minimized. Alternatively, in bandwidth-constrained environments, you can deploy a freshly installed Collector to ensure that security fixes are up to date.
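Hand-editing an init script on a production SIEM node is where a stray keystroke turns "disable updates on this one Collector" into a node that does not provision at all. The following POSIX shell functions are an added example, not one of the FortiSIEM scripts named above: they check whether the boot-time call to phUpdateSystem.sh is active, comment it out or restore it with a backup and an atomic write, and probe mirror reachability before a reboot on a node whose connectivity is in doubt. They run on a constructed stand-in for /etc/init.d/phProvision.sh (the real file's contents are not reproduced here); the function names, the assumption that the call sits on its own line, and the mirror URL are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of FortiSIEM: inspect and toggle the boot-time call to
# phUpdateSystem.sh in an init script such as /etc/init.d/phProvision.sh.
# Assumption: the call sits on its own line, as the text above describes.

# 0 when phUpdateSystem.sh is invoked on an uncommented line (updates run at boot).
os_update_enabled() {
    grep 'phUpdateSystem\.sh' "$1" | grep -vq '^[[:space:]]*#'
}

# Comment out the invocation (bandwidth-constrained nodes only). Keeps a .bak
# copy, writes via a temp file so a failure never leaves a truncated init
# script, and is idempotent: lines that are already comments are untouched.
disable_os_update() {
    cp -p "$1" "$1.bak"
    sed '/^[[:space:]]*#/!s|^\([[:space:]]*\)\(.*phUpdateSystem\.sh\)|\1# \2|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Re-enable it (the recommended state): strip the leading "#" on that line.
enable_os_update() {
    cp -p "$1" "$1.bak"
    sed '/phUpdateSystem\.sh/s|^\([[:space:]]*\)#[[:space:]]*|\1|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# phUpdateSystem.sh needs the CentOS mirrors; probe before rebooting a node
# whose egress is uncertain. The URL is an assumed example, pass your own.
mirrors_reachable() {
    curl -sSf --max-time 10 -o /dev/null "${1:-http://mirrorlist.centos.org/}"
}

# Usage on a constructed stand-in for phProvision.sh (not the real file):
SAMPLE=$(mktemp)
printf '%s\n' '#!/bin/sh' 'echo "provisioning node"' \
    '/opt/phoenix/phscripts/bin/phUpdateSystem.sh' > "$SAMPLE"
os_update_enabled "$SAMPLE" && echo "OS updates at boot: enabled"
disable_os_update "$SAMPLE"
os_update_enabled "$SAMPLE" || echo "OS updates at boot: disabled (line commented out)"
enable_os_update "$SAMPLE"
os_update_enabled "$SAMPLE" && echo "OS updates at boot: re-enabled"
rm -f "$SAMPLE" "$SAMPLE.bak"
```

On a real node, run os_update_enabled against /etc/init.d/phProvision.sh as part of the post-upgrade check: a node that someone quietly disabled during an earlier bandwidth crunch will otherwise keep missing CentOS security fixes on every subsequent reboot.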



This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
