Administration Guide

Adding a second server to upgrade the Threat Hunting Repository

Before you begin, ensure this upgrade method is right for you. See Determining the upgrade method for a Threat Hunting Repository.

Adding a second VM as a method for upgrading the Threat Hunting Repository includes the following steps:

  1. Installing a new VM

  2. Extracting data from the old Threat Hunting Repository

  3. Installing a new Threat Hunting Repository on the new VM

  4. Disconnecting the old Threat Hunting Repository

Installing a new VM

Install the new Threat Hunting OS version as a new node, as shown in the following phases.

To install a new VM:
  1. Create a virtual machine. See Creating a Virtual Machine.

  2. Install an operating system ISO. See Installing an Operating System ISO.

  3. After installing the operating system ISO, stop. Do not continue to the Installing a FortiEDR Repository software ISO phase.

Extracting data from the old Threat Hunting Repository

To extract data from the old Threat Hunting Repository:
  1. Use a terminal to connect to the old Threat Hunting Repository, and mount the new Threat Hunting ISO.

  2. Run the following commands:

    1. sudo su -

    2. mount /dev/sr0 /mnt/iso

    3. bash /mnt/iso/deployment/ci-tools/upgrade_edr-oldTH.sh

  3. Save the Elasticsearch IP address and the middleware password that were retrieved by the script because you will use them later in the upgrade phase.

    Ensure that you keep the password in a safe place.
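The mount-and-run step above repeats in every phase of this procedure, and step 3 asks you to keep the retrieved password somewhere safe. The following helper is an added example, not Fortinet's own tooling: it mounts the ISO read-only only once, checks that the expected script is actually present on the ISO before running it, and writes the Elasticsearch IP and middleware password to a root-only (mode 0600) file that the next phase can read back. The script path is the one quoted on this page; the credentials file name and key names are assumptions.

```shell
#!/usr/bin/env bash
# Added helper (not Fortinet's code). Wraps the "mount the ISO, run the script"
# step with the checks an operator would want. Paths below are this page's;
# the credentials file format is an assumption of this example.
set -eu

ISO_DEV="${ISO_DEV:-/dev/sr0}"
ISO_MNT="${ISO_MNT:-/mnt/iso}"

# Mount the ISO read-only; a no-op when it is already mounted at $ISO_MNT.
mount_iso() {
  mkdir -p "$ISO_MNT"
  mountpoint -q "$ISO_MNT" || mount -o ro "$ISO_DEV" "$ISO_MNT"
}

# Return 0 if deployment/ci-tools/<script> exists under the given mount point.
iso_has_script() {
  local mnt="$1" script="$2"
  [ -f "$mnt/deployment/ci-tools/$script" ]
}

# Save the values retrieved by upgrade_edr-oldTH.sh to a file created with
# mode 0600, so the password does not live only in terminal scrollback.
# Usage: save_creds FILE ES_IP MIDDLEWARE_PASSWORD
save_creds() {
  local file="$1" es_ip="$2" pw="$3"
  ( umask 077; printf 'ES_IP=%s\nMIDDLEWARE_PASSWORD=%s\n' "$es_ip" "$pw" > "$file" )
}

# Read one value back from the credentials file for the next phase.
# Usage: read_cred FILE KEY
read_cred() {
  local file="$1" key="$2"
  sed -n "s/^$key=//p" "$file"
}

# The "Extracting data" phase end to end; run as root on the old repository.
run_old_th_extract() {
  mount_iso
  iso_has_script "$ISO_MNT" upgrade_edr-oldTH.sh || { echo "upgrade_edr-oldTH.sh not found on ISO" >&2; return 1; }
  bash "$ISO_MNT/deployment/ci-tools/upgrade_edr-oldTH.sh"
}
```

After the script prints the Elasticsearch IP and middleware password, call `save_creds /root/th-upgrade.creds <ip> <password>` and use `read_cred` in the next phase instead of retyping the values.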

Installing a new Threat Hunting Repository on the new VM

To install a new Threat Hunting Repository on the new VM:
  1. In the new node, mount the new Threat Hunting ISO.

  2. Connect to the machine, and run the following commands:

    1. sudo su -

    2. mount /dev/sr0 /mnt/iso

    3. bash /mnt/iso/deployment/ci-tools/upgrade_edr.sh

  3. Select option 1 to run the upgrade.

    1. Enter the manager IP and root user password.

    2. Validate that the ISO version is the requested version, and request the “init” action.

    3. Wait a few minutes for the ISO to import the local image.

    4. Complete the FortiEDR installation:

      1. Enter the number of seats from the FortiEDR license.

      2. Enter yes or no to indicate whether the repository is used by an MSSP. If yes, enter the number of organizations.

      3. Enter the manager IP, administrator name, and administrator password.

      4. Enter yes to add an additional RO Elasticsearch data source.

      5. For the RO Elasticsearch IP and the middleware user password, enter the IP and password fetched in the Extracting data from the old Threat Hunting Repository phase.

    5. Continue the installation as instructed in the manual:

      1. Configuring the Threat Hunting Repository Monitoring console
      2. Backing up Threat Hunting Repository data
      3. Activating the Threat Hunting Repository Monitoring console
  4. Validate that the new repository is connected to the Manager.

Disconnecting the old Threat Hunting Repository

Wait one (1) month, and then disconnect the old Threat Hunting Repository.

To disconnect the old Threat Hunting Repository:
  1. Connect to the installed ISO, and run the following commands:

    1. sudo su -

    2. mount /dev/sr0 /mnt/iso

    3. bash /mnt/iso/deployment/ci-tools/upgrade_edr.sh

  2. Select option 2 to detach the old Threat Hunting Repository.

  3. Delete the old Threat Hunting Repository VM.