Introduction
Fortinet Security Orchestration Platform™ (FortiSOAR™) is a scalable, awareness-driven, and encrypted security management intelligence platform. FortiSOAR is a centralized hub for your security operations and dramatically improves the effectiveness and efficiency of your security operations teams, by providing automation and customizable mechanisms for prevention, detection, and response to cybersecurity threats.
NOTE: To support disk sizes larger than 2 TB, FortiSOAR OVAs starting with the 7.5.0 release come pre-configured with a GPT-based disk layout. Previously, FortiSOAR OVAs were shipped with an MBR-based disk layout, which limited disk management to a size of 2 TB. If you already have a FortiSOAR instance and need a partition larger than 2 TB, we recommend creating a new FortiSOAR VM on release 7.5.0 or later and utilizing the Export and Import wizards to migrate your data from the old instance to the new one.
NOTE: From release 7.6.1 onwards, support is added for an on-demand feature, i.e., the ability to encrypt all of FortiSOAR's data at rest. For more information, see the Encrypting FortiSOAR's Data at Rest chapter in the "Best Practices Guide."
For information on deploying FortiSOAR, see the Deploying FortiSOAR chapter.
For information on deploying FortiSOAR using offline repositories, see the Deploying FortiSOAR using offline repositories chapter.
For information on deploying FortiSOAR on a docker platform, see the Deploying FortiSOAR on a docker platform chapter.
For information on deploying the FortiSOAR Docker on an EKS cluster, see the Deploying FortiSOAR Docker on an Amazon Elastic Kubernetes Cluster chapter.
FortiSOAR is also available as a hosted option on FortiCloud. For information on FortiSOAR on FortiCloud, see the FortiSOAR Cloud documentation.
Purpose
Use the deployment guide to deploy the FortiSOAR virtual appliance using VMware, the ESX/ESXi server and AWS.
NOTE: This document provides you with all the procedures for setting up FortiSOAR in your environment, including deploying FortiSOAR, the initial configuration for FortiSOAR, and troubleshooting of FortiSOAR.
Prerequisites
NOTE: Starting with release 7.6.5, the csadmin user’s sudo privileges are restricted to only the commands required to work with FortiSOAR, instead of providing full 'root' access. This enhancement aligns with the principle of least privilege and reduces exposure to sensitive system files. Therefore, commands such as
NOTE: FortiSOAR does not support deployment in IPv6-only environments.
Before you deploy FortiSOAR, ensure you have done the following:
- Set up a system with the minimal edition of either Rocky Linux version 9.3/9.4/9.5/9.6 or RHEL version 9.3/9.4/9.5/9.6, if you are installing FortiSOAR using the installation script. Release 7.6.5 has been tested with RHEL 9.6 and Rocky Linux 9.6.
OR,
If you are deploying FortiSOAR using the OVA, download the FortiSOAR Virtual Appliance and deploy it to VMware (via vSphere or vCenter) or AWS.
NOTE: When installing FortiSOAR using the installation script, it is highly recommended to install FortiSOAR on a non-hardened operating system (OS). After the installation, the OS will undergo automatic hardening by FortiSOAR. Avoid any additional hardening of the OVA, or consult with FortiSOAR support, to prevent issues in the running FortiSOAR instance. Installing FortiSOAR on a pre-hardened OS can lead to installation failure and issues with starting services, file permissions, etc. Any external monitoring agents must function correctly under FortiSOAR’s current SELinux policy. If the required SELinux context is not properly configured, the customer must uninstall these agents before performing a FortiSOAR upgrade that includes an underlying OS version upgrade.
- Decide the Hostname and IP address.
- Know the DNS server IP address for the appliance.
- Disable the IPv6 protocol on the VM where you are deploying FortiSOAR if you are not using the IPv6 protocol. This is necessary because, starting with RHEL 9.0 or Rocky Linux 9.0, ifcfg files are deprecated. To disable IPv6, check the appropriate NIC configuration file and make the changes in /etc/NetworkManager/system-connections (see the Using NetworkManager to disable IPv6 for a specific connection document). Starting with RHEL 9.0 or Rocky Linux 9.0, network configurations are stored in /etc/NetworkManager/system-connections/ in a 'key file' format.
- Locale is set to en_US.UTF-8. FortiSOAR release 7.5.0 and later supports PostgreSQL 16. The postgresql-16 service will fail if the locale is not set to en_US.UTF-8, so make sure that the locale of the VM where you are deploying FortiSOAR is set to en_US.UTF-8. To install and apply the en_US.UTF-8 locale on your system, use the following commands:
  # sudo yum install glibc-langpack-en -y
  # sudo localectl set-locale en_US.UTF-8
- Company-specific SSL certificate, if you want to change the default certificate.
- Optionally configure an SMTP server and an NTP server. The SMTP server is used for outgoing notifications once the system is configured. The NTP server is used to synchronize the machine time after deployment.
NOTE: Do not alter the
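The prerequisites above can be verified before the installer is run. The following POSIX shell script is an added example, not part of the FortiSOAR documentation or of FortiSOAR's own tooling: it checks the OS family and version from /etc/os-release against the supported Rocky Linux / RHEL 9.3 to 9.6 list, checks that the system locale reported by localectl is exactly en_US.UTF-8 (the locale postgresql-16 requires), checks whether each NetworkManager key file under /etc/NetworkManager/system-connections/ has method=disabled in its [ipv6] section, and confirms a hostname and a DNS nameserver are configured. The function names, the report format, the --check flag and the *.nmconnection file glob are assumptions of this example.

```shell
#!/bin/sh
# Added preflight check for the FortiSOAR prerequisites listed above.
# Example code, not FortiSOAR's installer or tooling; the paths,
# function names and the --check flag are assumptions of this example.

# OS releases named as supported for the installation-script path.
SUPPORTED_IDS="rocky rhel"
SUPPORTED_VERSIONS="9.3 9.4 9.5 9.6"

# os_supported ID VERSION_ID -> 0 when both values are in the supported lists.
os_supported() {
    found=1
    for i in $SUPPORTED_IDS; do
        [ "$1" = "$i" ] && found=0
    done
    [ "$found" -eq 0 ] || return 1
    for v in $SUPPORTED_VERSIONS; do
        [ "$2" = "$v" ] && return 0
    done
    return 1
}

# os_from_release FILE -> prints "ID VERSION_ID" parsed from an os-release
# style file with the surrounding quotes removed, e.g. "rocky 9.6".
os_from_release() {
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
    printf '%s %s\n' "$id" "$ver"
}

# locale_ok LANG_VALUE -> 0 only for the exact locale postgresql-16 needs.
locale_ok() {
    [ "$1" = "en_US.UTF-8" ]
}

# ipv6_disabled_in_keyfile FILE -> 0 when the NetworkManager key file has
# "method=disabled" inside its [ipv6] section (other sections are ignored).
ipv6_disabled_in_keyfile() {
    awk '
        /^\[/ { section = $0 }
        section == "[ipv6]" && /^method=disabled[[:space:]]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check LABEL DETAIL COMMAND [ARGS...] -> runs COMMAND, prints one result
# line and returns its status, so callers can accumulate failures.
check() {
    label=$1; detail=$2; shift 2
    if "$@"; then
        printf 'OK    %s: %s\n' "$label" "$detail"; return 0
    fi
    printf 'FAIL  %s: %s\n' "$label" "$detail"; return 1
}

# preflight -> runs every check against the live system; 0 only if all pass.
preflight() {
    rc=0
    set -- $(os_from_release /etc/os-release)
    check "OS" "$1 $2" os_supported "$1" "$2" || rc=1

    lang=$(localectl status 2>/dev/null | sed -n 's/.*LANG=//p' | head -n 1)
    check "locale" "LANG=${lang:-unset}" locale_ok "$lang" || rc=1

    # Only required when IPv6 is not in use; treat a FAIL as a reminder then.
    for f in /etc/NetworkManager/system-connections/*.nmconnection; do
        [ -f "$f" ] || continue
        check "IPv6 disabled" "$f" ipv6_disabled_in_keyfile "$f" || rc=1
    done

    check "hostname" "$(hostname)" test -n "$(hostname)" || rc=1
    check "DNS" "/etc/resolv.conf" grep -q '^nameserver' /etc/resolv.conf || rc=1
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it on the target VM as `sh preflight.sh --check` before starting the installation script; a non-zero exit means at least one prerequisite line printed FAIL. The individual checks take their input as arguments rather than reading the system directly, so they can also be exercised against a copied os-release or key file from another host.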
Browser Compatibility
FortiSOAR 7.6.5 User Interface has been tested on the following browsers:
- Google Chrome version 142.0.7444.162
- Mozilla Firefox version 145.0.1
- Microsoft Edge version 142.0.3595.90
- Safari version 26.1 (20622.2.11.119.1)