FortiSIEM 6.6.2 ESX Installation Guide


ESX Installation Guide

FortiSIEM 6.6.2

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com
10/20/2022
TABLE OF CONTENTS

Change Log
Fresh Installation
Pre-Installation Checklist
All-in-one Installation
Set Network Time Protocol for ESX
Import FortiSIEM into ESX
Edit FortiSIEM Hardware Settings
Start FortiSIEM from the VMware Console
Configure FortiSIEM via GUI
Upload the FortiSIEM License
Choose an Event Database
Cluster Installation
Install Supervisor
Install Workers
Register Workers
Install Collectors
Register Collectors
Install Manager
Register Instances to Manager
Installing on ESX 6.5
Importing a 6.5 ESX Image
Resolving Disk Save Error
Adding a 5th Disk for /data
Install Log

FortiSIEM 6.6.2 ESX Installation Guide 3


Fortinet Inc.
Change Log

Date        Change Description
09/05/2018  Initial version of FortiSIEM - ESX Installation Guide.
03/29/2019  Revision 1: updated the instructions for registering the Collector on the Supervisor node.
05/22/2019  Revision 2: added a note regarding VMotion support.
11/20/2019  Release of FortiSIEM - ESX Installation Guide for 5.2.6.
03/30/2020  Release of FortiSIEM - ESX Installation Guide for 5.3.0.
08/15/2020  Revision 3: Updated deployment and installation for FortiSIEM 6.1.0 on VMware ESX.
11/03/2020  Revision 4: Updated deployment and installation for FortiSIEM 6.1.1 on VMware ESX.
02/04/2021  Revision 5: Updated Migration content.
02/16/2021  Revision 6: Added Installing on ESX 6.5 content to 6.1.1.
02/23/2021  Revision 7: Minor update to Pre-Migration Checklist.
03/18/2021  Revision 8: Minor update to Pre-Migration Checklist for 6.1.1.
03/29/2021  Revision 9: Minor update to Pre-Migration Checklist for 6.1.1.
04/21/2021  Revision 10: Added Installing on ESX 6.5 content to 6.2.0. Minor update to Pre-Installation Checklist to 6.1.1 and 6.2.0.
04/22/2021  Revision 11: Added Installing on ESX 6.5 content to 6.1.0. Minor update to Pre-Installation Checklist to 6.1.0.
4/28/2021   Revision 12: Updated Pre-Installation Checklist for 6.1.0, 6.1.1 and 6.2.0.
05/07/2021  Release of FortiSIEM - ESX Installation Guide for 6.2.1.
06/07/2021  Revision 13: Elasticsearch screenshot updated for 6.2.x guides.
07/06/2021  Release of FortiSIEM - ESX Installation Guide for 6.3.0.
08/26/2021  Release of FortiSIEM - ESX Installation Guide for 6.3.1.
09/13/2021  Updated Importing a 6.5 ESX Image section for 6.3.x guides.
10/15/2021  Release of FortiSIEM - ESX Installation Guide for 6.3.2.
11/17/2021  Updated Register Collectors instructions for 6.x guides.
12/22/2021  Release of FortiSIEM - ESX Installation Guide for 6.3.3.


01/18/2022  Release of FortiSIEM - ESX Installation Guide for 6.4.0.
05/09/2022  Release of FortiSIEM - ESX Installation Guide for 6.5.0.
07/26/2022  Release of FortiSIEM - ESX Installation Guide for 6.6.0.
08/18/2022  Updated All-in-one Installation section.
09/12/2022  Release of FortiSIEM - ESX Installation Guide for 6.5.1.
09/14/2022  Release of FortiSIEM - ESX Installation Guide for 6.6.1.
09/19/2022  Release of FortiSIEM - ESX Installation Guide for 6.6.2.
10/06/2022  Added Collector with Reduced Disk in OT Environments under Install Collectors for 6.4.0-6.6.2 guides.
10/20/2022  Updated Register Collectors instructions for 6.x guides.

Fresh Installation

- Pre-Installation Checklist
- All-in-one Installation
- Cluster Installation
- Installing on ESX 6.5

Pre-Installation Checklist

Before you begin, check the following:

- Release 6.6.2 requires at least ESX 6.5, and ESX 6.7 Update 2 is recommended. To install on ESX 6.5, see Installing on ESX 6.5.
- Ensure that your system can connect to the network. You will be asked to provide a DNS Server and a host that can be resolved by the DNS Server and responds to ping. The host can either be an internal host or a public domain host like google.com.
- Deployment type for Supervisor, Worker, and Collector – Enterprise or Service Provider. The Service Provider deployment provides multi-tenancy.
- Whether FIPS should be enabled.
- Install type:
  - All-in-one with FortiSIEM Manager
    Note: FortiSIEM Manager installation has slight differences from the Supervisor/Worker/Collector installation.
  - Cluster with Manager, Supervisor and Workers
  - All-in-one with Supervisor only, or
  - Cluster with Supervisor and Workers
- Storage type for Supervisor, Worker, and/or Collector:
  - Online – Local or NFS or ClickHouse or Elasticsearch
  - Archive – NFS or HDFS
- Before beginning FortiSIEM deployment, you must configure external storage (FortiSIEM Manager excluded).
- Determine hardware requirements:

Node: Manager
- vCPU: Minimum – 16; Recommended – 32
- RAM: Minimum – 24GB; Recommended – 32GB
- Local Disks: OS – 25GB; OPT – 100GB; CMDB – 60GB; SVN – 60GB

Node: Supervisor (All in one)
- vCPU: Minimum – 12; Recommended – 32
- RAM: Minimum – 24GB without UEBA, 32GB with UEBA; Recommended – 32GB without UEBA, 64GB with UEBA
- Local Disks: OS – 25GB; OPT – 100GB; CMDB – 60GB; SVN – 60GB; Local Event database – based on need

Node: Supervisor (Cluster)
- vCPU: Minimum – 12; Recommended – 32
- RAM: Minimum – 24GB without UEBA, 32GB with UEBA; Recommended – 32GB without UEBA, 64GB with UEBA
- Local Disks: OS – 25GB; OPT – 100GB; CMDB – 60GB; SVN – 60GB

Node: Workers
- vCPU: Minimum – 8; Recommended – 16
- RAM: Minimum – 16GB; Recommended – 24GB
- Local Disks: OS – 25GB; OPT – 100GB

Node: Collector
- vCPU: Minimum – 4; Recommended – 8 (based on load)
- RAM: Minimum – 4GB; Recommended – 8GB
- Local Disks: OS – 25GB; OPT – 100GB

Note: Compared to FortiSIEM 5.x, you need one more disk (OPT), which provides a cache for FortiSIEM.
Before proceeding to FortiSIEM deployment, you must configure the external storage.
- For NFS deployment, see FortiSIEM - NFS Storage Guide here.
- For Elasticsearch deployment, see FortiSIEM - Elasticsearch Storage Guide here.

All-in-one Installation

This is the simplest installation with a single Virtual Appliance. If storage is external, then you must configure external storage before proceeding with installation.
- Set Network Time Protocol for ESX
- Import FortiSIEM into ESX
- Edit FortiSIEM Hardware Settings
- Start FortiSIEM from the VMware Console
- Configure FortiSIEM via GUI
- Upload the FortiSIEM License
- Choose an Event Database

Set Network Time Protocol for ESX

FortiSIEM needs accurate time. To provide it, you must enable NTP on the ESX host on which the FortiSIEM Virtual Appliance is going to be installed.
1. Log in to your vCenter and select your ESX host.
2. Click the Configure tab.


3. Under System, select Time Configuration.
4. Click Edit.
5. Enter the time zone properties.
6. Enter the IP address of the NTP servers to use.
   If you do not have an internal NTP server, you can access a publicly available one at http://tf.nist.gov/tf-cgi/servers.cgi.
7. Choose an NTP Service Startup Policy.
8. Click OK to apply the changes.

Import FortiSIEM into ESX

1. Go to the Fortinet Support website https://support.fortinet.com to download the ESX package FSM_FULL_ALL_ESX_6.6.2_Build1637.zip. See Downloading FortiSIEM Products for more information on downloading products from the support website.
2. Uncompress the packages for Super/Worker and Collector (using 7-Zip tool) to the location where you want to
install the image. Identify the .ova file.
3. Right-click on your own host and choose Deploy OVF Template.
The Deploy OVA Template dialog box appears.
4. In 1 Select an OVF template select Local file and navigate to the .ova file. Click Next. If you are installing from a
URL, select URL and paste the OVA URL into the field beneath URL.
5. In 2 Select a Name and Folder, make any needed edits to the Virtual machine name field. Click Next.


6. In 3 Select a compute resource, select any needed resource from the list. Click Next.
7. Review the information in 4 Review details and click Next.
8. In 5 License agreements, click Next.
9. In 6 Select Storage select the following, then click Next:
   a. A disk format from the Select virtual disk format drop-down list. Select Thin Provision.
   b. A VM Storage Policy from the drop-down list.
   c. Select Disable Storage DRS for this virtual machine, if necessary, and choose the storage DRS from the table.


10. In 7 Select networks, select the source and destination networks from the drop-down lists. Click Next.
11. In 8 Ready to complete, review the information and click Finish.
12. In the vSphere client, go to your installed OVA.


13. Right-click your installed OVA (example: FortiSIEM-611.1637.ova) and select Edit Settings > VM Options > General Options. Set up Guest OS and Guest OS Version (Linux and 64-bit).
14. Open the Virtual Hardware tab. Set CPU to 16 and Memory to 64GB.
15. Click Add New Device and create a device.
    Add additional disks to the virtual machine definition. These will be used for the additional partitions in the virtual appliance. An All In One deployment requires the following additional partitions.

    Disk         Size    Disk Name
    Hard Disk 2  100GB   /opt
    Hard Disk 3  60GB    /cmdb
    Hard Disk 4  60GB    /svn
    Hard Disk 5  60GB+   /data (see the following note)

    Note on Hard Disk 5:
    - Add a 5th disk if using local storage in an All In One deployment. Otherwise, a separate NFS share or Elasticsearch cluster must be used for event storage.
    - 60GB is the minimum event DB disk size for small deployments; provision significantly more event storage for higher EPS deployments. See the FortiSIEM Sizing Guide for additional information.
    - NFS or Elasticsearch event DB storage is mandatory for multi-node cluster deployments.

    After you click OK, a Datastore Recommendations dialog box opens. Click Apply.
16. Do not turn off or reboot the system during deployment, which may take 7 to 10 minutes to complete. When the deployment completes, click Close.

Edit FortiSIEM Hardware Settings

1. In the VMware vSphere client, select the imported Supervisor.
2. Go to Edit Settings > Virtual hardware.
3. Set hardware settings as in Pre-Installation Checklist. The recommended settings for the Supervisor node are:
   - CPU = 16
   - Memory = 64 GB


   - Four hard disks:
     - OS – 25GB
     - OPT – 100GB
     - CMDB – 60GB
     - SVN – 60GB

   Example settings for the Supervisor node:

   - If event database is local, then choose another disk for storing event data based on your needs.
   - Network Interface card

Start FortiSIEM from the VMware Console

1. In the VMware vSphere client, select the Supervisor, Worker, or Collector virtual appliance.
2. Right-click to open the options menu and select Power > Power On.
3. Open the Summary tab for the virtual appliance and select Launch Web Console.
Network Failure Message: When the console starts up for the first time you may see a Network eth0 Failed
message, but this is expected behavior.
4. Select Web Console in the Launch Console dialog box.

5. When the command prompt window opens, log in with the default login credentials – user: root and Password:
ProspectHills.
6. You will be required to change the password. Remember this password for future use.
At this point, you can continue configuring FortiSIEM by using the GUI.

Configure FortiSIEM via GUI

Follow these steps to configure FortiSIEM by using a simple GUI.


1. Log in as user root with the password you set in Step 6 above.
2. At the command prompt, go to /usr/local/bin and enter configFSM.sh, for example:
# configFSM.sh
3. In VM console, select 1 Set Timezone and then press Next.


4. Select your Region, and press Next.

5. Select your Country, and press Next.

6. Select the Country and City for your timezone, and press Next.

7. If installing a Supervisor, select 1 Supervisor. Press Next.
   If installing a Worker, select 2 Worker, and press Next.
   If installing a Collector, select 3 Collector, and press Next.
   If installing FortiSIEM Manager, select 4 FortiSIEM Manager, and press Next.
   Note: The appliance type cannot be changed once it is deployed, so ensure you have selected the correct option.


Regardless of whether you select FortiSIEM Manager, Supervisor, Worker, or Collector, you will see the same series of screens with only the header changed to reflect your target installation, unless noted otherwise.

8. If you want to enable FIPS, then choose 2. Otherwise, choose 1. You have the option of enabling FIPS (option 3) or
disabling FIPS (option 4) later.
Note: After Installation, a 5th option to change your network configuration (5 change_network_config) is
available. This allows you to change your network settings and/or host name.


9. Determine whether your network supports IPv4-only, IPv6-only, or both IPv4 and IPv6 (Dual Stack). Choose 1 for
IPv4-only, choose 2 for IPv6-only, or choose 3 for both IPv4 and IPv6.

10. If you choose 1 (IPv4) or choose 3 (Both IPv4 and IPv6), and press Next, then you will move to step 11. If you
choose 2 (IPv6), and press Next, then skip to step 12.
11. Configure the IPv4 network by entering the following fields, then press Next.

    Option        Description
    IPv4 Address  The Manager/Supervisor/Worker/Collector's IPv4 address
    NetMask       The Manager/Supervisor/Worker/Collector's IPv4 subnet
    Gateway       IPv4 Network gateway address
    DNS1, DNS2    Addresses of the IPv4 DNS server 1 and DNS server2

12. If you chose 1 in step 9, then you will need to skip to step 13. If you chose 2 or 3 in step 9, then you will configure the
IPv6 network by entering the following fields, then press Next.


    Option               Description
    IPv6 Address         The Manager/Supervisor/Worker/Collector's IPv6 address
    prefix (Netmask)     The Manager/Supervisor/Worker/Collector's IPv6 prefix
    Gateway ipv6         IPv6 Network gateway address
    DNS1 IPv6, DNS2 IPv6 Addresses of the IPv6 DNS server 1 and DNS server2

Note: If you chose option 3 in step 9 for both IPv4 and IPv6, then even if you configure 2 DNS servers for IPv4 and
IPv6, the system will only use the first DNS server from IPv4 and the first DNS server from the IPv6 configuration.
Note: In many dual stack networks, IPv4 DNS server(s) can resolve names to both IPv4 and IPv6. In such environments, if you do not have an IPv6 DNS server, then you can use public IPv6 DNS servers or use IPv4-mapped IPv6 address.
13. Configure Hostname for FortiSIEM Manager/Supervisor/Worker/Collector. Press Next.

Note: FQDN is no longer needed.


14. Test network connectivity by entering a host name that can be resolved by your DNS Server (entered in the
previous step) and can respond to a ping. The host can either be an internal host or a public domain host like
google.com. Press Next.
Note: By default, "google.com" is shown for the connectivity test, but if configuring IPv6, you must enter an accessible internally approved IPv6 DNS server, for example: "ipv6-dns.fortinet.com".
Note: When configuring both IPv4 and IPv6, only testing connectivity for the IPv6 DNS is required because IPv6 takes higher precedence. So update the host field with an approved IPv6 DNS server.

15. The final configuration confirmation is displayed. Verify that the parameters are correct. If they are not, then press
Back to return to previous dialog boxes to correct any errors. If everything is OK, then press Run.

The options are described in the following table.

Option          Description
-r              The FortiSIEM component being configured
-z              The time zone being configured
-i              IPv4-formatted address
-m              Address of the subnet mask
-g              Address of the gateway server used
--host          Host name
-f              FQDN address: fully-qualified domain name
-t              The IP type. The values can be either 4 (for ipv4) or 6 (for v6) or 64 (for both IPv4 and IPv6).
--dns1, --dns2  Addresses of DNS server 1 and DNS server 2.
--i6            IPv6-formatted address
--m6            IPv6 prefix
--g6            IPv6 gateway
-o              Installation option (install_without_fips, install_with_fips, enable_fips, or disable_fips, change_network_config*)
                *Option only available after installation.
-z              Time zone. Possible values are US/Pacific, Asia/Shanghai, Europe/London, or Africa/Tunis
--testpinghost  The URL used to test connectivity

16. It will take some time for this process to finish. When it is done, proceed to Upload the FortiSIEM License. If the
VM fails, you can inspect the ansible.log file located at /usr/local/fresh-install/logs to try and
identify the problem.

Upload the FortiSIEM License

Before proceeding, make sure that you have obtained a valid FortiSIEM license from FortiCare.
For more information, see the Licensing Guide.

You will now be asked to input a license.

1. Open a Web browser and log in to the FortiSIEM UI. Use the link https://<supervisor-ip> to log in. Please note that if you are logging into FortiSIEM with an IPv6 address, you should input https://[IPv6 address] on the browser tab.


2. The License Upload dialog box will open.

3. Click Browse and upload the license file.


Make sure that the Hardware ID shown in the License Upload page matches the license.
4. For User ID and Password, choose any Full Admin credentials.
For the first time installation, enter admin as the user and admin*1 as the password. You will then be asked to
create a new password for GUI access.
5. Choose License type as Enterprise or Service Provider.
This option is available only for a first time installation. Once the database is configured, this option will not be
available.
For FortiSIEM Manager, License Type is not an available option, and will not appear. At this point, FortiSIEM Manager installation is complete. You will not be taken to the Event Database Storage page, so you can skip Choose an Event Database.
Note: The FortiSIEM Manager license allows a certain number of instances that can be registered to
FortiSIEM Manager.
6. Proceed to Choose an Event Database.

Choose an Event Database

For a fresh installation, you will be taken to the Event Database Storage page. From the Event Database drop-down list,
choose EventDB on Local Disk, EventDB on NFS, ClickHouse, or Elasticsearch. For more details, see Configuring
Storage.

After the License has been uploaded, and the Event Database Storage setup is configured, FortiSIEM installation is
complete. If the installation is successful, the VM will reboot automatically. Otherwise, the VM will stop at the failed task.


You can inspect the ansible.log file located at /usr/local/fresh-install/logs if you encounter any issues
during FortiSIEM installation.
After installation completes, ensure that the phMonitor is up and running, for example:
# phstatus

For the Supervisor, Worker and Collector, the response should be similar to the following.

For FortiSIEM Manager, the response should look similar to the following.


Cluster Installation

For larger installations, you can choose Worker nodes, Collector nodes, and external storage (NFS, ClickHouse, or
Elasticsearch).
- Install Supervisor
- Install Workers
- Register Workers
- Install Collectors
- Register Collectors
- Install Manager
- Register Instances to Manager

Install Supervisor

Follow the steps in All-in-one Install with two differences:


- Setting up hardware - you do not need an event database.
- Setting up an external Event database - configure the cluster for NFS, ClickHouse, or Elasticsearch.
NFS

ClickHouse


Elasticsearch


You must choose external storage listed in Choose an Event Database.

Install Workers

Once the Supervisor is installed, follow the same steps in All-in-one Install to install a Worker except only choose OS and
OPT disks. The recommended settings for Worker node are:
- CPU = 8
- Memory = 24 GB
- Two hard disks:
  - OS – 25GB
  - OPT – 100GB


Register Workers

Once the Worker is up and running, add the Worker to the Supervisor node.
1. Go to ADMIN > License > Nodes.
2. Select Worker from the drop-down list and enter the Worker's IP address and host name. Click Add.

3. See ADMIN > Health > Cloud Health to ensure that the Workers are up, healthy, and properly added to the
system.

Install Collectors

Once Supervisor and Workers are installed, follow the same steps in All-in-one Install to install a Collector except in Edit
FortiSIEM Hardware Settings, only choose OS and OPT disks.


- Collector in Regular IT Environments
- Collector with Reduced Disk in OT Environments

Collector in Regular IT Environments

The recommended settings for Collector node are:

- CPU = 4
- Memory = 8GB
- Two hard disks:
  - OS – 25GB
  - OPT – 100GB

Collector with Reduced Disk in OT Environments

FortiSIEM installations require the OPT drive to have exactly 100 GB. This is valid for all three node options (Supervisor,
Worker and Collectors).
Certain environments such as Operational Technology (OT) may find it difficult to dedicate 125 GB to a log collector. The
steps here explain how to bypass the requirement for Collector install. Be aware that reducing the size of the disk also
reduces the size of the available cache when there is a connection interruption between Collector and
Workers/Supervisor, and may result in loss of logs.

1. Follow the installation guide but instead of adding a 100 GB disk for OPT, add a disk of whatever size you require.
2. In this example, we will assume the OPT disk is 35 GB, so in total, the Collector VM will have 70 GB (25 for OS + 35
for OPT).


3. After you boot the VM and change the password, you will be editing the following files.
   - /usr/local/syslib/config/disksConfig.json
   - /usr/local/install/roles/fsm-disk-mgmt/tasks/disks.yml
   Note: You must make changes to these files before running the configFSM.sh installer.
4. The disksConfig.json file contains a map of installation types and node types. It defines the required sizes of disks so that the installer can validate them. Since we are changing the KVM Collector opt disk requirement to 35 GB in this example, we must reflect that size in this file. Using a text editor, modify the "opt" line in the disksConfig.json file, shown in blue, to your requirement.

   "FSIEMVMWARE": {
       "SUPER": {
           "number": "3",
           "opt": "100",
           "svn": "60",
           "cmdb": "60"
       },
       "FSMMANAGER": {
           "number": "2",
           "opt": "100",
           "cmdb": "60"
       },
       "WORKER": {
           "number": "1",
           "opt": "100"
       },
       "COLLECTOR": {
           "number": "1",
           "opt": "35"
       }
   },

5. Save the disksConfig.json file.
6. Load the /usr/local/install/roles/fsm-disk-mgmt/tasks/disks.yml file via a text editor. You can choose to adjust only the (step a) OPT disk or (step b) adjust the swap disk and OPT disk. To change only the OPT disk, proceed with step a, then skip to step 7. To adjust the swap disk and reduce the OPT disk, skip step a and proceed with step b.
   a. ADJUST OPT DISK ONLY
      Navigate to line 54 in the /usr/local/install/roles/fsm-disk-mgmt/tasks/disks.yml file and change the line.
      Original line (The original line assumes the drive is 100 GB)
      parted -a optimal --script "{{ item.disk }}" mkpart primary "{{ item.fstype }}" 26G 100G && sleep 5

      Change this line to reflect the size of your OPT disk (in this example 35 GB), marked in blue.
      parted -a optimal --script "{{ item.disk }}" mkpart primary "{{ item.fstype }}" 26G 35G && sleep 5

      Skip step b and c, and proceed to step 7.
   b. ADJUST SWAP DISK and REDUCE OPT DISK
      Reduce the Swap Disk by changing the following original line (The original line assumes swap disk to be 25GB).
      parted -a optimal --script "{{ item.disk }}" mklabel gpt mkpart primary linux-swap 1G 25G && sleep 5

      Change to (in this example 10G), marked in blue:
      parted -a optimal --script "{{ item.disk }}" mklabel gpt mkpart primary linux-swap 1G 10G && sleep 5
   c. Reduce the /OPT disk by changing the following line (The original line assumes the drive is 100 GB).


      parted -a optimal --script "{{ item.disk }}" mkpart primary "{{ item.fstype }}" 26G 100G && sleep 5

      Change to reflect the size of your OPT disk (in this example 35 GB), marked in blue.
      parted -a optimal --script "{{ item.disk }}" mkpart primary "{{ item.fstype }}" 11G 35G && sleep 5
7. Save the disks.yml file.


8. Run configFSM.sh to install the collector. When it reboots, you can provision it using the phProvisionCollector
command. Your partition output should appear similar to the following.
Partition Output of deployment:
sdb 8:16 0 35G 0 disk
├─sdb1 8:17 0 8.4G 0 part [SWAP]
└─sdb2 8:18 0 22.4G 0 part /opt

# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 12G 0 12G 0% /dev
tmpfs 12G 0 12G 0% /dev/shm
tmpfs 12G 17M 12G 1% /run
tmpfs 12G 0 12G 0% /sys/fs/cgroup
/dev/mapper/rl-root 22G 8.1G 14G 38% /
/dev/sdb2 23G 4.3G 19G 19% /opt
/dev/sda1 1014M 661M 354M 66% /boot
tmpfs 2.4G 0 2.4G 0% /run/user/500
tmpfs 2.4G 0 2.4G 0% /run/user/0
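
The edits in steps 4 to 7 have to agree with each other before configFSM.sh runs. The following script is an added example, not part of the Fortinet guide: it reads the COLLECTOR "opt" value from disksConfig.json and the two parted lines from disks.yml, checks them against each other, and reports the resulting swap and /opt sizes. It assumes each parted command sits on a single line of disks.yml and that the first matching line is the one the guide edits; the function names and the sample files it writes are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Fortinet code): pre-flight check for the reduced-disk
# Collector edits. Assumes the JSON is pretty-printed as shown in the guide.

# Print the "opt" size in GB required for FSIEMVMWARE -> COLLECTOR.
collector_opt_gb() {   # $1 = path to disksConfig.json
    awk '
        /"FSIEMVMWARE"/       { plat = 1 }
        plat && /"COLLECTOR"/ { col = 1 }
        col && /"opt"/        { gsub(/[^0-9]/, ""); print; exit }
    ' "$1"
}

# Print "start end" in GB for the first parted line containing pattern $1.
mkpart_bounds() {      # $1 = pattern, $2 = path to disks.yml
    grep 'parted' "$2" | grep -- "$1" | head -n 1 |
        grep -oE '[0-9]+G' | tr -d 'G' | tr '\n' ' '
}

# Validate the edits; prints "OK swap=<n>G opt=<n>G" or "FAIL: <reason>".
check_collector_disk() {   # $1 = disksConfig.json, $2 = disks.yml
    disk_gb=$(collector_opt_gb "$1")
    set -- $(mkpart_bounds 'linux-swap' "$2") $(mkpart_bounds 'item.fstype' "$2")
    if [ -z "$disk_gb" ] || [ $# -ne 4 ]; then
        echo "FAIL: could not parse the opt size or the parted lines"
        return 1
    fi
    swap_start=$1; swap_end=$2; opt_start=$3; opt_end=$4
    if [ "$opt_end" -ne "$disk_gb" ]; then
        echo "FAIL: parted ends /opt at ${opt_end}G but disksConfig.json expects ${disk_gb}G"
        return 1
    fi
    if [ "$swap_end" -gt "$opt_start" ] || [ "$opt_start" -ge "$opt_end" ]; then
        echo "FAIL: swap ${swap_start}G-${swap_end}G and /opt ${opt_start}G-${opt_end}G overlap or are empty"
        return 1
    fi
    echo "OK swap=$((swap_end - swap_start))G opt=$((opt_end - opt_start))G"
}

# Write constructed sample files. $1 = directory, $2 = JSON opt value,
# $3 $4 = swap start/end, $5 $6 = /opt start/end (all in GB).
write_sample() {
    cat > "$1/disksConfig.json" <<EOF
{
  "FSIEMVMWARE": {
    "WORKER": {
      "number": "1",
      "opt": "100"
    },
    "COLLECTOR": {
      "number": "1",
      "opt": "$2"
    }
  }
}
EOF
    cat > "$1/disks.yml" <<EOF
- shell: parted -a optimal --script "{{ item.disk }}" mklabel gpt mkpart primary linux-swap ${3}G ${4}G && sleep 5
- shell: parted -a optimal --script "{{ item.disk }}" mkpart primary "{{ item.fstype }}" ${5}G ${6}G && sleep 5
EOF
}

# Demo on constructed files: step a, steps b and c, then an unedited disks.yml.
demo_dir=$(mktemp -d)
for values in "1 25 26 35" "1 10 11 35" "1 25 26 100"; do
    write_sample "$demo_dir" 35 $values
    check_collector_disk "$demo_dir/disksConfig.json" "$demo_dir/disks.yml" || true
done
rm -rf "$demo_dir"
```

With the step a values (swap left at 1G to 25G, /opt from 26G to 35G) the check passes but reports only 9G for /opt; the values from steps b and c give 9G of swap and 24G for /opt.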

Register Collectors

Collectors can be deployed in Enterprise or Service Provider environments.


- Enterprise Deployments
- Service Provider Deployments

Enterprise Deployments

For Enterprise deployments, follow these steps.


1. Log in to Supervisor with 'Admin' privileges.
2. Go to ADMIN > Settings > System > Event Worker.
a. Enter the IP of the Worker node. If a Supervisor node is only used, then enter the IP of the Supervisor node.
Multiple IP addresses can be entered on separate lines. In this case, the Collectors will load balance the upload
of events to the listed Event Workers.
Note: Rather than using IP addresses, a DNS name is recommended. The reasoning is, should the IP
addressing change, it becomes a matter of updating the DNS rather than modifying the Event Worker IP
addresses in FortiSIEM.
b. Click OK.


3. Go to ADMIN > Setup > Collectors and add a Collector by entering:
   a. Name – Collector Name
   b. Guaranteed EPS – this is the EPS that Collector will always be able to send. It could send more if there is excess EPS available.
   c. Start Time and End Time – set to Unlimited.
4. SSH to the Collector and run the following script to register Collectors:
   # /opt/phoenix/bin/phProvisionCollector --add <user> '<password>' <Super IP or Host> <Organization> <CollectorName>
   The password should be enclosed in single quotes to ensure that any non-alphanumeric characters are escaped.
a. Set user and password using the admin user name and password for the Supervisor.
b. Set Super IP or Host as the Supervisor's IP address.
c. Set Organization. For Enterprise deployments, the default name is Super.
d. Set CollectorName from Step 2a.
The Collector will reboot during the Registration.
5. Go to ADMIN > Health > Collector Health for the status.

Service Provider Deployments

For Service Provider deployments, follow these steps.


1. Log in to Supervisor with 'Admin' privileges.
2. Go to ADMIN > Settings > System > Event Worker.
a. Enter the IP of the Worker node. If a Supervisor node is only used, then enter the IP of the Supervisor node.
Multiple IP addresses can be entered on separate lines. In this case, the Collectors will load balance the upload
of events to the listed Event Workers.
Note: Rather than using IP addresses, a DNS name is recommended. The reasoning is, should the IP
addressing change, it becomes a matter of updating the DNS rather than modifying the Event Worker IP
addresses in FortiSIEM.


b. Click OK.

3. Go to ADMIN > Setup > Organizations and click New to add an Organization.

4. Enter the Organization Name, Admin User, Admin Password, and Admin Email.
5. Under Collectors, click New.
6. Enter the Collector Name, Guaranteed EPS, Start Time, and End Time.
The last two values could be set as Unlimited. Guaranteed EPS is the EPS that the Collector will always be able to
send. It could send more if there is excess EPS available.

7. SSH to the Collector and run the following script to register Collectors:
   # /opt/phoenix/bin/phProvisionCollector --add <user> '<password>' <Super IP or Host> <Organization> <CollectorName>
   The password should be enclosed in single quotes to ensure that any non-alphanumeric characters are escaped.


a. Set user and password using the admin user name and password for the Organization that the Collector is
going to be registered to.
b. Set Super IP or Host as the Supervisor's IP address.
c. Set Organization as the name of an organization created on the Supervisor.
d. Set CollectorName from Step 6.

The Collector will reboot during the Registration.


8. Go to ADMIN > Health > Collector Health and check the status.
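
Both registration procedures above (Enterprise step 4 and Service Provider step 7) place the password on the phProvisionCollector command line in single quotes. The following wrapper is an added example, not Fortinet code: it prompts for the password instead of putting it in the typed command, and it shows how to single-quote a password that itself contains a single quote. PROVISION_BIN and the function names are hypothetical; only the phProvisionCollector argument order comes from the guide.

```sh
#!/bin/sh
# Added example (not Fortinet code): register a Collector without typing the
# password into the command line, where it would land in the shell history.

# Path from the guide; overridable so the wrapper can be tried against a stub.
PROVISION_BIN=${PROVISION_BIN:-/opt/phoenix/bin/phProvisionCollector}

# Wrap a string in single quotes for pasting into a shell command line.
# Plain '...' breaks when the password itself contains a single quote, so
# each embedded ' is written as '\'' (close quote, escaped quote, reopen).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read the password from standard input (echo off when it is a terminal) and
# pass it as one quoted argument, so it reaches the program byte for byte.
# The password is still visible in the process list while the command runs.
provision_collector() {   # $1 user, $2 Super IP or Host, $3 Organization, $4 CollectorName
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$1" >&2
        stty -echo
        IFS= read -r collector_pw
        stty echo
        printf '\n' >&2
    else
        IFS= read -r collector_pw
    fi
    rc=0
    "$PROVISION_BIN" --add "$1" "$collector_pw" "$2" "$3" "$4" || rc=$?
    unset collector_pw
    return "$rc"
}

# Constructed sample password containing $, ! and a single quote.
sample_pw='p@$$w0rd!'"'"'x'
printf 'Safe to paste: %s\n' "$(sq_quote "$sample_pw")"

# Usage on the Collector (host and Collector name are placeholders):
#   provision_collector admin supervisor.example.com Super Collector1
```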

Install Manager

Starting with release 6.5.0, you can install FortiSIEM Manager to monitor and manage multiple FortiSIEM instances. An
instance includes a Supervisor and optionally, Workers and Collectors. The FortiSIEM Manager needs to be installed on
a separate Virtual Machine and requires a separate license. FortiSIEM Supervisors must be on 6.5.0 or later versions.
Follow the steps in All-in-one Install to install Manager. After any Supervisor, Workers, and Collectors are installed, you
add the Supervisor instance to Manager, then Register the instance itself to Manager. See Register Instances to
Manager.

Register Instances to Manager

To register your Supervisor instance with Manager, you will need to do two things in the following order.
- First, add the instance to Manager
- Then register the instance itself to Manager
Note that communication between FortiSIEM Manager and instances is via REST APIs over HTTP(S).

Add Instance to Manager

You can add an instance to Manager by taking the following steps.


Note: Make sure to record the FortiSIEM Instance Name, Admin User, and Admin Password, as these are needed when you register your instance.


1. Log in to FortiSIEM Manager.
2. Navigate to ADMIN > Setup.
3. Click New.
4. In the FortiSIEM Instance field, enter the name of the Supervisor instance you wish to add.
5. In the Admin User field, enter the Account name you wish to use to access Manager.
6. In the Admin Password field, enter the Password that will be associated with the Admin User account.
7. In the Confirm Admin Password field, re-enter the Password.
8. (Optional) In the Description field, enter any information you wish to provide about the instance.
9. Click Save.

10. Repeat steps 1-9 to add any additional instances to Manager.


Now, follow the instructions in Register the Instance Itself to Manager for each instance.

Register the Instance Itself to Manager

To register your instance with Manager, take the following steps.


1. From your FortiSIEM Supervisor/Instance, navigate to ADMIN > Setup > FortiSIEM Manager, and take the
following steps.
a. In the FortiSIEM Manager FQDN/IP field, enter the FortiSIEM Manager Fully Qualified Domain Name (FQDN)
or IP address.
b. In the FortiSIEM Instance Name field, enter the instance name used when adding the instance to Manager.
c. In the Account field, enter the Admin User name used when adding the instance to Manager.
d. In the Password field, enter your password to be associated with the Admin User name.
e. In the Confirm Password field, re-enter your password.
f. Click Test to verify the configuration.
g. Click Register.
A dialog box displaying "Registered successfully" should appear if everything is valid.


h. Log in to Manager, and navigate to any one of the following pages to verify registration.
• ADMIN > Setup and check that the box is marked in the Registered column for your instance.
• ADMIN > Health, look for your instance under FortiSIEM Instances.
• ADMIN > License, look for your instance under FortiSIEM Instances.

Installing on ESX 6.5

• Importing a 6.5 ESX Image
• Resolving Disk Save Error
• Adding a 5th Disk for /data

Importing a 6.5 ESX Image

When installing with ESX 6.5, or an earlier version, you will get an error message when you attempt to import the image.

To resolve this import issue, you will need to take the following steps:
1. Install 7-Zip.
2. Extract the OVA file into a directory.


3. In the directory where you extracted the OVA file, edit the file FortiSIEM-VA-6.6.2.1637.ovf, and replace all
references to vmx-15 with your compatible ESX hardware version shown in the following table.
Note: For example, for ESX 6.5, replace vmx-15 with vmx-13.


| Compatibility | Description |
| --- | --- |
| ESXi 6.5 and later | This virtual machine (hardware version 13) is compatible with ESXi 6.5. |
| ESXi 6.0 and later | This virtual machine (hardware version 11) is compatible with ESXi 6.0 and ESXi 6.5. |
| ESXi 5.5 and later | This virtual machine (hardware version 10) is compatible with ESXi 5.5, ESXi 6.0, and ESXi 6.5. |
| ESXi 5.1 and later | This virtual machine (hardware version 9) is compatible with ESXi 5.1, ESXi 5.5, ESXi 6.0, and ESXi 6.5. |
| ESXi 5.0 and later | This virtual machine (hardware version 8) is compatible with ESXi 5.0, ESXi 5.1, ESXi 5.5, ESXi 6.0, and ESXi 6.5. |
| ESX/ESXi 4.0 and later | This virtual machine (hardware version 7) is compatible with ESX/ESXi 4.0, ESX/ESXi 4.1, ESXi 5.0, ESXi 5.1, ESXi 5.5, ESXi 6.0, and ESXi 6.5. |
| ESX/ESXi 3.5 and later | This virtual machine (hardware version 4) is compatible with ESX/ESXi 3.5, ESX/ESXi 4.0, ESX/ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0, and ESXi 6.5. It is also compatible with VMware Server 1.0 and later. ESXi 5.0 does not allow creation of virtual machines with ESX/ESXi 3.5 and later compatibility, but you can run such virtual machines if they were created on a host with different compatibility. |
| ESX Server 2.x and later | This virtual machine (hardware version 3) is compatible with ESX Server 2.x, ESX/ESXi 3.5, ESX/ESXi 4.0, ESX/ESXi 4.1, and ESXi 5.0. You cannot create, edit, turn on, clone, or migrate virtual machines with ESX Server 2.x compatibility. You can only register or upgrade them. |

Note: For more information, see here.


4. Right click on your host and choose Deploy OVF Template. The Deploy OVA Template dialog box appears.
5. In 1 Select an OVF template, select Local File.
6. Navigate to the folder with the OVF file.
7. Select all the contents that are included with the OVF.


8. Click Next.
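
Editing the descriptor in step 3 changes its checksum, so a package manifest that lists the .ovf file no longer matches it. The following added example (not Fortinet code) performs the vmx-15 replacement on an extracted directory and refreshes the descriptor's manifest line; it assumes the package may carry a .mf manifest with `SHA1(file)= digest` or `SHA256(file)= digest` lines, as OVF packages commonly do, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Fortinet code): retarget an extracted OVF descriptor to
# an older hardware version and keep the package manifest consistent.

# digest_of ALGO FILE: hex digest of FILE; ALGO is SHA1 or SHA256.
digest_of() {
    bits=${1#SHA}
    if command -v "sha${bits}sum" >/dev/null 2>&1; then
        "sha${bits}sum" "$2" | cut -d' ' -f1
    else
        shasum -a "$bits" "$2" | cut -d' ' -f1
    fi
}

# verify_manifest DIR: check every "ALGO(file)= digest" line of DIR/*.mf
# against the files on disk. Returns 1 on the first mismatch.
verify_manifest() {
    for mf in "$1"/*.mf; do
        [ -f "$mf" ] || continue
        tr -d '\r' < "$mf" | while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            algo=${line%%"("*}; name=${line#*"("}; name=${name%%")"*}
            want=${line##*=}; want=${want# }
            [ "$(digest_of "$algo" "$1/$name")" = "$want" ] ||
                { echo "digest mismatch: $name" >&2; exit 1; }
        done || return 1
    done
}

# retarget_ovf DIR OVF_NAME NEW_VMX: replace vmx-15 in DIR/OVF_NAME with
# NEW_VMX (two-digit form such as vmx-13), then refresh the descriptor's
# manifest line so the manifest still matches the edited file.
retarget_ovf() {
    dir=$1 ovf=$2 new=$3
    case $new in vmx-[0-9][0-9]) ;; *) echo "bad version: $new" >&2; return 2 ;; esac
    grep -q 'vmx-15' "$dir/$ovf" || { echo "no vmx-15 in $ovf" >&2; return 1; }
    sed "s/vmx-15/$new/g" "$dir/$ovf" > "$dir/$ovf.tmp" && mv "$dir/$ovf.tmp" "$dir/$ovf"
    for mf in "$dir"/*.mf; do
        [ -f "$mf" ] || continue
        algo=$(sed -n "s/^\(SHA[0-9]*\)($ovf)=.*/\1/p" "$mf")
        [ -n "$algo" ] || continue
        sum=$(digest_of "$algo" "$dir/$ovf")
        sed "s/^$algo($ovf)=.*/$algo($ovf)= $sum/" "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
    done
}
```

Run verify_manifest on the freshly extracted directory before editing, so that a mismatch reported afterwards can only come from your own change to the descriptor.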

Resolving Disk Save Error

You may encounter an error message asking you to select a valid controller for the disk if you attempt to add an
additional 4th disk (/opt, /cmdb, /svn, and /data). This is likely due to an old IDE controller issue in VMware, where
you are normally limited to 2 IDE controllers (0 and 1) and 2 disks per controller (Master/Slave).

If you are attempting to add 5 disks in total, as in the following example, you will need to take the following steps:

| Disk | Usage |
| --- | --- |
| 1st | 25GB default for image |
| 2nd | 100GB for /opt |
| 3rd | 60GB for /cmdb |
| 4th | 60GB for /svn |
| 5th | 75GB for /data (optional, or use with NFS or ES storage) |

1. Go to Edit settings, and add each disk individually, clicking save after adding each disk.
When you reach the 4th disk, you will receive the "Please select a valid controller for the disk" message. This is
because the software has failed to identify the virtual device node controller/Master or Slave for some unknown
reason.
2. Expand the disk setting for each disk and review which IDE Controller Master/Slave slots are in use. For example, in
one installation, there may be an attempt for the 4th disk to be added to IDE Controller 0 when the Master/Slave
slots are already in use. In this situation, you would need to put the 4th disk on IDE Controller 1 in the Slave position,
as shown here. In your situation, make the appropriate configuration setting change.


3. Click save to ensure your work has been saved.

Adding a 5th Disk for /data

When you need to add a 5th disk, such as for /data, and there is no available slot, you will need to add a SATA
controller to the VM by taking the following steps:
1. Go to Edit settings.
2. Select Add Other Device, and select SCSI Controller (or SATA).

You will now be able to add a 5th disk for /data, and it should default to using the additional controller. You should be
able to save and power on your VM. At this point, follow the normal instructions for installation.

Note: When adding the local disk in the GUI, the path should be /dev/sda or /dev/sdd. You can use one of the
following commands to locate it:
# fdisk -l
or
# lsblk


Install Log

The install ansible log file is located here: /usr/local/fresh-install/logs/ansible.log.


Errors can be found at the end of the file.

www.fortinet.com

Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
