04 - FortiEDR CORE MODULE
Requirements
As a security best practice, it is recommended to update the firewall rules so that they only have a narrow opening.
- virtual machine | decated workstation or server
- Intel or AMD x86/x64
- open firewall port 555 for listening communication
The ammount of cores results from the number of clients, respectively, an additional DMZ variant in the used network environment.
Calculation Basis:
| Amount of Devices | Cores |
| 3500 to 4000 Devices | 1 |
Example:
| Amount of Devices | Cores |
| 2500 | 1 |
| 5000 | 2 |
| 10000 | 3 |
System Requirements
| amount cores | 2 |
| amount cpu's/core | 2 |
| RAM | 8 GB |
| discs | 1 |
| disc size | 160 GB |
Communication Requirements
| Instance | Target | TCP/IP/PORT | FUNCTION |
| Collector | CORE | PORT 555 | Compressed OS Metadata |
| CORE | AGGREGATOR | PORT 8081 | Registration, Status and Events |
| CORE | EDR | PORT 443 | Thread Hunting Datas |
| AGGREGATOR | CORE | HIGHPORT | Registration, Status and Events |
Installation Informations
| Distribution | appliance ISO file |
| Virtualisation | all common HyperVisor supported |
| known issues at installation start up | after initial installation, the installation file should be removed to prevent loops |
| known issues due to CentOS7 (before Version 4) | CentOS File System needs to be fixed |
| CentOS7 Bug Fix | MX42_CentOS7_BUG_SOLUTION_MANUAL_Draft.dotx |
Installation Steps
StartUp
After the initial installation you will need to login for further configurations.
All further steps will be need to be done by arrow keys due to no mouse is supported by linux root systems.
Login:
User = root
PW = password needs to be set with following critereas
"More than 8 signs"
"username should not be included (even partically)"
After login successfully start the configuration process with:
fortiedr config - (observe upper/lower case)
Hostname
Hostnames can be set as FQDN
Please be sure that the DNS entries has been set properly at the DNS Servers and entirely distributed between master and slaves.
<PICTURE>
USE ARROW KEY TO < NEXT > / click ENTER
Device Role
Use arrow key to choose device role (x) CORE
<PICTURE>
USE ARROW KEY TO < NEXT > / click ENTER
Organization Name
At the prompt, enter the Organization name. For a non-multi-tenant setup, this must be left empty.
Registration Password
External IP Address
Primary Interface
DHCP
DNS Server
Debug Mode
Location Settings