FortiSIEM Windows Agent Pre-installation Notes
Hardware and Software Requirements Windows Agents
Windows Agent Manager
Supported versions
Windows Agent
Windows Agent Manager
Communication Ports between Agent and Agent Manager
Licensing
When you purchase the Windows Agent Manager, you also purchase a set number of licenses that can be applied to the Windows devices you are monitoring. After you have set up and configured Windows Agent Manager, you can see the number of both Basic and Advanced licenses that are available and in use in your deployment by logging into your Supervisor node and going to Admin > License Management, where you will see an entry for Basic Windows Licenses Allowed/Used and Advanced Windows Licenses Allowed/Used. You can see how these licenses have been applied by going to Admin > Windows Agent Health. When you are logged into the Windows Agent Manager you can also see the number of available and assigned licenses on the Assign Licenses to Users page.
There are two types of licenses that you can associate with your Windows agent.
License Type | Description |
None | An agent has been installed on the device, but no license is associated with it. This device will not be monitored until a license is applied to it. |
Advanced | The agent is licensed to monitor all activity on the device, including logs, installed software changes, and file/folder changes |
Basic | The agent is licensed to monitor only logs on the device |
When applying licenses to agents, keep in mind that Advanced includes Basic, so Advanced licenses can also be used for the Basic purpose of monitoring logs. For example, if you have purchased a total of 10 licenses, five Advanced and five Basic, you could apply all 10 licenses to your devices as Basic.
Feature | License Type |
Windows Security Logs | Basic |
Windows Application Logs | Basic |
Windows System Logs | Basic |
Windows DNS Logs | Basic |
Windows DHCP Logs | Basic |
IIS logs | Basic |
DFS logs | Basic |
Any Windows Log File | Basic |
Custom file monitoring | Basic |
File Integrity Monitoring | Advanced |
Installed Software Change Monitoring | Advanced |
Registry Change Monitoring | Advanced |
WMI output Monitoring | Advanced |
PowerShell Output Monitoring | Advanced |
Hardware and Software Requirements
Windows Agents
Component | Requirement | Notes |
CPU | x86 or x64 (or compatible) at 2 GHz or higher | |
Hard Disk | 10 GB (minimum) | |
Server OS | Windows XP SP3 and above (Recommended) | |
Desktop OS | Windows 7/8 | Performance issues may occur due to limitations of desktop OS |
RAM | 1 GB for XP; 2+ GB for Windows Vista and above / Windows Server | |
Installed Software | .NET Framework 4.0; PowerShell 2.0 or higher | .NET Framework 4.0 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=17718. PowerShell can be downloaded from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=4045. |
Windows OS Language | English | |
Windows Agent Manager
Each Manager has been tested to handle up to 500 agents at an aggregate 7.5K events/sec.
Component | Requirement | Notes |
CPU | x86 or x64 (or compatible) at 2 GHz or higher | |
Hard Disk | 10 GB (minimum) | |
Server OS | Windows Server 2008 and above (Strongly recommended) | |
Desktop OS | Windows 7/8 | Performance issues may occur due to limitations of desktop OS |
RAM | 32-bit OS: 2 GB minimum for Windows 7/8. 64-bit OS: 4 GB minimum for Windows 7/8 and Windows Server 2008/2012 | |
Installed Software | .NET Framework 4.5; SQL Server Express or SQL Server 2012 installed using "SQL Server Authentication Mode"; PowerShell 2.0 or higher; IIS 7 or higher (IIS 7 and 7.5: the ASP.NET feature must be enabled from the Application Development Role Service of IIS; IIS 8.0+: the ASP.NET 4.5 feature must be enabled from the Application Development Role Service of IIS) | .NET Framework 4.5 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=30653, and is already available on Windows 8 and Windows Server 2012. PowerShell can be downloaded from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=4045. SQL Server Express has no performance degradation compared to SQL Server 2012. |
Windows OS Language | English | |
Supported versions
Windows Agent
Windows 7
Windows 8
Windows XP SP3 or above
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Agent Manager
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Communication Ports between Agent and Agent Manager
TCP port 443 (Agent 1.1 onwards) or TCP port 80 (Agent 1.0) on the Agent Manager for receiving events from Agents. Port 80 carries events in plaintext and should only be open while 1.0 agents remain. Ports 135, 137, 139 and 445 (RPC endpoint mapper, NetBIOS name and session services, and SMB) are needed for NetBIOS-based communication, including agent access to the installer share on the Agent Manager; restrict them to the agent and Agent Manager hosts rather than opening them broadly.
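The following is an added example, not part of the FortiSIEM documentation: run from a candidate agent host, it probes the TCP ports listed above on the Agent Manager with a bounded timeout and checks that the installer share is reachable. The Agent Manager host name and the share name 'Agent' are assumptions (the page only gives the local default path C:\FortiSIEM\Agent and does not name the share).

```powershell
# Added example (not from the FortiSIEM documentation): run on a candidate agent
# host to confirm the Agent Manager is reachable on the ports listed above.
# Assumptions: $Manager is the Agent Manager host name, and 'Agent' is the name
# of the installer share (the page gives only the local path C:\FortiSIEM\Agent).
param([string]$Manager = 'agentmgr.example.local')

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # Bounded wait so a silently dropped SYN does not hang the check
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)          # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP ports from the section above, with why each is needed. Open only what the
# deployed agent version uses: port 80 is plaintext and only Agent 1.0 needs it.
$checks = @(
    @{ Port = 443; Why = 'events from Agent 1.1 and later (HTTPS)' },
    @{ Port = 80;  Why = 'events from Agent 1.0 only (HTTP, plaintext)' },
    @{ Port = 135; Why = 'RPC endpoint mapper (NetBIOS-based communication)' },
    @{ Port = 139; Why = 'NetBIOS session service' },
    @{ Port = 445; Why = 'SMB, including the agent installer share' }
)
foreach ($c in $checks) {
    $state = if (Test-TcpPort -Target $Manager -Port $c.Port) { 'open' } else { 'CLOSED' }
    '{0,-4} {1,-7} {2}' -f $c.Port, $state, $c.Why
}
# Port 137 (NetBIOS name service) is UDP and cannot be probed with a TCP connect;
# verify it from the firewall rule set instead.

# Installer share reachability (the share name is an assumption, see above).
$share = "\\$Manager\Agent"
if (Test-Path -Path $share) {
    "installer share $share is reachable"
} else {
    Write-Warning "installer share $share is not reachable; installing the agent from the Agent Manager will fail"
}
```

The script uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the PowerShell 2.0 / Windows XP and Server 2003 hosts listed as supported agent platforms.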
Installing FortiSIEM Windows Agent Manager
Prerequisites
- Make sure that the ports needed for communication between Windows Agent and Agent Manager are open and the two systems can communicate
- For versions 1.1 and higher, Agent and Agent Manager communicate via HTTPS. For this reason, there is a special pre-requisite: get your Common Name / Subject Name from IIS
  - Logon to Windows Agent Manager
  - Open IIS by going to Run, typing inetmgr and pressing Enter
  - Go to Default Web Site in the left pane
  - Right click Default Web Site and select Edit Bindings...
  - In the Site Bindings dialog, check whether https appears under the Type column
  - If https is available:
    - Select the https row and click Edit...
    - In the Edit Site Binding dialog, under the SSL certificate section, click the View... button
    - In the Certificate dialog, under the General tab, note the value of Issued to. This is your Common Name / Subject Name
  - If https is not available, you need to bind the Default Web Site with https:
    - a. Import a new certificate. This can be done in one of two ways:
      - Either create a self-signed certificate as follows (IIS uses the machine name as the Common Name of a certificate created this way; agents will connect to the Agent Manager by that name, so it must be one they can resolve):
        - Open IIS by going to Run, typing inetmgr and pressing Enter
        - In the left pane, select the computer name
        - In the right pane, double click Server Certificates
        - In the Server Certificates section, click Create Self-Signed Certificate... in the right pane
        - In the Create Self-Signed Certificate dialog, specify a friendly name for the certificate and click OK
        - You will see your new certificate in the Server Certificates list
      - Or import a third party certificate from a certification authority:
        - Buy the certificate (.pfx or .cer file)
        - Install the certificate file on your server
        - Import the certificate into IIS: go to IIS, select the computer name and in the right pane select Server Certificates
          - If the certificate is a PFX file:
            - In the Server Certificates section, click Import... in the right pane
            - In the Import Certificate dialog, browse to the pfx file and put it in the Certificate file (.pfx) box
            - Enter your pfx password and click OK. Your certificate is imported into IIS
          - If the certificate is a CER file:
            - In the Server Certificates section, click Complete Certificate Request... in the right pane
            - In the Complete Certificate Request dialog, browse to the CER file and put it in the File name section
            - Enter the friendly name and click OK. Your certificate is imported into IIS
    - b. Bind your certificate to the Default Web Site:
      - Open IIS by going to Run, typing inetmgr and pressing Enter
      - Right click Default Web Site and select Edit Bindings... In the Site Bindings dialog, click Add...
      - In the Add Site Binding dialog, select 'https' from the Type drop down menu
      - The Host name is optional, but if you set it, it must be the same as the certificate's Common Name / Subject Name
      - Select your certificate from the SSL certificate drop down list
      - Click OK
      - Your certificate is now bound to the Default Web Site.
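The following is an added example, not part of the FortiSIEM documentation: it reads the Common Name of the certificate behind the Default Web Site's https binding (the value the installer later asks for) directly from IIS instead of clicking through the dialogs above, and flags a self-signed, expiring or SHA-1 certificate. It assumes an elevated PowerShell session on the Agent Manager host with the IIS WebAdministration module available (IIS 7.5 on Server 2008 R2 and later).

```powershell
# Added example (not from the FortiSIEM documentation): read the Common Name of
# the certificate bound to the Default Web Site's https binding, the value the
# Agent Manager installer asks for. Assumes an elevated shell on the Agent
# Manager host with the IIS WebAdministration module (IIS 7.5 and later).
Import-Module WebAdministration

$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) {
    throw 'Default Web Site has no https binding; bind a certificate first (steps above).'
}

# A binding records only the thumbprint and store name of its certificate.
$thumb = $binding.certificateHash
$store = $binding.certificateStoreName
$cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "https binding references thumbprint $thumb, which is not in LocalMachine\$store"
}

# 'Issued to' in the certificate dialog is the CN component of the subject.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
"Common Name / Subject Name to enter in the installer: $cn"

# Checks worth making before agents are pointed at this name.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Certificate is self-signed: agent hosts do not trust it unless it is distributed to their trusted root store.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before then."
}
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
    Write-Warning "Certificate is signed with $($cert.SignatureAlgorithm.FriendlyName); replace it with a SHA-256 certificate."
}
```

If the binding carries a Host name, it must equal the printed Common Name, as the binding step above requires.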
- Enable TLS 1.2 for Windows Agent Manager 2.0 when operating with FortiSIEM Supervisor/Worker 4.6.3 and above. By default only SSL 3.0 / TLS 1.0 are enabled in Windows Server 2008 R2, so before proceeding with the server installation, enable TLS 1.2 manually as follows.
- Start an elevated Command Prompt (i.e., with administrative privilege)
- Run the following commands sequentially as shown.
- Restart computer
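The commands referred to above are not reproduced on this page. The following is an added example, not the documentation's own commands: it enables TLS 1.2 in SChannel on Windows Server 2008 R2 through the standard registry keys, sets the .NET 4.x flag that lets the IIS-hosted Agent Manager negotiate TLS 1.2 outbound, and prints the resulting state of every protocol key so that nothing is left enabled by assumption. Run it from an elevated PowerShell and reboot afterwards, as the step above says.

```powershell
# Added example (not the commands from the FortiSIEM documentation): enable TLS 1.2
# in SChannel on Windows Server 2008 R2, where it is present but switched off by
# default, and let .NET 4.x applications such as the IIS-hosted Agent Manager
# negotiate it. Run from an elevated PowerShell and reboot afterwards.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Server side covers inbound connections (agents -> Agent Manager); Client side
    # covers outbound ones (Agent Manager -> Supervisor/Worker/Collector).
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $protocols $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value $(if ($Enabled) { 1 } else { 0 }) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value $(if ($Enabled) { 0 } else { 1 }) -PropertyType DWord -Force | Out-Null
    }
}

Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Patched .NET 4.5.x defaults to SSL 3.0/TLS 1.0 for outbound HTTPS unless
# SchUseStrongCrypto is set; set it in both registry views so that 32-bit and
# 64-bit processes pick it up.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Report the configured state of every protocol key present, so that an
# SSL 3.0 or TLS 1.0 entry left enabled is visible rather than assumed.
foreach ($p in Get-ChildItem -Path $protocols) {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $p.PSPath $side
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $p.PSChildName, $side, $v.Enabled, $v.DisabledByDefault
        }
    }
}
```

The page only requires that TLS 1.2 be enabled. Once the Supervisor/Worker and all agents are confirmed to negotiate TLS 1.2, the same function can switch SSL 3.0 off (`Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false`); do that as a separate, tested change rather than in the same reboot.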
Procedures
- On the machine where you want to install the manager, launch either the FortiSIEMServer-x86.MSI (for 32-bit Windows) or FortiSIEMServer-x64.MSI (for 64-bit Windows) installer.
- In the Welcome dialog, click Next.
- In the EULA dialog, agree to the Terms and Conditions, and then click Next.
- Specify the destination path for the installation, and then click Next.
By default the Windows Agent Manager will be installed at C:\Program Files\FortiSIEM\Server.
- Specify the destination path to install the client agent installation files, and then click Next.
By default these files will be installed at C:\FortiSIEM\Agent. The default location will be on the drive that has the most free storage space. This path will automatically become a shared location that you will access from the agent devices to install the agent software on them.
- In the Database Settings dialog,
- Select the database instance where metrics and logs from the Windows devices will be stored.
- Select whether you want to use Windows authentication, otherwise provide the login credentials that are needed to access the SQL Server instance where the database is located.
- Enter the path where FortiSIEM Agent Manager database will be stored. By default it is C:\FortiSIEM\Data
- Provide the path to the FortiSIEM Supervisor, Worker, or Collector that will receive information about your Windows devices. Click Next.
- In the Administrator Settings dialog, enter username and password credentials that you will use to log in to the Windows Agent Manager.
Both your username and password must be at least six characters long. This is only the installer's minimum; the account manages the Agent Manager and its license assignments, so use a long, unique password.
- (New in Release 1.1 for HTTPS communication between Agent and Agent Manager) Enter the common name / subject name of the SSL certificate created in pre-requisite step 2.
- Click Install.
- When the installation completes, click Finish.
- You can now exit the installation process, or click Close Set Up and Run FortiSIEM to log into your FortiSIEM virtual appliance.
Installing FortiSIEM Windows Agent
Prerequisites
- Windows Agent and Agent Manager need to be able to communicate: agents need to access a path on the Agent Manager machine to install the agent software.
- Starting with Version 1.1, there is a special requirement if you want user information appended to file/directory change events. Typically, file/directory change events do not carry the user who made the change; to get this information, configure the Audit File System policy as follows. Without this step, file monitoring events will not have user information.
  - In a Workgroup environment:
    - Go to Control Panel
    - Open Administrative Tools
    - Double click Local Security Policy
    - Expand Advanced Audit Policy Configuration in the left pane
    - Under Advanced Audit Policy Configuration, expand System Audit Policies - Local Group Policy Object
    - Under System Audit Policies - Local Group Policy Object, select Object Access
    - Double-click Audit File System in the right pane
    - The Audit File System Properties dialog opens. Under the Policy tab, select Configure the following audit events, then select both the Success and Failure check boxes
    - Click Apply and then OK
  - In an Active Directory domain environment, the FortiSIEM administrator can use Group Policy to propagate the above settings to the agent computers as follows:
    - Go to Control Panel
    - Open Administrative Tools
    - Click Group Policy Management
    - In the Group Policy Management dialog, expand Forest:<domain_name> in the left pane
    - Under Forest:<domain_name>, expand Domains
    - Under Domains, expand <domain_name>
    - Right-click <domain_name> and click 'Create a GPO in this domain, and link it here...'
    - The New GPO dialog appears. Enter a new name (e.g., MyGPO) in the Name text box and press OK
    - MyGPO appears under the expanded <domain_name> in the left pane. Click MyGPO and then click the Scope tab in the right pane
    - Under the Scope tab, click Add in the Security Filtering section
    - The Select User, Computer or Group dialog opens. Click Object Types
    - The Object Types dialog appears. Uncheck all options, check the Computers option and click OK
    - Back in the Select User, Computer or Group dialog, enter the FortiSIEM Windows Agent computer names under Enter the object name to select. You can choose computer names by clicking Advanced and then, in the Advanced dialog, clicking Find Now
    - Once the required computer name is specified, click OK and you will find the selected computer name under Security Filtering
    - Repeat the Security Filtering steps (Add through OK) for all the required computers running FortiSIEM Windows Agent
    - Right click MyGPO in the left pane and click Edit
    - In the Group Policy Management Editor, expand Policies under Computer Configuration
    - Go to Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System
    - In the Audit File System Properties dialog, under the Policy tab, select Configure the following audit events, then select both the Success and Failure check boxes
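The following is an added example, not part of the FortiSIEM documentation: it reads the effective 'Audit File System' subcategory with auditpol, which is how to confirm that either the local policy or the GPO above actually landed on an agent host, and can set it locally with -Fix. The monitored folder path used for the SACL check is an assumption.

```powershell
# Added example (not from the FortiSIEM documentation): report, and optionally
# set, the 'Audit File System' subcategory that the steps above configure, so
# that file/directory change events carry the user who made the change. Run
# elevated on the agent host. In a domain the GPO above is authoritative and
# overrides a local change at the next policy refresh, so -Fix is for workgroup
# hosts or a quick local test.
param([switch]$Fix)

function Get-FileSystemAuditSetting {
    # /r gives CSV with columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $rows = auditpol /get "/subcategory:File System" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    return @($rows)[0].'Inclusion Setting'
}

$setting = Get-FileSystemAuditSetting
"Audit File System: $setting"

if ($setting -ne 'Success and Failure') {
    if ($Fix) {
        auditpol /set "/subcategory:File System" /success:enable /failure:enable | Out-Null
        "Set locally to: $(Get-FileSystemAuditSetting)"
    } else {
        Write-Warning 'Not set to Success and Failure: file monitoring events will not carry user information. Apply the GPO above, or re-run with -Fix on a workgroup host.'
    }
}

# Windows writes a file-system audit event (4663) only for objects that also
# carry a SACL. The page does not say whether the agent sets SACLs on the paths
# it monitors, so inspect one monitored folder after install (path is assumed).
$monitored = 'C:\monitored'
if (Test-Path -Path $monitored) {
    $sacl = (Get-Acl -Path $monitored -Audit).Audit
    if ($sacl.Count -eq 0) {
        Write-Warning "$monitored has no SACL; Windows will not produce 4663 events for it"
    } else {
        $sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
    }
}
```

On a domain member, run `gpupdate /force` first so the reported value reflects the GPO rather than a stale local setting.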
Procedure
Installing one agent
- Log into the machine where you want to install the agent software as an administrator.
- Navigate to the shared location on the Windows Agent Manager machine where you installed the agent installation files in Step 5 of Installing FortiSIEM Windows Agent Manager.
The default path is C:\FortiSIEM\Agent.
- In the shared location, double-click on the appropriate .MSI file to begin installation.
FortiSIEMAgent-x64.MSI is for the 64-bit Agent, while FortiSIEMAgent-x86.MSI is for the 32-bit Agent
- When the installation completes, go to Start > Administrative Tools > Services and make sure that the FortiSIEM Agent Service has a status of Started.
Installing multiple agents via Active Directory Group Policy
Multiple agents can be installed via GPO if all the computers are on the same domain.
- Log on to the Domain Controller.
- Create a separate Organizational Unit to contain all computers on which the FortiSIEM Windows Agent has to be installed:
  - Go to Start > Administrative Tools > Active Directory Users and Computers
  - Right click the root domain in the left tree and click New > Organizational Unit
  - Provide a name for the new Organizational Unit and click OK
  - Verify that the Organizational Unit has been created
- Assign computers to the new Organizational Unit:
  - Click Computers under the domain. The list of computers is displayed in the right pane
  - Select a computer in the right pane, right click it, select Move, and then select the new Organizational Unit
  - Click OK
- Create a new GPO:
  - Go to Start > Administrative Tools > Group Policy Management
  - Under Domains, select the newly created Organizational Unit
  - Right click the Organizational Unit and select Create and Link a GPO here...
  - Enter a Name for the new GPO and click OK
  - Verify that the new GPO is created under the chosen Organizational Unit
  - Right click the new GPO and click Edit. The left tree now shows Computer Configuration and User Configuration
  - Under Computer Configuration, expand Software Settings and select Software installation
  - Click New > Package. Browse to the AOWinAgt folder by its network (UNC) path, not a local drive letter, because the target computers must be able to reach it when they apply the policy. Select the Agent MSI you need (32-bit or 64-bit) and click OK
  - The selected MSI appears in the right pane of the Group Policy Editor window
  - For Deploy Software, select Assigned and click OK
- Update the GPO on the Domain Controller:
  - Open a command prompt
  - Run gpupdate /force
- Update the GPO on the agents:
  - Log on to the computer
  - Open a command prompt
  - Run gpupdate
  - Restart the computer
  - The FortiSIEM Windows Agent is installed after the restart
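Both the single-agent procedure and the GPO procedure above install from the share on the Agent Manager. The following is an added example, not part of the FortiSIEM documentation: before deploying, it checks that ordinary users cannot modify the share root and records the SHA-256 hash and Authenticode status of each agent MSI. The Agent Manager host name and the share name 'Agent' are assumptions (the page gives only the local default C:\FortiSIEM\Agent).

```powershell
# Added example (not from the FortiSIEM documentation): check the installer share
# before installing agents from it by hand or by GPO. A GPO software install runs
# as SYSTEM on every targeted computer, so an MSI that ordinary users can modify
# on the share is a path to SYSTEM on all of them. Assumptions: the share name
# 'Agent' (the page gives only the local default C:\FortiSIEM\Agent) and the
# Agent Manager host name.
param([string]$Manager = 'agentmgr.example.local', [string]$Share = 'Agent')

$root = "\\$Manager\$Share"
if (-not (Test-Path -Path $root)) { throw "$root is not reachable" }

# NTFS ACL of the share root. Share-level permissions are separate and must be
# reviewed on the Agent Manager itself (Computer Management > Shared Folders).
$broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'INTERACTIVE', 'NETWORK'
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
foreach ($ace in (Get-Acl -Path $root).Access) {
    $who = $ace.IdentityReference.Value -replace '^.*\\', ''
    if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $who -and (($ace.FileSystemRights -band $write) -ne 0)) {
        Write-Warning ('{0} can modify {1} ({2}); restrict it to administrators before deploying' -f $ace.IdentityReference, $root, $ace.FileSystemRights)
    }
}

# Hash and signature state of each agent MSI. Keep the hashes: they are what to
# compare against if an installed agent is ever suspected of being tampered with.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($msi in Get-ChildItem -Path $root -Filter 'FortiSIEMAgent-*.MSI') {
    $stream = $msi.OpenRead()
    try { $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    '{0}  sha256={1}  signature={2}  signer={3}' -f $msi.Name, $hash, $sig.Status, $signer
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$($msi.Name): signature status is $($sig.Status); compare its hash with the copy obtained from the vendor before deploying"
    }
}
```

The ACL check only looks at the listed broad principals; a domain-specific group that grants write to many users would need to be added to `$broad`.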
Upgrade
Upgrade Overview
Upgrading from 3.7.6 to latest
- First upgrade to 4.2.1 following steps in here. This involves OS migration
- Upgrade from 4.2.1 to 4.3.1 following steps in here. This involves SVN migration
- Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade – single node case and multi-node case
- Upgrade from 4.5.2 to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.2.x to latest
- Upgrade to 4.3.1 following steps in here. This involves SVN migration.
- Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade – single node case and multi-node case
- Upgrade from 4.5.2 to 4.6.3 following steps in here. This involves TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.3.1 to latest
- Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade – single node case and multi-node case
- Upgrade from 4.5.2 to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.3.3 to latest
- Do the special pre-upgrade step as in here.
- Upgrade to 4.5.2. This is a regular upgrade – single node case and multi-node case
- Upgrade from 4.5.2 to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.4.x, 4.5.1 to latest
- Upgrade to 4.5.2. This is a regular upgrade – single node case and multi-node case
- Upgrade from 4.5.2 to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.5.2 to latest
- Upgrade to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.6.1 to latest
- Do the special pre-upgrade step for 4.6.1 first.
- Upgrade to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.6.2 to latest
- Upgrade to 4.6.3. This involves the TLS 1.2 upgrade.
- Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading from 4.6.3 to latest
- Upgrade to 4.7.1. This is a regular upgrade – single node case and multi-node case
Upgrading Windows Agents
FortiSIEM Windows Agent Upgrade is covered in Upgrading FortiSIEM Windows Agent and Agent Manager
Migrating from 3.7.x versions to 4.2.1
The 4.2 version of FortiSIEM uses a new version of CentOS, so upgrading to version 4.2 from previous versions involves a migration from those versions to 4.2.x rather than a typical upgrade. This process involves two steps:
- You have to migrate the 3.7.6 CMDB to a 4.2.1 CMDB on a 3.7.6 based system.
- The migrated 4.2.1 CMDB has to be imported into a 4.2.1 system.
Topics in this section cover the migration process for supported hypervisors, both for in-place migration and for migration using staging systems. Using a staging system requires more hardware, but minimizes downtime and CMDB migration risk compared to the in-place method. If you decide to use the in-place method, we strongly recommend that you take snapshots for recovery.