Created on 10-17-2016 06:27 AM Edited on 06-02-2022 10:02 AM By Anonymous
Description
Solution
Here is a step by step guide for the 2 scenarios listed above.
# service crond stop
# phtools --stop all   (there are two "-")
# killall -9 phMonitor
# killall -9 java
# phstatus   (make sure all ph* processes are down, including phMonitor)
4. Go to /opt/phoenix/deployment
5. Run the following command:
# db_restore.sh /tmp/phoenixdb_<timestamp>
Skip to step 14 if the CMDB is from the same FortiSIEM device (meaning it has the same IP address). Otherwise continue with the following steps.
6. Change values in the CMDB as follows:
=> su postgres
=> psql -U phoenix -d phoenixdb
=> select * from ph_sys_conf where property='svn_url';
7. The svn_url row likely has a value containing the previous IP address. This needs to be changed:
=> update ph_sys_conf set value='https://<New-IP>/repos/cmdb' where property='svn_url';
=> select * from ph_sys_server where id='1';
This will reference the OLD FortiSIEM IP address.
8. The ip_addr column likely has the value <Old-IP>. This needs to be changed:
=> update ph_sys_server set ip_addr='<New-IP>' where id='1';
9. If the SIEM has related Workers, complete steps 10-12; otherwise skip to step 13.
10. Find the entries for the Workers. These will reference the OLD FortiSIEM Worker IP addresses.
11. Update the old FortiSIEM Worker addresses:
=> select * from ph_sys_server;
=> update ph_sys_server set ip_addr='<New-IP>' where id='<id from the select statement run in the step above>';
12. Repeat for all Workers.
Example of steps 11-12 with 1 Worker:
phoenixdb=> select * from ph_sys_server;
   id    | creation_time | cust_org_id | last_modified_time | owner_id | active | eps |    ip_addr     | mode | collector_id
---------+---------------+-------------+--------------------+----------+--------+-----+----------------+------+--------------
       1 |             0 |           0 |                  0 |        0 | t      |   0 | 192.168.65.170 |    2 |
 1485000 | 1390522301525 |           1 |      1390522301525 |   500151 | t      |   0 | 192.168.65.171 |    1 |
To update the Worker IP as in step 11:
=> update ph_sys_server set ip_addr='10.1.1.1' where id='1485000';
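With several Workers, the loop in steps 10-12 is easy to get wrong by hand (a row left on the old address, a typo in an id). The following shell script is an added example, not code from the original article or from Fortinet: it takes a saved dump of ph_sys_server together with an old-to-new address mapping and prints the UPDATE statements from steps 7, 8 and 11, and it flags any row whose address is not in the mapping so that nothing is left pointing at the old network unnoticed. The sample rows, the mapping and the 10.1.1.x addresses are constructed; the assumption that row id 1 is the Supervisor follows the article's own example output.

```shell
#!/bin/sh
# Added example, not part of the original FortiSIEM article: generate the UPDATE
# statements of steps 7-12 from a saved ph_sys_server dump instead of typing each one.

# Constructed sample of "psql -U phoenix -d phoenixdb -A -t -c 'select id, ip_addr from ph_sys_server;'"
# (unaligned, tuples-only output). The real table has more columns; only id and ip_addr are used here.
SAMPLE_SERVERS='1|192.168.65.170
1485000|192.168.65.171'

# Constructed old-address -> new-address mapping, one "OLD NEW" pair per line.
# Every Supervisor and Worker address that changed must be listed.
SAMPLE_MAP='192.168.65.170 10.1.1.1
192.168.65.171 10.1.1.2'

# gen_cmdb_ip_updates MAP ROWS
# Prints an UPDATE for every ph_sys_server row whose ip_addr appears in MAP.
# Row id 1 is the Supervisor (as in the article's example), so its new address
# also goes into the ph_sys_conf svn_url row. A row whose address is not in MAP
# is reported on stderr and makes the function return 1.
gen_cmdb_ip_updates() {
    printf '%s\n' "$2" | awk -F'|' -v map="$1" '
    BEGIN {
        q = "\047"                       # single quote, for the SQL string literals
        n = split(map, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], kv, " ") == 2) newip[kv[1]] = kv[2]
    }
    NF >= 2 {
        id = $1; ip = $2
        if (ip in newip) {
            printf("update ph_sys_server set ip_addr=" q "%s" q " where id=" q "%s" q ";\n", newip[ip], id)
            if (id == 1)
                printf("update ph_sys_conf set value=" q "https://%s/repos/cmdb" q " where property=" q "svn_url" q ";\n", newip[ip])
        } else {
            print "UNMAPPED: id=" id " ip_addr=" ip " (add it to the mapping)" > "/dev/stderr"
            unmapped = 1
        }
    }
    END { exit unmapped + 0 }'
}

# Review the generated statements before pasting them into psql.
gen_cmdb_ip_updates "$SAMPLE_MAP" "$SAMPLE_SERVERS"
```

On a real system, replace SAMPLE_SERVERS with the output of the psql command quoted in the comment and SAMPLE_MAP with the actual address changes; the script only prints SQL, so the statements can be checked against the select output from step 11 before they are run.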
13. Quit psql: \q
14. Update the SVN password as follows. To reset the SVN password for the admin user, make sure to have SSH access to the FortiSIEM as the root user [This is a MUST].
14.1 - Check the current SVN password:
cat /opt/phoenix/cache/<ip_of_your_FortiSIEM>/phoenix/rest/config/systemConfig/default.dat | grep -E -o "svn_password.{55}" | sed -n 's/.*value>\(.*\)</\1/p'
[eg. cat /opt/phoenix/cache/192.168.67.100/phoenix/rest/config/systemConfig/default.dat | grep -E -o "svn_password.{55}" | sed -n 's/.*value>\(.*\)</\1/p']
Results:
K1MroxhTAzyM!
Keep a note of this value.
Alternatively, the same can be done by performing the following:
curl -k -u '1:Prospect@Hi123' 'https://<IP_OF_SERVER>:443/phoenix/rest/config/systemConfig' > /tmp/tmp.xml; grep -A 2 svn_password /tmp/tmp.xml
14.2 - Back up the passwds file and remove the admin password from it:
cp /etc/httpd/accounts/passwds /etc/httpd/accounts/passwds.bak
vi /etc/httpd/accounts/passwds
There should be a line formatted with an encrypted password [eg. admin:LaHn9RxpcAE/Y].
Press 'dd' and the line will be deleted.
Press [ESC], [:], [w], [q], [ENTER] - [eg. :wq]. This will save the file, which is now empty, and exit the vi interface.
14.3 - Reset the SVN password:
htpasswd -cmb /etc/httpd/accounts/passwds admin <your saved password value from step 14.1>
[eg. htpasswd -cmb /etc/httpd/accounts/passwds admin K1MroxhTAzyM!]
14.4 - Verify:
su - admin
svn ls file:///svn/repos
This is a physical folder location; if the SVN repository has been moved, verify the path before using it. This should result in the admin user being able to view the cmdb folder [ie. cmdb/].
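The grep in step 14.1 takes a fixed window of 55 characters after "svn_password", which truncates or misses the value if the file layout differs from the author's, and step 14.3 relies on the passwds file ending up with exactly one admin entry. The following shell helpers are an added example, not code from the original article or from Fortinet. The layout of default.dat and of the systemConfig XML is an assumption: the two samples are constructed to fit the article's own commands (a one-line file for the 55-character grep, a pretty-printed one for "grep -A 2 svn_password"), and extract_svn_password locates the <value> element that follows "svn_password" regardless of line breaks. check_passwds_admin confirms the post-htpasswd state of the file.

```shell
#!/bin/sh
# Added example, not part of the original FortiSIEM article: helpers for step 14.
# The file layouts below are assumptions; both samples are constructed.

SAMPLE_ONE_LINE='<config><property><name>svn_url</name><value>https://192.168.67.100/repos/cmdb</value></property><property><name>svn_password</name><value>K1MroxhTAzyM!</value></property></config>'

SAMPLE_PRETTY='<config>
  <property>
    <name>svn_password</name>
    <value>K1MroxhTAzyM!</value>
  </property>
</config>'

# extract_svn_password < FILE
# Prints the <value> that follows the first "svn_password" in the input, whatever
# the line breaks, instead of relying on a fixed 55-character window.
# Returns 1 if no such value is present.
extract_svn_password() {
    awk '
    { buf = buf $0 "\n" }
    END {
        i = index(buf, "svn_password")
        if (i == 0) exit 1
        rest = substr(buf, i)
        if (!match(rest, /<value>[^<]*<\/value>/)) exit 1
        print substr(rest, RSTART + 7, RLENGTH - 15)   # strip <value> and </value>
    }'
}

# check_passwds_admin FILE
# Succeeds only if FILE holds exactly one admin entry with a non-empty hash, the
# state expected after "htpasswd -cmb ... admin <password>" in step 14.3.
# Note that -c creates the file from scratch, so any other account lines it held
# are gone; that is why step 14.2 takes a backup first.
check_passwds_admin() {
    n=$(grep -c '^admin:.' "$1") || n=0
    [ "$n" -eq 1 ]
}

# Stand-alone run against the constructed samples; both print K1MroxhTAzyM!
printf '%s' "$SAMPLE_ONE_LINE" | extract_svn_password
printf '%s\n' "$SAMPLE_PRETTY" | extract_svn_password
```

On a live system, feed the helper the real file (for example "extract_svn_password < /opt/phoenix/cache/<ip_of_your_FortiSIEM>/phoenix/rest/config/systemConfig/default.dat" or the /tmp/tmp.xml written by the curl command) and run check_passwds_admin /etc/httpd/accounts/passwds after step 14.3, before the svn ls verification.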
15. Reboot FortiSIEM.
Copyright 2024 Fortinet, Inc. All Rights Reserved.