FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
goliver
Staff
Article Id 192010
Description
This article describes how to upgrade a FortiSIEM (FSM) supervisor or worker without Internet access. It assumes you have a way of uploading the upgrade .tar file to the FSM.
Solution

The procedure is described step by step:


1) Download the file from the image server onto your laptop


In this example we’re upgrading a supervisor from 5.0.1 to 5.1.0. We need to download this directory and the files within this link.


2) Copy the va-5.1.0.1336.tar file onto the supervisor (example using scp from laptop to FSM Supervisor)


scp va-5.1.0.1336.tar root@192.168.0.112:.

root@192.168.0.112's password:

va-5.1.0.1336.tar 100% 1369MB 41.4MB/s 00:33


Then we need to make sure this file is in a directory named ‘5.1.0.1336’, just as it is on the online image server:


Log onto your FSM Supervisor through SSH:


ssh root@192.168.0.112

root@192.168.0.112's password:

Last login: Thu Sep 20 09:23:54 2018 from 192.168.0.111

[root@tomic ~]# mkdir 5.1.0.1336

[root@tomic ~]# mv va-5.1.0.1336.tar 5.1.0.1336/

3) Run the phdownloadimage command and point to our directory

[root@tomic ~]# cd /pbin
[root@tomic pbin]# ./phdownloadimage file:///root/5.1.0.1336
The process to download the upgrade image may take some time and use a considerable amount of bandwidth. Would you like to start the download now? (yes/no) :
yes
Proceeding to download.
Role is : phMonitorSupervisor
Version Downloading : 5.1.0.1336
DOWNLOAD FILE is va-5.1.0.1336
Downloading the file va-5.1.0.1336.tar from file:///root/5.1.0.1336
URL IS /usr/bin/curl -o /tmp/va-5.1.0.1336.tar file:///root/5.1.0.1336/va-5.1.0.1336.tar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1369M 100 1369M 0 0 91.9M 0 0:00:14 0:00:14 --:--:-- 76.0M
va-5.1.0.1336/
va-5.1.0.1336/RPM-GPG-KEY
va-5.1.0.1336/accelops-va-5.1.0.1336.rpm
va-5.1.0.1336/repodata/
va-5.1.0.1336/repodata/other.xml.gz
va-5.1.0.1336/repodata/filelists.xml.gz
va-5.1.0.1336/repodata/primary.xml.gz
va-5.1.0.1336/repodata/repomd.xml
Please wait...
./usr/bin/yumdownloader -c /etc/yum.repos.d/accelops-va.repo --setopt=sslverify=false --destdir=/var/cache/yum/accelops-va/packages/ accelops-va
Repository accelops-va is listed more than once in the configuration
accelops-va | 951 B 00:00 ...
accelops-va/primary | 14 kB 00:00 ...
accelops-va 1/1
.....https://os-pkgs-cdn.fortisiem.fortinet.com/centos6/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs-cdn.fortisiem.fortinet.com'"
Trying other mirror.
....https://os-pkgs.fortisiem.fortinet.com/centos6/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs.fortisiem.fortinet.com'"
Trying other mirror.
....https://os-pkgs-cdn.fortisiem.fortinet.com/centos6/extras/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs-cdn.fortisiem.fortinet.com'"
Trying other mirror.
....https://os-pkgs.fortisiem.fortinet.com/centos6/extras/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs.fortisiem.fortinet.com'"
Trying other mirror.
....https://os-pkgs-cdn.fortisiem.fortinet.com/centos6/updates/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs-cdn.fortisiem.fortinet.com'"
Trying other mirror.
....https://os-pkgs.fortisiem.fortinet.com/centos6/updates/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs.fortisiem.fortinet.com'"
Trying other mirror.
accelops-va-5.1.0.1336.rpm | 1.3 GB 00:00
[root@tomic pbin]#

4) Run phupgradeimage

[root@tomic pbin]# ./phupgradeimage

https://os-pkgs-cdn.fortisiem.fortinet.com/centos6/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs-cdn.fortisiem.fortinet.com'"

Trying other mirror.

https://os-pkgs.fortisiem.fortinet.com/centos6/base/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'os-pkgs.fortisiem.fortinet.com'"

Trying other mirror.

Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again

Proceeding to upgrade.

Upgrade image for accelops-va

phbackupsuper now.

Please wait...

.Stopping crond: [ OK ]

Stopping backend processes ................................................./bin/cp: cannot stat `org': No such file or directory

Run phimageinstaller now

[PH_MODULE_LOCAL_CONFIG_LOADED]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phConfigLoader.cpp,[lineNumber]=168,[configName]=global,[phLogDetail]=Module loaded local config successfully

[PH_GENERIC_DEBUG]:[eventSeverity]=PHL_TRACE,[procName]=phtools,[fileName]=phHttpClient.cpp,[lineNumber]=1031,[phLogDetail]=Response file of this cache will be located at /opt/phoenix/cache/192.168.0.112/phoenix/rest/config/systemConfig/default.dat

[PH_GENERIC_DEBUG]:[eventSeverity]=PHL_DEBUG,[procName]=phtools,[fileName]=phHttpClient.cpp,[lineNumber]=1813,[phLogDetail]=set CURLOPT_SSL_VERIFYPEER to no

[PH_GENERIC_DEBUG]:[eventSeverity]=PHL_DEBUG,[procName]=phtools,[fileName]=phHttpClient.cpp,[lineNumber]=774,[phLogDetail]=Send req with https://192.168.0.112:443/phoenix/rest/config/systemConfig

[PH_GENERIC_DEBUG]:[eventSeverity]=PHL_DEBUG,[procName]=phtools,[fileName]=phHttpClient.cpp,[lineNumber]=803,[phLogDetail]=Check curl result for https://192.168.0.112:443/phoenix/rest/config/systemConfig: result: 0

[PH_GENERIC_INFO]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phHttpClient.cpp,[lineNumber]=175,[phLogDetail]=Http time out has been set to 300

[PH_MODULE_INITIALIZING]:[eventSeverity]=PHL_DEBUG,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=501,[phLogDetail]=Module initialization

[PH_MODULE_DB_CONFIG_LOADED]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=843,[phLogDetail]=Module loaded database config succesfully

[PH_MODULE_LOG_LEVEL_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=651,[oldLogLevel]=2047,[newLogLevel]=424,[phLogDetail]=Module received log level change

[PH_MODULE_INIT_COMPLETE]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=525,[phLogDetail]=Module successfully started

Successfully send command --stop

[PH_GENERIC_INFO]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phToolsProcess.cpp,[lineNumber]=206,[phLogDetail]=Monitor received command --stop

[PH_MODULE_EXIT_OK]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=339,[phLogDetail]=Module exited gracefully

[PH_BASE_PROC_GET_PID_FILE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=1176,[filePath]=/opt/phoenix/cache/r,[errorNoInt]=2,[phLogDetail]=Failed to get pid file

[PH_MODULE_EXIT_OK]:[eventSeverity]=PHL_INFO,[procName]=phtools,[fileName]=phBaseProcess.cpp,[lineNumber]=339,[phLogDetail]=Module exited gracefully

Setting up Update Process

Repository accelops-va is listed more than once in the configuration

Resolving Dependencies

--> Running transaction check

---> Package accelops-va.x86_64 0:5.0.1.1203-1 will be updated

---> Package accelops-va.x86_64 0:5.1.0.1336-1 will be an update

--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================================================================================================

Package Arch Version Repository Size

================================================================================================================================================================================================================================================================================

Updating:

accelops-va x86_64 5.1.0.1336-1 accelops-va 1.3 G

Transaction Summary

================================================================================================================================================================================================================================================================================

Upgrade 1 Package(s)

Total size: 1.3 G

Downloading Packages:

warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 2b939d92: NOKEY

Retrieving key from file:///upgrade/va-5.1.0.1336/RPM-GPG-KEY

Importing GPG key 0x2B939D92:

Userid: "admin (admin) <admin@accelops.net>"

From : /upgrade/va-5.1.0.1336/RPM-GPG-KEY

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

yumupdate image for super

SVN disk has already been migrated.

Updating : accelops-va-5.1.0.1336-1.x86_64 1/2

eth1: error fetching interface information: Device not found

System is in the single net interface mode.

Waiting for domain1 to start .............................................................................................................

Successfully started the domain : domain1

domain Location: /opt/glassfish3/glassfish/domains/domain1

Log File: /opt/glassfish3/glassfish/domains/domain1/logs/server.log

Admin Port: 4848

Command start-domain executed successfully.

upgrade App Server configuration parameters

Changing some file permissions

Setting adjtime to use UTC

Stopping NTP

Shutting down ntpd: [ OK ]

Syncing NTP

20 Sep 10:07:50 ntpdate[12614]: ntpdate 4.2.6p5@1.2349-o Fri Jan 26 02:18:05 UTC 2018 (1)

Exiting, name server cannot be used: Temporary failure in name resolution (-3)

20 Sep 10:08:05 ntpdate[12614]: name server cannot be used: Temporary failure in name resolution (-3)

Starting NTP again

Starting ntpd: [ OK ]

Exit script without installing module during upgrade. Installation will proceed during reboot

cp: cannot stat `/opt/phoenix/config/remi-safe': No such file or directory

Cleanup : accelops-va-5.0.1.1203-1.x86_64 2/2

Verifying : accelops-va-5.1.0.1336-1.x86_64 1/2

Verifying : accelops-va-5.0.1.1203-1.x86_64 2/2

Updated:

accelops-va.x86_64 0:5.1.0.1336-1

Complete!

image update succeeded

('Upgrade Image return value is :', 0)

./phupgradeimage: line 170: 10241 Terminated progress

Running phupgradesuper now.

Setup File/Dir

Upgrade db

storage type is localstore

localstore

ext3

/dev/sdd

Storage type already in the db

Something went wrong in previous or present insertion

System hardware id: 564DE343-7115-B232-BBD2-153D9307CF3E

Hardware Id already exists in DB.

re-deploy app svr

Waiting for domain1 to start ............................................................................

Successfully started the domain : domain1

domain Location: /opt/glassfish3/glassfish/domains/domain1

Log File: /opt/glassfish3/glassfish/domains/domain1/logs/server.log

Admin Port: 4848

Command start-domain executed successfully.

upgrade App Server configuration parameters

deploying new phoenix.ear

Undeploy current phoenix application

Command undeploy executed successfully.

Stop server ...

Waiting for the domain to stop ......

Command stop-domain executed successfully.

Clean session persistent

Start server ...

Waiting for domain1 to start ....

Successfully started the domain : domain1

domain Location: /opt/glassfish3/glassfish/domains/domain1

Log File: /opt/glassfish3/glassfish/domains/domain1/logs/server.log

Admin Port: 4848

Command start-domain executed successfully.

Deploy /opt/phoenix/deployment/phoenix.ear

Application deployed with name phoenix.

Command deploy executed successfully.

new phoenix application is ready at Thu Sep 20 10:11:56 WEST 2018.

Populating data to DB….

This will then proceed with the upgrade and will finish with the following message and reboot:

==========================================

FortiSIEM Configuration Auto Upgrade Utility

Rev 1.1 (2018-05-10)

==========================================

Copying previous version 5.0.1.1203 phoenix_config.txt from /tmp/backup/phoenix_config.txt to /opt/phoenix/config/phoenix_config.txt.5.0.1.1203

FortiSIEM System Role: phMonitorSupervisor

Copying cainfo in section GLOBAL with value: /opt/phoenix/config/ca.crt from old phoenix_config.txt

Copying agent_key in section GLOBAL with value: /opt/phoenix/config/collector.prospecthills.net.key from old phoenix_config.txt

Copying agent_cert in section GLOBAL with value: /opt/phoenix/config/collector.prospecthills.net.crt from old phoenix_config.txt

Copying ccm_ftp_directory in section PHPARSER with value: # /opt/phoenix/cache/ccm from old phoenix_config.txt

Copying avaya_sftp_directory in section PHPARSER with value: # /opt/phoenix/cache/avayaCM from old phoenix_config.txt

Copying airline_sls_directory in section PHPARSER with value: # /opt/phoenix/cache/airline from old phoenix_config.txt

Copying airline_sls_directory_high in section PHPARSER with value: # higher priority than above from old phoenix_config.txt

Copying airline_thread in section PHPARSER with value: 2 from old phoenix_config.txt

Copying incoming_log_cfg in section PHPARSER with value: # /opt/phoenix/cache/bluecoat from old phoenix_config.txt

Copying tls_certificate_file in section PHPARSER with value: /etc/pki/tls/certs/tls_self_signed.crt from old phoenix_config.txt

Copying tls_key_file in section PHPARSER with value: /etc/pki/tls/private/tls_self_signed.key from old phoenix_config.txt

Copying tls_certificate_file in section phEventForwarder with value: #/opt/phoenix/bin/.ssh/my_cert.crt from old phoenix_config.txt

Copying tls_key_file in section phEventForwarder with value: #/opt/phoenix/bin/.ssh/my_cert.key from old phoenix_config.txt

Copying max_num_thread_per_task in section phQueryWorker with value: 2 from old phoenix_config.txt

Copying num_merge_threads in section phReportMaster with value: 3 from old phoenix_config.txt

Copying thread_num in section Kafka with value: 2 from old phoenix_config.txt

Automatically upgraded 5.0.1.1203 phoenix_config.txt to 5.1.0.1336 version which is now saved in the file: /opt/phoenix/config/phoenix_config.txt


If you had made any other changes to the parameters in previous releases, the original copy is found in /opt/phoenix/config/phoenix_config.txt.5.0.1.1203

Please manually make these parameter changes if needed. Otherwise, all settings except the ones above are factory default for 5.1.0.1336

Getting the super IP to clear cache

cache file does exits removing the same

Parsing policy file: /opt/tripwire/etc/tw.pol

Generating the database...

*** Processing Unix File System ***

### Warning: File system error.

### Filename: /opt/tripwire/etc/tomic-local.key

### No such file or directory

### Continuing...

Wrote database file: /opt/tripwire/lib/tripwire/tomic.twd

The database was successfully generated.

Broadcast message from root@tomic

(/dev/pts/2) at 10:29 ...

The system is going down for reboot NOW!


[root@tomic pbin]# Connection to 192.168.0.112 closed by remote host.

Connection to 192.168.0.112 closed.


Troubleshooting Tips:

1) License after Upgrade

After the upgrade, if the system asks you for a license, make sure that all processes are up and running. This only happens if the Application Server hasn’t loaded the application completely.
You can verify that everything is running by running phstatus in the console.


You can also force the services to start by issuing the phtools --start ALL command.


2) Phdownloadimage error

If phdownloadimage gives you an error, it is most likely related to the fact that the path is wrong. Make sure to have three forward slashes (and not two) before the directory name: ./phdownloadimage file:///directory/path
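
An added example (not Fortinet tooling and not part of the original article) covering step 2 and the path tip above: it checks the image's SHA-256 before staging it in the version-named directory, then prints the three-slash file:/// URL to pass to phdownloadimage. The function name stage_image, its arguments, and the availability of a digest obtained out of band are assumptions.

```bash
#!/bin/bash
# Added example: stage an offline FortiSIEM image with an integrity check.
# stage_image and its arguments are hypothetical names, not FortiSIEM tooling.

# Usage: stage_image <path/to/va-VERSION.tar> <expected-sha256> [dest-parent-dir]
# On success, prints the file:/// URL to hand to ./phdownloadimage.
stage_image() {
    local tar_path="$1" expected="$2" parent="${3:-$PWD}"
    local name version actual dest

    [ -f "$tar_path" ] || { echo "no such file: $tar_path" >&2; return 2; }

    # The image is named va-<version>.tar; the directory is named <version>.
    name=$(basename "$tar_path")
    case $name in
        va-*.tar) version=${name#va-}; version=${version%.tar} ;;
        *) echo "unexpected image name: $name" >&2; return 2 ;;
    esac

    # Compare against a digest obtained out of band (assumption: you have one).
    actual=$(sha256sum "$tar_path" | awk '{print $1}')
    if [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "SHA-256 mismatch for $name: got $actual" >&2
        return 1
    fi

    # Mirror the image server layout: <parent>/<version>/va-<version>.tar
    parent=$(cd "$parent" && pwd) || return 2
    dest=$parent/$version
    mkdir -p "$dest" && mv "$tar_path" "$dest/" || return 2

    # An absolute path after file:// yields the required three slashes.
    printf 'file://%s\n' "$dest"
}
```

The upgrade log shows the RPM signing key being read from inside the same archive (file:///upgrade/va-5.1.0.1336/RPM-GPG-KEY), so this digest check is the control that does not depend on the archive's own contents.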






