FMOS Installation and Configuration Guide

Copyright Notice
Copyright 2015 - 2022 FireMon, LLC. All rights reserved. This product and related documentation are
protected by copyright and distributed under licensing restricting their use, copying, distribution,
and decompilation. No part of this product or related documentation may be reproduced in any
form or by any means without the written authorization of FireMon, LLC. All right, title, and interest
in the product shall remain with FireMon and its licensors.
This product and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws.
This product and documentation may provide access to or information on content, products, and
services from third parties. FireMon, LLC is not responsible for and expressly disclaim all warranties
of any kind with respect to third-party content, products, and services. FireMon, LLC will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services.
The information in this document is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
FireMon is a registered trademark of FireMon, LLC. All other products or company names
mentioned herein are trademarks or registered trademarks of their respective owners.
Contents
Copyright Notice 2
Cont ent s 3
FM OS Deployment Topics 14
About FMOS Generation III 14
What is FMOS? 14
Why FMOS? 14
Supported Platforms 15
FireMon (FM) Appliance 15
Non-FM Appliance 15
Virtual Machine 15
Cloud-based 16
System Requirements 17
Machine Specifications 17
Full Install 17
DC Only Install 17
FM Appliance Specs 18
Network Topology 18
Database Server (DB) 19
Application Server (AS) 19
Data Collector (DC) 19
SIP Ecosystem 20
SIP Roles 20
Deployment Scenarios 20
Single-Server 21
Partially Distributed 21
Fully Distributed 21
Multiple-Database Mode 21
Role Hierarchy 22
Planning the Ecosystem 22
Which Ecosystem Deployment is Right for Your Organization? 23
Download the FireMon Operating System 24
Build Variants 24
Distribution Formats 24
Download the Installation Files 25
Install FMOS 26
Ecosystem Setup 26
Initial Configuration 26
Initial Configuration Wizard 26
Host and Network Configuration 28
Network Configuration 28
Network Time 29
Organization 29
User 29
Notifications 30
Email Notifications 30
SMTP Settings 30
Deployment Environment 30
Installation for Cloud Deployments 32
Initial FMOS Setup for Cloud Deployments 32
Access the Setup UI 32
FMOS Admin User 33
Machine Configuration 33
Organization Information 34
Initial Deployment Process 34
Amazon Web Services 35

AMI 36
Step 1: Launch the AMI 36
To launch from AWS Marketplace 36
To launch from the EC2 Dashboard 37
Step 2: FMOS Initial Setup Authentication for AMI 38
Initial User Account 38
Setup UI Administration 38
Step 3: FMOS Initial Setup Completion for AMI 39
FMOS Administrative User 39
Machine Configuration 40
CFT 41
Launch the CloudFormation Template 41
To launch from CloudFormation 41
Microsoft Azure 43
Step 1: Launch Azure Marketplace VMI 43
To launch from Azure Marketplace 43
Step 2: FMOS Initial Setup Authentication for Azure 43
Initial User Account 43
Setup UI Administration 44
Step 3: FMOS Initial Setup Completion for Azure 44
FMOS Administrative User 45
Aft er Deployment Topics 47
Additional Installation and Configuration Topics 47
Access the Console After Initial Installation 47
Multiple Database Servers 47
Prerequisites 47
Fully Distributed Ecosystem 47

Disk Storage Space 47
Network Communication 48
Superior / Subordinate Servers 48
Step 1: Setup 49
Step 2: AS Machine: Enter Maintenance Mode 50
Step 3: CA Machine: Enable Multi-DB Mode 50
Step 4: Standby DB Machine: Join the Ecosystem 50
Step 5: CA Machine: Finish Deployment 51
Step 6: AS Machine: Exit Maintenance Mode 51
Standby Servers 51
Manual Switchover 51
Promote a Standby 51
Reconfigure AS and DB Machines 51
Recover CA Role 52
Reprovision Original Primary 53
Automatic Failover 53
Additional Application Servers 54
Load Balancing Solutions 54
Deploying Multiple Application Servers 54
Setting up a Load Balancer when not terminating SSL at the Load Balancer 55
Using a F5 BIG-IP as a Load Balancer for Application Servers 55
Reprovision an Ecosystem 58
Step 1: Back up the Database 58
Step 2: Back up the Server Certificate 59
Step 3: Install FMOS 60
Step 4: Restore Database Backup 60
Step 5: Restore Server Certificate 61
Step 6: Join Ecosystem as AS 61
Step 7: Distribute Server Certificate to Data Collectors 63

Remote Data Collectors Without DNS 64
Step 1: Generate a New Certificate 64
Step 2: Sign the Certificate 64
Step 3: Use an External CA 65
Step 3: Use the FMOS CA 65
Step 4: Verify the Certificate 65
Step 5: Import the New Certificate 66
Step 6: Join the Ecosystem 66
Use Different Subnets 67
MAC Address to Access SIP 67
FMOS Users 69
About FMOS Users 69
Unprivileged Users 69
Privileged Users 70
FireMon Administrators 70
Backup Operator 70
Create an FMOS User 71
Password Reset: CLI 73
FMOS User Password Policy 73
Delete a User 74
Change User Privileges 74
Authentication Servers 76
External Authentication 76
Authentication versus Authorization 76
Authorization 76
Authentication 76
LDAP 77
Attribute Mapping 77
Object Filtering 78
Encryption (TLS) 78
Privileged Groups 79
LDAP Configuration Commands 79
Kerberos 84
Kerberos Configuration Commands 85
Certificates 89
About Certificates 89
Command-Line Interface 89
Certificate Expiration and Renewal 89
Renewal for Database Server 90
Renewal for Application Server 90
If Certificates Have Already Expired 91
Certificate Signing Request 92
Create CSR using OpenSSL 92
Create CSR using FMOS CLI 92
Certificates for Multiple FQDNs 94
Trusted Certificate Authorities 94
CA-Signed Server Certificates 95
Server (HTTPS) Certificate 95
Certificate Use Examples 96
Example 1 96
Example 2 96
Certificate Health Checks 97
Configuration Commands 99
About the System Configuration File Commands 99
Generation III Commands 100
Replaced Commands 100
Release Improvements 101
9.7 Improvements 101

Resize Disk 102
FMOS Config Command 103
List Categories 103
Get Current Values 103
Update Values 103
Configuration Variables 104
Operating System Configuration 104
How to Apply Configuration Changes 108
Playbooks 109
SMTP Commands 110
Backups and Updates 111
About FMOS Backups 111
Backup Contents 111
Creating Backups 111
Scheduled Backup 111
On-Demand Backup 112
Pruning Old Backups 113
Post Backup Actions 113
Copy to a Remote SFTP Server 113
Example 1 114
Example 2 115
Copy to an S3 Bucket 115
Example 115
Send an Email Notification 116
Example 1 116
Example 2 116
Run a Command on the Local Machine 116

Example 1 116
Example 2 117
Restore a Backup 117
Recovery 117
Migration 118
Backup the Certificate Authority Server 119
Backing up the CA Store 119
Restoring the CA Store from Backup 120
Maintenance Mode 122
Maintenance Mode Disables Refresh 122
Backup Configuration Commands 122
About Updates 125
Update Source 125
Update Process 125
Requirements and Recommendations 125
Prerequisites for Updating 126
Supported FMOS Releases 127
Supported Releases 127
Release Formats 129
Build Variants 129
Distribution Formats 129
Default Update Channel Source 130
Using the Command Line 130
Reboot Required 131
FMOS Update Command 131
Set the FMOS Update Channel 131
Update FMOS 133
Install the FMOS ISO Update 133
Update Appliance Firmware 135

Using the iDRAC Web UI 135
Using the Pre-boot GUI 136
FMOS News Service 138
RSS Feed 138
FMOS Control Panel 139
About FMOS Control Panel 139
Default or Customized Value 139
Reset to Default Value 139
Advanced Configuration Variables 139
Access the FMOS Control Panel 141
Help Menu 141
How to Save Changes 141
Unstage Changes 141
Logout 142
Password Reset - Control Panel 142
Home 144
Health Check Results 144
Widgets on the page include: 144
System Status 144
Change Password 145
Disk Cleanup 145
Diagnostic Package 146
Delete a Diagnostic Package 146
OS 147
OS Settings Page 148
Set the FMOS Update Channel 148
Enable Show News 148
Authentication 149
Kerberos Authentication 149

LDAP 149
Password Policy 149
Password Complexity 150
Backups 151
Schedule an Automatic Backup 151
Post Backup Actions 151
Cryptographic Settings 151
Allow Weak Ciphers 152
Health Settings 152
Swap Memory Alert 152
Performance Metrics 154
Connect Prometheus in Grafana 154
Expose the Victoria Metrics API to the network 154
Send Performance Metrics 155
To send to FireMon Support 155
To send to other locations 155
Performance Metrics Retention 156
Add a Static Route 156
HTTP Proxy 156
SMTP Settings 157
SNMP Agent 158
Allow Weak SSH Algorithms 158
FMOS Syslog 159
SecMgr 160
Application Server 160
Apache 160
NdExec 160
SecMgr 161
Workflow 161
Enable TCP Syslog 161
Scheduled Configuration Deployment 161
Disk Cleanup Utility 163
About Disk Cleanup Utility 163
Examples 163
Example 164
Troubleshooting 165
Log Files 165
Support Diagnostic Package 166
Create a Diagnostic Package 166
Rescue Console - Reset User Password 167
Access the Rescue Console 167
Reset User Passwords 167
Cloud Password Recovery 169
FMOS CLI Commands for Troubleshooting 170
Next St eps 171

FMOS v9.8
FMOS Deployment Topics
About FMOS Generation III

What is FMOS?
The FireMon Operating System (FMOS) is a managed operating system. It is designed exclusively to
support the FireMon Security Intelligence Platform software suite. It provides all of the necessary
utilities to deploy, configure, use, and troubleshoot the Security Intelligence Platform (SIP) and its
related modules in a wide array of scenarios and environments.
Why FMOS?
To ensure all FireMon customers have a consistent experience when using FireMon software, FMOS
does not allow any users, including users with the FMOS Administrator privilege, to make direct
changes to any operating system or application configuration. FMOS provides an extensive set of
configuration options itself, which can be used to customize the FireMon software, the operating
system, and third-party software included in FMOS. The FireMon development team has evaluated
these configuration options and tests them for compatibility in a range of scenarios to identify and
eliminate issues and potential issues.
FMOS manages configuration files, kernel parameters, security options, user accounts, and more.
In addition to ensuring a consistent user experience and helping administrators avoid
misconfiguration, this approach has powerful security benefits. Limiting users’ access to prescribed
operations shrinks the attack surface area of the system dramatically.
Operating system security updates are provided by FireMon as part of our regular software
releases. With each release, the operating system package set is fully tested for compatibility with
our products – quality assurance that an administrator running SIP software on a different Linux
platform would have to do on their own.
As the FireMon Security Intelligence Platform module suite grows and evolves, so does FMOS. Each
release of FMOS includes additional functionality to simplify deployments, increase security, or
solve problems.
14 | FMOS Deployment Topics

FMOS v9.8
Supported Platforms
Regardless of platform type, system resources have to be available at the recommended system
requirements as documented in this guide based on number of devices and load observed on the
system given your specific deployment environment. FMOS follows CentOS 8 supported devices
from drivers perspective.
FireMon provides FMOS distribution options and deployment instructions for the mentioned
platforms. For other systems, standard steps should be used and performed by personnel on given
platform. FMOS can be deployed on mentioned platforms, FireMon Support does provide support
for FMOS but not operation, configuration or troubleshooting of the mentioned platforms unless it
is an FM appliance.
FMOS can be deployed on the following platforms:
FireMon (FM) Appliance

An FM appliance installation consists of:
l An FM appliance (at least one for a single deployment, more for distributed deployments).
l Security Intelligence Platform components: application server, database, one or more data
collectors, and a license for SIP.
Your FM appliance meets the system recommendation to run SIP efficiently.
Non-FM Appliance
An installation consists of:
l A physical or virtual machine in your environment (at least one for a single deployment, more
for distributed deployments).
If you are installing FMOS on a non-FM appliance machine, your hardware must meet or exceed
the system recommendations.
Virtual Machine
Virtual platforms that have been tested and are supported:
l VMware
l Linux Kernel Virtual Machine (KVM)
An installation consists of:

FMOS v9.8
l A virtual machine in your environment (at least one for a single deployment, more for dis-
tributed deployments).
A virtual machine must meet or exceed the system recommendations.
Cloud-based
Cloud-based platforms that have been tested and are supported:
l Amazon Web Services (AWS)
l Microsoft Azure

FMOS v9.8
System Requirements
Machine Specifications
Recommended system requirements are based on SIP best practices. Failing to meet these
recommendations can lead to possible performance issues.
Not e: We recommend accessing SIP using one of the following supported browsers: Mozilla
Firefox, Google Chrome, Microsoft Edge, and Apple Safari with a minimum screen resolution of
1280 x 800.
When first installing FMOS, the initial configuration wizard will check the local system to ensure it
meets the recommended system requirements. These requirements provide a baseline for all
deployments. When planning the deployment, consider the following guidelines:
l Servers with the database (DB) role will require very large amounts of RAM, especially when
generating reports or running assessments.
l Servers with the application server (AS) role will use a large amount of RAM and CPU time,
and demand will increase as the number of users grows.
l Servers with the data collector (DC) role will use large amounts of RAM and CPU time, and
demand will increase as the number of monitored devices grows.
These are the recommended system requirements, based on FM appliance system specifications. If
you are using your own machine hardware, it is recommended that it has a system equivalent to an
FM appliance.
Full Inst all
Machines running the full or cloud variant of FMOS must have at least these specifications:
l CPU: 32 cores, 3.2 GHz
l RAM : 96 GB DDR4-2666 with ECC
l St orage: 1200 GB (SAS, 15K RPM HDD or SSD, RAID 10)
DC Only Inst all
Machines running the dconly variant of FMOS must have at least these specifications:
l CPU: 24 cores, 3.4 GHz
l RAM : 64 GB DDR4-2666 with ECC

FMOS v9.8
l St orage: 240 GB (SATA or SAS, 15K RPM or SSD, RAID 1)
FM Appliance Specs
These are the FM Appliances that machine specifications are based on. FireMon offers three
purpose-built Dell machines to run FireMon SIP solutions in your enterprise or MSSP environment.
Whether you’re monitoring 100 devices or 15,000, on one continent or around the world, we offer
an FM appliance with the power and storage capacity to deliver FireMon’s high-performance, highly
scalable firewall management and risk analysis solutions.
FM -720ES* FM -715DC* FM -1110ES*
2x Intel Xeon Gold 2x Intel Xeon Gold 2x Intel Xeon Gold 6140
Processor
6134 (3.2 GHz) 6128 (3.4 GHz) (2.3 GHz)
12x 8 GB 2666 MT/s 8x 8 GB 2666 MT/s 8x 16 GB 2666 MT/s

Memory Dual Rank DDR4 Dual Rank DDR4 Dual Rank DDR4 RDIMM
RDIMM (96 GB) RDIMM (64 GB) (128 GB)
4x 600 GB 15K RPM 12 2x 240 GB 6 Gbit/s 2.5” 16x 300 GB 15K RPM 12
Storage
Gbit/s 2.5” SAS HDD SATA SSD Gbit/s 2.5” SAS HDD
* All models include iDRAC8 Enterprise.
Network Topology
When deploying multiple servers, consider the following guidelines for best overall performance:
l All servers holding the application server role must be on the same network segment.
l If the application server and database roles are held by separate servers, those servers
should be on the same network segment, with a very high bandwidth connection between
them.
l Servers holding the data collector role should be located logically near the devices they mon-
itor.
l Application servers must be able to resolve the database server by fully qualified domain
name (FQDN).
l Data collector servers must be able to resolve application servers by FQDN.
l A default gateway must be configured on all servers.

FMOS v9.8
Dat abase Server (DB)

l ICMP/ICMPv6
l IP protocol 50 (ESP)
l TCP port 5432 (PostgreSQL)
l TCP port 55555 (FMOS Control Panel)*
l UDP port 500 (ISAKMP)
l UDP port 4500 (IPsec-NAT-T)
Applicat ion Server (AS)

l ICMP/ICMPv6
l IGMP
l IP protocol 50
l TCP port 443 (HTTPS)
l TCP port 61617 (ActiveMQ)
l UDP port 500 (ISAKMP)
l UDP port 4500 (IPsec-NAT-T)
l Multicast UDP port 6155 (ActiveMQ Cluster Member Discovery)
Dat a Collect or (DC)

l ICMP/ICMPv6
l UDP port 514 (Syslog) (as needed)
l TCP port 1470 (Syslog) (as needed)
l TCP port 5150 (DC cluster) (as needed)
* Not e: TCP port 55555 is required for the DB to access the FMOS Control Panel UI but is optional
for AS and DC. If you do not want to open port 55555, you can use CLI commands within the DB.

FMOS v9.8
SIP Ecosystem
SIP Roles
To facilitate the distributed capabilities of the SIP software suite, FMOS provides tools for deploying
multiple servers that communicate with one another. Each server can hold one or more roles,
which define its responsibilities and the components of SIP that it runs.
l Applicat ion Server (AS): Servers with this role run the SecMgr and Workflow services and
expose their HTTP APIs to network consumers. These servers also expose the web-based
user interface applications. An ecosystem must have at least one server with this role.
l Cert ificat e Aut horit y (CA): FMOS uses TLS and IPsec to enable secure communication
between SIP components, including the PostgreSQL database, the Elasticsearch index,
SecMgr, the Data Collector, etc. These protocols use X.509 certificates to authenticate the
communicating parties to one another. FMOS manages an X.509 Certificate Authority to
issue and validate these certificates. Exactly one machine in the FMOS ecosystem must have
this role. Under normal circumstances, the first machine created in the ecosystem will hold
the CA role.
l Dat abase Server (DB): Servers with this role run the PostgreSQL database management
engine, which houses the data used by FireMon Security Manager. Additionally, these servers
store data, such as normalized configuration, in files on the filesystem, which can be shared
with other servers in the ecosystem. An ecosystem can have exactly one server with this role.
l Dat a Collect or (DC): Servers with this role are responsible for communicating with devices
managed by Security Manager, for example to retrieve configuration and process log
messages. An ecosystem must have at least one server with this role.
l Ent erprise Search (ES): Servers with this role run Elasticsearch to provide high-performance
search capability for FireMon Security Manager. There must be at least one machine with this
role in the ecosystem. It is typically held by the same servers that hold the Database Server
(DB) role.
A server may run a combination of roles as well. It is very common for a single server to hold all
three roles. In medium-sized environments, it is likely that there will be one server that holds the AS
and DB roles, and one or more separate servers with the DC role. Very large environments may
have one server with the DB role, and many servers with each of the other roles.
Deployment Scenarios
FMOS supports several deployment scenarios, each with specific strengths. The size of the
deployment will mostly depend on which features (modules) of SIP will be used, how many devices
it will monitor, and many other factors. FMOS cannot make specific recommendations on which

FMOS v9.8
scenario is correct for any specific case. In general, however, the larger deployment scenarios tend
to perform better than the smaller ones.
Single-Server
In a single-server deployment (also called an all-in-one or AIO deployment), a single machine holds all
of the SIP roles. This is very easy to set up, and requires very little maintenance. It also performs
extremely poorly in almost all cases, so its use should be limited to demonstration or evaluation
purposes only.
Part ially Dist ribut ed
A partially distributed deployment is one where one machine holds the AS, CA, DB, and ES roles, with
one or more separate machines holding the DC role. This type of deployment is useful in small
environments where the machine serving the HTTP API and Web UI is not able to directly
communicate with the devices Security Manager monitors. Like the single-server deployment,
performance in this type of scenario is generally poor, so its use is discouraged.
Fully Dist ribut ed
In a fully distributed deployment, each SIP role is held by a separate machine. Such a deployment
requires at least three machines: 1 CA+DB+ES, 1 AS, and 1 DC. This type of deployment takes
advantage of the horizontal scalability built into each component of SIP; performance of a
component increases with the number of those components present in the ecosystem.
Not e: This type of deployment, while more difficult to deploy, is strongly encouraged for all use
cases.
In a fully distributed ecosystem, FMOS requires a shared filesystem for AS machines to store non-
relational data (such as normalized configuration files, etc.). In single-database mode, the machine
holding the DB role shares its local filesystem with the AS machines using NFS. In multi-database
mode, the DB machines form a clustered filesystem that replicates its contents to each DB machine.
The AS machines access this cluster using NFS.
M ult iple-Dat abase M ode
By default, FMOS only allows a single machine in the ecosystem to hold the DB and ES roles. To
facilitate rapid disaster recovery scenarios, FMOS can be configured for multi-database mode. In this
mode, additional machines can hold these roles in a standby capacity. The original database
machine operates as a primary server, replicating its changes to the standby machines. In the event
of a failure, one of the standby machines can be promoted to become the primary.

FMOS v9.8
Role Hierarchy
Machines in an FMOS ecosystem are organized hierarchically. The relationship between machines
is described as superior or subordinate. In a typical ecosystem, the machine that holds the DB role
is the superior of all of the machines with the AS role. Thus, the AS machines are subordinates of
the DB machine. Similarly, machines that hold the DC role are subordinates of a machine with the
AS role.
The figure below shows the relationship between roles in a fully distributed ecosystem. The arrows
point to the superior server of each role.
Planning the Ecosystem

It is important when implementing a multi-server ecosystem to plan how many servers will be
required and which roles each server will hold. Having this information available ahead of time will
ease the deployment process significantly. The following questions can help identify exactly which
steps need to be performed in order to correctly deploy the ecosystem:
l Will the server holding the DB role be separate from the server holding the AS role?
l How many servers will hold the AS role?
l Will the servers holding the DC role be separate from the AS roles?
It is a good idea to list each server that will exist within the ecosystem, which roles it will hold, as
well as its host name and network settings before beginning.

FMOS v9.8
Which Ecosyst em Deployment is Right for Your Organizat ion?
These are only visual representations of potential deployment options. Your

environment is unique.

FMOS v9.8
Download the FireMon Operating System

Not e: These procedures only apply to non-FireMon machines. FM appliances ship with FMOS
already installed.
Build Variants
Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific
purpose. When installing FMOS on a new machine, be sure to select the proper variant:
l Cloud: This variant is intended to be used for Cloud deployments, such as Microsoft Azure or
Amazon Web Services. It contains all of the Security Intelligence Platform application com-
ponents and all supporting software.
l DC Only: This variant only contains the Data Collector application component for the Secur-
ity Intelligence Platform.
l Full: This is the default variant. It contains all of the Security Intelligence Platform application
components, including the Security Manager server, the data collector, and all supporting
software such as PostgreSQL and elastic search.
Distribution Formats
Each FMOS build variant is distributed in multiple formats. The various formats are designed to
support different deployment environments or scenarios:
l FM OS Dist ribut ion Archive (.t ar.gpg) [all variant s]: This format is used by all FMOS vari-
ants for updating an existing installation of FMOS to a new version. When updating, be sure
to use the Distribution Archive for the same variant that is already installed.
l Virt ual M achine Templat e (.ova) [full, dconly]: This format is used to deploy a new virtual
machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
o If you choose VM Template, it downloads with a limited disk size of 250 GB. You will
need to either edit the disk size and make it the recommended size (500 GB) before
performing the FMOS installation or add a second disk size of 250 GB.
l Virt ual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual
machine, for example using Linux KVM (with libvirt/QEMU) or OpenStack.
o If you choose Virtual Disk Image, it downloads with a limited disk size of 250 GB. You
will need to either edit the disk size and make it the recommended size (500 GB)
before performing the FMOS installation or add a second disk size of 250 GB.

FMOS v9.8
l Physical Hardware Inst aller (.iso) [full, dconly]: This format is used to install FMOS on a
physical machine.
l Azure Virt ual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual
Machine Image in Microsoft Azure.
l AWS Virt ual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon
Machine Image in Amazon Web Services.
Download t he Inst allat ion Files
1. Go to FireMon User Center (https://usercenter.firemon.com) and log in. Your User Center
user name and password were emailed to your organization.
2. Click Downloads.
3. In the SIP Soft ware section, click Click here t o select t he correct download to be directed
to the Art ifact Select ion page.
4. In the Inst all Select ion section, select your deployment type.
l Cloud: select for AWS and Azure installations
l DC Only: select for data collector only installations
l Full: select for full distribution installations
5. In the Dist ribut ion Select ion section, select the distribution type based on how your eco-
system is deployed.
l Cloud: AWS, AWS (Update Only), Azure, Azure (Update Only)
l DC Only: Physical Hardware, Update Only, Virtual Disk Image, VM Template
l Full: Physical Hardware, Update Only, Virtual Disk Image, VM Template
6. In the Select File section, verify that the install and distribution types are correct and then
click Select File to be directed to the file download page.
7. Click Download.
8. After downloading the FMOS file, decide if you will install on compatible hardware or to a vir-
tual machine.

FMOS v9.8
Install FMOS
Ecosystem Setup
The FMOS Ecosystem Setup process is done using the fmos ecosystem command. Future
versions of FMOS may support performing the ecosystem setup process from the FMOS Control
Panel browser-based graphical user interfaces, but current versions require using the FMOS
command line (e.g. over SSH).
Initial Configuration
Before deploying a multi-server ecosystem, each machine that will be a member of the ecosystem
needs to finish initial configuration. This is when basic options such as hostname, network
configuration, organization identification, etc. are provided for the machine. As part of this process,
the machine is prepared to join the ecosystem by choosing one of the available deployment
options.
Initial configuration of an FMOS machine is done in one of two ways, depending on where the
machine is hosted: a physical or virtual machine, or a cloud deployment.
When deploying a multi-server ecosystem, choose New Deployment only for the first machine
(the database server, which will hold the CA, DB, and ES roles). For all ot her machines, including
standby database machines (if any), choose Existing Deployment.
Initial Configuration Wizard

For FM appliances and other physical hardware servers, as well as on-premises virtual machines,
the FMOSInitial Configuration Wizard is used. This wizard is a text-based user interface that is
displayed on the machine’s graphical console or monitor, and uses the keyboard for input and
navigation.
After FMOS has been successfully installed on the system, the FireMon FMOSInitial Configuration
Wizard will start automatically on the first boot. This wizard will guide you through setting the
required configuration options in order to use the system.

FMOS v9.8
The FMOS Initial Configuration Wizard has the following deployment options:
l Single-Server Deployment : This server is the only server in the deployment. It will perform
all of the functions of SIP without communicating with other servers.
l Exist ing Deployment : This server will be a part of a SIP deployment that already exists in the
organization. This option is used for all machines in a multi-server ecosystem except the
primary database machine. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will provide
the database and application server, unless Dat abase Only is selected.
Be sure to select New Deployment for only the first server in a new ecosystem, and select
Existing Deployment for all other servers.
The configuration wizard is organized into several “pages” which contain groups of related
configuration options that can be set.

FMOS v9.8
Host and Net work Configurat ion
This page prompts for basic required information for configuring the machine and connecting it to
the network.
The host name is the single-label name of the server. It can contain only letters, numerals, and
hyphens. It is not typically case-sensitive, but the entered value will be used as-is. The host name
should not be longer than 15 characters.
The domain name is the name of the DNS domain to which the server belongs. In many cases, this
will match the DNS name of an Active Directory domain or Kerberos realm.
Together, the host name and domain name, when combined with a “dot” (.) character, form the
host’s fully-qualified domain name (FQDN). It is extremely important that the FQDN resolve
correctly using DNS, and that the listed address matches the primary IP address of the server. The
FQDN is used for certificate verification, cluster communication, and several other important
network functions.
Net work Configurat ion
All of the network interfaces detected by the system are listed under Net work Adapt ers on the
host configuration page. By default, the first detected network adapter is enabled, while all others
are disabled. To enable or disable a network adapter, position the cursor in the check box to the
left of the adapter name and select the space bar or enter key on the keyboard.
Enabled network adapters are automatically configured for DHCP address assignment. To change
this, position the cursor on the Configure button to the right of the network adapter name and
select the space bar or enter key on the keyboard. The network adapter configuration page will be
displayed.
To change the configuration mode for the selected network adapter, position the cursor on the
radio button to the left of the desired configuration mode and select the space bar or enter key on
the keyboard. If the Manual configuration mode is selected, the fields below such as IP Address and
Subnet Mask become available. Enter the appropriate information in these fields. To save the
changes and return to the host configuration page, position the cursor on the Ok button and select
the space bar or enter key on the keyboard. The Cancel button will return to the host configuration
page without saving any changes.
Although the Default Gateway and DNS Server fields appear on the network adapter
configuration page for every network adapter, these are system-wide configuration settings,
and can only have a single value. As such, changing the value on one adapter configuration
page will change it for all adapters as well.

FMOS v9.8
Net work Time
The operation of SIP is very dependent on accurate time information, it is highly recommended to
configure FMOS to synchronize its system clock with a network time source using NTP. FMOS
supports receiving time server information from the DHCP server (if you configured at least one
network adapter for automatic configuration, and your network’s DHCP server provides this
information) or specifying the time servers to use manually.
DHCP configuration of NTP sources is enabled by default. To manually enter one or more NTP
servers, position the cursor on the Use specific t ime servers radio button and select the space bar
or enter key on the keyboard. The Time Servers field will be automatically populated with the
recommended time servers. To specify different servers, position the cursor in the field and select
the backspace or delete keys on the keyboard. You can enter more than one server by separating
their host names or IP addresses with a space.
Organizat ion
FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.
l Name: The name of the company or organization
l Unit / Depart ment : (Optional) The name of the department, team, unit, etc.
l Cit y: (Optional) The city/locality of the organization or where the machine is deployed
l St at e/ Province: (Optional) The state or province of the organization or where the machine is
deployed
l Count ry: (Optional) The country of the organization or where the machine is deployed
User
At least one user must be created in order to access the FMOS system normally. Enter the desired
username for the user, and optionally the user’s full name.
Choose a strong password of at least eight (8) characters, containing at least one lowercase letter,
one uppercase letter, one number, and one other symbol (such as !, @, etc.). Repeat the
password to confirm you typed it correctly.
Additional users can be created from the operating system command line after initial configuration
is complete.

FMOS v9.8
Not ificat ions
Email Notifications
SMTP Settings
Several components of SIP and FMOS itself can send notification messages by email. FMOS
supports several configuration modes for sending these messages:
l Delivery M et hod: Configures how email messages will be delivered to recipients:

o Send email direct ly—Email messages will be delivered directly to the mail server
responsible for the recipient email addresses, found by querying looking up the MX
records in DNS
o Send email t hrough an SM TP relay—All email messages will be sent to a relay
server or “smart host” for delivery
o Do not send any email—All email messages will be discarded and never delivered
l Relay Host : If Send email through an SMTP relay delivery method is selected, value indicates
the host name or IP address of the relay server through which all messages will be sent
l Port : The TCP port on which to connect to the SMTP server on the remote host
l Securit y: Selects the security capability to use when communicating with the SMTP relay
server; has no effect on direct email delivery
Only explicit in-band TLS is currently supported. The legacy method of wrapping the entire
SMTP communication in an SSL session, known as “SMTPS” is not available
l Aut hent icat ion: Selects the authentication method to use when communicating with the
SMTP relay server; has no effect on direct email delivery
Only the “plain” authentication mechanism is currently supported. Since this method sends
the username and password in clear text, it should only be used when STARTTLS security is
enabled.
l Username/ Password: The credentials to use when authentication required for

communicating with the SMTP relay server; has no effect on direct email delivery
Deployment Environment
FMOS supports several “ecosystem” configurations, consisting of one or more servers performing
different functions. It is extremely important to select the correct deployment option for the

FMOS v9.8
system, as making changes later can be difficult. Be sure to plan ahead and decide how many
servers will be needed and the roles each one will hold.
l Single-Server Deployment : This server is the only server in the organization. It will perform
l Exist ing Deployment : This server will be a part of a SIP deployment already that already
exists in the organization. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will provide
the database and application server, unless Database Only is selected.
Be sure to select New Deployment for only the first server in a new ecosystem, and select
Existing Deployment for all other servers.

FMOS v9.8
Installation for Cloud Deployments

For cloud-hosted virtual machines (e.g. AWS, Azure), the FMOSInitial Setup UI is used. This is a
browser-based graphical (web) application, and thus requires network access to use.
Initial FMOS Setup for Cloud Deployments

Access the Setup UI
The initial setup process for machines deployed in cloud environments differs from the process for
machines deployed in traditional data centers. Because cloud environments do not typically
provide a mechanism for accessing the graphical console of a machine, the FMOSInitial
Configuration Wizard is not available. Instead, FMOS provides a web-based alternative, the
FMOS Setup UI.
The FMOSSetup UI is hosted by the FMOS Control Panel server, and as such is available over TLS on
TCP port 55555.
To access the FMOS Setup UI, navigate to https://hostname_or_address:55555/setup, replacing

hostname_or_address with the IP address or hostname (if it can be resolved) of the machine to
configure.
Not e: The FMOS Control Panel always uses a self-signed certificate initially, so browsers will
present a security warning. This cannot be avoided, because the machine has not yet been
configured and so does not have a host name or access to a trusted certificate authority.
32 |
FMOS v9.8
FMOS Admin User

FMOS requires at least one user that will be able to administer the system. Enter the appropriate
values for each field to create the first user. This user will automatically be granted the FMOS
Administrator privilege.
l Username—The user name for the new user, must be at least 3 characters
l Full Name—(Optional) The full name of the user
l Password—A password for the new user, must comply with the default FMOS password
policy
l Confirm Password—Re-enter the password to ensure it was typed correctly
Machine Configuration
SIP can operate in a self-contained environment on a single server, or as part of a multiple-server
ecosystem. Select one of the values to specify how the server will be deployed.
The FMOS Setup UI has the following deployment options:
l Single-Server Deployment : This server is the only server in the deployment. It will perform
l Exist ing Deployment : This server will be a part of a SIP deployment that already exists in the
organization. This option is used for all machines in a multi-server ecosystem except the
33 |
FMOS v9.8
primary database machine. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will
provide the database and application server, unless Dat abase Only is selected.
Organization Information
FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.
l Name—The name of the company or organization
l Unit / Depart ment —(Optional) The name of the department, team, unit, etc.
l Cit y—(Optional) The city/locality of the organization or where the machine is deployed
l St at e/ Province—(Optional) The state or province of the organization or where the machine

is deployed
l Count ry—(Optional) The country of the organization or where the machine is deployed
Initial Deployment Process

After submitting the required information in the Initial FMOS Setup, FMOS will begin the
deployment process. The status of the deployment can be viewed by using the FMOS Health
system. Health check results are available from a terminal session with the fmos healt h command,
or from the FMOS Server Control Panel.
Caut ion! During initial deployment, the FMOS Control Panel server certificate will be replaced.
Browsers will typically warn users when a server’s certificate has changed, so accessing the
FMOS Control Panel after using the FMOS Setup UI may generate such a warning.
34 |
FMOS v9.8
Amazon Web Services
This is a bring your own license (BYOL) AMI, you must already have a SIP license to activate the
subscription.
FMOS can run as an Elastic Compute Cloud (EC2) Instance in Amazon Web Services (AWS). FireMon
has taken the need to manually set up the AMI by providing it as a download using the AWS
Marketplace. There is also an AWS CloudFormation Template available for use.
Available in the AWS Marketplace:
AMI
CloudFormation Template
35 |
FMOS v9.8
AMI
Step 1: Launch the AMI
FMOS can run as an Elastic Compute Cloud (EC2) Instance in Amazon Web Services (AWS). FireMon
has taken the need to manually set up the AMI by providing it as a download using the AWS
Marketplace.
To launch from AWS Marketplace
1. Log in to the AWS Marketplace.
2. Search for FireM on and select the FireM on Securit y Int elligence Plat form BYOL entry.
3. Click Cont inue t o Subscribe.
4. Click Accept Terms after reviewing FireMon's EULA, and then click Cont inue t o Con-
figurat ion.
Not e: You can continue to launch or you can come back later to complete, starting from To
launch from the EC2 Dashboard
5. For Configure t his soft ware, verify the deployment:
l Delivery M et hod is set to the AMI version
l Soft ware Version is set to the latest release
l Region can be set to your preferred location or leave the default region
6. Click Cont inue t o Launch.
7. For Launch t his soft ware, in Configurat ion Det ails, click Usage Inst ruct ions to view
important setting information.
8. For Choose Act ion, select the Launch t hrough EC2, and then click Launch.
9. Select Launch from EC2 Dashboard, and then click Launch to open the AMI configuration
settings.
10. Choose Inst ance Type: Select an Inst ance Type from the list of available.
Recommended: A General or Memory Optimized type that is greater or equal to 64 GB

memory.
11. Configure Inst ance: Accept default settings or select data to meet your requirements.
12. Add St orage: Click Add New Volume and in the Size field enter at least 600.
36 |
FMOS v9.8
Be sure to click Add New Volume. This step must be done to prevent instance launch failure.
Do not change the Root Volume Type or the Root Volume Size. Modifying root partitions
render the machine unrecoverable.
13. Add Tags: Enter a Key and Value (a tag) for the instance.
14. Configure Securit y Group: The required types, protocols, and ports needed for FMOS are
set.
l HTTPS / TCP / 55555 to access FMOS Control Panel server for initial setup
l HTTPS / TCP / 443 to access web-based modules
l SSH / TCP / 22 for admin access
15. Click Review and Launch.
16. Review: Review that all information entered is correct and click Launch.
17. The Select an exist ing key pair or creat e a new key pair dialog box opens. These keys are
needed for authentication.
18. Select the acknowledgment that you have access to the selected key pair.
19. Click Launch Inst ance.
20. After the instance launches successfully, you can open a new browser tab to begin the
FMOS initial setup process.
21. Continue to Step 2: FMOS Initial Setup Authentication for AWS.
To launch from the EC2 Dashboard
If you did not launch the AMI at the time of subscribing, you can come back to continue to launch
using the EC2 Dashboard.
1. In the EC2 Dashboard toolbar, click Services.
2. Click AWS M arket place Subscript ions.
3. Find FireMon Security Intelligence Platform, and click Launch new inst ance.
4. For Configure t his soft ware, verify the deployment:
l Delivery M et hod is set to the AMI version
l Soft ware Version is set to the latest release
37 |
FMOS v9.8
l Region can be set to your preferred location or leave the default region
5. Click Cont inue t o launch t hrough EC2.
6. Continue as from Step 10 above.
Step 2: FMOS Initial Setup Authentication for AMI

The FMOS Initial Setup is responsible for collecting critical information about the system that is
required in order to perform the initial deployment. Among the values it collects are the credentials
for the first FMOS administrative user. This user is authorized to log in to the FMOS CLI using SSH,
run the fmos command, and use the FMOS Control Panel. Because the AWS Marketplace security
policy requires that the user must first enter a randomized password or the instance ID, the FMOS
Initial Setup will prompt for this value before allowing you to continue.
Initial User Account
When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:
l The system will create a new Linux user account. The username will be fmosadmin.
l The system will assign the FMOS Administrator privilege to the account.
l The system will set the password for the new account. The password is the EC2 instance ID,
which is available through the instance metadata service.
Setup UI Administration
Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the FMOS Initial Setup process and thereby changing the initial account password. The
authentication procedure will be:
1. Open a web browser to navigate to the host name or IP address of SIP running the
AWS instance. For example, ht t ps:/ / <host name_or_IPaddress>:55555/ set up, replacing
<hostname_or_address> with the host name or IP address of the instance to configure.
2. The UI will display an Aut hent icat ion dialog box before opening the FMOS Initial Setup
form.
38 |
FMOS v9.8
a. Username is fmosadmin.
b. Password is the EC2 inst ance ID.
c. Click Submit .
3. Following successful authentication, the UI will hide the authentication dialog box and display
the FMOS Initial Setup form.
Step 3: FMOS Initial Setup Completion for AMI

After the FMOS initial setup authentication completes, you will continue to enter information in the
required fields to finish setup of an AWS cloud deployment.
FMOS Administrative User
1. The user name is read-only and cannot be changed, but you can update the password.
l Username— This is fmosadmin and cannot be changed
l Full Name (optional) — The full name of the FMOS admin user
l Password— You can change from the EC2 Instance ID to a new password of your
choice
l Confirm Password — Retype the new password
2. Enter your organization's information.
l Name —The name of your company or organization. The name cannot contain non-
English characters, such as ã, ė , õ, ñ.
l Unit / Depart ment (optional) —The name of the department, team, unit, etc.
l Cit y (Optional) —The location of the organization or where the machine is deployed
39 |
FMOS v9.8
l St at e/ Province (optional) —The state or province of the organization or where the

machine is deployed
l Count ry (optional) —The country of the organization or where the machine is

deployed
Machine Configuration
3. Enter the FQDN.
4. Select the type of deployment this will be.
l Single-Server Deployment — This server is the only server in the deployment. It will
perform all the functions of SIP without communicating with other servers
l Exist ing Deployment — This server will be part of a deployment that already exists in
the organization. The specific functions this server will perform will be configured later
l New Deployment — This is the first server in a new multi-server deployment. It will
hold the Database and Enterprise Search roles
5. Click Submit .
6. Click the FM OS Cont rol Panel link in the deployment progress message to continue con-
figuration, and log in using your CLI credentials.
During initial deployment, the FMOS Control Panel server certificate will be replaced.
FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to
proceed.
7. After the deployment process completes, you can log in to Security Intelligence Platform to
continue setting up your network, such as adding users and devices.
a. Open another browser tab.
b. Enter the IP address of your SIP instance.
c. Enter your username and password:
l Username is firemon (case-sensitive)
l Password is the MAC address for the instance with colons removed and lower-
case letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
000595a12bcc. This is a one-time password to use at first installation and will
need to be reset after initial login.
l Click Log In
40 |
FMOS v9.8
CFT
Launch the CloudFormation Template
FMOS can run as a CloudFormation Template in Amazon Web Services (AWS).
To launch from CloudFormation
1. In the Cloud Formation Dashboard, click Creat e St ack (Wit h New Resources).
2. Select Upload a t emplat e file and choose a valid * yaml/ * json file.
3. Click Next .
4. Enter a St ack Name.
5. Enter data in all required fields in Paramet ers.
l VPC ID
l Subnet ID
l Instance Type
l KeyPair Name
l Volume Size
l FMOS username
6. In M achine Configurat ion specify Ecosyst em.
7. Add an Organizat ion Name.
8. Click Next .
9. Review: Review all sections entered and then click Next .
10. A new stack with above Stack Name is created with a status of CREATE_COM PLETE.
11. Go to the EC2 Dashboard. A new instance is created.
b. Enter the IP address of your AWS instance. For example, https://<hostname_or_IPad-

dress> or DNS
41 |
FMOS v9.8
c. Enter your username and password:
l Username is firemon (case-sensitive)
l Password is the MAC address for the instance with colons removed and lower-
case letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
l Click Log In.
42 |
FMOS v9.8
Microsoft Azure
FMOS can run as a virtual machine on the Microsoft Azure cloud platform. FireMon has taken the
need to manually set up the VMI by providing it as a download using the Azure Marketplace.
This is a bring your own license (BYOL) VMI, you must already have a SIP license to activate the
subscription.
Step 1: Launch Azure Marketplace VMI
This is a bring your own license (BYOL) VMI, you must already have a SIP license to activate the
subscription.
To launch from Azure Marketplace
1. Log in to the Azure Marketplace.
2. Search for FireM on and select the FireM on Securit y Int elligence Plat form for Azure entry.
3. Click Get it Now.
4. Click Cont inue to accept terms of use, and to create this app in Azure.
5. Once the subscription has processed, select
Step 2: FMOS Initial Setup Authentication for Azure

The FMOS Initial Setup is responsible for collecting critical information about the system that is
required in order to perform the initial deployment. Among the values it collects are the credentials
for the first FMOS administrative user. This user is authorized to log in to the FMOS CLI using SSH,
run the fmos command, and use the FMOS Control Panel.
Initial User Account
When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:
l The system will copy the OVF metadata from the virtual removeable disc to persistent
storage.
l The system will create a new Linux user account. The username is as specified by the user
during VM creation, which is provided in the OVF metadata.
43 |
FMOS v9.8
l The system will assign the FMOS Administrator privilege to the account.
l The system will set the password for the account. The password is as specified by the user
during VM creation, which is provided in the OVF metadata; if the user specified an SSH key
instead of a password, the password is the first 12 characters of the base64-encoded SHA256
fingerprint of the SSH public key.
Setup UI Administration
Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the FMOS Initial Setup process and thereby changing the initial account password. The
authentication procedure will be:
1. Open a web browser to navigate to the host name or IP address of SIP running the Azure VM.
For example, ht t ps:/ / <host name_or_IPaddress>:55555/ set up, replacing <hostname_or_
address> with the host name or IP address of the instance to configure.
2. The UI will display an Aut hent icat ion dialog box before opening the FMOS Initial Setup
form.
a. Username is the username for t he creat ed VM .
b. Password is the password for t he creat ed VM .
c. Click Submit .
3. Following successful authentication, the UI will hide the authentication dialog box and
display the FMOS Initial Setup form.
Step 3: FMOS Initial Setup Completion for Azure

After the FMOS initial setup authentication completes, you will continue to enter information in the
required fields to finish setup of an Azure cloud deployment.
44 |
FMOS v9.8
FMOS Administrative User
1. Enter FMOS Administrator User information.
l Username— The username used for the created VM
l Full Name (optional)— The full name of the user
l Password— The password used for the created VM
l Confirm Password — Re-enter the password to ensure it was typed correctly
2. Enter your organization's information.
l Name —The name of the company or organization
l Unit / Depart ment (optional) —The name of the department, team, unit, etc.
l Cit y (Optional) —The location of the organization or where the machine is deployed
l St at e/ Province (optional) —The state or province of the organization or where the

machine is deployed
l Count ry (optional) —The country of the organization or where the machine is

deployed
3. Enter the FQDN.
4. Select the type of deployment this will be.
l Single-Server Deployment — This server is the only server in the deployment. It will
perform all of the functions of SIP without communicating with other servers
l Exist ing Deployment — This server will be part of a deployment that already exists in
the organization. The specific functions this server will perform will be configured later
l New Deployment — This is the first server in a new multi-server deployment. It will
hold the Database and Enterprise Search roles
5. Click Submit .
6. Click the FM OS Cont rol Panel link in the deployment progress message to continue con-
figuration, and log in using your CLI credentials.
During initial deployment, the FMOS Control Panel server certificate will be replaced.
FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to
proceed.
45 |
FMOS v9.8
b. Enter the IP address of your Azure instance.
c. Enter your user name and password:
l Username is the username provided from the created VM
l Password is the MAC address for the created VM with colons removed and
lowercase letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
l Click Log In
Not e: Refer to the Administration User's Guide (available in the User Center) for information
about device properties and monitoring, and other administrative tasks.
46 |
FMOS v9.8
After Deployment Topics
Additional Installation and Configuration Topics

Access the Console After Initial Installation
To SSH into the FMOS installation, you can use a terminal emulator like PuTTY or another terminal
software.
However, if a terminal emulator is not available to you, you can use Alt+F6 to open a prompt.
Multiple Database Servers
Not e: Beginning with FMOS 9.1, NFS Shared is no longer required.
FMOS supports deploying multiple database servers within a single ecosystem. This provides a
mechanism for rapid recovery from a failure of the primary database machine by automatically
replicating all data to one or more standby servers.
Prerequisit es
Before beginning the setup process for additional database servers, the ecosystem must be
prepared properly.
Fully Distributed Ecosystem
Multi-database mode is only available for fully distributed ecosystems. Specifically, there must be
exactly one machine with the CA, database, and enterprise search roles (the primary database
machine), one or more other machines with the database and ES roles (the standby database
machines), and at least one separate machine with the AS role. It is not possible to enable multi-
database mode in partially distributed or single-server deployments; multi-database mode cannot
be enabled if the same machine holds both the DB and AS roles.
Multi-database mode can be enabled when first deploying a new ecosystem, or after an ecosystem
has been fully deployed and is operational. In other words, it is possible to add standby database
machines to the ecosystem before or after application servers.
Disk Storage Space
When first enabling multi-database mode, FMOS needs to reorganize the files stored on the local
filesystem to make them available via the clustered filesystem. The /var volume on the primary
database machine needs to have at least 50% free space before beginning.
47 | After Deployment Topics

FMOS v9.8
Network Communication
Database servers do not need to be deployed on the same network or subnet, however, sufficient
bandwidth must be available between the primary server and each standby to ensure that changes
are replicated as quickly as possible. Replication delay can result in data loss if the primary server
fails before all standby servers have received and committed all changes.
Machines holding the AS role need to be able to resolve all DB machines, including standby servers,
by Fully Qualified Domain Name (FQDN), and must be able to communicate with them using the
following services (IPv4 and IPv6 are both supported):
l ICMP/ICMPv6
l IP protocol 50 (ESP)
l TCP ports 5432 (PostgreSQL) and 55555 (FMOS Control Panel)
l UDP ports 500 (ISAKMP) and 4500 (IPsec-NAT-T)
The same requirements apply to database machines as well; standby servers must be able to
communicate with the primary server using the same services.
Superior / Subordinate Servers
When operating in multi-database mode, the hierarchy of server roles change slightly. The first
appliance created in the ecosystem holds the Certificate Authority (CA) role and becomes the
superior server to all DB and AS machines. The CA role is responsible for issuing security
certificates that are used by the AS, DB, and ES machines to assert their identity to one another and
establish encrypted communication channels.

FMOS v9.8
St ep 1: Set up
Provisioning machines for deployment into an FMOS ecosystem with multiple database servers
follows the same process as for a standard multi-server ecosystem.

FMOS v9.8
1. Boot from FMOS installation media (example: DVD-ROM or USB flash drive) and start the
automatic installer
2. Use the Initial Configuration Wizard to set the host name, network connection settings, and
user credentials.
3. On the machine designated as the primary database server, choose New Deployment and
Dat abase Only on the ecosystem selection screen.
4. On all other machines (including standby database servers, application servers, and data col-
lectors), select Exist ing Deployment .
St ep 2: AS M achine: Ent er M aint enance M ode
If any machines in the ecosystem already hold the AS role, they must be placed in maintenance
mode:
fmos maintenance begin
St ep 3: CA M achine: Enable M ult i-DB M ode
Once all AS machines (if any) have successfully entered maintenance mode, multiple-database
mode can be enabled for the ecosystem by executing the following command on the primary
database server:
fmos ecosystem enable-multi-db
The tool will adjust the FMOS System Configuration to enable multi-database mode, and then apply
the FMOS Configuration Policy. During this process, FMOS will create a clustered filesystem. Before
the clustered filesystem can be used, at least one other database machine must join the ecosystem.
When FMOS is ready for additional database machines to join the ecosystem it will pause and print
this message: Waiting for clustered filesystem to be initialized.
St ep 4: St andby DB M achine: Join t he Ecosyst em
At this point, the standby database machines can be added to the ecosystem. As with all machines,
this process is handled by the fmos ecosyst em join command. When adding a standby database
machine to the ecosystem, both the DB and ES roles must be added, and no other role can be
added.
fmos ecosystem join firemon-db.mycompany.com
Joining the ecosystem may take some time, depending on the size of the database and the amount
of activity within the ecosystem. An initial synchronization with the master is performed, and then

FMOS v9.8
streaming replication is enabled to keep the standby up-to-date. The process will complete once the
standby database becomes consistent with the master.
Not e: When adding multiple standby servers to the ecosystem, be sure the pg_num_
st andby_servers variable is set to the correct value on the primary database server. By
default, it is set to 1, meaning there can only be one standby server.
St ep 5: CA M achine: Finish Deployment
Once at least one standby database machine has joined the ecosystem, the fmos ecosyst em
enable-mult i-db command will resume on the primary database server. It will finish setting up the
clustered filesystem, and then move the data from the local filesystem. When this is complete, the
AS machines can be brought out of maintenance mode and returned to service.
St ep 6: AS M achine: Exit M aint enance M ode
To bring the application servers back online, use the fmos maint enance end command. This will
mount the shared filesystem and start the Security Manager services.
Standby Servers
M anual Swit chover
In the event of a primary database server failure, one standby server can be promoted to become
the primary. The existing primary will become unusable at this point and must be removed from the
ecosystem. There is no switch-back mechanism.
Promot e a St andby
To promote a standby server to become the primary, execute the following command:
fmos ecosystem promote
This tool will attempt to connect to the existing primary server and request that it shut down. Doing
so reduces the risk of a “split brain” scenario, where two database servers are operating as the
primary at the same time. If the existing primary cannot be contacted, a warning will be displayed,
but the process can proceed anyway. In most cases, promoting a standby is only done when the
primary has failed, so it may not be possible to shut it down safely.
Reconfigure AS and DB M achines
After a standby server has been promoted to primary, all other standby database machine and all
application server machines will need to be pointed to the new server to become operational again.

FMOS v9.8
This is accomplished by running the fmos ecosyst em swit chover command, passing it the FQDN
of the new primary as a command-line argument. For example:
fmos ecosystem switchover <server name>
Not e: The switchover process may fail if the original primary database server is unavailable.
If the fmos ecosystem switchover command fails on an application server, try rebooting the AS
and running the command again.
After switching over an application server following an unexpected failure of the primary database
machine, the application server may be in a partially degraded state. When the shared filesystem
hosted by the original primary DB machine is not available during the switchover process, FMOS
needs to forcefully unmount it in order to mount it again from the newly-promoted database
machine. This forceful unmount prevents the application server machine from communicating with
the original database machine’s IP address, and can cause processes to accumulate. To resolve this
situation, any application server machine that has switched its superior server while its original
superior server is unavailable should be rebooted as soon as possible.
Recover CA Role
Once all application server and database machines have been reconfigured to use the new primary
server, the FMOS ecosystem will be operational again. At this point, however, no new machines can
be added to the ecosystem as there is no longer a machine with the CA role. Thus, the CA role
needs to be recovered onto the newly-promoted database machine.
This process requires a backup of the certificate authority store from the original CA machine. If it is
still accessible, a backup can be created using the fmos ca backup command.
If the CA machine is permanently inaccessible and no certificate authority store is available,

the FMOS ecosystem will have to be reprovisioned. For this reason, it is imperative to keep a
current backup of the certificate authority store in a safe location at all times!
1. Copy the most recent backup of the certificate authority store to the new primary database
machine.
2. On the new primary database machine, restore the backup, e.g.:
fmos ca restore ${filename}
3. Execute fmos ecosystem recover-ca to enable the CA role.

FMOS v9.8
Reprovision Original Primary
Once a primary server has been shut down, either safely when another server was promoted, or
forcefully, it must be reprovisioned before it can join the ecosystem again. FMOS must be reinstalled
using removable media, and appliance must be configured as a new member of an existing
ecosystem. It can be added as a standby DB server, and optionally promoted to primary again using
the same switchover procedure.
Aut omat ic Failover
FMOS does not provide a mechanism for automatic failover when the primary database server
becomes unavailable. Organizations should ensure that appropriate monitoring is in place in order
to be notified of communication issues quickly so that a manual switchover can be initiated in a
timely manner.

FMOS v9.8
Additional Application Servers

The steps for adding additional application server are identical to those for the first. Simply install
FMOS and choose Existing Deployment. Then, join the ecosystem using the command fmos
ecosyst em join, specifying the database server as the superior server.
The Security Manager super-user account must have the default credentials in order to add a
new application server to the ecosystem.
Not e: The MAC addressed used for initial SIP sign on is from the first application server installed.
Not e: When performing an FMOS update, the first application server will run the update scripts
against the database server. Because of this, the first application server may take longer to
update than any others in the deployment.
Load Balancing Solutions

If multiple application servers exist within an environment, some form of load balancing or fail-over
capability is desired. FMOS does not provide these capabilities, but there are several options that
may be suitable.
l Load Balancer M achine: Several third-party vendors offer load balancing solutions with
physical or virtual machines. For large sites, this the recommended option.
l Round-Robin DNS: DNS intrinsically provides simple load balancing, as the order of
returned results is not guaranteed. This solution requires that the TLS certificates used by
the HTTPS server have matching subject names. It also does not provide fail-over or high
availability features.
When using either of these options, the public_host name system configuration variable needs to
be set on all application servers before any data collectors are added to the ecosystem. This
variable should be set to the name the data collectors will use to connect to the application server
cluster, such as the FQDN of the load balancer.
Deploying M ult iple Applicat ion Servers
For deployments using multiple application servers in a load balanced configuration, the following
network requirements must be satisfied:
l All application servers must be on the same subnet
l Multicast traffic be allowed between all application servers
l The IP address for Multicast group is: 224.2.2.3

FMOS v9.8
For deployments using different servers with different roles, the application server and the
corresponding DB/ES/CA server must be on the same broadcast domain. We do not support
implementations that fall outside of this scenario.
Set t ing up a Load Balancer when not t erminat ing SSL at t he Load Balancer
Do I set the “public_hostname” property on both of the App Servers?
Yes. Before adding DCs, this needs to be set to the FQDN assigned to the load balancer.
Do I need to create a new certificate that includes the VIP of the load balancer (and public_
hostname value) then import to both App Servers?
Yes. When not doing TLS termination at the load balancer, all AS appliances need a
server certificate with at least the name the DCs will use. It does not strictly have to be
the same certificate on both appliances. It just needs to include the "virtual" name.
If I have to create a new certificate, does this need to include the AS actual FQDN as alt names?
Not necessarily, but the ` fmos pki gen-csr` command will add it.
Using a F5 BIG-IP as a Load Balancer for Applicat ion Servers
Not e: These are steps for setting up load balancing for your FireMon application servers with SSL
termination done at the F5 BIG-IP. There are many customizations that can be made based on
your environment so the below instructions are only guidelines.
1. You will need three virtual servers created on the same IP address.
l Ports 80 and 443 should be reachable by users.
l Ports 443 and 55555 should be reachable by your FM Data Collectors.
2. SSL Certificate setup. CA signed.
a. Generate CSR from your F5 BIG-IP:
l Click Syst em > Cert ificat e M anagement > Traffic Cert ificat e M anagement >
SSL Cert ificat e list > Creat e.
l In the Common Name box, type the name of your Virtual Server (example:
firemon.example.com)
l If you want to add Subject Alt ernat ive Names, you can specify them in the
format DNS:firemonha.example.com, DNS:www.exchange.example.com,

FMOS v9.8
DNS:www.example.net.
l Click Finished.
b. Download the Request File.
c. Click Finished (stay on this screen to import the certificate).
d. Upload the Request File to your FireMon CA/DB server.
e. Run the FMOS commands below:
l fmos ca sign example.csr example.crt
l fmos ca export -ca-cert --ca server server-chain.crt
f. Upload example.crt and server-chain.crt to your F5
l Import certificate by either pasting or uploading.
l Import server-chain (Import > Certificate > New).
l Name this certificate so you can tell it's your FireMon CA certificate.
g. Build a SSL profile with the example key, example cert, and server-chain.
l Local Traffic > Profiles > SSL > Client > New.
l Choose a name for this SSL profile.
l Choose an appropriate parent profile for your organization.
l Override Certificate Key Chain, Click Add.
l Fill in your created certificate for certificate and key. Use the FireMon CA
certificate for Chain.
l Click Add.
l Click Finished.
First pool settings:
l Port 443, HTTPS monitor (GET /\r\n), Slow Ramp Time of 45 seconds.
l Add all application servers into this pool
Second pool settings:
l Port 55555, HTTPS monitor, Slow Ramp Time of 10 seconds.
l This pool only needs any one application server.
First virtual server setup settings:

FMOS v9.8
l Port 443, HTTP profile, SSL profiles for Client and Server. You can use the default 'serverssl'
profile for your server side. For client SSL profile, use the profile previously set up. If your LTM
is not your default gateway, set up a Source Address Translation. Use some sort of session
persistence. If using cookie, set up source_addr as a fallback. The Data Collector servers will
connect to your Application Servers and will not use cookies.
l The default pool for this should be pointing to your pool with port 443.
l Refer to F5 article K14754 for websocket support information.
Second virtual server setup settings:
l Use all of the same settings as the 443 VS except for this should listen on port 55555 for the
FireMon Server Control Panel. This VS does not need session persistence and users will not
have any reason to access this VS.
l The default pool for this should be pointing to your pool with port 55555.
Third virtual server setup settings:
l This VS should listen on port 80 just to redirect to port 443. It only needs port 80, an HTTP pro-
file, and the irule _sys_https_redirect assigned to it. It does not need a pool.
Not using SSL termination on your load balancer:
l Set up virtual servers using TCP and leave SSL profiles blank. Do not put any HTTP profile.

FMOS v9.8
Reprovision an Ecosystem
FMOS does not provide any tools for removing roles from machines that are already members of
an ecosystem. This includes single-server ecosystems, where a single machine holds all FMOS roles.
In some situations, it may be desirable to reprovision an ecosystem where a single server holds
both the application server and database roles by separating these roles onto multiple appliances.
This procedure can result in data loss, so it is important to ensure the steps below are followed
precisely.
The text in the blue boxes are examples only. Do not copy this text into your CLI.
The user performing the reprovisioning must be assigned the Backup Operator role.
St ep 1: Back up t he Dat abase
Before making any changes to the ecosystem, it is imperative that a backup is made on the
machine that holds the database role.
1. Log in to database server.
2. At the prompt, enter the command: fmos backup
~]$ fmos backup
Backing up system configuration ... ok
Backing up database ... ok
Backing up files ... ok
Successfully created backup /var/lib/backup/firemon/fmos-ref8-15_2017-

06-23-2030.backup
3. Copy the backup to a remote storage location, such as an SFTP server.
sftp> cd /home/usernmae
sftp> put /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
Uploading /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
to /home/username/fmos-ref8-15_2017-06-23-2030.backup
/var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup 100% 365MB

30.4MB/s 00:12

FMOS v9.8
sftp> quit
Not e: If you encounter a Permission Denied error when attempting to copy the backup to a
remote machine, your account does not have the Backup Operator role assigned. See the
FMOSUsers chapter for details.
4. It is important to verify that the copy of the backup stored on the remote server is identical to
the one stored locally and has not been damaged. This can be done by calculating the
SHA256 checksum of both files and visually compare the results.
~]$ sha256sum /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-

2030.backup
2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c
/var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
username-d4b .homeshare % sha256sum fmos-ref8-15_2017-06-23-2030.backup
2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c fmos-
ref8-15_2017-06-23-2030.backup
St ep 2: Back up t he Server Cert ificat e
Backing up the server (HTTPS) certificate is required if the machine uses a custom certificate that is
signed by an internal or third-party certificate authority. It is optional, but highly recommended,
even if the default self-signed certificate is used as well.
1. Use the fmos pki export -server-cert command to make a copy of the server certificate.
2. You will need to provide an Export Passphrase.
$ fmos pki export-server-cert $(hostname -f).pem
Enter an optional passphrase to encrypt the private key. If no

passphrase is given, the private key will not be encrypted.
Export passphrase:
Confirm passphrase:
Successfully exported 2 certificate(s) and 1 private key(s)
3. Copy the file to a remote storage location and validate its checksum as well.

FMOS v9.8
St ep 3: Inst all FM OS
Once the data and certificate have been backed up, follow the standard procedure for installing
FMOS from removable media on both of the new machines. Be sure to use the FQDN of the original
server on the machine that will hold the application server role.
On the ecosystem selection screen, choose New Deployment and Dat abase Only for the new
database machine and Exist ing Deployment for the new application server machine.
St ep 4: Rest ore Dat abase Backup
After FMOS has been installed and configured on the new database appliance, the backup needs to
be restored.
1. Copy the file from the remote storage to the local machine.
2. After it is copied, restore the backup.
3. At the prompt, enter the command: fmos rest ore
sftp> lcd /var/lib/backup/firemon
sftp> cd /home/username
sftp> get fmos-ref8-15_2017-06-23-2030.backup
Fetching /home/username/fmos-ref8-15_2017-06-23-2030.backup to fmos-

ref8-15_2017-06-23-2030.backup
/home/username/fmos-ref8-15_2017-06-23-2030.backup 100% 365MB 33.2MB/s

00:11
sftp> quit
[firemon@fmos-ref8-15db ~]$ fmos restore /var/lib/backup/firemon/fmos-

ref8-15_2017-06-23-2030.backup
Restoring system configuration ... ok
Restoring database ... ok
Restoring files ... ok
Successfully restored backup /var/lib/backup/firemon/fmos-ref8-15_2017-

06-23-2030.backup
prepare to deploy security manager ...
...

FMOS v9.8
Successfully restored configuration
St ep 5: Rest ore Server Cert ificat e
If the server certificate was backed up, it needs to be imported onto the new application server
machine.
1. Retrieve the backup from the remote storage location.
2. After it is retrieved, import the backup.
3. At the prompt, enter the command: fmos pki import -server-cert
4. Enter the Passphrase used in Step 2.
~]$ sftp
SECUREPASSAGE\username@email.com's password:
Connected to fs.securepassage.com.
sftp> get fmos-ref8-15.development.frmn.pem
Fetching /home/username/fmos-ref8-15.development.frmn.pem to fmos-ref8-

15.development.frmn.pem
/home/username/fmos-ref8-15.development.frmn.pem 100% 7610 7.4KB/s 00:00
sftp> quit
The certificate or private key is encrypted. Enter the encryption

passphrase to unlock it
Passphrase:
Successfully imported server certificate, private key, and 1

intermediate CA certificate(s)
prepare to deploy security manager
...
Successfully deployed configuration
St ep 6: Join Ecosyst em as AS
Following the database restore, the new application server can be added to the ecosystem using the
fmos ecosyst em join command.

FMOS v9.8
1. At the prompt, enter the command: fmos ecosyst em join
2. Follow the on-screen prompts to complete the process.
~]$ fmos ecosystem join
The server's certificate is not trusted
The security certificate presented by the specified server is not

trusted. This means that it was issued by a certificate
authority (CA) that is not recognized by this system. This could mean a
man-in-the-middle attack is in progress. To be
certain that the server is machine you intended to contact, please

verify the certificate manually.
To verify this certificate, connect to the server in question and

execute the following command:
openssl x509 -in /etc/pki/tls/certs/fmos-admin.cer -noout -fingerprint

-sha256
The SHA256 fingerprint of the server's certificate is:
35:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1
:A8:BC:CC:F7:8E:20:9B:EF
Is this correct? [y/N] y
Enter FMOS authentication credentials for fmos-ref8-

15db.development.frmn
Username:
Password:
Found Server Control Panel v0.3 on fmos-ref8-15db.development.frmn,

FMOS 8.15.0
Which of the available roles shall this machine hold?
Application Server [y/N] y
Data Collector [y/N] n
This machine will hold the following roles:
* Application Server

FMOS v9.8
Is this correct? [Y/n]
Joining ecosystem ... ok
prepare to deploy security manager
...
Not e: If the process fails at “ensure ndexec user exists in secmgr” with an “Unable to authenticate
username/password” error, the SIP super user credentials will need to be temporarily reset to
their default values (firemon/firemon). Log in to the Administration application, navigate to
Access > Users, choose user ID 1, and select Edit from the menu. Set the user name to firemon
and the password to firemon and click Save. Finally, return to the FMOS command line and apply
the configuration policy by running fmos redeploy.
St ep 7: Dist ribut e Server Cert ificat e t o Dat a Collect ors
If the server certificate was not backed up, a new self-signed certificate was generated when the
application server joined the ecosystem. This certificate needs to be added to the trust store on all
data collector appliances in the ecosystem. To do this:
1. At the prompt, enter the command: fmos pki export -server-cert ificat e
~]$ fmos pki export-server-cert --no-key $(hostname -f).crt
Successfully exported 1 certificate(s) and 0 private key(s)
2. Copy the file to each data collector, and then import it using fmos pki import -ca:

FMOS v9.8
Remote Data Collectors Without DNS

Occasionally, data collector appliances need to be deployed in environments where DNS resolution
is not available. In particular, if a data collector appliance cannot resolve the fully-qualified domain
name (FQDN) of the superior application server appliances, they will be unable to join the FMOS
ecosystem if the default configuration is used.
The Data Collector communicates with Security Manager using HTTPS. To ensure the
communication channel is secure from eavesdroppers and man-in-the-middle attacks, the Data
Collector enforces strict validation of the certificate presented by the Security Manager server when
establishing the TLS connection. One of the required validation rules is that the name listed on the
certificate, either in the certificate subject or the subject alternative name, matches the name
specified when the appliance first joins the ecosystem. By default, FMOS generates a certificate for
Security Manager that only includes the FQDN of the server. Thus, the FQDN must also be specified
when joining the ecosystem. If the FQDN cannot be resolved, then that name cannot be used, so
certificate validation will never succeed.
St ep 1: Generat e a New Cert ificat e
Certificates can include IPv4 and IPv6 addresses in their subject alternative name, but FMOS does
not do this by default. In order for data collectors or other clients to use an IP address to contact
Security Manager, the server certificate will need to be replaced with one that includes the IP
address(es) of the appliance. The fmos pki gen-csr command can be used to create a new Certificate
Signing Request that includes the IP addresses of the appliance on which it was run.
To generate a new certificate, complete the following steps.
1. Log on to the application server machine.
2. At the prompt enter: fmos pki gen-csr --ip-address -K server.key server.csr. IP address of
the machine.
This will generate a new RSA key pair and store it in server.key. It will then create a new CSR
that includes the FQDN of the appliance as well as all of its IP addresses. IPv4 and IPv6
addresses will be included, except for IPv6 link-local addresses.
The command will prompt for an export passphrase. If supplied, this will be used to encrypt
the private key file in server.key for safe keeping. Encrypting the key is optional, and can be
skipped by pressing Enter at the prompts.
St ep 2: Sign t he Cert ificat e
To convert the new CSR into a certificate that can be used by Security Manager, it must be signed
by a certificate authority (CA). Which CA signs the certificate will depend on the security policy of
the organization.

FMOS v9.8
l Organizat ion/ Corporat e CA—An internal certificate authority operated by the customer’s
organization. Most organizations operate a CA, and deploy configuration to end user devices
to ensure certificates it signs are trusted, so this should be the preferred option if possible.
l Public CA—Some organizations require that their certificates be signed by one of the public
certificate authorities such as Thawte or VeriSign. It is important to verify that the CA will sign
a certificate that includes an IP address, as many of them will only sign certificates for FQDNs.
l FM OS Ecosyst em CA—The CA operated automatically by FMOS.
St ep 3: Use an Ext ernal CA
Every CA has a different method for submitting a CSR and receiving a signed certificate. If your
organization has an internal CA, the administrator should have documentation specifying how to
use it. For public CAs, the process can normally be found on their websites.
Most public CAs use an intermediate CA certificate to sign certificates, as do some internal CAs. In
this case, be sure to obtain the certificate chain file that includes any necessary intermediate CA
certificates.
St ep 3: Use t he FM OS CA
If you do not have an internal CA, the fmos ca command can be used (on the server that holds the
Certificate Authority role) to sign the CSR and issue a new certificate.
To use the FMOS CA, complete the following steps.
1. Log on to the CA machine.
2. Copy the CSR (server.csr) file from the application server to the CA machine, if they are not
the same machine.
3. At the prompt, enter fmos ca sign server.csr server.cer, and then fmos ca export -ca-cert -
-ca server server-chain.crt .
This will produce a file named server.cer that contains the signed server certificate.
Additionally, it will create server-chain.crt, which contains the intermediate CA certificate that
signed the server certificate.
St ep 4: Verify t he Cert ificat e
After receiving a signed certificate from the CA, the openssl x509 command can be used to verify that
it does in fact contain the IP address of the Security Manager server.
l At the prompt enter: openssl x509 -in server.cer -noout -t ext -cert opt no_pubkey,no_sig-
dump

FMOS v9.8
If the certificate is correct, it will have a section labeled X509v3 Subject Alternative Name with
one or more IP address entries below it.
St ep 5: Import t he New Cert ificat e
After verifying that the new certificate is correct, it can be imported using the fmos pki import-server-
cert command.
To import the new certificate, complete the following steps.
1. Log on to the application server machine.
2. Copy the newly-signed certificate, as well as the intermediate CA chain file, if any, to the
application server appliance, if necessary.
3. At the prompt enter: fmos pki import -server-cert server.cer server.key --chain server-
chain.crt
This will import the new server certificate and make adjustments to the system configuration
to use it. If the private key file is encrypted, the command will prompt for the passphrase
before making any changes.
St ep 6: Join t he Ecosyst em
After the new certificate has been imported onto the application server, data collectors can now be
added to the ecosystem by specifying its IP address as their superior server.
To join the ecosystem, complete the following steps.
l At the prompt enter: fmos ecosyst em join <IPv4 or IPv6 IP address>
The command will prompt for initial manual verification as usual, and will proceed in the
same manner as if the FQDN had been used.

FMOS v9.8
Use Different Subnets
Caut ion! It is critical that you have a robust network between the AS and DB. There is significant
traffic between these servers, if you do not have the network to support increased traffic there
will be issues.
Caut ion! You can set up an AS and a DB in separate subnets, however, all application servers
must be in the same subnet.
To set up a database server and application server on different subnets, complete the following
steps.
1. Log in to the FMOS CLI.
2. Install the database server as a New Deployment and with a Dat abase Only role.
3. Install the application server as an Exist ing Deployment .
4. Do not join the application server to the database server at this time. Note the IP address of
the application server.
5. Access the Server Control Panel. ht t ps:/ / <DB server IP>:55555
6. On the toolbar, click SecM gr.
7. On the menu page, click DB.
8. Update the Shared Filesyst em Host s field. Enter one or more of the following (separated by
a space):
l IP address of the AS from step 4
l Network that the AS exists in
9. Click St age Changes.
10. Click Apply Configurat ion.
11. Return to the FMOS CLI to continue.
12. Run the ecosystem join command on the application server. fmos ecosyst em join <FQDN of
DB server>
MAC Address to Access SIP
Not e: We recommend accessing SIP using one of the following supported web browsers: Firefox,
Google Chrome, Edge, and Safari.

FMOS v9.8
The MAC address of the application server used to access SIP will be used as the password for the
initial SIP sign on. This is a one-time password to use at first installation and will need to be reset
after initial sign on.
l For a VM installation, use the MAC address of the VM used to access SIP
l For a multiple application server deployment, use the MAC address of the first application
server installed
The password is the MAC address of the server with colons removed and lowercase letters used.
For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc.

FMOS v9.8
FMOS Users
About FMOS Users
Not e: This topic only pertains to FMOS. Users of SIP (Security Manager and other modules) are
discussed in the Administration User Guide.
When you first run the FMOS Initial Configuration Wizard you will create an account granting both
FireMon Administrator and System Administrator privileges.
l FireMon Administrator is used to access the FMOS CLI.
l System Administrator is used to access the Security Intelligence Platform (SIP). This account is
managed in the Administration module, not in FMOS.
FMOS uses the related practices of the Principle of Least Privilege and Privilege Separation.
Together, these practices help mitigate security risks and trace the origins of attacks that may
occur.
The Principle of Least Privilege states that users and program should never be given the capability
to perform any task outside what is strictly necessary to perform their primary functions. For
example, a program responsible for receiving email messages should not have the ability to reboot
the computer.
Privilege Separation is a practice whereby users can operate in one of two roles:
l Unprivileged—users in this role perform tasks such as web browsing and document editing
which do not require any control over the system beyond accepting keyboard and mouse
input.
l Privileged— users in this role perform tasks such as installing new software or making con-
figuration changes that affect multiple users.
Unprivileged Users
The FMOS operating system is a type of unprivileged user account. All users on an FMOS system
are unprivileged users by default. These users have limited access to system resources and almost
no control over system functions. Most daemon processes run as unprivileged users to reduce the
risk that they may leak sensitive information to unauthorized users or make changes to themselves
or the system.
69 |
FMOS v9.8
The FMOS operating system includes:
l fmjas: FireMon Security Manager Server
l fmnd: FireMon Normalized Worker
l fmdc: FireMon Data Collector
l ht t pd: Apache HTTPD
l post gres: PostgreSQL Database Server
Not e: FMOS manages its unprivileged users, you cannot do anything with them. These
unprivileged users have no password. They cannot be used to log in to the system, and are
strictly used for process separation.
Privileged Users
FMOS has two privileged user accounts.
FireM on Administ rat ors

l Users that are authorized to configure and control FireMon Security Manager services are
known as FireMon Administrators. These users are allowed to run the FMOS commands.
l Users who are members of the fmadmin group hold the FireMon Administrator role.
Not e: The user created by the FMOS Initial Configuration Wizard automatically holds the
FireMon Administrator role, as well as System Administrator.
Backup Operat or
l Users who are responsible for managing and maintaining FMOS backups are known as
Backup Operators. These users are allowed to edit the contents of the backup storage dir-
ectory located in /var/lib/backup/firemon.
l Users who are members of the fmbackup group hold the Backup Operator role.
Not e: By default, no users hold the Backup Operator role.
70 |
FMOS v9.8
Create an FMOS User
Not e: This procedure only creates an FMOS user. To create a SIP user, you'll need to log in to the
Administration module.
Recommendat ion: It is recommended that you create an additional admin user account in
case the password for the initial admin user account is lost.
FMOS includes a utility for managing users and privileges called fmos user. Using this tool, users
with the FireMon Administrator role can create and delete users as well as grant and revoke
privileges.
To create a new user, use the fmos user create command. The program will prompt for some
basic information about the user, including user name, full name, and password. In addition, it will
ask which roles the user should hold.
fmos user create
Username: fmosuser
Full Name: FMOS User
Select privileges:
FireMon Administrator? [y/N]
Backup Operator? [y/N]
Password:
Confirm Password:
Successfully created user 'fmosuser'
Not e: You must replace the example Username and Full Name with one that meets your
user name requirements.
Not e: A FireMon Administrator does not need to be a Backup Operator, nor does a Backup
Operator need to be a FireMon Administrator. The roles can be separate or combined.
Not e: If you have enabled password complexity, you must enter a strong 8-character
password that must contain one lowercase letter, one uppercase letter, one number, and
71 |
FMOS v9.8
one other symbol character. Using a character delimiter, such as \ or . or , can result in the
password not saving correctly.
Answers to each prompt can also be provided using command-line arguments:
fmos user create fmosuser -n 'FMOS User' -p fmadmin
Recommendat ion: It is recommended that you create an additional admin user account in case
the password for the initial admin user account is lost.
72 |
FMOS v9.8
Password Reset: CLI

FMOS users can reset their passwords if lost or forgotten. To ensure a user can only reset his or her
own password and not other users’ passwords, the user must have access to the e-mail address
associated with the account.
Not e: Passwords can only be reset for FMOS user accounts that have an associated e-mail
address. If a user did not associate an e-mail address with his or her account he or she will not
be able to reset the password.
The password for an FMOS user can be reset using the CLI, either using the local console or
remotely using SSH. A special user account, resetpassword is used to access the password reset
tool on the CLI.
1. Log in as the resetpassword user; a password is not required.
2. At the Username prompt, type your FMOS username and press Ent er.
3. Launch your e-mail client and check for a new message with the subject FMOS: Password
Reset Request.
4. Open the message and copy the Authorization Code.
5. Return to the FMOS CLI and type or paste the Aut horizat ion Code, then press Ent er.
6. Type a new password and press Ent er.
Not e: The new password must comply with the configured password policy.
7. Type the new password again to confirm it, then press Ent er.
8. After the password has been reset successfully, press Ent er to exit the password reset utility.
For SSH sessions, this will terminate the connection.
FMOS User Password Policy

The FMOS Initial Configuration Wizard has configuration options for the password policy applied to
FMOS users. These options include enabling or disabling password aging, password complexity, or
password history requirements.
Changes to this policy are done using the FMOS Control Panel. On the Password Policy page are
settings to use to set password requirements. Each field has an info icon that explains its use. Some
password policy rules, such as length and complexity, apply when passwords are set. Changes to
those rules will take effect the next time a user changes his or her password. Other rules, including
minimum and maximum age, only apply when the account is created. To change those, the account
must be deleted and recreated.
73 |
FMOS v9.8
Delete a User
Not e: The audit trail works differently in FMOS than in the Administration module. In FMOS you
actually delete a user, whereas in Admin you disable. FMOS does not require the user always
exist in order to resolve audit logs.
To delete existing users, use the fmos user delet e command.
fmos user delete <username>
The fmos user delete command will not delete a system account with a UID of 1000 or
less.
Change User Privileges
Not e: This procedure only changes an FMOS user. To change a SIP user, you'll need to log in to
the Administration module.
To grant additional privileges to a user, use the fmos user grant -privileges command. The system
will prompt for the user name and which roles should be granted:
fmos user grant-privileges

Username: fmosuser
Select privileges:
Backup Operator? [y/N]
For privilege changes to take effect, the user will need to log
out of all current sessions and log back in.
Not e: If the user already holds a role, it will not be listed.
Answers can be provided non-interactively as well:
fmos user grant-privileges fmosuer -p fmadmin
To revoke a privilege from a user, use the fmos user revoke-privileges command:
fmos user revoke-privileges

Username: fmosuser
Select privileges:
For privilege changes to take effect, the user will need to log
out of all current sessions and log back in.
74 |
FMOS v9.8
Not e: After granting or revoking privileges to an existing user, that user will need to log out and
log back in for the changes to take effect.
75 |
FMOS v9.8
Authentication Servers
External Authentication
FMOS supports authenticating users against several common types of external authentication
servers, including Kerberos and LDAP. As with other features of FMOS, external authentication is
configured by setting the appropriate configuration variables. Ideally, enabling external
authentication is as simple as setting the appropriate type_authn or type_authz variables to true, but
most environments will require additional configuration.
This topic attempts to describe how to best configure FMOS to use one or more external
authentication mechanisms to delegate user credential management to a remote service.
Many authentication settings can be set from the FMOS Control Panel.
Authentication versus Authorization

The Linux log in process consists of two phases, identity mapping (referred to as “Authorization”)
and password verification (referred to as “Authentication”).
Authentication is handled by PAM and authorization by the Name Service Switch. By default, both
phases are performed using local UNIX authentication, with users, groups, and passwords all kept
locally in plain-text files. FMOS requires local UNIX authentication be used for at least one account.
This allows an administrator to log in even in the event of a failure of all external authentication
providers.
FMOS provides several options for both phases, and supports practically any combination of them:
Aut horizat ion

l Local UNIX authentication
l LDAP
Aut hent icat ion

l Local UNIX authentication
l LDAP
l Kerberos
Not all external authentication mechanisms provide identity mapping (UID lookup and group
membership resolution) capabilities, so they must be used in tandem with ones that do. For
example, it is common to use LDAP for authorization and Kerberos for authentication. Alternatively,
identity mapping can be handled by local UNIX authentication in all cases, even if it is not used for
password verification.
76 |
FMOS v9.8
Not e: When using an external authentication method, FMOS does not enforce any password
policy (such as length and complexity requirements, expiration, etc.), but relies on the external
authentication server to provide this feature. Additionally, FMOS does not support changing of
external passwords.
LDAP
FMOS supports using LDAP for both authentication and authorization. It can be deployed by itself,
or alongside other authentication methods.
In order to connect to remote LDAP servers, FMOS requires a few pieces of information, depending
on the environment:
l URI of one or more LDAP servers
l Distinguished name of the base object in the directory where searches will be performed
l Distinguished name and password of an account that can bind to the directory service and
search for user identity information
FMOS will attempt to discover as many settings as it can from the environment if they are not
explicitly provided. If bind credentials are not supplied, FMOS will attempt to bind anonymously.
Not e: When using LDAP for authorization (identity mapping), it is common to encounter errors
and warnings once it has been enabled. This is because the system message bus service (D-Bus)
does not detect changes to the Name Service Switch while it is running. To resolve these issues,
reboot the machine.
Attribute Mapping
Many LDAP implementations use different names for attributes that contain user information. By
default, FMOS expects the attribute names uses by Microsoft Active Directory beginning with
Windows Server 2003 R2. For other environments, these may not be appropriate, so FMOS provides
the ability to change the mapping.
To explicitly map attributes, set the ldap_user_at t r_map, ldap_group_at t r_map, and/or ldap_
shadow_at t r_map variables.
The table below describes the values FMOS requires and the attributes it uses by default to find
them.
77 |
FMOS v9.8
User Attributes
Descript ion Value Default At t ribut e
Username uid sAMAccountName
User ID Number uidNumber derived from the user’s SID
Primary Group ID Num-

gidNumber derived from the user’s SID
ber
Display Name gecos displayName
homeDirectory (defaults to
Home Directory homeDirectory
/home/sAMAccountName if unset)
Login Shell loginShell loginShell (defaults to /bin/bash if unset)
Group Attributes
Descript ion Value Default Value
Group Name cn cn
Group ID Number gidNumber derived from the group's SID
Object Filtering
FMOS supports filtering objects in the directory to allow for more fine-grained control of which
ones are mapped to system users and groups. Filters can be used, for example, to only consider
objects of a certain class or type, or have a particular value in an attribute. To override the default
filters, simply set the ldap_user_filt er or ldap_group_filt er attributes to a valid LDAP query.
Encryption (TLS)
FMOS supports using LDAP inside a TLS-wrapped connection (LDAPS) as well as TLS message
encryption (STARTTLS). When using LDAP as an authentication source, one of these encryption
methods should be used, as user passwords will be transmitted in clear text otherwise.
To enable TLS-wrapped connections, use the ldaps scheme in LDAP server URIs.
To enable STARTTLS, use the ldap scheme and set ldap_ssl to st art _t ls.
By default, ldap:// URIs will use TCP port 389 while ldaps:// URIs will use port 636.
78 |
FMOS v9.8
Not e:When using the domain controller locator protocol, discovered servers will use the LDAP
URI scheme. To enable TLS communication for these servers, ldap_ssl must be set to start_tls.
It may be necessary to add additional certificate authority certificates to the local trust store in order
to establish TLS communication with remote servers. See Trusted Certificate Authorities for more
information.
Privileged Groups
At this time, there is no way to assign specific FMOS privileges to LDAP groups. To grant LDAP users
elevated permissions, they need to be explicitly added to the local groups. See About FMOS Users
for details.
LDAP Configuration Commands

A list of LDAP configuration settings that are customizable by local administrators.
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment for automatic configuration. Variables listed as required must be
present if the server holds one or more of the roles listed in the applies to field.
LDAP Configurations
Command Type Required Default Funct ion
Enable LDAP authen-

ldap_authn Boolean No False tication (password veri-
fication).
79 |
FMOS v9.8
LDAP Configurations
Enable LDAP authorization

(identity mapping).
ldap_authz Boolean No
Defaults to the value of
ldap_authn.
URI pointing to the LDAP

server used for authen-
tication. Valid URIs take
the form scheme://host-
name:port. Possible
schemes include ldap and
ldaps. The port is optional
and will default to 389 for
ldap URIs and 636 for
ldaps URIs. Additionally,
the value can be DNS, in
ldap_uri String No
which case the LDAP serv-
ers specified by _ldap._tcp.-
domain DNS SRV records
will be used. By default,
the domain portion of the
host’s FQDN will be used;
to specify an alternate
domain, use DNS:domain.
Multiple URIs can be spe-
cified by separating them
with whitespace.
80 |
FMOS v9.8
LDAP Configurations
The distinguished name of

the base object in the dir-
ectory where all searches
will be performed. If not
specified, an attempt to
ldap_base String No
find it will be made by bind-
ing anonymously to the dir-
ectory and searching for
the defaultNamingContext
attribute on the root.
The distinguished name to

use when binding to the
directory to perform iden-
ldap_binddn String No
tity mapping. If not spe-
cified, an anonymous bind
will be performed.
The search scope for

object look-ups. If
unspecified, full sub-tree
ldap_search_ searches are performed,
String No
scope starting with the object
specified by ldap_base.
Choices: sub / one / base
The number of seconds to

wait for connection
ldap_bind_
Number No attempts to succeed when
timeout
initially binding to the dir-
ectory.
81 |
FMOS v9.8
LDAP Configurations
SSL (TLS) operational

mode. When set to on,
ldap_ssl String No only ldaps:// URIs are valid.
Choice: on / off / start_tls
Path on the local file sys-

ldap_client_ tem of the certificate used
String No
cert to authenticate to the
LDAP server.
Path on the local file sys-

tem of the private key
ldap_client_ used to authenticate to the
String No
key LDAP server. Defaults to
the value of ldap_client_
cert.
The number of results to

retrieve from search quer-
ies in a single request. This
ldap_pagesize Number No 1000 may need to be adjusted
based on network require-
ments and server cap-
abilities.
Whether or not to chase

ldap_referrals Boolean No False referrals received in search
results.
(&(objectClass=user)
ldap_user_fil- The LDAP query used to
String No (objectClass=person)(!
ter select all user objects.
(objectClass=computer)))
ldap_group_fil- (| (objectClass=group) The LDAP query used to

String No
ter (objectClass=person)) select all group objects.
The LDAP query used to

ldap_shadow_
String No select user shadow objects
filter
(i.e. account policy).
ldap_domain_ The security identifier of

String No
sid
82 |
FMOS v9.8
LDAP Configurations
the domain object in Active

Directory environments.
When specified, user and
group ID numbers are cal-
culated from their objects’
SIDs, relative to the SID of
the domain. In other envir-
onments, or in multi-
domain setups, this setting
is not required, but user
and group objects must
have explicit ID numbers
(specified in the respective
attribute maps).
This setting specifies the

names of user object attrib-
utes as presented by the
LDAP server. If this value is
ldap_user_ not set, the default attrib-
Mapping No
attr_map ute names are used, which
will work for RFC 2307-
compliant servers, includ-
ing Microsoft Active Dir-
ectory 2003 R2 and later.
83 |
FMOS v9.8
LDAP Configurations

names of group object
attributes as presented by
the LDAP server. If this
value is not set, the default
ldap_group_
Mapping No attribute names are used,
attr_map
which will work for RFC
2307-compliant servers,
including Microsoft Active
Directory 2003 R2 and
later.

names of shadow object
attributes as presented by
the LDAP server. If this
value is not set, the default
ldap_shadow_
Mapping No attribute names are used,
attr_map
which will work for RFC
2307-compliant servers,
including Microsoft Active
Directory 2003 R2 and
later.
Kerberos
FMOS supports using Kerberos as an authentication method only. It is typically coupled with LDAP
for authorization, but can be used on its own. When LDAP is not used, users will need to be
registered locally, though their passwords will be validated using Kerberos. To register a user, use
the useradd command, but do not set a password.
In many environments, the necessary configuration information can be automatically discovered

using DNS. If Kerberos is not fully integrated with DNS, some settings may need to be entered
manually:
l Realm name
l KDC address(es)
84 |
FMOS v9.8
Kerberos Configuration Commands

A list of Kerberos configuration settings that are customizable by local administrators.
during initial deployment (i.e. for automatic configuration). Variables listed as required must be
Kerberos Configurations
Enable Kerberos
krb5_authn Boolean No False authentication (pass-
word verification).
If specified, authen-
tication will be
attempted against
krb5_auth_realms List of Strings No these Kerberos
realms, in order,
instead of the
default realm.
Find KDCs by query-

ing _kerberos._udp.-
domain DNS SRV
records. If this is
krb5_dns_lookup_kdc Boolean No True
false, Kerberos
realms must be
manually configured
using krb5_realms.
85 |
FMOS v9.8
Find the default Ker-

beros realm by
querying the _ker-
beros.domain DNS
TXT records. If this is
krb5_dns_lookup_realm Boolean No False False, either krb5_
default_realm must
be set, or one or
more realms must
be specified in krb5_
auth_realms.
The default realm to

use for user authen-
tication, if the user
name does not
include the realm
name (in user-
name@REALM
krb5_default_realm String No form). By default,
the domain portion
of the host’s fully-
qualified domain
name, folded to
uppercase, is used
as the default realm
name.
A mapping of DNS
suffixes to Kerberos
realms, used when
requesting service
krb5_domain_realm Mapping No
tickets for host
names in other
domains and/or
realms.
The default lifetime

krb5_ticket_lifetime String No 24h for tickets requested
from the KDC.
86 |
FMOS v9.8
The maximum life-

time for renewable
krb5_renew_lifetime String No 7d
tickets requested
from the KDC.
Whether to request
krb5_forwardable Boolean No True forward-able tickets
from the KDC.
Whether or not to
find the canonical
krb5_canonicalize_host- names for services
Boolean No True
name when requesting ser-
vice tickets by using
DNS queries.
Whether or not to
extend canonical
host name res-
olution to include
krb5_rdns Boolean No False reverse address
look-ups. Requires
that all service hosts
have both A and PTR
DNS records.
Manually configures
Kerberos realms. If
krb5_dns_lookup_
kdc is False, this
mapping must con-
tain a key for every
realm this machine
krb5_realms Mapping No
will need to contact.
Each value is also a
mapping of con-
figuration settings
for that domain (e.g.
kdc), see krb5.conf
(5) for details.
87 |
FMOS v9.8
88 |
FMOS v9.8
Certificates
About Certificates
Certificates expire one year from the initial installation date and must be renewed before
expiration. FMOS will send an expiration notification message 30 days prior to expiration.
The X.509 public key infrastructure (PKI) is used by a number of standard protocols for
authentication and key exchange between participants in cryptographic communications.
Specifically, FMOS supports X.509 PKI for TLS-based communication protocols like HTTPS, LDAP,
and SMTP
FMOS includes a managed certificate authority. This certificate authority is used to issue certificates
for secure authentication and communication between members of a multi-server ecosystem. The
certificate authority manager is included with fmos-ut il, which exposes a command-line interface
with the fmos ca command.
FMOS supports integration with existing system infrastructure for various functions, such as
authentication and security.
A PKI issues certificates, enforces certificate policies, and manages the certificate life cycle. The
fmos pki command can be used to view and update the X.509 PKI configuration on machines
running FMOS.
Command-Line Interface
l fmos ca init —Create CA hierarchy and private keys
l fmos ca sign—Sign a Certificate Signing Request (CSR)
l fmos ca revoke—Revoke a certificate
l fmos ca updat e-crl—Generate Certificate Revocation List (CRL)
l fmos ca backup—Backup CA database and keys
l fmos ca rest ore—Restore a CA backup
l fmos ca show-cert s—List issued certificates
Certificate Expiration and Renewal
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but
it will not do so for CA-signed certificates.
89 |
FMOS v9.8
Certificates expire one year after installation. Certificate renewal is required before the expiration
date.
There are processes in place to help support handling the expiration on both the application and
database servers.
Items of note:
l Both processes (DB and AS) are required in all multi-server ecosystem deployments.
l This applies to single-server deployments as well, particularly ones with remote data col-
lectors. The process is the same as for a stand-alone database server.
l All certificates will expire one year after initial installation.
l There is a specific health check that is run in FMOS to verify the status of certificates. These
alerts are displayed on the Server Control Panel dashboard, or in the CLI when running the
command fmos healt h -d.
Renewal for Dat abase Server
Within 30 days of the certificate expiring, you can run one of the following commands to “renew” the
certificate.
1. Log on to the database server CLI.
2. Run the command: fmos redeploy OR fmos updat e
3. In some cases, the machine may need to be rebooted after renewing the certificate.
When FMOS identifies that certificates are within 30 days of expiring and one of these two
operations take place, it will then automatically renew the certificates for another year.
Renewal for Applicat ion Server
You must renew the certificate on the database server first.
Within 30 days of the certificate expiring and after the database server's certificates have been
renewed, you will need to do the following.
1. Log on to the application server CLI.
2. Run the command: fmos ecosyst em refresh
3. In some cases, the machine may need to be rebooted after renewing the certificate.
This will request new certificates from the database server and renew for another year.
90 |
FMOS v9.8
If Certificates Have Already Expired

If the certificate for a machine with the AS role has already expired, then it cannot be renewed, as
there is no way for the machine to authenticate to the certificate authority server. In this case,
FMOS must be reinstalled on the AS machine and it will need to be added to the ecosystem
following the normal setup process.
91 |
FMOS v9.8
Certificate Signing Request

To eliminate browser security exception and privacy warnings and ensure all traffic is encrypted,
you will create a certificate signing request (CSR).
This process creates two files, a certificate file to be signed by a certificate authority (CA)—the .csr
file—and a public key—the .key file. These files provide the CA with the details needed to sign the
key. The .csr file represents the identity of the FMOS server and the .key file is the server’s public
key; which is used to provide unique instructions to the CA as to how to encrypt the .csr exclusively
for the FMOS server. No other device will have the same public key, or the private key needed to
decrypt the signed certificate.
You can create a CSR and a public key for your server one of two ways: use OpenSSL or an
FMOS CLI command.
Creat e CSR using OpenSSL
To use OpenSSL, use a similar command as exampled below to create the CSR:
openssl req -new -newkey rsa:2048 -nodes -out fmosServerIdentity.csr -

keyout fmosServerPublicKey.key
Not e: The file names <fmosServerIdentity> and <fmosServerPublicKey> can be set to

your company's approved file naming convention.
Creat e CSR using FM OS CLI
To use the FMOS CLI, complete the following steps.
1. Log in to the FMOS server with both an SSH and SCP/SFTP client. Unless you're comfortable
using Linux commands for copying files off and on to the FMOS server.
2. Run the command:
fmos pki gen-csr fmosServerIdentity.csr --new-key

fmosServerPublicKey.key
Not e: The file names <fmosServerIdentity> and <fmosServerPublicKey>

can be set to your company's approved file naming convention.
Or you can use alternative names to access the system using the same certificate by adding
a subject alternative name (SAN) to the CSR. To do so run the command:
fmos pki gen-csr fmos_identity.csr -K fmos-public.key -n

host1.domain.com -n host2.domain.com 10.10.1.1 -n
92 |
FMOS v9.8
Not e: Where <-n> indicates an individual SAN entry, and <host1.domain.com>

is the first SAN entry, <host2.domain.com> is the second SAN entry, and so
on. Multiple SAN entries are permitted, to suit your organization's needs.
3. When you run the fmos pki command, you will be prompted to enter a passphrase. You
can leave this blank by pressing Ent er to continue on without adding a passphrase, or if you
can set a passphrase.
Not e: If you set a passphrase, you must supply it to the CA to have it signed.
4. Take both files to your company’s certificate authority to have them signed. Follow your
company’s procedure for presenting the CSR and public key to your CA.
5. When you make the request to have the CSR signed, ensure that the complete certificate
chain is there as all certificates from the Root CA to the server CSR need to be included in the
export process.
Not e: For multiple intermediary certificates it is recommended to combine these into

one file. A .pem file typically works best for this task. Choose Base64 encoding.
Certificate authorities use their public key to sign the certificate, it and their identifying
certificate were signed by an authority above them. This is called a certificate chain, at the
top of which is the Root Authority. Root authorities can directly sign identity certificates
however most organizations use intermediate authorities to sign most certificates (so that
the root can be secured). All certificates from the root through intermediates must be
present on a server in order for its newly signed certificate to remain valid.
6. Once you have the certificates, you will need to move them to the FMOS server using WinSCP
or another file transfer tool and then switch back to the FireMon CLI and perform the
following tasks in order.
7. Import the root certificate using the command:
fmos pki import-ca root.cer
Not e: Replace <root.cer> with the actual file name.
8. Import the device certificate and key (optionally, include intermediate certificates with these
commands):
93 |
FMOS v9.8
fmos pki import-server-cert device.cer keyname.key
fmos pki import-server-cert device.cer keyname.key --chain

intermediate.cer
Not e: Replacing <device.cer> and <keyname.key> with the actual file name.
9. Optionally, you can import the same signed certificate used for the application server for the
FMOS Control Panel (https://fmosServerIP:55555) using this command: fmos pki import -cpl-
cert device.cer
10. Reboot the server you are installing the certificates on. A reboot is required.
Certificates for Multiple FQDNs

For distributed environments (multiple FMOS servers), please ensure that the root certificate is
present on both the application server, and any existing data collectors. Any data collectors you add
in the future will already contain this information as part of the ecosystem join process.
Place the signed certificate file on each data collector with WinSCP and then run the command:
fmos pki import -ca <cert name>
Trusted Certificate Authorities

A key component to the X.509 PKI is the certificate authority (CA). By default, FMOS trusts the
certificate authorities selected by the Mozilla Foundation. These authorities have undergone an
audit and comply with the security policies in the Mozilla CA Certificate Inclusion Policy.
To include additional certificate authorities to the list of CAs trusted by FMOS, use the following
command:
fmos pki import-ca mycacert.crt
Software that uses the system trust store, including SIP, will now trust the new CA.
For the change to take effect on an machine running the application server, the service will need to
be restarted using the following command:
fmos restart as
94 |
FMOS v9.8
CA-Signed Server Certificates

By default, FMOS provides a self-signed certificate for HTTPS communication. This certificate can be
replaced using the fmos pki import-server-cert command. This command will overwrite the
existing certificate and private key files:
fmos pki import-server-cert server.cer server.key
If the replacement certificate is signed by an intermediate certificate authority, the --chain

argument can be used to specify the path to a file containing the intermediate CA certificates that
should be sent along with the server certificate:
fmos pki import-server-cert server.cer server.key --chain server-

chain.crt
This command supports certificate and private key files in PEM (base-64), DER (binary) and
PKCS#12 formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12
formats only), they will be separated automatically:
fmos pki import-server-cert server.p12
After replacing the server certificate, the changes will be applied automatically. No services need to
be restarted for the changes to take effect.
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but
it will not do so for CA-signed certificates.
Not e: Repeat for any intermediate CA and root CA.
Server (HTTPS) Certificate

By default, FMOS provides a self-signed certificate for HTTPS communication. HTTPS
communication is used by the web browser for the Security Manager user interface as well as the
REST API interface that is accessed by the data collectors. This certificate can be replaced using the
fmos pki import -server-cert command. This command will overwrite the existing certificate and
private key files:
fmos pki import-server-cert server.cer server.key
If the replacement certificate is signed by an intermediate certificate authority, the --chain

argument can be used to specify the path to a file containing the intermediate CA certificates that
should be sent along with the server certificate:
95 |
FMOS v9.8
fmos pki import-server-cert server.cer server.key --chain server-

chain.crt
This command supports certificate and private key files in PEM (base-64), DER (binary) and PKCS#12
formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12 formats
only), they will be separated automatically:
fmos pki import-server-cert server.p12
Not e: After replacing the original self-signed certificate on the application server with a certificate
that is issued and signed by an internal corporate certificate authority, that CA certificate must be
added to each remote data collector's trust store. These are the same steps as outlined in
Trusted Certificate Authorities.
After replacing the server certificate, the changes will be applied automatically. No services need to
be restarted for the changes to take effect.
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but it
will not do so for CA-signed certificates.
Certificate Use Examples
Example 1
Scenario: Company A would like to use a corporate LDAP server for centralized user management.
The LDAP server accepts TLS connections and it uses a certificate that is issued and signed by the
company's internal certificate authority.
Descript ion: To trust the certificate that is presented by the LDAP server, the Certificate Authority's
certificate is added to the FireMon trust store and the application server is restarted using:
fmos pki import-ca mycacert.crt
fmos restart as
Example 2
Scenario: Company B maintains its own Certificate Authority (CA). Web browsers automatically trust
certificates issued by this CA due to standard corporate policy. The CA signs web server certificates
with an "intermediate CA certificate" rather than the "root CA certificate". The deployment consists
96 |
FMOS v9.8
of an application/database server and two remote data collectors. The server should utilize a server
certificate signed by the company's CA.
Descript ion: After obtaining a certificate and key from the CA, along with the intermediate and root
CA certificates, the application server's pre-installed, self-signed certificate can be replaced. The
intermediate CA certificate will be sent along with the server certificate in web requests. Therefore,
it must be imported with the --chain argument.
Since the data collectors rely on the HTTPS communication channel with the application server, the
company's ROOT CA certificate must be added to the trust store to validate the new server
certificate and intermediate CA certificate. Add the root CA certificate to each data collector's trust
store and restart the service:
fmos pki import-ca ca-root.crt
fmos restart dc
The server certificate and intermediate CA certificate can then be updated on the application
server:
fmos pki import-server-cert server.crt server.key --chain

intermediate.crt
Certificate Health Checks

FMOS has several health checks that will show the status of all certificates used by the various
Security Manager components. To see their status, run the following command: fmos health -d
If any certificates are within the 30-day renewal window, a warning message will be displayed for
each one.
To see certificate expiration dates using a diagnostic package, you will need to fetch or extract the
following files:
From the primary database machine:
l /etc/pki/tls/certs/fqdn.cer
l /etc/pki/tls/certs/fmos-admin.cer
l /var/lib/pgsql/server.crt
From any standby database machines:
97 |
FMOS v9.8
l /var/lib/pgsql/.postgresql/postgresql.crt
From any application server machines:
l /etc/pki/tls/certs/localhost.crt
You can use the OpenSSL command-line tool to inspect these certificates and view their validity
period:
openssl x509 -noout -text -certopt no_sigdump,no_pubkey -in FILENAME
98 |
FMOS v9.8
Configuration Commands
About the System Configuration File Commands
Not e: The command-line configuration editor will not provide an interactive editing experience.
For interactive editing, the FMOS Control Panel UI should be used.
All customizable options are configured in /etc/firemon/config.yml. This file contains a mapping of
settings in YAML syntax, the native variable definition language used by Ansible. For a basic
overview of this language, see the YAML Syntax section of the Ansible documentation which is
available online at https://docs.ansible.com .
To view a list of available commands, at the command prompt type: fmos -help.
For a list of customizable operating system options, see Configuration Variables.
Caut ion! The /etc/firemon/config.yml can contain sensitive information such as

passwords. When editing this file, ensure that the permissions stay secure. It should be
owned by root:root with a mode of 0600 or 0400.
99 |
FMOS v9.8
Generation III Commands

Because of the underlying operating system changes from Generation II (FMOS releases prior to
8.26) to Generation III, several FMOS commands have changed.
Added
l fmos fact ory-reset : This command can be used to erase all data and configuration from an
machine and return it to a clean state
l fmos healt h: This command replaces the fmos status command
l cat / et c/ fmos-release: This replaces fmos version
l fmos config apply: This replaces fmos redeploy
Removed
l fmos redeploy
l fmos st at us: Users should use the fmos health command instead
l fmos enable-updat es
l fmos inst all: Removed because the FMOS root file system is immutable
l fmos version: To view the current FMOS version, use cat / et c/ fmos-release
l fmos resizedisk
l fmos config -e
l fmos config --edit
Replaced Commands
The current command-line editor, fmos config --edit has been removed and replaced with new
commands for configuring FMOS from the command line. This replacement for command-line
configuration mechanism borrows the concept of category-based editing from the FMOS Control
Panel. The tool will display only the variables within the specified category.
Command Descript ion
fmos config categories List available configuration categories
fmos config schema <cat-

Print the schema document for a given category
egory>
Print the current values for variables in a given cat-

fmos config get <category>
egory
100 |
FMOS v9.8
fmos config put <category> Replace the values in a given category
fmos config apply <playbook> Apply configuration policy for the specified playbook
Release Improvements
Below are the improvements that were made to FMOS in each supported release:
9.7 Improvement s
l SNMPv3 agent has been added to FMOS to enable or disable the SNMP setting. The SNMP
CLI must be use to add or remove users.
l The command fmos redeploy has been replaced with fmos config apply.
l FMOS will provide native support for copying backups to the following services:
o SSH File Transfer Protocol (SFTP)
o Amazon Simple Storage Service (S3)
o Azure Blob Storage
9.6 Improvement s
l FMOS users will need to confirm an email address to use for password recovery.
l Improved backup performance was implemented. The fmos backup command now uses
multiple threads to compress backup content.
l FMOS now follows the NIST 800-63B recommendation for operating system user passwords.
This new password policy only applies to accounts created after installing FMOS 9.6. User
accounts created on earlier versions of FMOS will retain their existing policy settings. As
always, the password policy can be configured on a per-machine basis.
o Passwords must be at least 8 characters in length.
o Passwords do not need to contain special characters or numbers.
o Passwords do not need to be changed periodically.
l The Initial Deployment process can now be observed using the fmos config apply --watch
command. Additionally, the tasks are logged to /var/log/fmos/deploy.log, as with all other
FMOS Configuration Policy tasks.
101 |
FMOS v9.8
l The Disk Cleanup tool is no longer accessible from the FMOS Control Panel GUI. The fmos
disk-cleanup command remains in place and can be used as before.
9.5 Improvement s
l Added a new command - fmos storage autoexpand - to support increasing the size of the
OS disk or data disk (if any), and adding a (second) data disk.
l TCP Traceroute: Beginning with FMOS 9.5, the -T argument can be used with the
traceroute command.
l Static SecMgr Cluster Configuration: FMOS 9.5 introduced the jas_cluster_members

System Configuration Variable. This variable can be used to statically configure the members
of a SecMgr cluster, allowing deployments in scenarios where multicast networking is
unavailable.
o The jas_cluster_members variable must be set on every member of the cluster, and
the list must be the same on each member.
l If a reboot is needed before the update can be applied, FMOS informs the user with the
following message:
o The system cannot be updated at this time: A previous update has been installed but is
not yet active. Reboot the machine and try again.
Rebooting resolves the issue and the update can proceed.
Resize Disk
Although the fmos resizedisk command was removed during implementation of Generation III,
new resize functionality has been introduced in release 9.5.
The fmos st orage aut oexpand command supports three options to resize, or any combination
thereof.
There are three ways to add disk space to an FMOS machine:
l Increase the size of the OS disk
l Increase the size of the data disk (if any)
l Add a (second) data disk
Not e: At this time, there is no support for reducing any disk sizes.
102 |
FMOS v9.8
FMOS Config Command

In addition to the interactive, graphical configuration editor in the Control Panel, FMOS provides a
non-interactive command-line interface for making changes to System Configuration Variables: the
fmos config command.
The fmos config command is intended for advanced use cases such as scripts or shell pipelines; it
does not provide a mechanism for interactive editing. For basic, interactive editing of system
configuration variables, please use the FMOS Control Panel.
List Cat egories
Like the FMOS Control Panel, the fmos config command operates on a single category at a time. To
view the list of available configuration categories, use the fmos config cat egories command.
Get Current Values
To view the current values of the variables in a specific category, use the fmos config get
{cat egory} command, replacing {cat egory} with the path to the category. Example: fmos config
get os/ healt h
Updat e Values
To replace all of the values in a specific category, use the fmos config put {cat egory} {values}
command, replacing {cat egory} with the path to the category, and {values} with the name of a
YAML or JSON document containing the values.
For example,
1. Create a file named proxy.yml (vi proxy.yml) and add the values to it:
http_proxy: http://dev-proxy.securepassage.com:3128
https_proxy: http://dev-proxy.securepassage.com:3128
no_proxy: localhost,securepassage.com
2. Save the files and close the editor (ESC + :x + Enter).
3. Use the fmos config put command to update the configuration using the values specified in
the file:
fmos config put os/proxy proxy.yml
103 |
FMOS v9.8
Configuration Variables
A list of FMOS configuration settings that are customizable by local administrators.
during initial deployment (i.e. for automatic configuration). Variables listed as required must be
Using the command fmos -help will provide a complete list of available commands.
Not e: Additional configuration variables are included at the end of relevant chapters.
Operating System Configuration

Operating System
The proxy URL for use by all

all_proxy Strong No protocols (including HTTP,
HTTPS, FTP, raw TCP, etc.)
Defines how and when to run

auto_backup Mapping No
backups automatically.
Arguments to pass to fmos

backup. See fmos backup --
- -quiet - -
auto_backup.args String No help for possible options. If
prune
this option is null or empty, no
arguments will be passed.
When auto_backup.schedule is
monthly, this defines the day
auto_backup.date Number No 1
of the month on which the
backup will be performed.
Whether or not to enable auto-

mated backups. This defaults
auto_backup.enabled Boolean No to true if the server holds the
database role, and false oth-
erwise.
104 |
FMOS v9.8
Operating System
Defines the hour when the

backup will be performed
auto_backup.hour Number No 23
(does not apply when auto_
backup.schedule is hourly).
Defines the minute of the hour

auto_backup.minute Number No 48 when the backup will be per-
formed.
Defines how often automatic

backups should be performed.
auto_backup.schedule String No daily
Choices: daily, hourly, monthly,
weekly.
When auto_backup.schedule is
weekly, this defines the day of
the week on which the backup
auto_backup.weekday Number No 0 will be performed. The number
must be between 0 and 7,
where 0 and 7 are both
Sunday, 1 is Monday, etc.
The FireMon roles the server

fm_roles Mapping No
will hold.
fm_roles.as Boolean No Application Server.
fm_roles.db Boolean No Database.
fm_roles.dc Boolean No Data Collector.
fm_roles.nd Boolean No Normalization Worker.
The fully-qualified domain

fqdn String Yes-critical
name of the server.
The proxy URL to use for HTTP

http_proxy String No
connections.
The proxy URL to use for

https_proxy String No
HTTPS connections.
Whitespace-separated list of
notify_recipients String No
email addresses to whom sys-
105 |
FMOS v9.8
Operating System
tem notifications should be

sent.
This section introduces the con-

network Mapping Yes-critical figuration for system network
connections.
The IP address of the first DNS

network.dns1 String No
server.
The IP address of the second

DNS server.
The IP address of the second

DNS server.
The IP address of the default

network.gateway String No
gateway on the local network.
Network interface con-

network.interfaces Mapping Yes-critical
figuration.
The IPv4 address for the inter-

network.interfaces[
String No face (required when mode is
].addr
manual).
network.interfaces[ ].d-
Mapping No DHCPv6 options.
hcp6v
The IPv6 address and prefix

network.interfaces[
String No length for the interface (only
].addr6
valid when mode is manual).
network.interfaces[ ].d- Whether or not to enable

Boolean No True
hcpv6.enabled DHCPv6 for the interface.
network.interfaces[ ].d- Request a prefix be delegated

Boolean No False
hcpv6.pd to this host.
Boolean No False Use DHCPv6 in stateless mode.
hcpv6.stateless
Boolean No False Request a temporary address.
hcpv6.temporary
106 |
FMOS v9.8
Operating System
network.interfaces[ ].en- Whether or not the interface

Boolean Yes
abled should be activated at boot.
Comma-separated list of host

names to which direct con-
no_proxy String No nections should be made
(without using the proxy set for
the specific protocol)
ntp Mapping No Settings for network time.
List of Map-
ntp.keys No NTP authentication keys.
pings
The numeric ID of the key

ntp.keys[ ].id Number Yes
(must be greater than 0).
ntp.keys[ ].key String Yes The key password.
The type of key. Available: MDS

/ RMD128/ RMD160 / RMD256
ntp.keys[ ].type String No / RMD320 / SHA1 / SHA256 /
SHA384 / SHA512 / TIGER /
WHIRLPOOL
ntp.mode String Yes Choices: dhcp / manual / none
List of Map- NTP servers (required when

ntp.servers No
pings mode is manual).
Host name or IP address of the

ntp.servers[ ].host String No
server.
The ID of the key (from

ntp.servers[ ].key_id Number No ntp.keys) used for authen-
tication with this server.
List of Map- Settings for remote syslog serv-

remote_syslog No
pings ers.
107 |
FMOS v9.8
Operating System
FQDN for the remote logging

remote_syslog[].host String Yes
host.
Communication protocol to
remote_syslog[].mode String No UDP use to connect to the host.
Choices: TCP / UDP
Port to use to connect to the

remote_syslog[].port Number No
remote logging host.
remote_syslog[].usetls Boolean No False Use TLS with TCP.
Whether or not to send per-

send_perf_data Boolean No False formance metrics to FireMon
for diagnostic purposes.
How to Apply Configuration Changes

After making changes to the options in /etc/firemon/config.yml, the relevant playbook needs
to be run in order for the new settings to take effect. Because the FMOS update command uses an
Ansible playbook to update the software and configuration on the system, most settings will be
applied at that time. Since it may not be feasible to run FMOS update to apply configuration
changes, perhaps because an update source is not available, the FMOS redeploy command can be
used instead.
Not e: If a configuration change requires additional packages to be installed, FMOS redploy may
fail. This is typically only the case when FMOS was installed using custom settings and the new
configuration activates an additional Security Manager role. In these cases, only FMOS update can
be used.
To begin redeploying configuration to the system:
1. Log in to the FMOS console as a user with the FMOS Administrator privilege.
2. At the command prompt type: fmos config apply
This will apply any configuration changes that affect SIP, as the command runs the
secmgr.yml playbook by default. To apply changes to other system features, such as
health monitoring or network time, another playbook may need to be run instead. To
specify a different playbook, specify its name on the command line.
108 |
FMOS v9.8
Caut ion! Currently, if you run the FMOS redeploy from /etc/firemon it will fail. The solution is to
run the redeploy from /home/user.
Playbooks
The FMOS-autodeploy package includes several playbooks, each responsible for managing
different aspects of the system:
l secmgr.yml—this playbook is responsible for deploying the configuration for the four
FireMon Security Manager roles: Application Server (AS), Database (DB), Data Collector (DC),
and Normalization Worker (ND).
l fmos.yml—this playbook is responsible for deploying FMOS system configuration, including

SMTP and system health monitoring.
l init ial-set up.yml—this playbook is run in the very early stage of the first boot of a new
FMOS installation, before the fmos.yml playbook. It deploys critical host configuration such
as hostname, network settings, user accounts, etc. A reboot is typically required after run-
ning this playbook.
Caut ion! DO NOT apply this playbook if the value of the FQND variable in the
System Configuration File is different than the current FQDN of the machine!
Doing so will change the hostname of the machine, which will most likely break
communication with other machines in the FMOS ecosystem.
l net config.yml—this playbook is used to apply network configuration changes to the system.
Specifically, changes to members of the network mapping (such as network.dns1, net-
work.gateway, network.interfaces, etc.) are applied when this playbook is run.
109 |
FMOS v9.8
SMTP Commands
A list of SMTP configuration settings that are customizable by local administrators.
during initial deployment (for example, automatic configuration). Variables listed as required
must be present if the server holds one or more of the roles listed in the applies to field.
SMTP Configurations
smtp Mapping No Settings for SMTP (sending email).
The SMTP authentication method to

smtp.auth String No none use.
Choices: none / plain
The host name or IP address of the

smtp.host String No SMTP relay server (required when
smtp.mode is relay).
SMTP connection method.

smtp.mode String Yes
Choices: direct / none / relay
smtp.port Number No 25 The port on the SMTP relay server.
The SMTP security method to use

(only valid when smtp.auth is not
smtp.security String No none).
Choices: none / starttls
The user name used to authenticate

smtp.username String No to the SMTP server (required when
smtp.auth is plain).
The password used to authenticate to

smtp.password String No the SMTP server (required when smt-
p.auth is plain).
110 |
FMOS v9.8
Backups and Updates
About FMOS Backups

All of the SIP application data such as your device configurations and user profiles are stored in the
database. To ensure that you can access recent data in the unlikely event of a corruption or system
failure, SIP performs an automatic daily backup.
The average size of a backup with a fresh install (no devices) is about 200 MB, each device, report
and configuration will increase this size. The retention policy set in the FMOS Control Panel (55555,
interface) will determine how often the system will be backed up and how much will be retained.
Prerequisit e: A Backup Operator must be assigned as an FMOS privileged user before a backup
can be performed.
Not e: Only full backups are performed, not incremental backups.
FMOS provides utilities to create and restore backups of data created and used by FireMon
applications. These used can be accessed from the FMOS command-line interface with the fmos
backup and fmos restore commands. Keeping up-to-date backups is an important part of
maintaining a FireMon deployment.
Backup Contents
FMOS uses a custom file format for backups. Backup files consist of three parts:
l The FMOS system configuration document (config.yml)
l The PostgreSQL database, in pg_dump “custom” format
l The contents of /var/lib/firemon, as a tape archive (tarball)
Additionally, backup files include a checksum, which is used to verify their integrity when restoring.
Creating Backups
Scheduled Backup
By default, FMOS machines that hold the database or the data collector role automatically create
backups on a daily basis. These backups are stored in a special directory,
/ var/ lib/ backup/ firemon, which is on a separate, dedicated storage volume. As this volume is only
used to store backups, as many backups as will fit on the volume are kept. Thus, the most points in
time for recovery are always available. When a new scheduled backup is created, one or more
111 |
FMOS v9.8
backups are removed, or “pruned,” from the storage directory in order to make enough space
available for the new backup.
The auto_backup system configuration variable can be used to control how and when scheduled
backups are created. See Schedule an Automatic Backup.
When a backup is run, the file that is created is saved to / var/ lib/ backup/ firemon/ by default. The
file will be named HOSTNAM E_DATE.backup, and will be readable only by the group fmbackup.
The backup file that is created will contain the FMOS system configuration, PostgreSQL database
dump, and the file system archive.
If a server is configured to be a database, automatic backups are enabled by default; otherwise

automatic backups are disabled. The default auto backup configuration does a backup daily at 23:48
UTC.
On-Demand Backup
The fmos backup command can be used to create a backup on demand. By default, when run
without any command-line arguments, this command will create a new backup, named with the
current date and time, in the default location (/var/lib/backup/firemon). To create a file in a different
location or with a different name, pass the desired path as a positional argument, for example:
fmos backup my-special.backup
If only a filename is given, without the full path, the file will be created in the current working
directory.
When creating an on-demand backup in the default location, it may be necessary to remove old
backup files in order to make room. To facilitate this, the fmos backup command accepts a --
prune argument. When this argument is supplied, the command will remove backup files from the
destination directory, starting with the oldest, until there is enough space to create a new backup. If
enough space cannot be freed while keeping at least one existing backup, the command will abort
and no new backup will be created.
Not e: You must also include a new file name when you specify a location for the backup to be
saved.
To perform a manual backup, complete the following steps.
1. Access the server CLI.
2. At the command prompt, type: fmos backup <location>
By default, the backup is stored in the following location: var/ lib/ backup/ firemon
3. You can use SFTP to move the backup "off box" to be stored on another server.
112 |
FMOS v9.8
Pruning Old Backups
The fmos backup command will automatically delete old backup files when it estimates that there
is not sufficient free space in the destination directory to store another backup file. By default,
when pruning old backups, FMOS will remove as many files as necessary to make enough space
available, but it will keep at least one file. This helps ensure that there is always at least one good
backup. If enough space cannot be freed without deleting the last backup, the command will abort
and will not create a new backup.
To change the minimum number of backups that must be kept, pass a number after the --prune
argument, for example:
fmos backup --prune 3
This will ensure that at least three backups are kept in the destination directory.
In most cases, only one or two existing backup files need to be deleted.
To avoid deleting any backup files, pass the --no-prune argument, for example:
fmos backup --no-prune
If there is insufficient space to create a new backup, the fmos backup command will abort with an
error.
Not e: It is perfectly normal for the /var/lib/firemon directory to be very nearly full at all
times. This is by design: since the only files that can ever be stored there are backups, leaving
free space available on this filesystem would provide no benefit.
Post Backup Actions

After a backup finishes, FMOS can perform additional actions. These actions include copying the
new backup file to a remote server, sending an e-mail notification, or executing a command on the
local machine.
Actions can be configured to run after a successful backup or after a backup fails. Multiple actions
can be configured; they will be run sequentially if more than one is defined.
Post-Backup Actions are configured in the FMOS System Configuration File. They can be defined
using the fmos config command or the FMOS Control Panel GUI.
Copy to a Remote SFTP Server

FMOS can copy backup files to a remote location using the SSH File Transfer Protocol (SFTP). This
protocol is widely supported by network-attached storage systems, Linux and BSD servers, cloud
113 |
FMOS v9.8
storage services, and more. FMOS supports public-key and password authentication. Remote host
key verification is supported using a pre-configured public key.
To enable public-key authentication for SFTP post-backup actions, simply omit the password
configuration option. FMOS will attempt to authenticate to the remote host using a pre-generated
private key. This key cannot be changed or replaced. The public key is stored in the
/etc/firemon/fmbackup.pubkey file. It is currently only accessible using the FMOS command-
line interface:
cat /etc/firemon/fmbackup.pubkey
This file contains two different key types:
l the legacy ssh-rsa type and
l the modern ssh-ed25519 type.
The ssh-rsa type is used by default; set the key_type option to ed25519 to use the stronger, faster
ssh-ed25519 key.
To enable SSH host key validation, enter the full host key of the remote server. If the server does not
present a matching key during the initial handshake, the connection will fail. If the remote server
has multiple keys of different types, only one will be checked. Only the first key type from this list
that the server supports will be checked:
l ecdsa-sha2-nistp256
l rsa-sha2-512
l rsa-sha2-256
l ssh-rsa
l ssh-dss
l ssh-ed25519
Host key verification will fail if the provided key is of a type lower in the list than another type of key
that the server supports.
Example 1
This example uses password-based authentication and does not enable remote host key
verification:
post_backup:
114 |
FMOS v9.8
success:
copy-sftp:
- hostname: my-file-server.example.com
username: firemon
password: secretanduniquepassword
Example 2
This example uses public-key authentication and remote host key verification, and stores the file in
the /backups/firemon directory on the remote host:
post_backup:
success:
copy-sftp:
- hostname: backups.example.org
username: sip
key_type: ed25519
host_pubkey: >- ecdsa-sha2-nistp256

AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPrT7WppRS4sop40IBg
hUTcaZCrooVAg87CWxc9h3PiK4kwInSMDLX/kjDHWhSvRuHoH/TWcm5ln6XGjwcYyfjk=
Copy to an S3 Bucket
FMOS can copy files to any storage service that is compatible with the Amazon Simple Storage
Service (S3) protocol. Authentication can be performed using a specific Amazon Access Key ID and
Secret Key pair or, when FMOS is running in AWS, using an IAM instance role assigned to the EC2
instance.
Example
post_backup:
success:
copy-azure:
- account_name: myazstoracct
115 |
FMOS v9.8
container: /backups/firemon
key:
'bWmpsDbOqaNFw8PcR1AIkJQrflB/0wN43xrLOkTaeBJvBiUXWoSI4usTPumXBuAeVjyRmM5
5dYRGTdXXTOzL3Q=='
Send an Email Notification

FMOS can send email notifications when backups succeed or fail.
Example 1
This example sends an e-mail notification when a backup completes successfully.
post_backup:
success:
notify-email:
- recipients:
- me@mycompany.com
Example 2
This example sends an e-mail notification when a backup fails.
post_backup:
failure:
notify-email:
- recipients: ['admins@example.org']
Run a Command on the Local Machine

FMOS can run commands on the local machine (the machine where the backup process is running)
after backups succeed or fail.
When the command runs, the BACKUP environment variable contains the path to the newly-created
backup file, if it is available.
Example 1
This example makes an HTTP request to a remote server to notify it that the backup failed.
post_backup:
116 |
FMOS v9.8
failure:
run-command:
- command: curl -X POST

https://webhooks.example.net/backups/firemon/failed
Example 2
This example uploads the backup file to a remote server using HTTP.
post_backup:
success:
run-command:
- command: curl --upload-file ${BACKUP}

https://webdav.company.in/uploads/backups/firemon/
Restore a Backup
When restoring a backup, it is important to understand the different operational modes. There are
two separate use cases for restoring FireMon backups: to recover to an earlier point in time, or to
migrate data to another system. While the fmos restore command is used for both cases,
different arguments are necessary.
Not e: When restoring a backup on a database machine in a distributed deployment, all

machines with the Application Server role must be put in maintenance mode before starting the
restore.
Recovery
A recovery simply restores the data on the machine to its state from when the backup was created.
A recovery can be performed by restoring a backup file on the same machine where it was created.
When performing a recovery, all three parts of the backup are restored, including the FMOS system
configuration.
To perform a recovery restore, pass the --recovery argument to the fmos restore command
along with the path to the backup file, for example:
fmos restore --recovery /var/tmp/my-special.backup
117 |
FMOS v9.8
Migration
A migration transfers data from one system to another. This is done, for example, to copy data from
a production environment to a testing environment, or to move data to a new machine. When
performing a migration, the database and filesystem contents are restored, but not the FMOS
system configuration.
To perform a migration restore, use the --migration argument of the fmos restore command,
passing the path to the backup file as well:
fmos restore --migration /var/tmp/copied-from-prod.backup
Not e: When performing a migration in a distributed deployment, the backup must be restored
before any application server machines are added to the ecosystem. If AS machines have already
joined, they will have to be reset to factory defaults, reconfigured, and added to the ecosystem
again after the restore completes.
118 |
FMOS v9.8
Backup the Certificate Authority Server
This process is only meant to be used if your database machine has failed. This process is very
fragile and extreme care must be taken. If any steps are performed out-of-order or incorrectly,
the process will fail. It is recommended that you call Support to help with this process.
Not e: This topic is only meant for a fully-distributed multi-server ecosystem deployment.
The appliance in an FMOS ecosystem deployment that holds the certificate authority (CA) role
requires a special backup and restore process. The content of the CA store is extremely sensitive,
as it could be used to obtain unauthorized access to the FMOS ecosystem, potentially allowing an
attacker to obtain or manipulate FireMon application data.
During normal use, the contents are encrypted using appliance-specific information. This is not
possible for a backup file, so user-provided information is necessary to safely encrypt the backup.
For ecosystem deployments where the DB, ES, and AS roles are held by the same machine, backing
up the CA store may not be necessary.
A new CA store can be initialized on the target appliance without disrupting any intra-ecosystem
communication.
FMOS will issue an alert when a new backup should be created:
ALERT: The Certificate Authority store needs to be backed up
This alert appears in one of two circumstances:
l The CA store has never been backed up
l The CA store index has been modified (for example when a new certificate was issued) since
the last time the CA store was backed up
The alert will clear automatically once a new backup has been created.
Backing up the CA Store

To back up the FMOS CA store, the fmos ca backup command is used. The program will prompt to
enter an Export Passphrase, which will be used to derive an encryption key to protect the sensitive
parts of the backup. This example will create an CA backup file in the current working directory,
named for the host name of the appliance and the current date:
fmos ca backup fmos-ca_$(hostname -s)_$(date +%Y-%m-%d).tar.xz
119 |
FMOS v9.8
Restoring the CA Store from Backup
This process is very fragile and extreme care must be taken. If any steps are performed out-of-
order or incorrectly, the process will fail. It is recommended that you call Support to help with this
process.
Using certificates signed by the desired CA requires a special process. If this process is not followed,
a new CA will be created, and certificates will be signed by it.
Follow this process when restoring a CA store from a backup onto a different machine, or after
FMOS has been reinstalled on the same machine.
To restore the CA store from a backup file, use the fmos ca restore command, passing the name of
the backup file as an argument on the command line, and then entering the Export Passphrase when
prompted.
Warning! The destination machine must not hold any FMOS roles. This is achieved by choosing
Existing Deployment on the Ecosystem Selection page of the Initial Configuration Wizard. If the
machine already has one or more roles, it must be re-provisioned.
1. Install FMOS as usual, but select Exist ing Deployment on the Ecosystem Selection page of
the Initial Configuration Wizard.
2. Log in to the FMOS command-line interface using SSH.
3. Restore the system configuration file from the regular FMOS backup. Because the appliance
holds no roles, the database and file system portions of the backup will NOT be restored at
this time.
4. Use the fmos config --edit command to launch a text editor to modify the FMOS System Con-
figuration file.
5. Locate the following line in the file and remove it: fm_roles: {}
6. Add the following lines to the file: fm_roles: ca: t rue, db: t rue, es: t rue
7. Run the following command to apply the FireMon role changes: fmos redeploy first boot -
early
8. Restore the CA store from the backup file (replace ${FILENAME} with the path to the CA store
backup file): fmos ca rest ore ${FILENAM E}
9. Initialize the database instance by applying the secmgr playbook: fmos redeploy
10. Restore the regular FMOS backup. See Restore a Backup for details.
120 |
FMOS v9.8
The machine is now fully restored, and will operate as a CA, using the exact hierarchy as the original
appliance. All certificates issued by the previous appliance will continue to be valid, and new
certificates will be signed using the same keys.
121 |
FMOS v9.8
Maintenance Mode
Maintenance mode allows you to stop all FireMon services prior to performing any maintenance,
such as an update, to the system.
There are three maintenance-related commands:
l fmos maint enance begin is used to stop services
l fmos maint enance end is used to restart services
l fmos maint enance st at us is used to verify if the system is running or not
Transitions to and from maintenance mode are logged.
Maintenance Mode Disables Refresh

When an appliance is in maintenance mode, the fmos ecosystem refresh command will not make any
changes to the system. Previously, this command would apply configuration policy and start
services that were stopped when the appliance entered maintenance mode. This change should
help administrators appropriately schedule maintenance operations.
Backup Configuration Commands

A list of backup configuration settings that are customizable by local administrators.
during initial deployment (example, for automatic configuration). Variables listed as required
must be present if the server holds one or more of the roles listed in the applies to field.
Backup Commands
auto_backup object
122 |
FMOS v9.8
Backup Commands
Arguments to pass
to fmos backup. See
fmos backup –help
for possible
auto_backup.args string --quiet --prune options. If this
option is null or
empty, no argu-
ments will be
passed
When automatic
backups are sched-
uled to run
monthly, this
auto_backup.date integer 1
defines the day of
the month on which
the backup will be
performed.
Whether or not to
enable automatic
backups. This
auto_backup.enabled boolean defaults to true if
the server holds the
database role, and
false otherwise.
Defines the hour

when the backup
will be performed
auto_backup.hour integer 23 (does not apply
when backups are
scheduled to run
hourly).
123 |
FMOS v9.8
Backup Commands
Defines the minute

of the hour when
auto_backup.minute integer 48
backups will be per-
formed.
Defines how often

automatic backups
should be per-
auto_backup.schedule string daily
formed. Choices are
daily, hourly,
monthly, or weekly.
When automatic
backups are sched-
uled to run weekly,
this defines the day
of the week on
which the backup
auto_backup.weekday integer 0
will be performed.
The number must
be between 0 and 7,
where 0 and 7 are
both Sunday, 1 is
Monday, etc.
124 |
FMOS v9.8
About Updates
Updates to FireMon software are packaged as a single unit and delivered together as an FMOS
system update. These updates are applied using FMOS tools, which manage the process of
verifying the update source, installing the new software, updating configuration files, and migrating
data.
Updat e Source
Previously, an update source was the URL of a Yum package repository or the path to a block
device or file system image containing a Yum package repository. Now, an update source is a path
or URL to an FMOS Distribution Archive.
Updat e Process
Because the FMOS root file system is immutable, applying updates to a system requires replacing
the file system image. The machine must be rebooted in order to use the new image. Therefore,
the update process for the Generation III platform is as follows:
1. The distribution archive is fetched, validated, and unpacked.
2. The new root filesystem image is mounted at a temporary location.
3. The system is prepared to boot from the new image by generating a new initramfs image
and bootloader configuration file.
4. The root file system image is copied to the /boot directory.
5. The machine is rebooted.
6. During the next boot, the FMOS configuration policy is applied. This includes invoking the
Security Manager migration tool (Flyway) to manage database schema and other application-
level updates.
FireMon uses two types of updates:
l Product update releases replace an installed release of a product with a new release of the
same product (example: 9.3 to 9.4).
l Maintenance releases occur between product releases and are used to address resolved and
known issues (example: 9.3.4, 9.4.1).
Requirements and Recommendations

This section provides additional requirements and recommendations beyond system
requirements.
125 |
FMOS v9.8
l The download process requires an Internet connection and a browser.
l Updates are available to customers with current software subscriptions only.
l It is strongly recommended that you back up the SIP database and files before installing any
updates.
l If you are updating both a single-server Data Collector and an Application Server, you must
upgrade your Application Server first.
l If you are updating from a version that is three (or more) minor versions behind the current
version, please contact Support to help you perform a staged updating.
Prerequisites for Updating
Caut ion! During the update process, all SIP components will be stopped, and connectivity will be
terminated. Please consider updating your product during periods of low product use to
minimize the effects of this loss of connectivity.
l Prerequisit e for v8.24 users and older: If you are updating from a version that is three (or
more) behind current, please contact support@firemon.com
l Prerequisit e for v8.25 users: You will need to perform a backup of your existing 8.25
installation, move that backup ‘off box’, perform a new install of v9.x, and then restore 8.25
backup onto the new 9.x installation. please contact support@firemon.com
l Prerequisit e for v8.26 users: If you are updating from v8.26, a new install with a previous
backup restore is not needed. You can follow the normal update process.
l Prerequisit e for v9.x users: If you are updating from v9.x, a new install with a previous
backup restore is not needed. You can follow the normal update process
126 |
FMOS v9.8
Supported FMOS Releases

We constantly update our software to ensure consistent support for the latest versions of firewalls,
routers, and other network security enforcement points. We also update our software to offer new
functionality, correct defects, and improve security. We recommend customers update to our latest
release to get all the benefits of these changes.
We only provide full support for the two most recent releases of the FireMon operating system
(FMOS). We will attempt to support customers running unsupported releases, but support will be
limited and best effort only. Customers running an unsupported release are encouraged to update
to a supported release in order to receive the full support experience. A complete list of supported
releases is listed below.
We can provide assistance with updating to a supported release. Customers wanting to receive
assistance should contact us at support@firemon.com and specify the release number they are on
and the release number they want to update to. A customer support agent will reach out to assist.
Supported Releases
l Releases consist of major releases denoted by 0 in the third portion of the release number
and maintenance (bug fix) releases denoted by any number other than 0. For example, 9.4.0
is a major release whereas 9.4.2 is a maintenance release.
l Major releases typically include software improvements, new features, bug fixes, and
security improvements. Major releases are provided two to three times a year on average.
l Maintenance releases deliver software fixes and the occasional minor software
improvement. Maintenance releases are constrained in scope to improve quality and time to
market. Maintenance releases are provided on an as-needed basis until end of support is
reached for that major release.
Supported Releases
M ajor Release Num- M aint enance Release Num-
GA Dat e End of Support Dat e
ber ber
tentatively set 30 days after

9.6.0 1/26/2022
9.8

9.5.0 10/12/2021
9.7
9.5.1 11/15/2021
9.5.3 12/15/2021

9.4.0 7/7/2021
9.6
127 |
FMOS v9.8
Supported Releases
M ajor Release Num- M aint enance Release Num-
GA Dat e End of Support Dat e
ber ber
9.4.1 8/4/2021
9.4.2 8/8/2021
Unsupported Releases
M ajor Release M aint enance Release End of Support
GA Dat e
Number Number Dat e
9.3.0 9.3.1 - 9.3.3 3/5/2021 11/12/2021
9.2.0 9.2.1 - 9.2.3 11/2/2020 8/7/2021
8.25.0 8.25.3 - 8.25.12 4/15/2019 5/21/2021
9.1.0 9.1.1 - 9.1.5 5/28/2020 4/4/2021
9.0.0 9.0.1 3/23/2020 12/2/2020
8.24.0 8.24.1 - 8.24.10 5/28/2020 3/3/2020
128 |
FMOS v9.8
Release Formats
FMOS Generation III system updates are distributed in signed archive files, called distribution
archives. These files end with the extension .tar.gpg. They are cryptographically signed using
GnuPG with keys accessible only to us to ensure that third parties cannot tamper with or modify
them.
Although we distributes FMOS in various forms for initial deployment (new installations), only
distribution archives can be used to update an existing FMOS system.
Build Variants
Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific
purpose. When installing FMOS on a new machine, be sure to select the proper variant:
l Full: This is the default variant. It contains all of the Security Intelligence Platform application
components, including the Security Manager server, the data collector, Global Policy Con-
troller, and all supporting software such as PostgreSQL and elastic search.
l DC Only: This variant only contains the Data Collector application component for the Secur-
ity Intelligence Platform.
l Cloud: This variant is intended to be used for Cloud deployments, such as Microsoft Azure or
Amazon Web Services. It contains all of the Security Intelligence Platform application com-
ponents and all supporting software.
Distribution Formats
Each FMOS build variant is distributed in multiple formats. The various formats are designed to
support different deployment environments or scenarios:
l FM OS Dist ribut ion Archive (.t ar.gpg) [all variant s]: This format is used by all FMOS vari-
ants for upgrading an existing installation of FMOS to a new version. When upgrading, be
sure to use the Distribution Archive for the same variant that is already installed.
l Virt ual M achine Templat e (.ova) [full, dconly]: This format is used to deploy a new virtual
machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
l Virt ual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual
machine, for example using Linux KVM (with libvirt/QEMU) or OpenStack.
l Physical Hardware Inst aller (.iso) [full, dconly]: This format is used to install FMOS on a
physical machine.
l Azure Virt ual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual
Machine Image in Windows Azure.
129 |
FMOS v9.8
l AWS Virt ual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon
Machine Image in Amazon Web Services.
Default Update Channel Source

Previously, an update source was the URL of a Yum package repository or the path to a block device
or file system image containing a Yum package repository. Now, an update source is a path or URL
to an FMOS Distribution Archive.
By default, FMOS will automatically fetch updates from the FireMon User Center, if possible. If a new
version of FMOS is available on the User Center, it will be downloaded and used. If multiple versions
are available, the one selected is determined by the fmos_updat e_channel System Configuration
Variable. Machines using the latest channel (the default) will always fetch the most recent version
from the User Center. Machines using the stable channel will only fetch updates that are marked as
stable.
For machines that cannot access the FireMon User Center directly, a distribution archive can be
provided manually. This is also useful for updating to a version of FMOS that is not currently
available in the User Center.
Using the Command Line

To update an FMOS system using the command line, either via SSH or the local console, use the
fmos updat e command. Without any arguments, the command will use the default update channel
source, automatically fetching the distribution archive. Additionally, the fmos updat e command can
take a single positional argument, which refers to the distribution archive to use as the update
channel source. The distribution archive can be located on the local file system or on a remote HTTP
server. To specify a remote location, pass its URL as the source argument.
Not e: The fmos updat e command will, by default, no longer allow an update to be installed if it
is older (by date or by version) than the currently installed image.
For example, to use the default source:
fmos update
Alternatively, using a distribution archive on the local file system:
fmos update /var/tmp/FMOS-9.6.0-1.x86_64.tar.gpg
Or using a remote file:
fmos update https://example.com/fmos/FMOS-9.6.0-1.x86_64.tar.gpg
130 |
FMOS v9.8
When a URL is specified, the remote file will be downloaded to a temporary location on the local
machine, and removed when the update process is complete.
Reboot Required
After an FMOS update is installed, the appliance must be rebooted in order for it to take effect. The
new software will not be used until the appliance has been rebooted.
When the appliance is first rebooted after installing an update, the FMOS Configuration Policy is
applied in the background. During this process, some services provided by the appliance may not
be available. For FMOS appliances that hold the AS role, it can take several minutes or hours before
the process completes, depending on the amount of data.
The FMOS Health System will report the status of services on the appliance and the deployment
process. The fmos healt h command or the FMOS Control Panel browser application can be used
to view the health of the system.
FMOS Update Command

l Without any arguments, the fmos updat e command will use the default update channel
source, automatically fetching the distribution archive.
l Additionally, the fmos updat e command can take a single positional argument, which refers
to the distribution archive to use as the update channel source. The distribution archive can
be located on the local file system or on a remote HTTP server. To specify a remote location,
pass its URL as the source argument.
l The fmos updat e command will, by default, no longer allow an update to be installed if it is
older (by date or by version) than the currently installed image.
Set t he FM OS Updat e Channel
Updates to FMOS are packaged as a single unit and delivered together as an FMOS system update.
These updates are applied using FMOS tools, which manage the process of verifying the update
source, installing the new software, updating configuration files, and migrating data.
To set the FMOS update channel, complete the following steps.
1. Log in to the Control Panel.
2. On the toolbar, click OS > Operat ing Syst em.
3. Enable the FM OS Updat e Channel field.
131 |
FMOS v9.8
4. Select one of the following update channels:
l Lat est -the default channel. The system will be kept up-to-date with the most recent
version of FMOS released and available on the User Center.
l St able-this channel only includes fixes for critical bugs and security vulnerabilities,
without introducing new features.
5. When finished, click St age Changes and then click Apply Configurat ion.
132 |
FMOS v9.8
Update FMOS
Caut ion! During the update process, all Security Intelligence Platform components will be
stopped and connectivity will be terminated. Please consider updating your product during
periods of low product use to minimize the effects of this loss of connectivity.
Prerequisit e: Before installing any updates, you will need to back up your data. Then transfer
the backup 'off box' to a secure location. You must also have set your update channel.
For a distributed (multi-server) environment, there is a specific server order to install the update.
1. Database server
2. Application server
3. Data collector
For a single-server environment, install the update on the application server first and then any data
collectors.
Inst all t he FM OS ISO Updat e
Prerequisit e: Put all application servers into maintenance mode. At the prompt, type the
following command: fmos maint enance begin
To update your FMOS server, complete the following steps.
1. Log on to the User Center.
2. Click Downloads.
3. In the SIP Soft ware section, click the link to be directed to the Art ifact Select ion page.
4. In the Inst all Select ion section, select your deployment type:
l Cloud: select for AWS and Azure installations
l DC Only: select for data collector only installations
l Full: select for full distribution installations
5. In the Dist ribut ion Select ion section, select the distribution type based on how your eco-
system is deployed:
l Cloud: AWS, AWS (Update Only), Azure, Azure (Update Only)
l DC Only: Physical Hardware, Update Only, Virtual Disk Image, VM Template
l Full: Physical Hardware, Update Only, Virtual Disk Image, VM Template
133 |
FMOS v9.8
6. In the Select File section, verify that the install and distribution types are correct and then
click Select File to be directed to the file download page.
7. Click Download.
8. For a single-server environment, copy the file to your application server. For a distributed
environment, copy the file to your database server.
Not e: The file should be copied to / var/ t mp and then use that path in the fmos update
command.
9. Log in to the appropriate FireMon server (either application server or database server).
10. At the prompt, type the following command:
l For existing 9.0 users who have set the update channel: fmos updat e
l For users not updating from v9.0: fmos updat e / var/ t mp/ <filename> (replacing <file-
name> with the name of the ISO file downloaded).
11. You will be guided through the update process.
12. You will be asked to reboot the server. Type Y at the prompt to start the reboot process.
13. For a single-server environment, repeat the steps to update any data collectors. For a dis-
tributed environment, repeat the steps to update the application server (if you have multiple
applications servers, update each one-at-a-time and reboot each individually) and then data
collectors.
134 |
FMOS v9.8
Update Appliance Firmware

Occasionally, FireMon may publish firmware updates for branded machine hardware. Because FM
appliances are built upon the Dell PowerEdge platform, the Lifecycle Controller present in these
devices makes applying firmware updates extremely simple.
There are two methods for applying firmware updates using the Lifecycle Controller:
l iDRAC web-based GUI
l pre-boot console GUI
Warning! Updating system firmware will require the appliance to reboot. When updating
firmware on a machine that is a member of a multi-server ecosystem, be sure any subordinate
servers are placed into maintenance mode, as appropriate.
Using the iDRAC Web UI
For FM appliances that have their iDRAC connected and configured, the easiest way to apply
firmware updates is by using the Update and Rollback feature within the iDRAC web UI.
1. Navigate to the iDRAC web application using your browser and log in as a user with iDRAC
administrator privileges.
Not e: The default iDRAC user name and password should be changed before putting am FM
appliance into production.
2. Click iDRAC Set t ings > Updat e and Rollback.
3. On the Firmware Update page, click the Updat e tab and then select Local for File Location.
4. Click the Browse button for File Path under Single Update Location and navigate to the firm-
ware update image stored on your local machine. After selecting the correct file for your
hardware, click Upload.
Not e: Although FMOS is a Linux-based operating system the Lifecycle Controller uses the
Windows packaging format, so updates are distributed as .exe files.
5. Uploading the firmware image to the iDRAC may take a few minutes. When the upload
completes, select the check box next to the update in the Update Details pane and click
Inst all and Reboot .
6. The update will be processed in the background. To view the status of the update, click the
Job Queue button. The job queue can also be accessed from the server link in the navigation
tree and choosing the Job Queue button from the top bar.
135 |
FMOS v9.8
7. The job queue will show the status of the update as it progresses. Use the refresh button to
update the display.
8. After the update applies successfully, a new job queue entry will be created to reboot the
machine. After the machine reboots, the update process is complete and FMOS will load as
normal.
Using the Pre-boot GUI
In cases where the iDRAC is not usable, another option for updating appliance firmware is to use the
pre-boot Lifecycle Controller GUI. This option requires physical access to the machine and a USB
storage device.
1. Copy the firmware image onto a USB storage device, such as a flash drive.
Not e: The device must be formatted with the FAT32 filesystem. USB 2.0 and 3.0 devices are
supported.
2. Connect the USB storage device to the appliance and power it on. During system initialization,
a list of special boot options will be displayed on the screen. Press F10 on the keyboard to
enter the Lifecycle Controller UI.
3. When prompted for the Set up Password, contact FireMon support to obtain the specific
password for your device.
4. When the Lifecycle Controller UI finishes loading, select Firmware Updat e from the
navigation list, then click Launch Firmware Updat e.
5. On the Select Update Repository page, select Local Drive(CD or DVD or USB). Ensure the
USB storage device is connected and click Next .
6. On the Enter Access Details page, select the appropriate device from the Local Drive menu
(e.g. USB0 (Front USB 1)). Type the name of the firmware image file in the File Pat h or
Updat e Package Pat h field box and click Next .
7. The Lifecycle Controller will scan the image file and verify its contents. This process may take
a few minutes, depending on the size and type of firmware to update. If any errors are
encountered, they must be resolved before continuing.
8. After verifying the selected image file, the Lifecycle Controller will present a list of identified
updates. Ensure the check box next to the desired update is selected and click Apply.
9. At this point, the update process should proceed automatically. The Lifecycle Controller will
download the update package from the USB storage device and apply the update to the
system.
136 |
FMOS v9.8
10. After applying updates, the appliance will reboot and the Lifecycle Controller UI will start
again. Click the Exit button at the top-right corner of the screen and then click OK to reboot
the appliance and load FMOS as normal.
137 |
FMOS v9.8
FMOS News Service

In effort to better communicate important information to FireMon customers, FMOS v9.0 includes a
new utility for reading news items. These news items are published by FireMon and can target
specific deployment types, so they will only be shown to relevant users.
FMOS can automatically check for new items periodically and display a list of unread items to users
when they log in to the FMOS command line (e.g. SSH). To read news items, use the fmos news
read command or enable to show news at log on.
The FMOS Control Panel can also display these messages, for those administrators who do not use
the command-line interface.
RSS Feed
The User Center has an RSS feed available for Security Intelligence Platform v9 releases and
documentation. If you would like to subscribe to this feed, you can find it on the Downloads page.
Please note that it will not interfere or replace the existing v8-specific RSS feed. If you have licenses
for both v8 and v9, please subscribe to both RSS feeds to guarantee you receive the most current
notifications.
138 |
FMOS v9.8
FMOS Control Panel

About FMOS Control Panel
The FMOS Control Panel (CP) is used to manage configuration changes (yml files) on any FireMon
server.
All FMOS configuration is currently done by editing / et c/ firemon/ config.yml using the command
fmos config --edit. The reason we built Control Panel is to decrease the need to access the file
system to perform configuration changes. One of the goals is to be usable by administrators with
little to no experience with Linux or system administration in general. As such, Control Panel is a
simple, intuitive interface to make configuration changes, without requiring you to edit YAML
settings by hand.
Information icons are available for each entry field to provide more detail about the type of data
that can be entered into the field.
Default or Customized Value

You can easily identify if a field is using a default or customized value by looking at the Status key. A
field that has been customized will be highlighted and the Status key switched to the enabled
position (solid blue toggle). The default value is seen below the field box.
Reset to Default Value

To reset a customized field to its default value, click the Status key to switch back to the disabled
position.
Advanced Configuration Variables

Several system configuration variables have been marked as 'advanced' and are no longer visible or
modifiable. If there are no 'basic' settings available for configuration, you will see a "No
139 |
FMOS v9.8
configuration settings available." on the page. Modifying advanced settings requires Support
Services.
140 |
FMOS v9.8
Access the FMOS Control Panel

Accessing the FMOS Control Panel is easy. Using a secure web browser, use the IP address of the
server you want to access. The port 55555 is hard set and must be used to access this module.
In the web browser, enter the following:
https://FMOSIPaddress:55555
The module’s authentication is the FMOS administrative user account. Typically, this would be the
user account that you created during the initial FMOS installation wizard. You cannot log into this
module using a SIP user account created in the Administration module. If you’ve setup an
authentication server for the FMOS log in, it will also work.
Not e: The user must be a member of the FMOS admin group
Help Menu
A help menu is located on the toolbar. Click the icon to access it.
l Click User's Guide to view the user's guide available for this module.
l Click About to view the FMOS Version and Server Control Panel Version.
How to Save Changes

There are three options when saving changes that have been made using the server control panel.
l St age Changes will save any configuration changes, but will not redeploy the server. This is a
useful command if you are making multiple changes to numerous settings and want to wait
until you've completed the changes to redeploy the server.
l Apply Configurat ions only appears if there are changes to any configuration settings. This
function will redeploy the server.
l Submit saves and updates information without the need to redeploy the server.
Not e: All changes made using CP are tracked the same as if you were editing the system config
using CLI and then redeploying.
Unst age Changes
You cannot unstage changes. If you made a change by mistake, you must revert the field back to its
original default setting, and then click Stage Changes again.
141 |
FMOS v9.8
Any staged changes, even if not applied to the configuration will automatically apply when the
server redeploys.
Logout
To exit the module, click Logout on the toolbar.
Password Reset - Control Panel

FMOS users can reset their passwords if lost or forgotten. To ensure a user can only reset his or her
own password and not other users’ passwords, the user must have access to the e-mail address
associated with the account.
Not e: Passwords can only be reset for FMOS user accounts that have an associated e-mail
address. If a user did not associate an e-mail address with his or her account he or she will not be
able to reset the password.
The password for an FMOS user can be reset using the FMOS Control Panel.
1. Navigate to the Control Panel log in screen.
2. Click Forgot your password?
3. Enter your FMOS user name in the Username field and click Send Email .
4. Launch your e-mail client and check for a new message with the subject FMOS: Password Reset
Request.
5. Open the message and click the Reset Password link.
Not e: Instead of clicking the link from the e-mail message, you can also copy the
Authorization Code from the message and enter it in the Aut horizat ion Code field that
appears after you click Send Email.
6. Type a new password in the New Password field.
Not e: The new password must comply with the configured password policy.
7. Type the new password again to confirm it in the Confirm New Password field.
8. Click Reset Password.
142 |
FMOS v9.8
After the password has been reset successfully, it can be used immediately to log in to the FMOS
Control Panel.
143 |
FMOS v9.8
Home
The Home page displays information on the overall status and performance of the server at any
given time. If you logged in to the actual server, you would have access to this same information.
This is view-only information.
If there are any system alerts that need your attention, they will be listed at the top of the screen.
When you log in to the control panel, the data provided is specific to the server IP address.
Health Check Results
You are presented with three levels of system health check:
l Degraded
l Warning
l Passed
Things to do in this section, include:
l You can expanded each section to view a list of health checks.
l Click Learn more to open a information topic with possible next steps to correct an issue.
l Click Det ailed Healt h Check or Full Healt h Check
l Click the icons to open in a new window, download, or copy t o clipboard.
Widgets on the page include:

l Load Average the maximum value is the number of CPUs with the last minute, 5 minutes
and 15 minutes
l M emory displays how memory is being distributed
l Swap M emory displays the available virtual memory
System Status
The Syst em St at us, located in the upper right of the page, provides a quick visual look at the health
of your server.
l Green—system is functioning properly
l Yellow—system is in maintenance mode
l Orange—system is degraded
144 |
FMOS v9.8
l Red—system failure
l No color—not able to connect
Change Password
Not e: This is only for the password of the FMOS administrator accounts for the server being
accessed. To change a user password, use the Administration module process.
Caut ion! Passwords expire every 90 days and must be changed prior to expiration.
To change a password, complete the following steps.
1. On the FMOS SCP, click Change Password.
2. In the Current Password field, enter the current password.
3. In the New Password field, enter the new password.
4. In the Re-ent er Password field, re-enter the new password.
5. Click Submit .
Disk Cleanup
Disk Cleanup can be used to remove old files from the file system that are no longer needed. This
utility is designed to help administrators reclaim disk space.
To run disk cleanup, complete the following steps.
1. On the toolbar, click Disk Cleanup.
2. Select the types of files to delete. Click the status key to enable the selection (a solid blue
toggle).
3. You can Include files older t han by setting the number of days.
4. Click Next .
5. Review the results, and then click the check box next to the files to delete.
6. Click Next .
The confirmation page opens.
145 |
FMOS v9.8
Diagnostic Package
FMOS provides a feature called diagnostic packages that can be used to troubleshoot system issues,
including crashes, errors, and unexpected behavior. These packages can be created on any FMOS
installation and transferred to FireMon support for analysis.
To create a package, complete the following steps.
1. In the Ticket / ID field, if you have an open case with FireMon support enter the ticket number,
or if you do not have an open case enter your organization's name.
2. Click Creat e.
3. The Creat e Diagnost ic Package dialog box will open and you can view the data collection
process. You can close this dialog box and it will not impact the creation process.
Not e: The creation process can take several minutes depending on the file size. Progress is
displayed in the St at us column.
Upon completion, a file named fmos-diag_timestamp.hostname.ticket.tar.xz.gpg will be created in the

current working directory. This file is encrypted and can only be opened by FireMon staff.
Delete a Diagnostic Package

To delete a package, click the Delet e icon for that package, confirm the deletion and then click
Delet e.
146 |
FMOS v9.8
OS
From the Operating System (OS) page you can access a variety of FMOS configuration settings.
Not e: An information icon is available for numerous entry fields to provide more information
about the type of data that can be entered into the field.
To activate a field for editing, click the Enable toggle to the on position. A blue toggle indicates
that the field is active.
On the OS page, you can access:
l FMOS update channel
l Usage thresholds
l Aut hent icat ion

o Kerberos
o LDAP
o Password Policy is where you set criteria for user account passwords
l Backup is where you schedule routine system backups

o Aut o Backup is used to setup a scheduled automatic system backup
o Post -Backup Act ions is used to set actions to be performed if a backup succeeds
l Crypt o is used
l Healt h is for the FMOS Health Evaluation System settings. The platform consists of a number
of health checks, each of which defines a specific operation to perform to produce a check
result. Check results are aggregated to create a health summary, providing a view of the over-
all health of the system.
l M et rics is used to gather performance information and expose it to Victoria Metrics. Per-
formance metrics can be sent directly to FireMon Support or using a Prometheus remote
write protocol.
l Net work is used for network configuration. You can add static routes from this page.
l NTP is used for time synchronization settings
l Proxy is used for HTTP and HTTPS proxy settings
l SM TP is used for server email settings
147 |
FMOS v9.8
l SNM P is used to enable or disable the SNMP agent
l SSH is used for SSH settings, such as allowing weak SSH algorithms
l Syslog is used for remote syslog configurations
OS Settings Page
Think of the OS Settings as an admin page used for behind-the-scenes system settings, such as
console timeout and adding recipients for system notifications.
Set t he FM OS Updat e Channel
Updates to FMOS are packaged as a single unit and delivered together as an FMOS system update.
These updates are applied using FMOS tools, which manage the process of verifying the update
source, installing the new software, updating configuration files, and migrating data.
To set the FMOS update channel, complete the following steps.
1. Log in to the Control Panel.
3. Enable the FM OS Updat e Channel field.
4. Select one of the following update channels:
l Lat est -the default channel. The system will be kept up-to-date with the most recent
version of FMOS released and available on the User Center.
l St able-this channel only includes fixes for critical bugs and security vulnerabilities,
without introducing new features.
5. When finished, click St age Changes and then click Apply Configurat ion.
Enable Show News
FMOS can automatically check for new items periodically and display a list of unread items when
you log in to the FMOS command line, to enable this functionality complete the following steps.
2. Enable the Show news at login field.
3. Set the default to True.
148 |
FMOS v9.8
4. When finished, click St age Changes.
5. If no other changes are being made, click Apply Configurat ion.
Not e: Set the default value to False to turn off this feature.
Authentication
Kerberos Aut hent icat ion
On the Kerberos Authentication page are settings to use to set authentication requirements. Each
field has an info icon that explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
LDAP
On the LDAP page are settings to use to set LDAP authentication requirements. Each field has an
info icon that explains its use.
Password Policy
On the Password Policy page are settings to use to set password requirements. Each field has an
info icon that explains its use. Some password policy rules, such as length and complexity, apply
when passwords are set. Changes to those rules will take effect the next time a user changes his or
her password. Other rules, including minimum and maximum age, only apply when the account is
created. To change those, the account must be deleted and recreated.
Not e: Minimum password character length cannot be less than six. Eight is the default minimum
set.
Not e: Maximum Age (the number of days a password is valid until it must be changed) only
applies when the account is created. If the default value (90 days) is changed after account
creation, existing accounts must be deleted and recreated for the change to apply.
149 |
FMOS v9.8
Password Complexit y
If enabled, passwords must contain at least one uppercase letter, one lowercase letter, one number,
and one other symbol. Additionally, new passwords must contain at least 4 characters that were not
present in the previous password, and passwords cannot contain any variation on the user’s
username or real name.
Not e: Using a character delimiter, such as a colon (:), comma (,), period (.), semi-colon (;), or
slashes (\ /) can result in the password not saving correctly.
150 |
FMOS v9.8
Backups
FMOS provides utilities to create and restore backups of data created and used by SIP.
Schedule an Aut omat ic Backup
When a backup is run, the file that is created is saved to / var/ lib/ backup/ firemon/ by default. The
file will be named HOSTNAM E_DATE.backup, and will be readable only by the group fmbackup.
The backup file that is created will contain the FMOS system configuration, PostgreSQL database
dump, and the file system archive.
If a server is configured to be a database automatic backups are enabled by default, otherwise

automatic backups are disabled. The default auto backup configuration does a backup daily at
23:48 UTC.
To set an automatic backup. complete the following steps.
1. On the toolbar, click OS > Backup > Aut o Backup.
2. Enable backup fields to change default settings.
Post Backup Act ions
After a backup finishes, FMOS can perform additional actions. These actions include copying the
new backup file to a remote server, sending an e-mail notification, or executing a command on the
local machine.
Actions can be configured to run after a successful backup or after a backup fails. Multiple actions
can be configured; they will be run sequentially if more than one is defined.
Cryptographic Settings
The following Red Hat Enterprise Linux 8 policy levels are available in SIP:
l DEFAULT: The default system-wide cryptographic policy level offers secure settings for
current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2
protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048
bits long.
151 |
FMOS v9.8
l LEGACY: This policy ensures maximum compatibility with Red Hat Enterprise Linux 5 and
earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT level
algorithms and protocols, it includes support for the TLS 1.0 and 1.1 protocols. The
algorithms DSA, 3DES, and RC4 are allowed, while RSA keys and Diffie-Hellman parameters
are accepted if they are at least 1023 bits long.
l FUTURE: A conservative security level that is believed to withstand any near-term future
attacks. This level does not allow the use of SHA-1 in signature algorithms. The RSA keys and
Diffie-Hellman parameters are accepted if they are at least 3072 bits long
Allow Weak Ciphers

CentOS 8 changed RSA settings for JDK, causing some devices with RSA keySIze < 2048 to fail. The
System Crypto Policy must be set to 'legacy' to allow weak ciphers and keys (RSA keySize < 1024).
To set the system crypto policy to allow weak ciphers and keys, complete the following steps.
1. On the toolbar, click OS > OS.
2. Enable the Syst em Crypt o Policy field.
3. Select LEGACY from the list.
5. Click Apply Configurat ion if no additional changes are being made.
Health Settings
Not e: An information icon is available for numerous entry fields to provide more information
about the type of data that can be entered into the field.
The FMOS Health Evaluation System settings consists of a number of health checks, each of which
defines a specific operation to perform to produce a check result. Check results are aggregated to
create a health summary, providing a view of the overall health of the system.
From this settings page, you can adjust usage thresholds to maximize system performance.
Swap Memory Alert

When you run out of physical memory, you use virtual memory, which stores the data in memory
on disk. Reading from disk is slower than reading from memory. Exchanging data between real
memory and virtual memory is referred to as "swapping". The space on disk is "swap space".
Swapping is useful because applications that aren't being used can be stored on disk until they are
used. Then they can be "paged in" and run normally again. While it is not in memory, though, the OS
can use that memory for something else, like disk cache.
152 |
FMOS v9.8
Swap usage is only a problem if you see it continually climb and eventually reach 100%, which will
cause performance issues. To address this issue from reoccurring, we recommend increasing the
swap alert threshold for swap event alerts from triggering a warning message.
To increase the swap alert threshold, complete the following steps.
1. On the toolbar, click OS > Healt h.
2. Enable the Free Swap Space Threshold field by clicking the status key.
3. Enter a new threshold percentage. We recommend setting the threshold to 50%.
4. Click St age Changes, and then click Apply Changes.
If you continue to see swap alerts after increasing your swap usage threshold consider adding
more RAM for your FMOS server.
153 |
FMOS v9.8
Performance Metrics
Victoria Metrics can be configured to pull metrics from (scrape) any HTTP resource that exposes
data in the Prometheus exposition format.
FMOS configures collectd, using the write_prometheus plugin1, to expose its metrics in this way.
Collectd listens on TCP port 9103 (the same port as the Prometheus collectd exporter) and
exposes metrics at http://localhost:9103/metrics. This port is never exposed to the network,
irrespective of the the vm_allow_outside setting.
Using Grafana with the Prometheus is FireMon's preferred metric protocol.
Connect Promet heus in Grafana
1. Log in to your Grafana account.
2. In the side menu, click Configurat ion.
3. Click the Dat a Source tab.
4. Click Add dat a source.
5. Select Promet heus from the list.
6. Enter a Name or use the Grafana system generated name.
7. In the HTTP section, in the URL field enter the SIP server URL.
8. In the Aut h section, select the authentication type.
9. Additional fields can be configured to meet your network security guidelines. What has been
provided is the minimum needed to connect to SIP.
10. Click Save & Test .
Expose t he Vict oria M et rics API t o t he net work
1. Log in to the FMOS Control Panel.
2. On the toolbar, click OS > M et rics.
3. Enable the Allow out side access t o Vict oria M et rics field. TCP port 8428 is used for
HTTP API.
4. Set the value to t rue.
154 |
FMOS v9.8
1The Write Prometheus plugin starts an internal webserver on port 9103 (configurable) and accepts
scrape requests from Prometheus, an open-source monitoring system. This plugin is similar in
scope to the collectd_exporter written by the Prometheus team and uses the same naming schema
so it can be used as a drop-in alternative. Synopsis: LoadPlugin write_prometheus <Plugin "write_
prometheus"> Port "9103" </Plugin>
Send Performance Metrics

You can send performance metrics to FireMon Support and to additional locations using the
Prometheus API or "remote write" protocol.
To send t o FireM on Support
2. Enable the Send performance met rics t o FireM on Support field.
To send t o ot her locat ions
Requires prior setup of Prometheus. FireMon's preferred metrics monitoring service is Grafana.
2. Enable the Send performance met rics t o t hese locat ions field.
3. Click the Add icon.
4. Enter the full HTTP or HTTPS URL to a Prometheus "remote write" endpoint. Example:
https://prometheus.mycompany.com/api/v1/write
5. Click the Add icon to add any additional addresses.
6. Enable the Allow out side access t o Vict oria M et rics field. TCP port 8428 is used for
HTTP API.
155 |
FMOS v9.8
Performance Metrics Retention

You can set the number of months to keep time performance metrics data. The default retention
setting is three months.
After the retention period is met, all metrics will be deleted.
Add a Static Route

To add a static route, complete the following steps.
1. On the toolbar, click OS > Net work.
2. Scroll to the bottom of the page.
3. Click Add St at ic rout es.
4. Enable the Type field, and then select the type of route to create. Omit this is you are adding
a simple route.
5. Enable the M et ric field, and then select the route metric.
6. In the Net work Address field, enter the destination network prefix of the route in
CIDR notation.
7. Click Add Next Hop.
8. In the Address field, enter the address of the next hop gateway or router for this route.
9. Enable the Weight field, and then enter the bandwidth or quality of a path. This should be
omitted for simple routes.
10. You can add additional routes and hops.
HTTP Proxy
Many environments require using an HTTP proxy in order to establish communication with hosts on
the Internet. Depending on the configuration of the proxy server, it may allow access to the FMOS
package repository.
To configure the system to use a proxy server, the proxy URL of the server must be set in the
HTTPS proxy environment variable in the Server Control Panel (SCP > OS > Proxy).
156 |
FMOS v9.8
Not e: Only proxy servers that support HTTP CONNECT will work. Proxies that require TLS
decryption (also called “SSL bumping”) will not work. This is because the FMOS package
repository uses TLS mutual authentication to prevent man-in-the-middle attacks. Since
decrypting proxies are a form of man-in-the-middle attack, they cannot work by definition. If
fmos enable-updates fails with an error like “certificate issuer is not recognized,” it is likely the
proxy is doing TLS decryption.
To add an HTTP proxy, complete the following steps.
1. On the toolbar, click OS > Proxy.
2. Enable the Default Proxy field and enter the proxy URL.
3. Enable the HTTP Proxy and/or HTTPS Proxy fields and enter the proxy URL to use for each
connection type that will be used.
4. Enable the No Proxy For field and enter host names to which direct connections should be
made without using the proxy set for the specific protocol.
Not e: The list should be comma separate.
SMTP Settings
Several components of Security Manager and FMOS itself can send notification messages by email.
FMOS supports several configuration modes for sending these messages:
l Configurat ion M ode—configures how email messages will be delivered to their recipients:
l Direct will be delivered directly to the mail server responsible for the recipient
email addresses, found by querying looking up the MX records in DNS.
l Relay will send all email messages to a relay server or “smart host” for delivery.
l None will discard and never deliver messages.
l Relay Host —if the Send email t hrough an SM TP relay delivery method is selected, value
indicates the host name or IP address of the relay server through which all messages will be
sent.
l Relay Port —the TCP port on which to connect to the SMTP server on the remote host.
157 |
FMOS v9.8
l Securit y M ode—selects the security capability to use when communicating with the SMTP
relay server; has no effect on direct email delivery.
Not e: The legacy method of wrapping the entire SMTP communication in an SSL session,
known as “SMTPS” is not available.
l Aut hent icat ion—selects the authentication method to use when communicating with the
SMTP relay server; has no effect on direct email delivery.
Not e: Only the “plain” authentication mechanism is currently supported. Since this method
sends the username and password in clear text, it should only be used when STARTTLS
security is enabled.
l Username/ Password—the credentials to use when authentication required for com-

municating with the SMTP relay server; has no effect on direct email delivery.
Recommendat ion: Ensure that SMTP is working correctly so that a password recovery email can
be sent / received.
SNMP Agent
An SNMPv3 agent has been added to FMOS to enable or disable the SNMP setting.
The SNMP CLI must be used to add or remove users.
Allow Weak SSH Algorithms
This setting is for client only.
Use this setting to allow the SSH client to connect to servers that use weak or outdated
cryptographic algorithms.
To set the client to allow weak SSH algorithms, complete the following steps.
1. On the toolbar, click OS > SSH.
2. Enable the Allow weak SSH algorit hms field.
3. Select t rue or false from the list.
158 |
FMOS v9.8
FMOS Syslog
On the OS> Syslog page, you can add a remote syslog configuration. This setting is used to setup
an external source to listen on events using syslog from FMOS.
External sources can listen over ports 514 or 6514 for either UDP or TCP.
To set a remote syslog configuration, complete the following steps.
1. On the toolbar, click OS > Syslog.
2. Click the Add icon .
3. In the Host field, enter the FQDN for the remote logging host.
4. Enable the M ode field to select the protocol to use to connect to the host.
5. Enable the Port field to select the port to use to connect to the remote logging host.
6. Enable the Use TLS field and select True if you will use TLS with TCP.
159 |
FMOS v9.8
SecMgr
Not e: Information icons are available for each entry field to provide more information about the
type of data that can be entered into the field.
To activate a field for editing, click the Status key to the enabled position. A blue key indicates
that it is enabled.
The SecMgr (Security Manager) page is used to access configuration settings for application servers,
database servers and data collectors.
On the SecMgr page, you can access:
l AS (Application Servers)
o Apache
o NdExec
o SecMgr
o Workflow
l DB (Database) - settings specific to the database role and its functions
l DC (Data Collector) - settings specific to the data collector role and its functions
l ES (Enterprise Search) - settings specific to the elastic search functions
Application Server
Apache
On the Apache HTTPD page are settings to use to set requirements. Each field has an info icon that
explains its use.
NdExec
On the Normalization Worker page are settings to use to set requirements. Each field has an info
icon that explains its use.
160 |
FMOS v9.8
SecM gr
On the FireMon SecMgr page are settings to use to set requirements. Each field has an info icon
that explains its use.
Workflow
On the Workflow page are settings to use to set requirements. Each field has an info icon that
explains its use.
Enable TCP Syslog

On the DC (FireMon Data Collector) page, there is a setting to Enable TCP Syslog. This setting is
used by the DC for change and usage syslog messages.
We support both UDP and TCP. The UDP port is 514 and TCP port is 1470 (the default port often
used for Cisco devices).
The default setting is false (off). When you enable the field box and change the setting to true, the
DC will begin listening on TCP port 1470 in addition to UDP port 514. There is no way to change the
port number. The DC will always also listen on the UDP port.
Scheduled Configuration Deployment

The FMOS configuration policy is applied automatically on a scheduled basis. Additionally, in a
distributed ecosystem, configuration data is refreshed from each machine's superior, including CA
and service certificates. This process is required for automatic certificate renewal.
The deployment schedule can be customized using the Server Control Panel, under the SecMgr
section. The process must run once a week, and the Aut o Refresh Schedule: Hour, M inut e, and
Weekday fields can control precisely when.
By default, the process runs at 02:16 UTC on Sundays.
161 |
FMOS v9.8
Not e: If any changes to the configuration are made using the Server Control Panel but have not
been applied, they will be applied by the scheduled deployment.
To schedule an automatic certificate renewal, complete the following steps.
1. On the toolbar, click SecM gr > SecM gr.
2. Enable the Aut o Refresh Schedule: Hour field, and then select an hour.
3. Enable the Aut o Refresh Schedule: M inut e field, and then select a minute.
4. Enable the Aut o Refresh Schedule: Weekday field, and then select an day.
Not e: The value is expressed as a number between 0 and 7, where both 0 and 7 refer to
Sunday.
162 |
FMOS v9.8
Disk Cleanup Utility

About Disk Cleanup Utility
The Disk Cleanup Utility can be used to remove old files from the file system that are no longer
needed. This utility is designed to help administrators reclaim disk space.
The disk clean-up utility can be used from the command line using the fmos disk-cleanup
command, or using the FMOS Server Control Panel. The utility has two operational modes: analyze
and clean.
l In Analyze M ode, the disk clean-up utility scans for files identified by the specified selection
profiles and estimates the amount of disk space that would be reclaimed by removing them.
In this mode, no files are actually removed from the file system.
l In Clean M ode, the disk clean-up utility will remove any files identified by the specified selec-
tion profiles. When it is finished, it will report on the number of files removed and the
amount of disk space that was reclaimed by removing them.
The disk clean-up utility includes several predefined selection profiles to classify files on the file
system. When run in either analyze or clean mode, the utility takes a set of selection profiles and
searches for files matching the properties specified by those profiles.
When using the CLI, the list of available selection profiles can be viewed by using the --list -profiles
or -L argument.
The CLI accepts one or more selection profiles as positional arguments. Additionally, a pseudo-
profile all can be used to select all available profiles. When using the all selection, it may be
necessary to exclude one or more profiles, which can be indicated by prefixing the profile key with
a hyphen-minus symbol.
In addition to selection profiles, the files to remove can be further restricted by their age. The age
of a file refers to how much time has elapsed since the file was last modified. By default, the
command-line interface restricts both analyze and clean mode to files that are older than 30 days.
To specify a different age, use the --age or -a argument.
Examples
l Run analyze mode on the default selection: fmos disk-cleanup
l Run analyze mode on all available profiles: fmos disk-cleanup all
l Run clean mode on all profiles, except for log files: fmos disk-cleanup --clean -- all -logs
163 |
FMOS v9.8
Not e: When specifying an exclusion using the hyphen-minus syntax, the double hyphen-minus is
required. This is a limitation of the command-line argument parser used by the FMOS command;
it is needed to distinguish the exclusion from short-form optional arguments.
Example
Run clean mode on all crash dumps older than one day: fmos disk-cleanup - -clean - -age 1 crash-
dumps
164 |
FMOS v9.8
Troubleshooting
Log Files
When an error of "See log file details." is received, these are the log files to review. FMOS provides a
command for quickly viewing the most commonly-used log files: fmos logview. This command
allows users with the FireMon Administrator (privileged user) assigned to view the contents of the
system log (i.e. /var/log/messages), as well as any log file generated by FireMon software, without
explicitly requesting elevated privileges.
Not e: Log files can contain sensitive information, and are not accessible by unprivileged users.
To view a log file using fmos logview, simply invoke the command, passing the path to the log file
as a command-line argument. For example, the following command would display the contents of
the current SecMgr log file:
fmos logview /var/log/firemon/sm/secmgr.log
Not e: If no file name is given, / var/ log/ messages will be displayed. Only log files inside
/ var/ log/ firemon, / var/ log/ fmos, and / var/ log/ messages can be viewed using the fmos
logview command.
Notable FMOS log files include:
Log Files
Name Location
FireMon SecMgr /var/log/firemon/sm/secmgr.log
FireMon Server Metrics /var/log/firemon/sm/secmgr-metrics.log
FireMon Data Collector /var/log/firemon/dc/DataCollector.log
FireMon SecMgr Collector /var/log/firemon/collector/collector.log
165 |
FMOS v9.8
Support Diagnostic Package
Not e: Creating a support diagnostic package can also be done from FMOS Server Control Panel
and within the Administration module (Administration > Tools > Support Diagnostic > Export).
FMOS provides a feature called diagnostic packages that can be used to troubleshoot system issues,
including crashes, errors, and unexpected behavior. These packages can be created on any FMOS
installation and transferred to FireMon support for analysis.
Diagnostic packages are XZ-compressed tape archives (“tarballs”) encrypted with GPG using the
fmos-diag key. This allows them to be transferred and stored securely without having to manage
and exchange shared keys. The fmos-diag key has a lifetime of 5 years, and the public key is
distributed in the fmos-util package. As long as you keep your machine up-to-date within a margin of
a few years, there should never be any need to worry about keys.
Create a Diagnostic Package

To create a diagnostic package, complete the following steps.
1. Use the command: fmos mkdiagpkg
2. At the prompt, to enter a ticket number to help associate the package with an open support
case. The value is free form, so any input will be accepted.
Not e: If you do not have an open case enter your organization's name.
Upon completion, a file named fmos-diag_timestamp.hostname.ticket.tar.xz.gpg will be created in

the current working directory. This file is encrypted and can only be opened by FireMon staff.
166 |
FMOS v9.8
Rescue Console - Reset User Password

The FMOS Rescue Console is a tool that can be used to recover an inaccessible system. It is only
available using the virtual terminal, and thus requires physical access to the system in order to be
used.
Access the Rescue Console

To access the rescue console, a directly attached keyboard and display are required. For virtual
appliances, the “virtual console” or “graphical console” is typically equivalent.
Not e: The rescue console is not available on appliances that do not have a directly attached
terminal.
l To activate the rescue console, press Alt +F9 on the keyboard.
l This will change the active terminal to tty9, where the rescue console is attached.
l Once the rescue console is displayed, press Ent er to activate it.
Because the rescue console provides access to sensitive system configuration, it is protected from
malicious activity by requiring an “unlock code” before allowing any changes to be made. The
unlock code is derived from information about the system and is thus unique for every appliance. It
is also time-based.
You must contact FireMon Support to receive the unlock code.
Please contact FireMon Support to request and receive the unlock code with the following
information:
l FQDN of the server (case sensitive)
l Username of the account (This must be accurate and is case sensitive.)
l FMOS version
Caut ion! The rescue console will unconditionally exit 5 minutes after it has been unlocked.
Reset User Passwords

The FMOS Rescue Console can reset forgotten passwords for local users.
1. After activating the rescue console and unlocking it with the correct code, select Reset User
Password.
2. Enter the user name of the user whose password is to be reset and confirm the request.
3. Enter a new password twice (to confirm it was typed correctly).
167 |
FMOS v9.8
Not e: You must enter a strong 8 character password at the prompt using upper and
lowercase letters, numbers, and symbols.
4. Press Ent er to complete the process.
5. To return to the display after using the rescue console, press Alt +F1.
Not e: The FMOS rescue console can only reset passwords for local operating system users. It
cannot be used to reset the password for Security Manager accounts or for users in external
authentication systems (e.g. LDAP, RADIUS, etc.)
168 |
FMOS v9.8
Cloud Password Recovery

The FMOS Rescue Console currently implements the password recovery process for FMOS. Its
security relies on the fact that to access it, one must have direct physical access to the machine (in
order to hit Alt+F9 and open tty9). Since there is no graphical console for cloud instances in either
of the officially-supported cloud platforms (AWS and Azure), the Rescue Console is inaccessible
there. As such, there is no way to recover lost passwords for FMOS users in cloud deployments.
Not e: It is recommended that all machines have at least two accounts with the
FMOS Administrator privilege assigned to it.
169 |
FMOS v9.8
FMOS CLI Commands for Troubleshooting

CLI Commands
fmos update -y --reboot run command to update VM and reboot automatically
fmos -h run command to display help list
fmos health run command to see health of the VM
fmos logview run command to show the contents of a log file
run command to create an FMOS diagnostic package or

fmos mkdiagpkg
troubleshooting and support
fmos restart all run command to restart all FireMon services
fmos reboot run command to reboot the VM
170 |
FMOS v9.8
Next Steps
After completing an FMOS deplyment, you'll log in to the Security Intelligence Platform and open
the Administration module to upload your Security Manager license (and other licenses), add users
and user groups, set permissions, add devices, and a variety of other SIP-related tasks.
171 | Next Steps

FMOS Installation and Configuration Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FMOS Installation and Configuration Guide

Uploaded by

Copyright:

Available Formats

Copyright Notice

About FMOS Generation III 14

FireMon (FM) Appliance 15

Database Server (DB) 19

Application Server (AS) 19

Data Collector (DC) 19

Planning the Ecosystem 22

Which Ecosystem Deployment is Right for Your Organization? 23

Download the FireMon Operating System 24

Download the Installation Files 25

Initial Configuration Wizard 26

Host and Network Configuration 28

Installation for Cloud Deployments 32

Initial FMOS Setup for Cloud Deployments 32

Access the Setup UI 32

FMOS Admin User 33

Initial Deployment Process 34

Amazon Web Services 35

Step 1: Launch the AMI 36

To launch from AWS Marketplace 36

To launch from the EC2 Dashboard 37

Step 2: FMOS Initial Setup Authentication for AMI 38

Initial User Account 38

Step 3: FMOS Initial Setup Completion for AMI 39

FMOS Administrative User 39

Launch the CloudFormation Template 41

To launch from CloudFormation 41

Step 1: Launch Azure Marketplace VMI 43

To launch from Azure Marketplace 43

Step 2: FMOS Initial Setup Authentication for Azure 43

Initial User Account 43

Step 3: FMOS Initial Setup Completion for Azure 44

FMOS Administrative User 45

Aft er Deployment Topics 47

Additional Installation and Configuration Topics 47

Access the Console After Initial Installation 47

Multiple Database Servers 47

Fully Distributed Ecosystem 47

Superior / Subordinate Servers 48

Step 2: AS Machine: Enter Maintenance Mode 50

Step 3: CA Machine: Enable Multi-DB Mode 50

Step 4: Standby DB Machine: Join the Ecosystem 50

Step 5: CA Machine: Finish Deployment 51

Step 6: AS Machine: Exit Maintenance Mode 51

Reconfigure AS and DB Machines 51

Reprovision Original Primary 53

Additional Application Servers 54

Load Balancing Solutions 54

Deploying Multiple Application Servers 54

Using a F5 BIG-IP as a Load Balancer for Application Servers 55

Step 1: Back up the Database 58

Step 2: Back up the Server Certificate 59

Step 3: Install FMOS 60

Step 4: Restore Database Backup 60

Step 5: Restore Server Certificate 61

Step 6: Join Ecosystem as AS 61

Step 7: Distribute Server Certificate to Data Collectors 63

Step 1: Generate a New Certificate 64

Step 2: Sign the Certificate 64

Step 3: Use an External CA 65

Step 3: Use the FMOS CA 65

Step 4: Verify the Certificate 65

Step 5: Import the New Certificate 66

Step 6: Join the Ecosystem 66