Technical Tip: Creating a threat hunting virtual machine in Proxmox for FortiEDR Deployment on K3OS
Description
This article describes how to configure a Threat Hunting virtual machine in Proxmox for FortiEDR deployment.
Proxmox is an open-source enterprise-grade hypervisor that uses KVM as a backend for virtualization.
Scope
This setup applies to FortiEDR version 6.2 and later, running on Proxmox Virtual Environment 8.4.0.
Solution
Uploading ISO Images to Proxmox:
To make ISO images available for use in Proxmox, upload them using either of the following methods:
Option 1: Web Interface.
- Navigate to Storage -> ISO Images.
- Select the Upload button to add the desired ISO file.

Option 2: Direct Upload via File System.
- Upload the ISO file directly to the following directory on the Proxmox host:
/var/lib/vz/template/iso/
Note:
Ensure sufficient storage is available. A temporary file is created during the upload in /var/tmp on the Proxmox host.
Creating a Virtual Machine:
Step 1: Start VM Creation.
- Right-click on the node or use the top toolbar, and select Create VM.
- Specify a name for the virtual machine.

VM Naming Convention:
vm-<VMID>-<NAME>.<FORMAT>
Example: k3os-prod-th-6.2.

Step 2: Select ISO and OS Type.
- Select Type as Linux.
- Select the ISO: FortiEDR_Repository_OSInstaller.

VM Configuration:
System:
- Graphics Card: Select VirtIO-GPU (compatible with Linux machines).
- Use VirtIO SCSI or VirtIO Block controller for improved performance and better maintenance.
Optional: Install the qemu-guest-agent in the guest OS to enable better interaction between host and VM.
For more info: Qemu Guest Agent - Proxmox Wiki.
Disk Settings:
Refer to the System Requirements article and select the appropriate FortiEDR version for your deployment.
OS Disk
- scsi0 = /dev/sda
- Size: 100 GB
Ensure that SSD emulation is enabled for this disk.

Data Disk
- Select Add to attach a data disk.
- scsi1 = /dev/sdb
- Size: 1.5 TB
Ensure that SSD emulation is enabled.

CPU and Memory Settings:
- CPU: Specify the number of cores according to the number of seats.
- Memory: Specify desired RAM.
Refer to the System Requirements article and select the appropriate FortiEDR version for your deployment.

Note:
Ballooning is a memory management technique that dynamically adjusts a VM’s memory usage by reclaiming unused memory and returning it to the host. Improper configuration may cause performance degradation or OOM (Out of Memory) errors.
Network Configuration:
- Select the Bridge network ID.
- Ensure that Firewall is unchecked.
Note: In Proxmox VE, enabling the firewall at the VM level without defining rules may block all network traffic by default. To avoid unintended connectivity issues, make sure the Firewall option is unchecked when creating or configuring VMs, unless specific firewall rules are intentionally applied.
For more information, refer to the official documentation: https://pve.proxmox.com/wiki/Firewall

Finalization:
- Verify all configurations.
- Select Confirm to complete the VM creation.
- After completing the K3OS installation followed by this guide, switch the ISO to RepositoryInstaller_MW.
Select the Threat Hunting virtual machine -> Hardware -> CD/DVD Drive -> select the RepositoryInstaller_MW ISO from the storage.
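
To check from the Proxmox host shell that a VM matches the settings above, the following added example (not part of the original article or of any Fortinet or Proxmox tooling) audits the output of qm config for the VirtIO-GPU, VirtIO SCSI, SSD emulation and firewall settings. The sample config, including VMID 100, storage local-lvm, bridge vmbr0, the MAC address, the .iso file extension, and the core and memory values, is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `qm config <VMID>` output against this article's settings.
# Reads the config on stdin, prints one line per deviation, returns 1 if any.
audit_th_vm() {
    awk '
        { i = index($0, ": "); if (i) cfg[substr($0, 1, i - 1)] = substr($0, i + 2) }
        END {
            n = 0
            if (cfg["vga"] !~ /^virtio/) { print "vga: expected VirtIO-GPU"; n++ }
            if (cfg["scsihw"] !~ /^virtio-scsi/) { print "scsihw: expected VirtIO SCSI"; n++ }
            split("scsi0 scsi1", disks, " ")
            for (j = 1; j <= 2; j++) {
                d = disks[j]
                if (!(d in cfg)) { print d ": disk missing"; n++ }
                else if (cfg[d] !~ /(^|,)ssd=1(,|$)/) { print d ": SSD emulation is off"; n++ }
            }
            # The article leaves Firewall unchecked unless rules are intentionally applied.
            for (k in cfg)
                if (k ~ /^net[0-9]+$/ && cfg[k] ~ /(^|,)firewall=1(,|$)/) {
                    print k ": firewall=1, confirm VM-level rules exist"; n++
                }
            exit (n > 0)
        }'
}

# Constructed sample of `qm config` output. VMID, storage, MAC, bridge, cores and
# memory are made-up values; the two disks mirror the article (100 GB and 1.5 TB).
sample_config() {
    cat <<'EOF'
agent: 1
cores: 4
ide2: local:iso/FortiEDR_Repository_OSInstaller.iso,media=cdrom
memory: 16384
name: k3os-prod-th-6.2
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
ostype: l26
scsi0: local-lvm:vm-100-disk-0,size=100G,ssd=1
scsi1: local-lvm:vm-100-disk-1,size=1536G,ssd=1
scsihw: virtio-scsi-pci
vga: virtio
EOF
}

# On a Proxmox host, replace sample_config with: qm config <VMID>
if sample_config | audit_th_vm; then echo "config matches the article"; fi
```

A firewall=1 finding is a prompt to confirm that VM-level rules are defined, since an enabled firewall without rules may block all traffic as noted above.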

