FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rkatmor (Staff)
Article Id 213083
Description

This article lists best practices for HA/DR deployment options.

DISCLAIMER – Installing mirrored VMs or any other accommodating on-premises management controls DOES NOT fall under the FortiEDR deployment service, responsibility or liability in general.

The best practices below should be treated as guidelines, and any associated implementations are the sole responsibility of the customer.

Scope: FortiEDR on-premises deployment.
Solution

HA/DR best practices:

1) Infrastructure:

  • Console Manager (CM).
  • Threat hunting (TH).
  • Aggregator/s.
  • Core/s.

2) Recovery – Replicated snapshots are the preferred option.

3) Network – The DR site is preferably connected via L2 so that the same IP structure applies at both sites, which simplifies the deployment.

4) Console Manager – The CM has no effect on protection if it is down for some time, until it is recovered. Because the CM enforces the license, ensure that the MAC address is statically assigned (the one used on the snapshot) so that the replicated CM image retains the same InstallationID and has no licensing issues.

5) Core – Cores use active-active balancing, so no further configuration or load balancer (not supported) is required. The recommendation is to deploy redundant Cores, allowing the collectors to use the Core available on the shortest route. The Core must be configured to connect to the aggregator via DNS.

6) Aggregators – Aggregators reduce the load on the manager and hold only transient data. For example, the CM sends configuration to the aggregators, and the aggregators send it on to all collectors and Cores. If an aggregator is down for some time, it has no effect on protection until it is recovered. For DR, if an aggregator is lost, it is enough to bring up a new aggregator with the same address/domain name (DNS is highly advised).

7) Threat hunting – If the TH consists of one VM (one machine), the snapshot will work. If the TH consists of several nodes (likely at 2K+ seats), the customer is advised to set up shared storage (NFS is preferred) where the backup data is saved, so that the DR TH sees the data when it is called into duty.
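Points 4 to 7 above are invariants a DR image can silently break (a regenerated MAC, an aggregator reached by IP literal, a multi-node TH without shared storage). The following is an added pre-failover check, not Fortinet code and not part of this article: it encodes those guidelines as rules over a small DR inventory whose keys, names and values are constructed assumptions for illustration.

```python
import ipaddress

# Added example, not FortiEDR code: inventory layout below is an assumption.


def is_ip_literal(addr: str) -> bool:
    """True when addr is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def dr_readiness_issues(inventory: dict) -> list[str]:
    """Return human-readable findings; an empty list means the DR set is ready."""
    issues = []
    cm = inventory["console_manager"]
    # 4) The license is tied to the InstallationID, which depends on the CM MAC:
    #    the replicated image must carry the same statically assigned MAC.
    if not cm.get("static_mac"):
        issues.append("CM: MAC address is not statically assigned")
    if cm["snapshot_mac"].lower() != cm["dr_mac"].lower():
        issues.append("CM: DR image MAC differs from snapshot MAC (InstallationID changes)")
    # 5) Cores must reach the aggregator via DNS, not an IP literal.
    for core in inventory["cores"]:
        if is_ip_literal(core["aggregator_address"]):
            issues.append(f"Core {core['name']}: aggregator configured by IP, use DNS")
    # 6) A replacement aggregator must keep the same address; a DNS name makes that easy.
    for agg in inventory["aggregators"]:
        if is_ip_literal(agg["address"]):
            issues.append(f"Aggregator {agg['name']}: addressed by IP, prefer a DNS name")
    # 7) A multi-node TH needs shared storage so the DR TH sees the backup data.
    th = inventory["threat_hunting"]
    if th["nodes"] > 1 and not th.get("shared_storage"):
        issues.append("TH: multi-node deployment without shared backup storage")
    return issues


# Constructed sample inventory (not from a real deployment): two deliberate gaps.
SAMPLE_INVENTORY = {
    "console_manager": {"static_mac": True, "snapshot_mac": "00:50:56:AA:BB:CC", "dr_mac": "00:50:56:aa:bb:cc"},
    "cores": [{"name": "core-dr-1", "aggregator_address": "10.0.0.5"}],
    "aggregators": [{"name": "agg-dr-1", "address": "agg.edr.example.internal"}],
    "threat_hunting": {"nodes": 3, "shared_storage": None},
}

if __name__ == "__main__":
    for finding in dr_readiness_issues(SAMPLE_INVENTORY) or ["DR inventory: ready"]:
        print(finding)
```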
