FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
kwernecke
Staff
Article Id 200165
Description: This article describes how to burn the FortiEDR Collector into a workstation image.
Scope: FortiEDR
Solution

Question: We are planning to make FortiEDR a standard for all new workstations.

Can we burn the FortiEDR Collector into the image (which might create a duplicate FortiEDR Collector ID on each endpoint if a FortiEDR Collector ID already exists)?

Or does it have to be installed after the OS is up and provisioned (GUID is updated)?
Answer: 

  • It is possible to install on the image. If, after the image is deployed, each device gets its own MAC address and hostname, the Collectors will not be duplicates.
  • It is also possible to install on the image and then clean it so that it no longer holds a Collector ID, leaving only the Aggregator address and the registration password (ERP) in the bootstrap.
  • If the Collector is installed on the image without ever being allowed to connect to the Aggregator, it will also be in a clean state.

Steps:

  • Install the Collector on the image and let it register, to confirm that the configuration is OK.
  • Then stop the Collector:
  • In a command prompt run as Administrator, run: "%ProgramFiles%\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --stop
  • Then, in the same command prompt, run: "%ProgramFiles%\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --clean
  • This removes all the configuration the Collector received while it was registered and running.
  • Then capture the image (without starting the Collector again).
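The stop-and-clean sequence above as an added PowerShell script (example code, not Fortinet's own). It assumes the default install path under $env:ProgramFiles and that the running Collector appears as a process named FortiEDRCollectorService; both are assumptions, and the script refuses to clean while that process is still alive so the image is never captured with a live, registered Collector.

```powershell
# Added example (not from the Fortinet article): runs the documented
# --stop / --clean sequence with checks, so an image is never captured
# with a registered Collector ID still in it.
# Assumptions: default install path under $env:ProgramFiles, the process
# name FortiEDRCollectorService, and a non-zero exit code meaning failure.
#Requires -RunAsAdministrator

$collector = Join-Path $env:ProgramFiles 'Fortinet\FortiEDR\FortiEDRCollectorService.exe'

if (-not (Test-Path $collector)) {
    throw "FortiEDR Collector not found at $collector; install it on the image first."
}

function Invoke-Collector([string]$Switch) {
    # Run the Collector service executable with one switch and stop on failure.
    $p = Start-Process -FilePath $collector -ArgumentList $Switch -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "FortiEDRCollectorService.exe $Switch exited with code $($p.ExitCode)"
    }
}

# Step 1: stop the Collector (article step: --stop).
Invoke-Collector '--stop'

# Wait until the Collector process is gone before wiping its registration state
# (process name is an assumption; adjust if your deployment differs).
$deadline = (Get-Date).AddSeconds(30)
while ((Get-Process -Name 'FortiEDRCollectorService' -ErrorAction SilentlyContinue) -and
       ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 2
}
if (Get-Process -Name 'FortiEDRCollectorService' -ErrorAction SilentlyContinue) {
    throw 'Collector process is still running; refusing to clean a live Collector.'
}

# Step 2: remove the received configuration and Collector ID (article step: --clean),
# leaving only the Aggregator address and registration password (ERP) in the bootstrap.
Invoke-Collector '--clean'

Write-Host 'Collector stopped and cleaned. Capture the image now without starting the Collector again.'
```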