FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
MauricioOliva
Article Id 394097
Description

This article describes the process of re-imaging a FortiSIEM appliance with firmware 7.1.0 or later.
Scope

Re-imaging can be useful for moving to a later firmware version faster. Firmware downgrade is not supported by this process: for example, a FortiSIEM system running 7.2.4 cannot be re-imaged to 7.1.0.

The re-image process overwrites the hard disks entirely and installs new firmware from a bootable USB stick; all data on the hard drives is erased.

Solution


This article describes the process for re-imaging a FortiSIEM appliance of any model to firmware version 7.1.0 or later.

 

Re-imaging can be useful for moving to a later firmware version more quickly, or for recovering from a failed deployment. Firmware downgrading is not supported with this process: for example, a FortiSIEM at version 7.2.4 cannot be re-imaged to 7.1.0.

 

Note: A working knowledge of Rocky Linux (the operating system the appliance runs) and of disk partitioning is needed for a successful installation; the disk that is overwritten during deployment must be chosen correctly, because a wrong choice destroys data on another disk.

 

It is necessary to identify the appliance model and its ports.

The following link provides hardware and performance information for each model:

 

Hardware - FortiSIEM product page.

 

Select the model (in this example, a 2000G will be used).

 

MauricioOliva_0-1748473266696.png

 

MauricioOliva_1-1748473266699.png

 

In the document, identify the diagram section of the front and back of the device.

Identify the VGA, console and USB ports (for example, on the 2000G).

 

MauricioOliva_2-1748473266724.png

 

Once the ports have been identified, prepare the image for boot and confirm which image is necessary and appropriate for the appliance.

Important: Each model differs in the number and placement of its USB ports, so check them in advance. Connecting through the console cable (preferred) instead of a USB keyboard leaves the USB ports free for the two USB storage devices.

 

How to select the correct image:

 

To validate compatibility with versions, devices, and other systems, see the FortiSIEM version compatibility matrix

 

Create a Bootable Linux Image:

 

  1. On a laptop, download Rufus (a tool for creating bootable USB drives) from its official site.
  2. Download the Ubuntu desktop ISO from the official Ubuntu site (this procedure used the latest version available at the time, Ubuntu 24.04.1).
  3. Connect a USB drive large enough for the ISO to the laptop (the 24.04.1 desktop ISO is larger than 4 GB, so use an 8 GB or larger drive).
  4. Open Rufus.
  5. Configure the following settings:
    1. Device: select the USB drive.
    2. Boot selection: select the Ubuntu ISO.
    3. Partition scheme and target system type: MBR, BIOS or UEFI.
    4. File system: FAT32 (default).
    5. Cluster size: 16 kilobytes (default).
    6. Select Start and, when prompted, choose Write in ISO image mode (recommended).

 

MauricioOliva_3-1748473266728.png

 

Copy the FortiSIEM Appliance image to a USB stick.

 

  1. Download the FortiSIEM image (from https://support.fortinet.com under Downloads -> Firmware Images -> FortiSIEM v7.X -> 7.X -> 7.X.X FortiSIEM-RAW-Hardware-7.X.X.0000.zip). Compare the downloaded file's checksum with the value published on the download page before going further.
  2. Unzip the image with a zip extractor of preference. The file FortiSIEM-RAW-Hardware-7.X.X.0000.img will be extracted.
  3. Connect a 32 GB (or larger) USB drive to the system (desktop or laptop); it must be larger than the extracted image, which is about 25 GiB. Open Windows Explorer, right-click the drive and select Format with the following options:

  • File system: NTFS (FAT32 cannot hold a single file larger than 4 GiB, so it cannot take the image)
  • Allocation unit size: 4096 bytes
  • Quick Format: Enable

  4. Copy the extracted FortiSIEM-RAW-Hardware-7.X.X.0000.img file to the formatted USB drive.

Note: Prepare both USB sticks before starting the procedure on the appliance, so that the copy time does not extend the outage.

 

Prepare the Appliance (Option A & Option B).

 

Option A:

 

  1. Start the system and connect through the console port with the following serial settings:
    1. Speed (default): 9600
    2. Data bits: 8
    3. Stop bits: 1
    4. Parity: None
    5. Flow control: None
  2. Log in with the root user and password.
  3. Run the following command to remove the FortiSIEM application:

 

execute fsm-clean

Deletes the disks and opt

This cleans up entire data of the system(y/n) y

 

Review the FortiSIEM task result. If any error appears, check the log file /var/log/fsm-clean.log for more details.

 

  4. Format the disks and shut down:

 

execute format disk

This operation will clear RAID configuration and reconfigure RAID!

All previous data (if any) on RAID disks may be lost!

Do you want to continue? (y/n) y

 

execute shutdown

 

Option B:

 

  1. Start the system and connect via VGA port.
  2. Connect keyboard and mouse via USB.
  3. Log in with the root user and password.
  4. Run the following command to Remove the FortiSIEM application: 

 

execute fsm-clean

Deletes the disks and opt

This cleans up entire data of the system(y/n) y

 

Review the FortiSIEM task result. If any error appears, check the log file /var/log/fsm-clean.log for more details.

 

  5. Format the disks and shut down:

 

execute format disk

This operation will clear RAID configuration and reconfigure RAID!

All previous data (if any) on RAID disks may be lost!

Do you want to continue? (y/n) y

 

execute shutdown

 

Configure BIOS to Boot into USB Drive:

 

  1. Connect port1 Ethernet cable to a live network with internet access.
  2. Connect a Keyboard to the USB port available in the rear of the system.
  3. Connect a VGA monitor to the VGA labeled port.
  4. Connect the USB Stick containing the Ubuntu image to the second USB port.
  5. Start the system and press the key that opens the boot options menu (F11, F12 or ESC, depending on the model; watch the monitor for the prompt that names the key).
  6. Enter the password to access the BIOS.
  7. From the main menu scroll to 'Boot' and change the boot option #1 from the Hard disk to the USB Stick.

 

MauricioOliva_4-1748473266735.png

 

  8. Press F4 to Save and Exit.

 

Note: After F4 is pressed, the device often reports that it cannot restart. In that case, power-cycle the appliance manually and wait for it to boot with the configured option.

Re-image the system.

 

  1. The boot menu will be displayed. Select 'Try or Install Ubuntu'.

 

MauricioOliva_5-1748473266740.png

 

  2. On the GUI desktop, assign a temporary IP address with internet access from Show Applications -> Settings -> Network.
  3. Open a terminal, become root and refresh the package index (this is also the point at which to install an SSH server, if remote access to the live session is wanted):

 

sudo su -

apt update

 

  4. Plug the USB stick holding the FortiSIEM image into the other USB port.
  5. Open it in the file manager and locate the image file; this mounts the stick (under /media/ubuntu/) and confirms the image is readable.
  6. List the disks and partitions and identify the boot disk (about 30 GB) with lsblk -f, lsblk and fdisk -l:

 

Note: Identify the disk to overwrite carefully. Device names such as sdd are assigned at enumeration time and differ between boots and between operating systems: the lsblk -f listing below was taken from the FortiSIEM operating system itself (its boot disk appears as sda, carrying /boot and the rl-root volume, while sdd holds /opt), whereas the lsblk and fdisk -l listings that follow come from the Ubuntu live session, where the same 29.8 GB boot disk with the rl-swap and rl-root LVM volumes appears as sdd. Identify the boot disk by its size and by the rl-* LVM volumes on it, never by its letter alone.

In this example the boot disk was /dev/sdd in the live session, so the image is written to the whole disk /dev/sdd in the dd step below.

 

lsblk -f

NAME        FSTYPE      LABEL UUID                                   MOUNTPOINT
sda
├─sda1      xfs               5de8cd6f-c3aa-4a8b-9f34-90dfdb0a0263   /boot
└─sda2      LVM2_member       wtts3h-XJN5-kEfy-s4Di-RgIo-IA4G-dWsRCh
  ├─rl-swap swap              d54e1abc-4675-44d1-8b45-cb64cc02c1da   [SWAP]
  └─rl-root xfs               1558a9aa-dab5-4dea-abfa-c2b7dd676f78   /
sdb
└─sdb1      xfs               d9ea9b8c-617a-4f75-b36a-fab728ed3e21   /svn
sdc
└─sdc1      xfs               ad418f0a-6ad4-4533-8c33-6eb61e7cb865   /cmdb
sdd
├─sdd1      swap              81a48a7d-29b5-4507-8ca8-bde9d1fd932e   [SWAP]
└─sdd2      xfs               3e84aad5-4811-497e-add1-5adb6cd4b75f   /opt
sde         xfs               0e695745-8a68-40cc-9a78-1735b54edf83   /data

 

lsblk

NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0         7:0    0    2G  1 loop /rofs
loop1         7:1    0 55.4M  1 loop /snap/core18/2128
loop2         7:2    0  219M  1 loop /snap/gnome-3-34-1804/72
loop3         7:3    0 32.3M  1 loop /snap/snapd/12704
loop4         7:4    0 65.1M  1 loop /snap/gtk-common-themes/1515
loop5         7:5    0   51M  1 loop /snap/snap-store/547
sda           8:0    0 10.5T  0 disk
sdb           8:16   0 65.5T  0 disk
sdc           8:32   0 29.8G  0 disk
sdd           8:48   0 29.8G  0 disk  <----- Boot disk.
├─sdd1        8:49   0    1G  0 part
└─sdd2        8:50   0   24G  0 part
  ├─rl-swap 253:0    0  2.5G  0 lvm
  └─rl-root 253:1    0 21.5G  0 lvm
sde           8:64   1 14.7G  0 disk
└─sde1        8:65   1 14.7G  0 part /cdrom
sr0          11:0    1 1024M  0 rom

 

fdisk -l

Disk /dev/sdd: 29.84 GiB, 32017047552 bytes, 62533296 sectors
Disk model: 32GB SATA Flash
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7a762449

Device     Boot   Start      End  Sectors Size Id Type
/dev/sdd1  *       2048  2099199  2097152   1G 83 Linux
/dev/sdd2       2099200 52428799 50329600  24G 8e Linux LVM

 

 

  7. Remove the LVM logical volumes of the old installation (confirm first, for example with pvs, that volume group rl lives on the disk that is about to be overwritten):

 

lvremove /dev/mapper/rl-*

  /dev/sdf: open failed: No medium found
  /dev/sdg: open failed: No medium found
  /dev/sdf: open failed: No medium found
  /dev/sdg: open failed: No medium found
Do you really want to remove and DISCARD active logical volume rl/swap? [y/n]: y
  Logical volume "swap" successfully removed
Do you really want to remove and DISCARD active logical volume rl/root? [y/n]: y
  Logical volume "root" successfully removed

The "No medium found" lines are harmless: LVM scans every block device, and sdf and sdg are removable slots (such as card-reader ports) with no media inserted.

 

  8. Erase the file-system and partition-table signatures on /dev/sdd:

 

wipefs --all /dev/sdd

/dev/sdd: 2 bytes were erased at offset 0x000001fe (dos): 55 aa
/dev/sdd: calling ioctl to re-read partition table: Success

 

  9. Check that no LVM device-mapper entries remain:

 

lvdisplay

  /dev/sdf: open failed: No medium found
  /dev/sdg: open failed: No medium found
  /dev/sdf: open failed: No medium found
  /dev/sdg: open failed: No medium found
  /dev/sdf: open failed: No medium found
  /dev/sdg: open failed: No medium found

dmsetup -C info

No devices found

lvdisplay prints nothing apart from the media warnings, and dmsetup reports no devices, so no logical volume is still mapped.

 

  10. Copy the image from the USB stick to the boot disk (/dev/sdd):

 

Note: In this example, /dev/sdd was the boot disk and received the image. Verify the target disk again before running dd: the command overwrites whatever device is named in of= without asking.

 

cd /media/ubuntu/hg
dd if=./FortiSIEM-RAW-Hardware-7.X.X.0000.img of=/dev/sdd bs=128k status=progress

26843545600 bytes (27 GB, 25 GiB) copied, 423.157 s, 63.4 MB/s

(hg is the volume label of the image USB stick in this example; use the mount path shown by the file manager.)
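The two checks the preceding steps depend on, choosing the right disk and confirming the copy, can be scripted. The POSIX shell script below is an added example and is not part of the original article or of FortiSIEM itself: pick_boot_disk parses the key="value" form of lsblk output (lsblk -b -n -P -o NAME,SIZE,TYPE,RM,FSTYPE,PKNAME) and selects the non-removable disk that fits the image and carries the old installation's LVM volumes, refusing to guess when two disks tie on size, and verify_written_image re-reads the device after dd and compares it with the image byte for byte. The lsblk listing embedded in the script is constructed from the sizes shown in the article, and the conv=fsync flag in the suggested dd command is an addition to the article's command.

```shell
#!/bin/sh
# Added example, not from the original article: pick the FortiSIEM boot disk
# from `lsblk` output by size and by the LVM volumes it carries (never by drive
# letter alone), and verify afterwards that dd wrote the image intact.
# Against a live Ubuntu session it is fed like this (assumed usage):
#   pick_boot_disk "$(lsblk -b -n -P -o NAME,SIZE,TYPE,RM,FSTYPE,PKNAME)" \
#                  "$(stat -c %s FortiSIEM-RAW-Hardware-7.X.X.0000.img)"

# pick_boot_disk LISTING IMAGE_BYTES
#   LISTING: output of `lsblk -b -n -P -o NAME,SIZE,TYPE,RM,FSTYPE,PKNAME`.
#   A candidate is a non-removable whole disk that can hold the image but is
#   no larger than 1.5x the image (a 25 GiB image on a ~30 GiB flash module;
#   the RAID data volumes are far larger and the live USB stick is removable).
#   When several candidates remain, the one carrying an LVM2_member partition
#   (the rl-root/rl-swap volumes of the old installation) wins.
#   Prints the device name; exit 1 if nothing fits, exit 2 if still ambiguous.
pick_boot_disk() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # kv("KEY") extracts the value of KEY="value" from the current line.
        function kv(k,  s) {
            if (!match($0, "(^| )" k "=\"[^\"]*\"")) return ""
            s = substr($0, RSTART, RLENGTH); sub(/^ /, "", s)
            return substr(s, length(k) + 3, length(s) - length(k) - 3)
        }
        BEGIN { want += 0 }
        {
            name = kv("NAME"); pk = kv("PKNAME")
            if (kv("TYPE") == "disk") { size[name] = kv("SIZE") + 0; rmv[name] = kv("RM") + 0 }
            # An LVM PV may sit on a partition (PKNAME = its disk) or on a whole disk.
            if (kv("FSTYPE") == "LVM2_member") lvm[(pk == "") ? name : pk] = 1
        }
        END {
            n = 0; m = 0
            for (d in size)
                if (rmv[d] == 0 && size[d] >= want && size[d] <= want * 1.5) {
                    cand = d; n++
                    if (lvm[d]) { best = d; m++ }
                }
            if (n == 1) { print cand; exit 0 }
            if (n == 0) { print "no non-removable disk fits the image" > "/dev/stderr"; exit 1 }
            if (m == 1) { print best; exit 0 }
            print "ambiguous: " n " disks match by size, " m " carry LVM; refusing to guess" > "/dev/stderr"
            exit 2
        }'
}

# verify_written_image IMAGE DEVICE
#   Re-reads the first IMAGE-size bytes of DEVICE (the device is larger than
#   the image) and compares them with the image. Returns 0 on match, 1 otherwise.
verify_written_image() {
    img_bytes=$(wc -c < "$1" | tr -d ' ')
    head -c "$img_bytes" "$2" | cmp -s "$1" -
}

# Constructed listing modelled on the article's Ubuntu-live `lsblk` output
# (sizes in bytes): two RAID data volumes, two 29.8 GiB disks of which only sdd
# holds the rl-* LVM volumes, and the 14.7 GiB removable live-USB stick.
SAMPLE_LSBLK='NAME="sda" SIZE="11544872091648" TYPE="disk" RM="0" FSTYPE="" PKNAME=""
NAME="sdb" SIZE="72017516544000" TYPE="disk" RM="0" FSTYPE="" PKNAME=""
NAME="sdc" SIZE="32017047552" TYPE="disk" RM="0" FSTYPE="" PKNAME=""
NAME="sdd" SIZE="32017047552" TYPE="disk" RM="0" FSTYPE="" PKNAME=""
NAME="sdd1" SIZE="1073741824" TYPE="part" RM="0" FSTYPE="xfs" PKNAME="sdd"
NAME="sdd2" SIZE="25768755200" TYPE="part" RM="0" FSTYPE="LVM2_member" PKNAME="sdd"
NAME="rl-swap" SIZE="2684354560" TYPE="lvm" RM="0" FSTYPE="swap" PKNAME="sdd2"
NAME="rl-root" SIZE="23085449216" TYPE="lvm" RM="0" FSTYPE="xfs" PKNAME="sdd2"
NAME="sde" SIZE="15782215680" TYPE="disk" RM="1" FSTYPE="" PKNAME=""
NAME="sde1" SIZE="15782215680" TYPE="part" RM="1" FSTYPE="vfat" PKNAME="sde"'
IMAGE_BYTES=26843545600   # size dd reported for the image in the article

if target=$(pick_boot_disk "$SAMPLE_LSBLK" "$IMAGE_BYTES"); then
    # conv=fsync makes dd flush everything to the flash module before it returns.
    echo "target: /dev/$target -> dd if=FortiSIEM-RAW-Hardware-7.X.X.0000.img of=/dev/$target bs=128k status=progress conv=fsync"
fi
```

On the article's own listing the size filter leaves sdc and sdd tied (both 29.8 GB), and only the LVM2_member signature on sdd2 breaks the tie; with that signature absent the function exits non-zero rather than pick one, which is the behaviour wanted from anything that feeds a dd target.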

 

  11. Power off the system once dd has finished:
  • In the Ubuntu GUI, perform a complete power off (not a reboot).
  • In the top right, select Power Off.

 

When the shutdown completes the device is fully off; remove both USB sticks before powering it on again.

 

Configure BIOS to Boot into the HDD Drive.

 

  1. Connect the port1 Ethernet cable to a live network with internet access.
  2. Connect a keyboard to the USB port available in the rear of the system.
  3. Connect a VGA monitor to the port labeled VGA.
  4. Press the power button on the appliance and, as it starts, press the key that opens the boot options menu (F11, F12 or ESC, depending on the model; watch the monitor for the prompt that names the key).
  5. Type the password to access the BIOS.
  6. From the main menu scroll to 'Boot' and change boot option #1 from the USB stick back to the hard disk.

 

MauricioOliva_6-1748473266747.png

 

  7. Select F4 to Save and Exit.

 

Select firmware and hardware.

 

Refer to the FortiSIEM 7.1 product page, select the firmware version, and locate the hardware model:

 

MauricioOliva_7-1748473266753.png

 

Follow the instructions based on the type of configuration required, choosing either All-in-one Installation or Cluster Installation:

See the FortiSIEM 2000G Hardware Configuration Guide for more information.

 

Reinstall FortiSIEM application:

 

  1. Access the system through the console with the default user and password (root/ProspectHills).
  2. Define a temporary password.
  3. Clean the application, reset to factory defaults and reboot:

 

execute fsm-clean

execute factoryreset

execute reboot

 

  4. Access the system through the console again with the default user and password (root/ProspectHills).
  5. Set the definitive root password.
  6. Complete the initial configuration by running the script:

 

configFSM.sh

 

Check if all the jobs are successful on the FortiSIEM task result. The system will reboot automatically.

 

  7. At this point, the system should be reachable through the web management interface.
  8. Install the system license and select the type of storage.
  9. Finally, review the health of the system with the commands below:

 

get system status

phstatus

get-fsm-health.py --local

diagnose system disks health

diagnose hardware info

 

Related article:

Technical Tip: How to reimage a FortiSIEM