FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ymasaki
Staff
Article Id 283982
Description This article describes how to update the IP addresses of on-premise FortiEDR components.
Scope FortiEDR v5.2 and above.
Solution

The following steps are required to update the IP addresses of on-premise FortiEDR components (Central Manager, Aggregator, Core, and Threat Hunting servers).

 

Note:

It is strongly recommended to create a backup/snapshot of each component before making any changes. If Collectors are installed and are using the IP address, they will lose connectivity. In this case, the Collectors must be reinstalled.

 

Central Manager:

  1. SSH into the Central Manager server.
  2. Run vi /etc/sysconfig/network-scripts/<interface>
  3. Update IPADDR, GATEWAY and PREFIX.
  4. Run vi /opt/FortiEDR/webapp/application-customer.properties
  5. Check whether the file contains the old IP address (this might be in the SMTP settings) and change it to the correct setting.
  6. Run systemctl restart network
  7. Run fortiedr restart to restart the Central Manager.

 

Aggregator (optional, when the Aggregator is separated from the Central Manager):

  1. SSH into the Aggregator server.
  2. Run vi /etc/sysconfig/network-scripts/<interface>
  3. Update IPADDR, GATEWAY, and PREFIX.
  4. Run vi /opt/FortiEDR/aggregator/conf-customer.properties
  5. Set the new manager IP address: 'management-host = IP'.
  6. Run systemctl restart network
  7. Run fortiedr restart to restart the Aggregator.
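
Step 5 of both procedures above asks for a check of the properties file for the old IP address. The following is an added example, not part of the original article or of Fortinet's tooling: a shell function that lists lines still carrying the old address as a complete IP, where a plain grep would also hit longer addresses and treat dots as wildcards. The function names, the 192.0.2.x addresses and every key in the sample file except management-host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate leftover references to an old IP address in
# FortiEDR properties files before restarting the services.

# find_stale_ip OLD_IP FILE...
# Prints "file:line:text" for each line that contains OLD_IP as a complete
# address. Exit status 0 if at least one line was found, non-zero otherwise.
find_stale_ip() {
    old_ip=$1
    shift
    # Escape the dots so they match literally instead of "any character".
    escaped=$(printf '%s' "$old_ip" | sed 's/\./\\./g')
    # Require a non-digit (or a line boundary) on both sides, so that
    # 192.0.2.10 does not match 192.0.2.100 or 1192.0.2.10.
    grep -HnE "(^|[^0-9])${escaped}([^0-9]|\$)" "$@"
}

# Constructed sample standing in for a *-customer.properties file.
# Only "management-host" is a key named in the article; the others are made up.
make_sample() {
    sample_file=$(mktemp)
    cat >"$sample_file" <<'EOF'
management-host = 192.0.2.10
smtp.relay = 192.0.2.100
build.tag = 192x0x2x10
EOF
    printf '%s\n' "$sample_file"
}

# Demo on the constructed sample: only the management-host line is reported,
# although a plain "grep 192.0.2.10" would report all three lines.
demo_file=$(make_sample)
find_stale_ip 192.0.2.10 "$demo_file" || echo "no stale references found"
rm -f "$demo_file"

# On a real server the call would name the files from the steps above, e.g.
#   find_stale_ip <old-ip> /opt/FortiEDR/webapp/application-customer.properties
#   find_stale_ip <old-ip> /opt/FortiEDR/aggregator/conf-customer.properties
```

Run it once before editing to see where the old address is set, and again after editing to confirm no reference remains.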

 

Core:

  1. SSH into the Core server.
  2. Run fortiedr config and update to the new IP address.

 

Threat Hunting:

Changing the Threat Hunting (TH) server IP address after installation is not supported. The current option is to install a new Threat Hunting server with the new IP address and connect it to the Central Manager. This means the current data in the old Threat Hunting server will be lost.