Release Formats

FMOS Generation III system updates are distributed in signed archive files, called distribution archives. These files end with the extension .tar.gpg. They are cryptographically signed using GnuPG with keys accessible only to us to ensure that third parties cannot tamper with or modify them.

Although we distribute FMOS in various forms for initial deployment (new installations), only distribution archives can be used to update an existing FMOS system.

Build Variants

Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific purpose. When installing FMOS on a new machine, be sure to select the proper variant:

  • Full: This is the default variant. It contains all of the Security Intelligence Platform application components, including the Security Manager server, the Data Collector, Global Policy Controller, and all supporting software such as PostgreSQL and Elasticsearch.
  • DC Only: This variant only contains the Data Collector application component for the Security Intelligence Platform.
  • Cloud: This variant is intended to be used for Cloud deployments, such as Microsoft Azure or Amazon Web Services. It contains all of the Security Intelligence Platform application components and all supporting software.

Distribution Formats

Each FMOS build variant is distributed in multiple formats. The various formats are designed to support different deployment environments or scenarios:

  • FMOS Distribution Archive (.tar.gpg) [all variants]: This format is used by all FMOS variants for upgrading an existing installation of FMOS to a new version. When upgrading, be sure to use the Distribution Archive for the same variant that is already installed.
  • Virtual Machine Template (.ova) [full, dconly]: This format is used to deploy a new virtual machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
  • Virtual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual machine, for example using Linux KVM (with libvirt/QEMU) or OpenStack.
  • Physical Hardware Installer (.iso) [full, dconly]: This format is used to install FMOS on a physical machine.
  • Azure Virtual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual Machine Image in Windows Azure.
  • AWS Virtual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon Machine Image in Amazon Web Services.

Default Update Channel Source

Previously, an update source was the URL of a Yum package repository or the path to a block device or file system image containing a Yum package repository. Now, an update source is a path or URL to an FMOS Distribution Archive.

By default, FMOS will automatically fetch updates from the FireMon User Center, if possible. If a new version of FMOS is available on the User Center, it will be downloaded and used. If multiple versions are available, the one selected is determined by the fmos_update_channel System Configuration Variable. Machines using the latest channel (the default) will always fetch the most recent version from the User Center. Machines using the stable channel will only fetch updates that are marked as stable.

For machines that cannot access the FireMon User Center directly, a distribution archive can be provided manually. This is also useful for updating to a version of FMOS that is not currently available in the User Center.

Using the Command Line

To update an FMOS system using the command line, either via SSH or the local console, use the fmos update command. Without any arguments, the command will use the default update channel source, automatically fetching the distribution archive. Additionally, the fmos update command can take a single positional argument, which refers to the distribution archive to use as the update channel source. The distribution archive can be located on the local file system or on a remote HTTP server. To specify a remote location, pass its URL as the source argument.

The fmos update command will, by default, no longer allow an update to be installed if it is older (by date or by version) than the currently installed image.

For example, to use the default source:

fmos update

Alternatively, using a distribution archive on the local file system:

fmos update /var/tmp/FMOS-2023.1.0.x86_64.tar.gpg

Or using a remote file:

fmos update https://example.com/fmos/FMOS-2023.1.0.x86_64.tar.gpg

When a URL is specified, the remote file will be downloaded to a temporary location on the local machine, and removed when the update process is complete.
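
The following pre-flight check is an added example, not part of FMOS or FireMon tooling. It vets a source argument before it is handed to fmos update. It assumes the file name pattern FMOS-<version>.<arch>.tar.gpg seen in the examples above, takes the installed version as an operator-supplied argument, and treats refusing plain http:// URLs as a local policy choice. It compares versions only, not build dates, so the check built into fmos update remains authoritative.

```shell
#!/bin/sh
# Added example: pre-flight check for an FMOS update source.
# Assumptions: file names follow FMOS-<version>.<arch>.tar.gpg (inferred from
# the page's examples); the installed version is passed in by the operator.

# ver_lt A B: succeed when dotted numeric version A is strictly older than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# check_fmos_source SOURCE INSTALLED_VERSION
# Prints "ok: <version>" and returns 0, or prints a reason and returns 1.
check_fmos_source() {
    src=$1 installed=$2
    case $src in
        https://*) ;;
        # Local policy (assumption): do not fetch updates over cleartext HTTP.
        http://*) echo "refuse: plain HTTP source"; return 1 ;;
        *://*)    echo "refuse: unsupported URL scheme"; return 1 ;;
        /*)       [ -r "$src" ] || { echo "refuse: file not readable"; return 1; } ;;
        *)        echo "refuse: use an absolute path or a URL"; return 1 ;;
    esac
    name=${src##*/}
    case $name in
        FMOS-*.tar.gpg) ;;   # only distribution archives can update a system
        *) echo "refuse: not a .tar.gpg distribution archive"; return 1 ;;
    esac
    rest=${name#FMOS-}; rest=${rest%.tar.gpg}   # e.g. 2023.1.0.x86_64
    ver=${rest%.*}                               # drop the architecture suffix
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo "refuse: cannot parse version"; return 1 ;;
    esac
    if ver_lt "$ver" "$installed"; then
        echo "refuse: $ver is older than installed $installed"; return 1
    fi
    echo "ok: $ver"
}

# Usage: check_fmos_source /var/tmp/FMOS-2023.1.0.x86_64.tar.gpg 2022.4.1 && fmos update /var/tmp/FMOS-2023.1.0.x86_64.tar.gpg
```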

Reboot Required

After an FMOS update is installed, the appliance must be rebooted in order for it to take effect. The new software will not be used until the appliance has been rebooted.

When the appliance is first rebooted after installing an update, the FMOS Configuration Policy is applied in the background. During this process, some services provided by the appliance may not be available. For FMOS appliances that hold the AS role, it can take several minutes or hours before the process completes, depending on the amount of data.

The FMOS Health System will report the status of services on the appliance and the deployment process. The fmos health command or the FMOS Control Panel browser application can be used to view the health of the system.