FortiSIEM - Sizing Guide

Version 6.1.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

09/02/2020
FortiSIEM 6.1.1 Sizing Guide
 TABLE OF CONTENTS

Change Log 4
FortiSIEM Sizing Information 5
Minimum Requirements 5
Internal Scalability Tests 6
Test Setup 6
Test Success Criteria 6
Hardware Appliance EPS Test 7
Virtual Appliance EPS Test with FortiSIEM Event Database 7
Virtual Appliance EPS Test with Elasticsearch Database 8
Recommended Sizing for FortiSIEM Event DB Based Deployment 9
Processing Requirement 9
Storage Requirement for FortiSIEM EventDB 10
Recommended Sizing for Elasticsearch Based Deployment 11
Processing Requirement 12
Storage Requirement for Elasticsearch 12

FortiSIEM 6.1.1 Sizing Guide 3

Fortinet Technologies Inc.
Change Log

Date Change Description

03/30/2018 Initial release of FortiSIEM Sizing Guide.

04/12/2018 Revision 2 with updates to Storage Requirements for FortiSIEM EventDB and
Elasticsearch Data Nodes sections.

11/20/2019 Sizing Guide released for 5.2.6.

03/30/2020 Sizing Guide release for 5.3.0

09/08/2020 Sizing Guide release for 6.1.0

FortiSIEM 6.1.1 Sizing Guide 4

Fortinet Technologies Inc.
FortiSIEM Sizing Information

This document provides information about the following topics:

l Minimum Requirements
l Internal Scalability Tests
l Hardware Appliance EPS Test
l Virtual Appliance EPS Test with FortiSIEM Event Database
l Virtual Appliance EPS Test with Elasticsearch Database
l Recommended Sizing for FortiSIEM Event DB Based Deployment
l Recommended Sizing for Elasticsearch Based Deployment

Minimum Requirements

Browser Display

FortiSIEM, like most monitoring, SIEM and analytics tools, shows a lot of information on the screen at once. FortiSIEM
HTML GUI has chosen a bigger font for legibility reasons. Hence, we recommend that users have a minimum
1680x1050 desktop display resolution.

Hardware

Minimum hardware requirements for FortiSIEM nodes are as follows.

Node vCPU RAM Local Disks

Supervisor (All Minimum – 16 Minimum OS – 25GB

in one) Recommended - 32 l without UEBA – 24GB OPT – 100GB
l with UEBA - 64GB CMDB – 60GB
Recommended SVN – 60GB
l without UEBA – 32GB
Local Event database – based on
l with UEBA - 64GB
need

Supervisor Minimum – 16 Minimum OS – 25GB

(Cluster) Recommended - 32 l without UEBA – 24GB OPT – 100GB
l with UEBA - 64GB CMDB – 60GB
Recommended SVN – 60GB
l without UEBA – 32GB
l with UEBA - 64GB

Workers Minimum – 8 Minimum – 16GB OS – 25GB

Recommended - 8 Recommended – 24GB OPT – 100GB

FortiSIEM 6.1.1 Sizing Guide 5

Fortinet Technologies Inc.
 FortiSIEM Sizing Information

Node vCPU RAM Local Disks

Collector Minimum – 4 Minimum – 4GB OS – 25GB

Recommended – 8 ( based Recommended – 8GB OPT – 100GB
on load)

l Supervisor VA needs more memory since it hosts many heavy-duty components such as Application Server (Java),
PostGreSQL Database Server and Rule Master.
l With Elasticsearch, Supervisor VA also hosts the Java Query Server component for communicating with
Elasticsearch – hence the need for additional 8 GB memory.
Note that these are only the minimum requirements. The performance may improve by increasing vCPUs and RAM in
certain situations. External storage depends on your EPS mix and the number of days of log storage needs. To provide
more meaningful guidance, scalability tests were conducted as described below.

Internal Scalability Tests

FortiSIEM team performed several scalability tests described below.

Test Setup

l A specific set of events were sent repeatedly to achieve the target EPS.
l The target EPS was constant over time.
l A set of Linux servers were monitored via SNMP and performance monitoring data was collected.
l Events triggered many incidents.

Test Success Criteria

The following success criteria should be met on testing:

l Incoming EPS must be sustained without any event loss.
l Summary dashboards should be up to date and not fall behind.
l Widget dashboards should show data indicating that inline reporting is keeping up.
l Incidents should be up to date.
l Real-time search should show current data and trend chart should reflect incoming EPS.
l GUI navigation should be smooth.
l CPU, memory and IOPS are not maxed out. Load average must be less than the number of cores.
The tests were run for three cases:
l All-in-one FSM Hardware Appliance: FSM-2000F and FSM-3500F with collectors FSM-500F sending events.
l FSM Virtual Appliance with FortiSIEM EventDB as the data store.
l FSM Virtual Appliance with Elasticsearch as the data store.

FortiSIEM 6.1.1 Sizing Guide 6

Fortinet Technologies Inc.
FortiSIEM Sizing Information

Hardware Appliance EPS Test

The test beds were as follows:

The results are shown below:

Event Sender

FortiSIEM HW Collector Model Count EPS/Collector Sustained

Appliance EPS
without
Loss

FSM-2000F FSM-500F 3 5K 15K

FSM-3500F FSM-500F 4 8K 30K

Virtual Appliance EPS Test with FortiSIEM Event Database

All tests were done in AWS. The following hardware was used.

Type AWS Instance Type Hardware Spec

Collector c4.xlarge 4vCPU, 7 GB RAM

Worker c4.2xlarge 8vCPU, 15 GB RAM

Super m4.4xlarge 16vCPU, 64 GB RAM, CMDB Disk 10K IOPS

NFS Server c4.2xlarge 8vCPU, 16 GB RAM, 10K IOPS

The test bed is as follows:

FortiSIEM 6.1.1 Sizing Guide 7

Fortinet Technologies Inc.
FortiSIEM Sizing Information

The following result shows 10K EPS sustained per Worker with over 20K CMDB Devices.

Event Sender Event Handler

Collector EPS/Collector Monitored Super Workers Orgs CMDB Sustained

Count Device/Collector Device EPS without
Loss

150 200 150 1 3 150 22,500 30K

Virtual Appliance EPS Test with Elasticsearch Database

All tests were done in AWS. The following hardware was used.

Type AWS Instance Hardware Spec

Type

Collector c4.xlarge 4vCPU, 7 GB RAM

Worker c4.2xlarge 8vCPU, 15 GB RAM

Super m4.4xlarge 16vCPU, 64 GB RAM, CMDB Disk 10K IOPS

Elastic Search Master Node c3.2xlarge 8vCPU, 16 GB RAM with 8 GB JVM

Elastic Search Coordinating m5.4xlarge 16vCPU, 64 GB RAM with 30 GB JVM allocation

Node

Elastic Search Data Node i3.4xlarge 16vCPU, 122 GB RAM, 1.9TBx2 NVMe SSD Instance-store
Volumes, 30 GB JVM

The test bed was as follows:

FortiSIEM 6.1.1 Sizing Guide 8

Fortinet Technologies Inc.
 FortiSIEM Sizing Information

The following result shows 5K EPS sustained per Data Node with over 20K CMDB Devices.

Event Sender Event Handler

Collector EPS/ Monitored Super Workers Elastic Orgs CMDB Sustained

Count Collector Device/ (M/CO/DN/ Device EPS without
Collector Shards)* Loss

150 200 150 1 3 1/1/5/10 150 22,500 30K

* M = Elasticsearch Master, CO = Elasticsearch Co-ordinator, DN = Elasticsearch Data Node

Recommended Sizing for FortiSIEM Event DB Based Deployment

Processing Requirement

Requirement Recommendation

EPS Deployment HW Model SW Configuration

Nodes HW Per Node NFS IOPS

(vCPU, RAM)

Up to 5K Hardware FSM-2000F

Up to 5K Software All-in-one 16,24GB

5K – 10K Hardware FSM-2000F

FortiSIEM 6.1.1 Sizing Guide 9

Fortinet Technologies Inc.
 FortiSIEM Sizing Information

Requirement Recommendation

EPS Deployment HW Model SW Configuration

Nodes HW Per Node NFS IOPS

(vCPU, RAM)

5K – 10K Software Supervisor 16,24GB

1 Worker 8,16GB 2000

10K – 15K Hardware FSM-3500F

10K – 15K Software Supervisor 16,24GB

2 Workers 8,16GB 3000

15K – 25K Hardware FSM-3500F

15K – 25K Software Supervisor 16,24GB

3 Workers 16,16GB 5000

25K – 35K Software Supervisor 16,24GB

4 Workers 16,16GB 7000

Add 10K EPS Software Add 1 16,16GB Add 2000 IOPS

Worker

Storage Requirement for FortiSIEM EventDB

FortiSIEM storage requirement depends on three factors:

l EPS
l Bytes/log mix in your environment
l Compression ratio (8:1)
You are likely licensed for Peak EPS. Typically, EPS peaks during morning hours on weekdays and goes down
dramatically after 2 pm on weekdays and also remains low on weekends. So the average EPS should be used to
calculate storage needs.
For calculating Bytes/log, consider the following aspects:
l Network devices and Linux servers tend to send shorter logs (150-200 bytes/log) while Windows Security logs tend
to be much larger (500-1000 bytes/log).
l Busy corporate firewalls and domain controllers tend to send much higher log volumes (higher EPS) than other
systems, assuming they are sending all logs.
l Database indices built on logs for efficient searching consumes significant storage as well.
l ASCII text (syslog) compresses much better than binary (for example, Netflow)
Therefore, it is difficult to properly assume a specific Bytes/log mix in your environment without measurement. Our
experience from sampling of 5 large customers has shown that Bytes/log is between 100-150 including all factors –
device mix, log mix, indexing cost and compression. We calculated this by dividing the total FortiSIEM event file size (in
\data) over one day by the total number of events on that day, and then averaging over a few days.

FortiSIEM 6.1.1 Sizing Guide 10

Fortinet Technologies Inc.
FortiSIEM Sizing Information

It is important to provision the NFS server with enough IOPS and network bandwidth for read and write of event data
and where possible cater for peaks in EPS. It is recommended that NFS is provisioned with 10Gbit interfaces or higher
and the FortiSIEM Super and Worker nodes to also be provisioned with 10Gbit interfaces to the NFS storage network.
The table below shows two scenarios – Worst case and Average case for NFS storage. In Worst case, Peak EPS and
150 Bytes/log is used. In the Average case, 0.5 Peak EPS and 100 Bytes/log is used.

Peak EPS Storage (Months) NFS Storage (TB)*

Worst case Average case

1000 12 5 1.66

1000 24 9 3

1000 36 14 4.66

2000 12 9 3

2000 24 19 6.33

2000 36 28 9.33

5000 12 23 7.66

5000 24 47 15.66

5000 36 70 23.33

10000 12 47 15.66

10000 24 93 31

10000 36 140 46.66

NFS Storage (TB):

l Worst case = (Peak EPS*150*86400*30*Storage(Months))/10^12
l Average case = (0.5*Peak EPS*100*86400*30*Storage(Months))/10^12

Recommended Sizing for Elasticsearch Based Deployment

Adding or moving shards is easy but splitting is not possible. Plan ahead for shard sizing is
very important.

FortiSIEM 6.1.1 Sizing Guide 11

Fortinet Technologies Inc.
 FortiSIEM Sizing Information

Processing Requirement

Requirement Recommendation

EPS ES Configuration Hardware per Elastic JVM Shards Replica

node (vCPU, RAM
RAM)

Up to 1K - without All-in-one (8,16GB) 8GB 5 0

Replica

Up to 1K - with Replica 3 node cluster (8,16GB) 8GB 5 1

1K-5K - with Replica 3 node cluster (8,64GB) 30GB 5 1

5K-10K - with Replica Coordinating and Master (8,32GB) 16GB

Node

3 Data Nodes (8,64GB) 30GB 5 1

10K-15K - with Replica Coordinating Node (16,32GB) 16GB

Master Node (8,16GB) 8GB

3 Data Nodes (16,64GB) 30GB 10 1

15K-25K - with Replica Coordinating Node (16,64GB) 30GB

Master Node (8,16GB) 8GB

5 Data Nodes (16,64GB) 30GB 15 1

25K-35K - with Replica Coordinating Node (16,64GB) 30GB

Master Node (8,16GB) 8GB

7 Data Nodes (16,64GB) 30GB 20 1

35K-45K - with Replica Coordinating Node (16,64GB) 30GB

Master Node (8,16GB) 8GB

9 Data Nodes (16,64GB) 30GB 25 1

Add 5K EPS - with Add 1 Data Node (16,64GB) 30GB Add 3 1

Replica Shards

Storage Requirement for Elasticsearch

Elasticsearch consumes more storage than NFS because it indexes the data more heavily than FortiSIEM event
database.
FortiSIEM Elasticsearch storage requirement depends on two factors:
l EPS
l Bytes/log mix in your environment

FortiSIEM 6.1.1 Sizing Guide 12

Fortinet Technologies Inc.
FortiSIEM Sizing Information

You are likely licensed for Peak EPS. Typically, EPS peaks during morning hours on weekdays and goes down
dramatically after 2 pm on weekdays and also remains low on weekends. So the average EPS should be used to
calculate storage needs.
For calculating Bytes/log, consider the following aspects:
l Network devices and Linux servers tend to send shorter logs (150-200 bytes/log) while Windows Security logs tend
to be much larger (500-1000 bytes/log).
l Busy corporate firewalls and domain controllers tend to send much higher log volumes (higher EPS) than other
systems, assuming they are sending all logs.
l Database indices built on logs for efficient searching consumes significant storage as well.
l ASCII text (syslog) compresses much better than binary (for example, Netflow)
Therefore, it is difficult to properly assume a specific Bytes/log mix in your environment without measurement. Our
internal scalability test environment shows Bytes/log is around 1000 including all factors – device mix, log mix, indexing
cost and compression. We calculated this by dividing the total Elasticsearch database file size (in \data) over one day by
the total number of events on that day, and then averaging over a few days.
The table below shows two scenarios – Worst case and Average case for Storage/Cluster. In Worst case, Peak EPS and
1000 Bytes/log is used. In the average case, 0.5 Peak EPS is used. As we gather experience with more customers, we
will publish average Bytes/log and update the Average storage requirements.

Peak EPS Replica Storage (Months) Storage/Cluster (TB)

Worst case Average case

1000 0 12 31 15.5

1000 1 12 62 31

2000 1 12 124 62

5000 1 12 311 155.5

10000 1 6 311 155.5

15000 1 6 467 233.5

25000 1 3 389 194.5

50000 1 3 778 389

Storage per Cluster (TB):

l Worst case = (Peak EPS*1000*86400*Storage(Month)*30*(Replica+1))/10^12
l Average case = (0.5*Peak EPS*1000*86400*Storage(Month)*30*(Replica+1))/10^12

FortiSIEM 6.1.1 Sizing Guide 13

Fortinet Technologies Inc.
Copyright© (Undefined variable: FortinetVariables.Copyright Year) Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other
marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of
Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests
under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a
binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment
related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.