Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSIEM Discussions
- Fortinet Community
- Community Groups
- FortiSIEM
- Discussions
- Re: FortiSIEM ClickHouse Deployment Architecture: ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiSIEM ClickHouse Deployment Architecture: Supervisor and Worker Node Configuration
We are planning a FortiSIEM ClickHouse deployment with an expected EPS of 15,000, using the following architecture:
1 Supervisor Node (without a dedicated data disk — i.e., no Disk 5)
1 Worker Node (with a data disk, intended to store all event data)
We have a few queries regarding this setup:
Is it possible to install the Supervisor without a data disk, considering that all data will reside on the Worker and the Supervisor will function solely as a Keeper node?
Can we configure the Worker with both “Data” and “Query” roles enabled, and create a ClickHouse cluster with a single shard and one replica without supervisor ?
Could you please recommend the most suitable and supported architecture for this 1 Supervisor + 1 Worker node setup?
@Secusaurus @Anthony_E could you please help here
Solved! Go to Solution.
Labels:
- Labels:
-
Architecture
-
FortiSIEM
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gauravpawar,
For official statements, please follow the official sizing guide: https://docs.fortinet.com/document/fortisiem/7.4.0/sizing-guide-clickhouse/965243/fortisiem-sizing-g...
In my experience, setting up the supervisor without data disk does not work, since you need to have a data disk for initial deployment and lateron for the keeper storage. You cannot connect workers before the initial deployment, therefore the initial ClickHouse setup will use the Supervisor as first node. After going through the full setup, you might probably be able to reduce the disk size - but as far as I understand, still, the defined ClickHouse disk must be available for Keeper activities.
But leaving the fact aside that you will need a (small) disk, you can configure the system to store the data entirely on the Worker(s) and let the Supervisor only be Keeper. This is a very common setup.
One of the main benefits of using Workers is redundancy and data backups as the same data exists on multiple Workers. So, in my opinion, using a single Worker does not really improve the setup compared to a All-In-One deployment. Yes, if you use separate hardware, you can reduce load on the Supervisor. But for 15,000 EPS, the load is not too high that splitting is vital.
Best,
Christian
FCX #003451 | Fortinet Advanced Partner
FCX #003451 | Fortinet Advanced Partner
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gauravpawar,
For official statements, please follow the official sizing guide: https://docs.fortinet.com/document/fortisiem/7.4.0/sizing-guide-clickhouse/965243/fortisiem-sizing-g...
In my experience, setting up the supervisor without data disk does not work, since you need to have a data disk for initial deployment and lateron for the keeper storage. You cannot connect workers before the initial deployment, therefore the initial ClickHouse setup will use the Supervisor as first node. After going through the full setup, you might probably be able to reduce the disk size - but as far as I understand, still, the defined ClickHouse disk must be available for Keeper activities.
But leaving the fact aside that you will need a (small) disk, you can configure the system to store the data entirely on the Worker(s) and let the Supervisor only be Keeper. This is a very common setup.
One of the main benefits of using Workers is redundancy and data backups as the same data exists on multiple Workers. So, in my opinion, using a single Worker does not really improve the setup compared to a All-In-One deployment. Yes, if you use separate hardware, you can reduce load on the Supervisor. But for 15,000 EPS, the load is not too high that splitting is vital.
Best,
Christian
FCX #003451 | Fortinet Advanced Partner
FCX #003451 | Fortinet Advanced Partner
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Christian
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiSIEM
166 -
Parsers
7 -
Rules
5 -
ClickHouse
4 -
fortisiem v7.2.0
4 -
FortiSIEM v6.x
4 -
integration
4 -
API
4 -
Agent Linux
3 -
database
3 -
Agent
3 -
FortiSIEM Cloud
3 -
Collector
3 -
External System Integration
3 -
FortiGate
3 -
watchlist
2 -
FortiAnalyzer
2 -
Collector Agent
2 -
Source Code
2 -
lookuptables
2 -
FortiSiem 7.1
2 -
Supervisor
2 -
SAML
2 -
CMDB
2 -
Analytics & Reporting
2 -
GUI
2 -
Incidents
2 -
Rocky Linux 8
1 -
eventdb
1 -
Impact
1 -
Redhat 8
1 -
OPManager
1 -
Oracle Linux 8
1 -
Alma Linux 8
1 -
"FortiSIEM Incidents"
1 -
lookups
1 -
o
1 -
CMMC
1 -
Audit
1 -
RBAC
1 -
User Control
1 -
Audit log
1 -
Reference Files
1 -
Hi
1 -
cisco wsa
1 -
Partnership Inquiry
1 -
Reference Material
1 -
FortiClient
1 -
FortiAuthenticator v5.5
1 -
FortiSIEM HW
1 -
upgrade
1 -
IPsec
1 -
Migration
1 -
External Connectors
1 -
LDAP
1 -
Report
1 -
Microsoft Office365
1 -
Azure
1 -
Cisco
1 -
discovery
1 -
Windows Defender
1 -
Report-Rules-Dashboards
1 -
Notifications
1 -
Expressions
1 -
Architecture
1 -
FortiSASE
1 -
Status
1 -
MySQL
1 -
Internet service database
1 -
Dashboard
1 -
Usage
1 -
Certificate
1 -
enrichement
1
Top Kudoed Authors
| User | Count |
|---|---|
| 72 | |
| 25 | |
| 15 | |
| 10 | |
| 10 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.