Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSIEM Discussions
- Fortinet Community
- Community Groups
- FortiSIEM
- Discussions
- FortiSIEM ClickHouse Deployment Architecture
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiSIEM ClickHouse Deployment Architecture
Hello everyone,
I’m currently working on the design of a FortiSIEM deployment expected to handle 10,000 EPS, and I’d like to get some insights or recommendations from the community.
Planned architecture
1 Supervisor
1 Worker
Collectors at each site (multiple sites)
ClickHouse for event storage
Before finalizing the architecture, I have a few questions about the design choices and database placement.
1. Architecture benefits
What are the main advantages of separating the Supervisor and Worker compared to using an all-in-one Supervisor setup (for a 10K EPS environment)?
Does it provide noticeable performance or scalability improvements in real-world deployments? or would be an all in one supervisor good enough (to optimize resources usage).
2. ClickHouse placement
Where should ClickHouse ideally be installed — on the Supervisor or on the Worker?
My initial preference is to host ClickHouse on the Worker to reduce load on the Supervisor, but I’d like to confirm if that’s a recommended or supported approach.
3. Installing ClickHouse on the Worker
If ClickHouse can (or should) reside on the Worker, how can I install and configure it there instead of the Supervisor?
If anyone has an official Fortinet KB or deployment guide covering this scenario, please share the reference.
I’d really appreciate feedback from anyone who has implemented or benchmarked a similar setup — especially around event storage design, deployment best practices, and operational lessons learned.
Thanks in advance for your help!
AEH.
AEH.
Labels:
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear @Secusaurus ,
Thanks a lot for your reponse . We have decided to go with the recommended fortinet architecture (1 super + 1 worker + collectors). My concern now is storage requirements. In the provided formulas by fortinet, i dont know if i should include the compression rate and what compression rate to include (since the administrator has no control over it) and this applies to the 2 replicas and the collector cache.
Your support would be appreciated on this matter.
Best regards.
AEH.
AEH.
- « Previous
-
- 1
- 2
- Next »
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiSIEM
179 -
Parsers
7 -
ClickHouse
5 -
fortisiem v7.2.0
5 -
Rules
5 -
FortiGate
4 -
FortiSIEM v6.x
4 -
integration
4 -
API
4 -
Collector
4 -
Agent Linux
3 -
Supervisor
3 -
database
3 -
Agent
3 -
FortiSIEM Cloud
3 -
External System Integration
3 -
FortiAnalyzer
2 -
watchlist
2 -
FortiSiem 7.1
2 -
Collector Agent
2 -
lookuptables
2 -
Source Code
2 -
SAML
2 -
Architecture
2 -
Analytics & Reporting
2 -
GUI
2 -
Incidents
2 -
CMDB
2 -
eventdb
1 -
o
1 -
Impact
1 -
Redhat 8
1 -
Rocky Linux 8
1 -
Oracle Linux 8
1 -
lookups
1 -
Alma Linux 8
1 -
"FortiSIEM Incidents"
1 -
CMMC
1 -
cisco wsa
1 -
Reference Files
1 -
OPManager
1 -
RBAC
1 -
User Control
1 -
Audit log
1 -
Hi
1 -
Partnership Inquiry
1 -
Audit
1 -
Reference Material
1 -
FortiClient
1 -
FortiAuthenticator v5.5
1 -
FortiSIEM HW
1 -
Upgrade
1 -
IPsec
1 -
Migration
1 -
External Connectors
1 -
LDAP
1 -
Report
1 -
Microsoft Office365
1 -
Azure
1 -
Cisco
1 -
discovery
1 -
Windows Defender
1 -
Report-Rules-Dashboards
1 -
Notifications
1 -
Expressions
1 -
FortiSASE
1 -
Status
1 -
Worker
1 -
MySQL
1 -
Internet service database
1 -
Dashboard
1 -
Usage
1 -
Certificate
1 -
enrichement
1
Top Kudoed Authors
| User | Count |
|---|---|
| 77 | |
| 25 | |
| 15 | |
| 10 | |
| 10 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.