Hello FortiSOAR SMEs.
I am trying to implement enrichment of indicators in a time-bound manner; below are the use-case details.
FortiSOAR VM has below configuration.
FSR Version: v7.4.2 ENT License without any SME and Agents.
vCPU# : 16
RAM: 64GB
HA: Active / Active
Use-case - On-Create event triggered enrichment of 1000 indicators such as IPv4, URL, FQDN, SHA1, SHA256 and MD5 hashes within 30 minutes, where each indicator takes 2 minutes to get enriched by 3rd party threat intelligence platforms (VirusTotal, InfoBlox, etc.)
Below tunables are configured.
1. /etc/celery/celeryd.conf: CELERYD_OPTS="--concurrency=16"
   /var/lib/pgsql/12/data/postgresql.conf: shared_buffers = 2048MB
   /etc/elasticsearch/jvm.options.d/fsr.options: -Xms8g -Xmx8g
   "max connection" defaults to 200 in PostgreSQL.
2. The playbook where enrichment happens runs in parallel and asynchronously for each Indicator through the "On-Create" event trigger.
Observing error:
too many database connections
Batch processing is not an option as enrichment is triggered with the "On-Create" event in the Indicator module.
Kindly suggest a solution for this use case.
Created on ‎11-19-2023 10:02 PM
If there is enough memory and CPU available on the machine during the max workload, you could increase the PG max connections to 300.
Thanks.
But what is the number that defines "enough memory and CPU"?
Is there a specification available from benchmarking within a time limit and number of indicators for enrichment?
Use-case - On-Create event triggered enrichment of 1000 indicators such as IPv4, URL, FQDN, SHA1, SHA256 and MD5 hashes within 30 minutes, where each indicator takes 2 minutes to get enriched by 3rd party threat intelligence platforms (VirusTotal, InfoBlox, etc.)
Created on ‎11-19-2023 10:09 PM
Please check the output of the top command for memory in use and the CPU load average. These should be less than the max memory and the number of cores respectively. Then you can increase the max connections and monitor the CPU and memory usage again.
With the above brute-force approach of benchmarking at the customer end, it is extremely difficult to persuade the customer to run a benchmarking test. The customer asks for a benchmark and we do not have a specification. Your answer is not helpful.
Created on ‎11-19-2023 10:15 PM
For benchmarking, please refer to test run results at https://docs.fortinet.com/document/fortisoar/7.4.2/performance-benchmarking/989364/fortisoar-perform...
Created on ‎11-19-2023 10:35 PM Edited on ‎11-19-2023 10:38 PM
How to import the below sample playbook solution?
A zip file is not supported as an import while inside Automation >> Playbook >> Import.
Then, I tried to unzip it and then import info.json, which failed.
Then I tried to import through the configuration import wizard; that also failed.
Kindly reply - how to import this test playbook to further understand it.
Hello FortiSOAR SMEs,
Anyone out there to help me?
Hi,
We have updated the attachments, please check them now.
Thank You
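The headroom check suggested earlier in the thread (load average below the core count, memory in use below the maximum) can be scripted so it is sampled during the enrichment burst before PostgreSQL max connections is raised. This is an added example, not part of the thread or Fortinet's own tooling; the function names and the 80% memory ceiling are assumptions.

```shell
#!/bin/sh
# Added example: host headroom check before raising PostgreSQL max connections.
# MEM_USED_MAX_PCT is an assumed ceiling, not a Fortinet-published threshold.
MEM_USED_MAX_PCT=80

# headroom_ok LOAD1 CORES MEM_TOTAL_KB MEM_AVAIL_KB
# Returns 0 when the 1-minute load average is below the core count and
# memory in use is below MEM_USED_MAX_PCT; otherwise prints why and returns 1.
headroom_ok() {
    awk -v load="$1" -v cores="$2" -v total="$3" -v avail="$4" \
        -v maxpct="$MEM_USED_MAX_PCT" 'BEGIN {
        used_pct = (total - avail) * 100 / total
        if (load >= cores) {
            printf "load %.2f >= %d cores\n", load, cores; exit 1
        }
        if (used_pct >= maxpct) {
            printf "memory %.0f%% in use\n", used_pct; exit 1
        }
        printf "ok: load %.2f / %d cores, memory %.0f%% in use\n",
               load, cores, used_pct
    }'
}

# check_host: read the same figures that top summarises from /proc (Linux).
check_host() {
    load=$(cut -d' ' -f1 /proc/loadavg)
    cores=$(nproc)
    total=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    avail=$(awk '/^MemAvailable:/ {print $2}' /proc/meminfo)
    headroom_ok "$load" "$cores" "$total" "$avail"
}

# watch_peak SAMPLES INTERVAL_SECONDS: sample while the On-Create playbooks
# are running; stops at the first sample that shows no headroom.
watch_peak() {
    i=0
    while [ "$i" -lt "$1" ]; do
        check_host || return 1
        i=$((i + 1))
        sleep "$2"
    done
}
```

Run `watch_peak 30 10` on each node while indicators are being created; a non-zero return means the host is already saturated and raising max connections would add load it cannot absorb.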