Since Fortinet does not provide a sizing guide or anything good for choosing a good base for the VM, I´ll provide some details as well as benchmarks for our new VM host that will act as an Analyzer in hope that it might help someone.
@Fortinet: You should REALLY start to provide some information for sizing the VM host. We can´t even look at the appliances as you do not provide any detail there either.
So, the host has the following important hardware:
Xeon E5 v3 2630 (8C/16T)
32GB Mem (Cheap so why not)
6x 800GB Intel S3510DC (Important) in Raid 5.
LSI MegaRAID 9361
So, why the hardware?
Well, during testing I saw that the FAZ used alot of CPU, probably for decompressing log data when generating reports. So, it loves cores and I think that a minimum should be 6C/12T even if you go for few devices in your FAZ. I ordered a E5 v3 2620 (6C/12T) but got a better one for free.
32GB ram was cheap, no need to take less. During testing I´ve found that FAZ does not use much memory.
The discs. During testing I´ve seen that it reads data sequentially and probably if any random read occurs it does so with a higher queue dept. Important thing is to select DC drives for features such as surge protection etc. The S3510 is good for 0.3 DW/D and should suit well with the intended usage. I´ve set it with roughly 10% over provisioning to always have maximum performance.
Initial benchmarks show a report beeing genereated in 16min with peaks of 60% I/O translated into 1.5GB/s of data transfer. Average during the report was 10-20%.
The same report took 2-3 days on a FAZ 400C.
This also means that this setup is scalable as we can add more disc as needed. Performance will scale up with ever added disc in Raid 5.
Used the OVF template from Fortinet. No guide on the sizing of the smaller disc. Set it to 20GB, hope that will never become an issue. The bigger one was put to roughly 3TB.
If you have any questions, feel free to post below.
Hope this helps someone.