Mikael_A
New Contributor II

Fortianalyzer VM Sizing (Information)

Hello all!

Since Fortinet does not provide a sizing guide or anything good for choosing a good base for the VM, I'll provide some details as well as benchmarks for our new VM host that will act as an Analyzer, in the hope that it might help someone.

@Fortinet: You should REALLY start to provide some information for sizing the VM host. We can't even look at the appliances as you do not provide any detail there either.

 

 

So, the host has the following important hardware:

Xeon E5 v3 2630 (8C/16T)

32GB Mem (Cheap so why not)

6x 800GB Intel S3510DC (Important) in RAID 5.

LSI MegaRAID 9361

 

So, why the hardware?

Well, during testing I saw that the FAZ used a lot of CPU, probably for decompressing log data when generating reports. So, it loves cores and I think that a minimum should be 6C/12T even if you go for few devices in your FAZ. I ordered an E5 v3 2620 (6C/12T) but got a better one for free.

 

32GB RAM was cheap, no need to take less. During testing I've found that FAZ does not use much memory.

 

The discs. During testing I've seen that it reads data sequentially and probably if any random read occurs it does so with a higher queue depth. Important thing is to select DC drives for features such as surge protection etc. The S3510 is good for 0.3 DW/D and should suit well with the intended usage. I've set it with roughly 10% over-provisioning to always have maximum performance.

 

Initial benchmarks show a report being generated in 16min with peaks of 60% I/O translated into 1.5GB/s of data transfer. Average during the report was 10-20%.

The same report took 2-3 days on a FAZ 400C.

 

This also means that this setup is scalable as we can add more discs as needed. Performance will scale up with every added disc in RAID 5.

 

Used the OVF template from Fortinet. No guide on the sizing of the smaller disc. Set it to 20GB, hope that will never become an issue. The bigger one was put to roughly 3TB.

 

If you have any questions, feel free to post below.

 

Hope this helps someone.

ergotherego
Contributor II

Thanks for sharing this info, as I am looking at building a new FAZ myself and curious what specs to use.

 

How many devices do you have reporting to your FAZ?

Are all devices sending all logs to the FAZ? Or are you sending event stuff to syslog, and just traffic info to the FAZ?

Mikael_A

Hello!

We currently have 242 devices sending all data to the FAZ. Also, we've added additional discs to increase the size.

Currently reporting is done really fast and it's still working great.

The system is mostly running on 2-8% CPU and we've downscaled the memory to 24GB for this VM. Running on 20% memory usage.

 

/Mikael

Aidar
New Contributor

It is not clear about the processor.

Am I right in understanding that performance increased after you changed E5-2630V3 to E-2620v3 (it sounds strange)?

Or did you change from 1xE5-2630V3 to 2x2620v3?

 

I agree that SSD helps to increase performance; I hope PCIe SSD will increase it much more.

 

 

Mikael_A
New Contributor II

Ordered:  E5 v3 2620

Received: Xeon E5 v3 2630

 

More cores = better performance since FAZ spawns a lot of threads when working with the database.

Frosty

Very helpful info, thanks.  Can I ask about the server?

What hypervisor are you running?  ESXi v?  (free version, or ?)

Mikael_A
New Contributor II

Sure, it is running on ESXi 6.0 (not upgraded to 6.5 yet). Essential license.

The host is running as version v11 (7 is default when installing).

 

/Mikael

emnoc
Esteemed Contributor III

We also found out during a recent upgrade that FTNT ups the minimum vCPU and vMEM in order to run the latest FAZ version.

 

PCNSE NSE StrongSwan
chall_FTNT

Emnoc,

You are right about changes to defaults in more recent firmware though it should not impact an upgrade.

In FAZ & FMG 5.4.3 & 5.6.0, the default configuration for a new install from OVF file was changed to 2 CPU and 4GB memory. 

 

This better aligns with the minimum recommendation as outlined in the VM install guides but is actually a compromise between FAZ & FMG.

 

FMG minimum (per FMG VM install guide): 1 CPU 4G RAM (5.4); 2 CPU 4G RAM (5.6)

FAZ minimum  (per FAZ VM install guide): 2 CPU 8G RAM (5.4 & 5.6)

 

So in the case of FortiAnalyzer, you should increase memory to 8G RAM (above the default).  And depending on device count or log volume, you may need considerably more CPU & memory.

Chris Hall
Fortinet Technical Support
emnoc
Esteemed Contributor III

Thanks

 

I recall seeing some documentation buried somewhere that suggests 2 gigs of RAM per CPU or something to that effect as the bare bones. Does FTNT have any similar wording for best tips/practices for the FAZ? Similar to the FMG

 

e.g.

http://kb.fortinet.com/kb/viewContent.do?externalId=FD34549

 

 

 

 

PCNSE NSE StrongSwan