ADOMs, sizing, log storage, scaling, and enforcement
FortiAnalyzer is the central log correlation engine for many Fortinet technologies, including SD-Branch (FortiGate, FortiSwitch, FortiAP), FortiClient, FortiSandbox, FortiMail, and others. Each of these components sends its logs to FortiAnalyzer, which acts as a centralized intelligence center. FortiAnalyzer is responsible for log indexing (online, analytic logs) and archival (compressed logs), and both can be configured on a per-customer (ADOM) basis.
When deploying a multitenant FortiAnalyzer, MSPs should standardize on a maximum log analytics period (60 days in the example below) and a maximum archival period (365 days in the example below) for each ADOM. Because FortiAnalyzer is licensed on GB of logs per day (a system-wide limit) and on the number of ADOMs (when using the FortiAnalyzer subscription license), this standardization lets the MSP determine the maximum number of customer tenants the shared platform can accommodate.
The MSP should also factor in the maximum recommended number of ADOMs for the deployed license and the minimum server specification. FortiAnalyzer minimum system requirements are available at docs.fortinet.com.
The above image shows the creation of an ADOM called MSP_SD-Branch_CustomerA, where parameters such as analytics, log archival, and disk space are defined on a per-customer basis.
When standardizing on a multitenant platform, the MSP should ensure the parameters detailed above are then written into the overall service level agreement between MSP and end-customer.
This standardization ensures platform sizing and scalability are tested and documented, and avoids situations where a non-standard customer impacts the other tenants on the shared platform. For example, imagine a shared FortiAnalyzer where one tenant (ADOM) manages a 20-site SD-WAN deployment. Each branch site serves 20 concurrent users, which is representative of a typical customer on the multitenant platform. Now suppose a non-standard customer requires a 2,000-branch SD-WAN solution, with each branch serving 100 concurrent users. That customer would consume a disproportionate share of the shared platform's resources, causing performance bottlenecks for the remaining tenants. Consequently, such a large tenant should be classified as non-standard and not placed on the shared platform.
FortiAnalyzer storage is sized on two kinds of logs: analytic and archival. Analytic logs are indexed and uncompressed, active, and available for querying through FortiView and reporting; they are sized at 400 bytes per log. Archived (compressed) logs are offline and sized at 40 bytes per log. These two per-log sizes, combined with each ADOM's retention periods, should therefore be applied in one common equation across all ADOMs when sizing the multitenant FortiAnalyzer.
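The following is an added worked example of that common sizing equation; it is not Fortinet's FNDN sizing tool or any Fortinet code. Only the 400-byte analytic and 40-byte archive log sizes and the 60-day/365-day retention defaults come from this page. The tenant profiles (mirroring the 20-site/20-user standard tenant and the 2,000-site/100-user outlier described above), the per-user log rate, the license figures, the use of decimal gigabytes for license math, the assumption that the GB/day license metric is measured at analytic log size, and the 10% single-tenant share threshold used to flag a non-standard tenant are all constructed assumptions.

```python
"""Worked FortiAnalyzer multitenant sizing calculation.

Added example for this page; it is not Fortinet's FNDN sizing tool. The two
per-log sizes (400 bytes analytic, 40 bytes archive) and the 60/365-day
retention defaults come from the page. Tenant profiles, per-user log rates,
license figures and the single-tenant share threshold are constructed
assumptions for illustration.
"""

ANALYTIC_BYTES_PER_LOG = 400      # indexed, uncompressed (from the page)
ARCHIVE_BYTES_PER_LOG = 40        # compressed, offline (from the page)
SECONDS_PER_DAY = 86_400
GB = 10**9                        # assumption: license GB are decimal
LOGS_PER_USER_PER_SECOND = 0.05   # assumption: constructed average per user

# Constructed tenant profiles mirroring the page's scenario: a typical
# 20-site / 20-user tenant and a 2,000-site / 100-user outlier.
SAMPLE_TENANTS = [
    {"adom": "MSP_SD-Branch_CustomerA", "sites": 20, "users_per_site": 20},
    {"adom": "MSP_SD-Branch_CustomerB", "sites": 2000, "users_per_site": 100},
]


def estimate_logs_per_second(sites, users_per_site,
                             per_user_rate=LOGS_PER_USER_PER_SECOND):
    """Rough log rate for a tenant from its user count (assumed linear)."""
    return round(sites * users_per_site * per_user_rate)


def adom_storage_bytes(logs_per_second, analytics_days=60, archive_days=365):
    """Steady-state storage one ADOM needs for its retention settings.

    The analytic (indexed) copy and the archive (compressed) copy are kept
    under separate retention windows, so each is sized over its own window
    and the two are summed.
    """
    logs_per_day = logs_per_second * SECONDS_PER_DAY
    analytics = logs_per_day * analytics_days * ANALYTIC_BYTES_PER_LOG
    archive = logs_per_day * archive_days * ARCHIVE_BYTES_PER_LOG
    return {
        "logs_per_day": logs_per_day,
        # assumption: the GB/day license metric is measured at analytic size
        "daily_ingest_bytes": logs_per_day * ANALYTIC_BYTES_PER_LOG,
        "analytics_bytes": analytics,
        "archive_bytes": archive,
        "total_bytes": analytics + archive,
    }


def plan_platform(tenants, license_gb_per_day, max_adoms,
                  standard_sites=20, standard_users_per_site=20,
                  max_tenant_share=0.10, analytics_days=60, archive_days=365):
    """Size every ADOM with one common equation and check the platform.

    Returns per-ADOM storage, total daily ingest against the GB/day license,
    how many *standard* tenants the license and ADOM count allow, and which
    tenants should be treated as non-standard because one of them alone
    would consume more than max_tenant_share of the licensed daily volume
    (assumed threshold).
    """
    license_bytes_per_day = license_gb_per_day * GB
    standard = adom_storage_bytes(
        estimate_logs_per_second(standard_sites, standard_users_per_site),
        analytics_days, archive_days)
    by_license = license_bytes_per_day // standard["daily_ingest_bytes"]

    per_adom = {}
    total_ingest = 0
    non_standard = []
    for t in tenants:
        rate = estimate_logs_per_second(t["sites"], t["users_per_site"])
        sizing = adom_storage_bytes(rate, analytics_days, archive_days)
        per_adom[t["adom"]] = sizing
        total_ingest += sizing["daily_ingest_bytes"]
        if sizing["daily_ingest_bytes"] > max_tenant_share * license_bytes_per_day:
            non_standard.append(t["adom"])

    return {
        "per_adom": per_adom,
        "total_gb_per_day": total_ingest / GB,
        "license_exceeded": total_ingest > license_bytes_per_day,
        "max_standard_tenants": min(max_adoms, by_license),
        "non_standard": non_standard,
    }


if __name__ == "__main__":
    plan = plan_platform(SAMPLE_TENANTS, license_gb_per_day=100, max_adoms=200)
    for adom, s in plan["per_adom"].items():
        print(f"{adom}: analytics {s['analytics_bytes'] / GB:.1f} GB, "
              f"archive {s['archive_bytes'] / GB:.1f} GB, "
              f"ingest {s['daily_ingest_bytes'] / GB:.2f} GB/day")
    print("total GB/day:", round(plan["total_gb_per_day"], 2),
          "license exceeded:", plan["license_exceeded"])
    print("standard tenants supported:", plan["max_standard_tenants"])
    print("non-standard tenants:", plan["non_standard"])
```

With the constructed inputs, the standard 400-user tenant needs roughly 41.5 GB of analytic and 25.2 GB of archive storage and ingests about 0.69 GB/day, so a (constructed) 100 GB/day license supports 144 such tenants. The 2,000-site outlier alone would ingest around 346 GB/day, exceeding the whole license, which is exactly the case the text says should be kept off the shared platform; the MSP would write the standard profile and retention values into the SLA and treat anything flagged here as a separate engagement.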
Fortinet Partners have access to the FortiAnalyzer sizing tool hosted on Fortinet Developer Network (FNDN). It can aid in estimating logging rates inclusive of storage on a per-customer basis. The partner can use known logging rates or estimates based on known customer parameters, such as the number of users, sessions per second, and office hours. Furthermore, the sizing tool can also add layered security service logging, such as application control and web filtering, into the overall calculation.