FortiSIEM Reference Architecture Using ClickHouse

3rd Party Hypervisor

Deploying FortiSIEM virtual appliance images on 3rd party hypervisor platforms such as VMware ESXi, KVM, or Microsoft Hyper-V provides a flexible and scalable solution for most deployment scenarios, from a small all-in-one deployment to a large distributed system consisting of many Workers and Collectors.

Consider the following when designing a FortiSIEM virtual appliance solution on a 3rd party hypervisor:

  • Host resources and resilience features

  • Storage capacity and throughput

  • Scalability

  • Connectivity

The FortiSIEM cluster hardware requirements (CPU, memory and disk) must be met by the hypervisor. Resources should be dedicated to the FortiSIEM nodes, and not shared with other hypervisor guests. All storage should be enterprise grade. Hot storage should ideally be SSD.

FortiSIEM with ClickHouse stores event data on disks distributed across FortiSIEM nodes. Each data node in the cluster must have an additional high-performance disk allocated for event storage. The disk must be large enough to hold at least the mid-term storage requirement of the shard the node belongs to, since every replica in a shard holds a full copy of that shard's data. The storage architecture should be designed in a resilient and scalable way so that (1) VM disks can be grown to meet long-term storage needs, and (2) replicas of the same shard are not placed on the same physical host, datastore or disk group, so that the failure of a single hardware component cannot destroy every copy of that data.
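The following is an added example illustrating the two storage design points above; it is not Fortinet's code or a documented FortiSIEM sizing formula. The sizing inputs (EPS, average event size, retention, compression ratio, headroom) and the placement records are constructed placeholders, and the failure-domain check generalizes the point to both hypervisor host and datastore.

```python
"""Size the per-node ClickHouse event disk and check replica placement.

Added example, not part of the FortiSIEM documentation. All figures below
(EPS, event size, compression ratio, headroom, host/datastore names) are
assumptions for illustration, not documented FortiSIEM values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Replica:
    """One data node's membership in a shard and where its VM physically lives."""
    shard: int
    node: str
    host: str        # hypervisor host running the VM (assumed naming)
    datastore: str   # backing datastore / physical disk group (assumed naming)


def required_disk_gib(eps, avg_event_bytes, retention_days,
                      compression_ratio=5.0, headroom=1.3):
    """GiB of event data one node must hold for its shard over the retention period.

    Every replica keeps a full copy of the shard, so this is a per-node figure.
    compression_ratio and headroom are assumed tuning values, not FortiSIEM defaults.
    """
    raw_bytes = eps * avg_event_bytes * 86_400 * retention_days
    return raw_bytes / compression_ratio * headroom / 2 ** 30


def undersized_nodes(allocated_gib, required_gib):
    """Nodes whose allocated event disk is below the computed requirement."""
    return sorted(node for node, gib in allocated_gib.items() if gib < required_gib)


def shared_failure_domains(replicas):
    """Find replicas of the same shard that share a host or a datastore.

    Returns (shard, kind, domain, nodes) tuples; any entry means one hardware
    failure can take out every copy of that shard's data.
    """
    problems = []
    for kind in ("host", "datastore"):
        members = defaultdict(list)
        for r in replicas:
            members[(r.shard, getattr(r, kind))].append(r.node)
        for (shard, domain), nodes in sorted(members.items()):
            if len(nodes) > 1:
                problems.append((shard, kind, domain, tuple(nodes)))
    return problems


# Constructed sample cluster: two shards, two replicas each.
SAMPLE_REPLICAS = [
    Replica(shard=1, node="worker-1", host="esx-01", datastore="ds-ssd-a"),
    Replica(shard=1, node="worker-2", host="esx-02", datastore="ds-ssd-b"),
    Replica(shard=2, node="worker-3", host="esx-03", datastore="ds-ssd-c"),
    Replica(shard=2, node="worker-4", host="esx-03", datastore="ds-ssd-c"),  # bad
]

# Constructed disk allocations in GiB for the same nodes.
SAMPLE_ALLOCATIONS = {
    "worker-1": 2000, "worker-2": 2000, "worker-3": 1500, "worker-4": 2000,
}


def review_sample():
    """Run both checks against the constructed sample and return the findings."""
    need = required_disk_gib(eps=5000, avg_event_bytes=500, retention_days=30)
    return {
        "required_gib": round(need),
        "undersized": undersized_nodes(SAMPLE_ALLOCATIONS, need),
        "shared_domains": shared_failure_domains(SAMPLE_REPLICAS),
    }


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

With the sample inputs the sizing step reports roughly 1569 GiB per node, flags worker-3 as undersized, and flags shard 2 twice: both of its replicas sit on esx-03 and on ds-ssd-c, so a single host or datastore failure would lose the shard entirely. Replace the constants with your own EPS, retention and placement data before relying on the numbers.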

Remote site Collectors and remote FortiSIEM agents must have connectivity to the central cluster. Consider the location of the hypervisor platform, the connectivity between the remote nodes and main cluster, and the organizational security policy, and ensure that the required connectivity will be permitted.
