
FortiSIEM Reference Architecture Using ClickHouse

FortiSIEM Hardware Appliances


FortiSIEM hardware appliances provide a Fortinet-supplied alternative deployment platform for customers that prefer a combined hardware and software solution. Both Supervisor / Worker and Collector appliances are available. A hardware appliance-based solution can be a single all-in-one system or a scalable distributed deployment.

The hardware appliance contains all necessary components for an all-in-one solution: CPU, memory, and storage for the event database on an internal disk array. When deploying hardware appliances as an all-in-one system, choose an appliance that will meet the lifetime scalability requirements of the solution.

When deploying hardware appliances in a scalable distributed FortiSIEM deployment consisting of Supervisor and Worker nodes, the internal storage of the appliance is used to store the event data in the ClickHouse database. Unlike in a virtual solution, the appliance's disk array cannot be extended. Either build additional shards into the solution from the outset to provide greater storage capacity, or plan to archive data to an external NFS server if the appliances run out of storage space.

Deployments can use a combination of hardware appliance models and virtual appliances as required.

  • For maximum scalability, purchase a large appliance as the supervisor node.

  • Smaller appliances can be deployed as worker nodes. Appliances of the same type should be used within a shard to provide similar performance and storage capacity across all nodes.

  • Deploy the dedicated FortiSIEM Collector appliance or virtual collectors in the Collector role.
