Fortinet white logo
Fortinet white logo

FortiSIEM Reference Architecture Using ClickHouse

Service Provider

Service Provider

When installed in Service Provider mode, FortiSIEM has full multitenancy capabilities, including a multi-tenant aware database and user interface, and an architecture designed to support multi-tenant environments

Service Provider deployments should include the same components as a large enterprise, mainly:

  • One Supervisor node

  • Worker nodes as needed to support the required number of shards and replicas

  • One or three dedicated keeper nodes

  • Collectors

FortiSIEM with ClickHouse can scale to handle very large service provider deployments. Follow the design guidelines for the enterprise solution and design the system from the outset with the number of shards required to handle the maximum anticipated EPS during the life of the solution. In a virtual appliance based solution, the storage disk in the nodes of each shard can be extended in life to increase event storage capacity. An external NFS server can also be used to archive old events.

Service providers should deploy Collectors at their customers’ premises for local log collection and data separation. Collectors will also be required in the service provider core for monitoring core infrastructure and ingesting logs from shared devices such as service provider firewalls. When installed in service provider mode, FortiSIEM includes features for core infrastructure monitoring

  • Super-Local organization for the service provider core infrastructure

  • Multi-tenant Collectors (see below)

  • Event to organization mapping, a mechanism for assigning logs from shared devices such as core firewalls to the relevant organization based on a log attribute such as the VDOM

Load balancers are recommended in large enterprise and medium to large service provider deployments due to the additional flexibility and resilience they can provide. Deploying load balancers between the Collector and Worker nodes allows for fast redirection of traffic in the event of a worker failure, and simplified Collector deployment due to the use of a load balancer virtual IP address as the collector upload target. Deploying load balancers in front of the core Collectors provides additional flexibility and resilience in ingesting logs as described in the following section.

Service Provider

Service Provider

When installed in Service Provider mode, FortiSIEM has full multitenancy capabilities, including a multi-tenant aware database and user interface, and an architecture designed to support multi-tenant environments

Service Provider deployments should include the same components as a large enterprise, mainly:

  • One Supervisor node

  • Worker nodes as needed to support the required number of shards and replicas

  • One or three dedicated keeper nodes

  • Collectors

FortiSIEM with ClickHouse can scale to handle very large service provider deployments. Follow the design guidelines for the enterprise solution and design the system from the outset with the number of shards required to handle the maximum anticipated EPS during the life of the solution. In a virtual appliance based solution, the storage disk in the nodes of each shard can be extended in life to increase event storage capacity. An external NFS server can also be used to archive old events.

Service providers should deploy Collectors at their customers’ premises for local log collection and data separation. Collectors will also be required in the service provider core for monitoring core infrastructure and ingesting logs from shared devices such as service provider firewalls. When installed in service provider mode, FortiSIEM includes features for core infrastructure monitoring

  • Super-Local organization for the service provider core infrastructure

  • Multi-tenant Collectors (see below)

  • Event to organization mapping, a mechanism for assigning logs from shared devices such as core firewalls to the relevant organization based on a log attribute such as the VDOM

Load balancers are recommended in large enterprise and medium to large service provider deployments due to the additional flexibility and resilience they can provide. Deploying load balancers between the Collector and Worker nodes allows for fast redirection of traffic in the event of a worker failure, and simplified Collector deployment due to the use of a load balancer virtual IP address as the collector upload target. Deploying load balancers in front of the core Collectors provides additional flexibility and resilience in ingesting logs as described in the following section.