
FortiSOAR Sizing Guide

FortiSOAR Sizing Calculator

The sizing calculator utility associated with this document helps you define your sizing requirements for FortiSOAR. This document explains how to use the sizing calculator and defines the parameters, such as ingestion rate, number of workflows run per day, and workflow and audit purging policies, that must be entered in the utility. The sizing calculator uses the specified parameter values and outputs a recommended configuration for your FortiSOAR instance.

You can download the sizing calculator from: https://help.fortinet.com/fortisoar/Sizing_LVM_Calculator_v2_0_0.xlsx.

Inputs to the sizing calculator

You need to specify the following details in the sizing calculator to calculate your FortiSOAR configuration:

  1. Average number of alerts/day
  2. Average number of playbooks run/day
  3. Playbook logs retention policy in weeks (recommended 52 weeks)
  4. Audit logs retention policy in weeks (recommended 52 weeks)
  5. Whether Threat Intelligence Feeds are enabled (default is Not Enabled).

Other defaults in the sizing calculator

The sizing calculator also uses the following default values, which you can adjust, to calculate your FortiSOAR configuration:

  1. Disk size computation:
    1. Primary Data: For every alert, the calculator considers 1 MB of primary data to be generated. This is an approximate number considering:
      1. 8 indicators extracted
      2. 10 comments added, including one attached file of approximately 0.5 MB.
        Note: If your investigation relies on heavier attachments or screenshots, or primarily on email ingestion with large images, consider doubling the disk size projections. Refer to the “Test Run” section, which includes an additional large attachment of approximately 0.5 MB uploaded as a comment, such that ~1 MB of primary data is generated in the environment for every alert ingested.
    2. Audit Logs: The calculator considers around 7 GB of audit data to be generated weekly.
    3. Workflow Logs: The calculator considers log size of 5KB generated per playbook.
      You can run the following command on your FortiSOAR instance to confirm the database consumption for your current data and adjust the inputs to your sizing calculator accordingly:
      csadm db --getsize

      The above command gives the total database sizes. The size per playbook log can be obtained by dividing the total ‘Workflow Logs’ size from the above output by the total ‘Executed Playbook Logs’ count shown in the UI. To get the size per alert/incident, divide the total ‘Primary Data’ size by the total number of alerts shown in the UI.

    4. Feed Data: The calculator considers feed data for approximately 500,000 feeds as approximately 10 GB.
  2. CPU and Memory based on playbooks run/day used by the Calculator:
    Playbooks run/day      Configuration
    Up to 10,000           16GB RAM, 4 core CPU
    10,000 – 50,000        32GB RAM, 8 core CPU
    50,000 – 150,000       64GB RAM, 16 core CPU
    150,000 – 250,000      Active/Active HA cluster with 32GB RAM, 8 core CPU

    These sizes are recommended with long-term sustenance in mind and assume an average workflow execution time of 15 seconds/workflow. Your environment might have higher or lower scale limits depending on the workflows run.

    Note

    Playbook runs involve frequent disk I/O. SSD disks with a higher guaranteed IOPS (2000 or higher) are strongly recommended in the production environment for the best performance.
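The following is an added worked example, written for this page and not Fortinet's sizing spreadsheet, that applies the rules described above: it derives the per-alert and per-playbook sizes from `csadm db --getsize` totals and UI counts, sizes each disk component from the stated defaults (1 MB per alert, 7 GB of audit data per week, 5 KB per playbook, 10 GB for ~500,000 feeds) and the retention inputs, and picks the CPU/memory tier from the table. The binary unit conversion (1 GB = 1024 MB), the function names, the sample inputs and the 52-week horizon used for primary data (the guide states no purging policy for primary data) are assumptions.

```python
"""Hypothetical re-implementation of the sizing rules this guide describes.
Example code written for this page, not Fortinet's sizing spreadsheet.
The per-unit defaults and the CPU/memory tiers are taken from the guide; the
1024-based unit conversion, the function names and the 52-week horizon used
for primary data (which the guide does not state) are assumptions."""

# Defaults the guide states for the calculator.
PRIMARY_MB_PER_ALERT = 1.0          # ~1 MB of primary data per alert
AUDIT_GB_PER_WEEK = 7.0             # ~7 GB of audit data per week
WORKFLOW_KB_PER_PLAYBOOK = 5.0      # ~5 KB of workflow log per playbook run
FEED_GB = 10.0                      # ~10 GB for ~500,000 feeds when feeds are enabled

# CPU/memory tiers by playbooks run per day (upper bound inclusive), from the guide.
CPU_MEMORY_TIERS = (
    (10_000, "16GB RAM, 4 core CPU"),
    (50_000, "32GB RAM, 8 core CPU"),
    (150_000, "64GB RAM, 16 core CPU"),
    (250_000, "Active/Active HA cluster with 32GB RAM, 8 core CPU"),
)

KB_PER_MB = 1024.0   # ASSUMPTION: binary units throughout
MB_PER_GB = 1024.0


def per_unit_sizes(primary_gb, alert_count, workflow_logs_gb, executed_playbooks):
    """Derive the MB/alert and KB/playbook of an existing instance.

    Inputs are the 'Primary Data' and 'Workflow Logs' totals reported by
    `csadm db --getsize` and the alert / executed-playbook counts shown in
    the UI, as the guide describes.  Returns (mb_per_alert, kb_per_playbook).
    """
    if alert_count <= 0 or executed_playbooks <= 0:
        raise ValueError("counts must be positive")
    mb_per_alert = primary_gb * MB_PER_GB / alert_count
    kb_per_playbook = workflow_logs_gb * MB_PER_GB * KB_PER_MB / executed_playbooks
    return mb_per_alert, kb_per_playbook


def cpu_memory_tier(playbooks_per_day):
    """Return the configuration string for the tier, or None above 250,000/day."""
    for upper_bound, configuration in CPU_MEMORY_TIERS:
        if playbooks_per_day <= upper_bound:
            return configuration
    return None


def recommend(alerts_per_day, playbooks_per_day,
              playbook_log_retention_weeks=52, audit_log_retention_weeks=52,
              feeds_enabled=False,
              primary_mb_per_alert=PRIMARY_MB_PER_ALERT,
              workflow_kb_per_playbook=WORKFLOW_KB_PER_PLAYBOOK,
              primary_data_horizon_weeks=52):
    """Disk breakdown (GB) and CPU/memory tier for the given inputs.

    Audit and workflow logs are sized for their retention windows. The guide
    gives no purging policy for primary data, so it is sized for
    `primary_data_horizon_weeks` (ASSUMPTION: one year by default).
    """
    days_primary = 7 * primary_data_horizon_weeks
    days_workflow = 7 * playbook_log_retention_weeks
    primary_gb = alerts_per_day * primary_mb_per_alert * days_primary / MB_PER_GB
    audit_gb = AUDIT_GB_PER_WEEK * audit_log_retention_weeks
    workflow_gb = (playbooks_per_day * workflow_kb_per_playbook * days_workflow
                   / KB_PER_MB / MB_PER_GB)
    feed_gb = FEED_GB if feeds_enabled else 0.0
    return {
        "primary_gb": round(primary_gb, 2),
        "audit_gb": round(audit_gb, 2),
        "workflow_gb": round(workflow_gb, 2),
        "feed_gb": feed_gb,
        "total_gb": round(primary_gb + audit_gb + workflow_gb + feed_gb, 2),
        "cpu_memory": cpu_memory_tier(playbooks_per_day),
    }


if __name__ == "__main__":
    # Constructed inputs: a site ingesting 5,000 alerts/day that runs 8
    # playbooks per alert (40,000/day) with the recommended 52-week retention.
    mb_per_alert, kb_per_playbook = per_unit_sizes(50.0, 40_000, 2.0, 400_000)
    print(f"measured: {mb_per_alert:.2f} MB/alert, {kb_per_playbook:.2f} KB/playbook")
    for key, value in recommend(5_000, 40_000, feeds_enabled=True).items():
        print(f"{key}: {value}")
```

If the measured MB/alert or KB/playbook from `per_unit_sizes` is well above the defaults (heavy attachments, verbose playbooks), pass them as `primary_mb_per_alert` and `workflow_kb_per_playbook` to `recommend` instead of doubling the projection by hand.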

LVM Sizing Calculator

The LVM sizing calculator utility associated with this document helps you define your sizing requirements for FortiSOAR when your disk size differs from the standard configuration of 300GB. You can use the LVM sizing calculator to calculate the sizes of the partitions to be created for your disk size.

You can download the sizing calculator from: https://help.fortinet.com/fortisoar/Sizing_LVM_Calculator_v2_0_0.xlsx.

Inputs to the LVM sizing calculator

To calculate the sizes of the partitions to be created for your disk size, you only need to enter the disk size in cell D22 in the 'LVM Sizing Calculator' section of the Sizing Calculator.

Test Run

The following sections help you further understand the sizing calculation logic using the results of a sustenance run. The tests were run on the default recommended hardware configuration, using a daily ingestion volume commonly seen in customer environments, and show the system utilization over the period of the run. The test results can be used as a reference when deciding on the CPU, memory, and disk of your FortiSOAR instance.

Test Configuration 1

For each of these tests, the load varies in terms of the number of alerts ingested per day. The following parameters are common to all the runs.

Instance Configuration:

FortiSOAR Virtual Appliance Specifications
Component       Specifications
CPU             16 CPUs
Memory          30 GB
Storage         300 GB virtual disk, HDD type gp3 with IOPS 3000, attached to an AWS Instance
Instance Type   c4.4xLarge

Operating System Specifications
Operating System    Kernel Version
Rocky Linux 8.8     4.18.0-477.13.1.el8_8.x86_64

Load:

  • ~5040 alerts/day (2 schedules are run: one creates 1 alert every minute, and the second creates bursts of 150 alerts every hour)

Default use-cases run per alert (8):

  • SLA Calculation (All applicable SLA Playbooks)
  • Alert Assignment Notification
  • Indicator Extraction
  • Enrichment
  • Triage
  • User Assignment
  • Computing Alert Priority
  • Alert resolved date and assigned date updated

Record sizes:

  • 8 Indicators are created per alert.
  • Each alert has 10 small text comments, 2 comments with a screenshot, and a large 500KB file attachment as a comment. Around 1 MB of primary data gets generated per alert ingested.
  • Sample alert data can be downloaded from: https://help.fortinet.com/fortisoar/Sizing_Alert.zip.

Audit log and Workflow log retention

  • Audit log retention: 7 days
  • Workflow log retention: 7 days

Other FortiSOAR Tunables

The following configurations were updated as recommended for the production instance:

  • Workflow workers: 16
    /etc/celery/celeryd.conf: CELERYD_OPTS="--concurrency=16"
  • Postgres shared buffer: 2GB
    /var/lib/pgsql/12/data/postgresql.conf: shared_buffers = 2048MB
  • ElasticSearch Xms and Xmx 8GB:
    /etc/elasticsearch/jvm.options.d/fsr.options:
    -Xms8g
    -Xmx8g
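The following is an added example, written for this page and not a FortiSOAR tool, that checks the three production tunables listed above against the recommended values. The expected values and the configuration keys come from the guide; the parsing functions, their names and the sample file contents embedded below are constructed for the example (the second Postgres sample is deliberately left at a low value so that a finding is produced).

```python
"""Example configuration check for the three production tunables this guide
lists. Added for this page, not a FortiSOAR tool: the expected values and
keys come from the guide; the parsing, function names and the sample file
contents below are constructed."""
import re

# Recommended values from the guide.
EXPECTED = {
    "celery_concurrency": 16,      # CELERYD_OPTS="--concurrency=16"
    "shared_buffers_mb": 2048,     # shared_buffers = 2048MB
    "es_xms_mb": 8192,             # -Xms8g
    "es_xmx_mb": 8192,             # -Xmx8g
}

# Constructed sample file contents (the second Postgres sample is deliberately low).
CELERYD_CONF = 'CELERYD_NODES="worker1"\nCELERYD_OPTS="--concurrency=16 --time-limit=3600"\n'
POSTGRESQL_CONF = "# memory\nshared_buffers = 2048MB\nwork_mem = 4MB\n"
POSTGRESQL_CONF_DEFAULT = "shared_buffers = 128MB\n"
JVM_OPTIONS = "-Xms8g\n-Xmx8g\n"

# Size suffixes accepted by postgresql.conf and by JVM -Xms/-Xmx, normalised to MB.
_SIZE_UNITS = {"kb": 1 / 1024, "mb": 1, "gb": 1024, "k": 1 / 1024, "m": 1, "g": 1024}


def _to_mb(value, unit):
    return float(value) * _SIZE_UNITS[unit.lower()]


def parse_celery_concurrency(text):
    """Read --concurrency=N from the CELERYD_OPTS line; None if absent."""
    m = re.search(r'^\s*CELERYD_OPTS\s*=\s*"[^"]*--concurrency[= ](\d+)', text, re.M)
    return int(m.group(1)) if m else None


def parse_shared_buffers_mb(text):
    """Read shared_buffers from postgresql.conf (commented-out lines are ignored)."""
    m = re.search(r"^\s*shared_buffers\s*=\s*'?(\d+)\s*(kB|MB|GB)'?", text, re.M | re.I)
    return _to_mb(m.group(1), m.group(2)) if m else None


def parse_jvm_heap_mb(text):
    """Return (Xms, Xmx) in MB from a jvm.options file; a missing value is None."""
    out = {}
    for flag in ("Xms", "Xmx"):
        m = re.search(rf"^-{flag}(\d+)([kmg])$", text, re.M | re.I)
        out[flag] = _to_mb(m.group(1), m.group(2)) if m else None
    return out["Xms"], out["Xmx"]


def check_tunables(celeryd_conf, postgresql_conf, jvm_options):
    """Compare parsed values with EXPECTED; return a list of findings (empty = OK)."""
    xms, xmx = parse_jvm_heap_mb(jvm_options)
    actual = {
        "celery_concurrency": parse_celery_concurrency(celeryd_conf),
        "shared_buffers_mb": parse_shared_buffers_mb(postgresql_conf),
        "es_xms_mb": xms,
        "es_xmx_mb": xmx,
    }
    findings = []
    for key, expected in EXPECTED.items():
        value = actual[key]
        if value is None:
            findings.append(f"{key}: not set (expected {expected})")
        elif value < expected:
            findings.append(f"{key}: {value:g} is below the recommended {expected}")
    if xms is not None and xmx is not None and xms != xmx:
        findings.append("Elasticsearch Xms and Xmx differ; the guide sets both to 8g")
    return findings


if __name__ == "__main__":
    print("recommended instance:",
          check_tunables(CELERYD_CONF, POSTGRESQL_CONF, JVM_OPTIONS) or "OK")
    print("default postgres:",
          check_tunables(CELERYD_CONF, POSTGRESQL_CONF_DEFAULT, JVM_OPTIONS))
```

On a real instance, read the three files listed above (/etc/celery/celeryd.conf, /var/lib/pgsql/12/data/postgresql.conf and /etc/elasticsearch/jvm.options.d/fsr.options) and pass their contents to `check_tunables`; a non-empty result means the instance is not running with the settings the test runs used.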

Results

Data Disk Consumption:
  1. Postgres partition consumption: /var/lib/pgsql
  2. Elasticsearch disk consumption: /var/lib/elasticsearch
Time Span                  Primary Data Size   Audit Logs Size   Workflow Logs Size   Elasticsearch Size   Total Disk Size
After 1 week               27GB                8.89GB            9.61GB               2.9GB                48.4GB
After 2 weeks              54GB                17.78GB           19.22GB              5.8GB                96.8GB
After 4 weeks              110GB               35.56GB           38.44GB              11.6GB               195.6GB
After 1 year (projected)   1320GB              426.72GB          461.28GB             139.2GB              2347.2GB

Note: Total Disk Consumption is calculated as Primary data size + Audit log size + Workflow logs size + Elasticsearch size + Feed data size.
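The following is an added example, written for this page and not a Fortinet tool, that turns measured disk consumption like the table above into a growth rate and a time-to-full estimate for the Postgres and Elasticsearch partitions named above. The sample points are the Test Configuration 1 total disk sizes from the table; the least-squares fit, the 10% reserve, the 300 GB standard disk taken from the LVM section, and the function names are assumptions of the example.

```python
"""Example growth check for the disk consumption tables in this section.
Added for this page; not a Fortinet tool. The sample points are the Test
Configuration 1 totals from the table above; the least-squares fit, the
reserve fraction and the function names are mine."""
import math
import shutil

# Measured total disk size (GB) after N weeks, from the Test Configuration 1 table.
TEST_CONFIG_1_TOTAL_GB = {1: 48.4, 2: 96.8, 4: 195.6}


def weekly_growth_gb(samples):
    """Least-squares slope (GB/week) of {week: used_gb} measurements."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    n = len(samples)
    mean_x = sum(samples) / n
    mean_y = sum(samples.values()) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples.items())
    sxx = sum((x - mean_x) ** 2 for x in samples)
    return sxy / sxx


def project_gb(growth_gb_per_week, weeks, used_gb=0.0):
    """Linear projection of usage after `weeks` more weeks at the measured growth."""
    return used_gb + growth_gb_per_week * weeks


def weeks_until_full(disk_gb, used_gb, growth_gb_per_week, reserve_fraction=0.10):
    """Whole weeks before usage reaches (1 - reserve) of the disk; None if not growing."""
    if growth_gb_per_week <= 0:
        return None
    usable = disk_gb * (1.0 - reserve_fraction) - used_gb
    return max(0, math.floor(usable / growth_gb_per_week))


def mount_usage_gb(path):
    """(total_gb, used_gb) of the filesystem holding `path`, e.g. /var/lib/pgsql."""
    usage = shutil.disk_usage(path)
    gb = 1024 ** 3
    return usage.total / gb, usage.used / gb


if __name__ == "__main__":
    growth = weekly_growth_gb(TEST_CONFIG_1_TOTAL_GB)
    print(f"measured growth: {growth:.1f} GB/week")
    print(f"projected after 48 weeks: {project_gb(growth, 48):.0f} GB")
    # The guide's standard disk is 300 GB; show how long it lasts at this load.
    print("weeks until a 300 GB disk is 90% full:", weeks_until_full(300, 0, growth))
    for mount in ("/var/lib/pgsql", "/var/lib/elasticsearch"):
        try:
            total, used = mount_usage_gb(mount)
            print(f"{mount}: {used:.1f}/{total:.1f} GB used, "
                  f"{weeks_until_full(total, used, growth)} weeks left at this growth")
        except FileNotFoundError:
            print(f"{mount}: not present on this host")
```

Feed `weekly_growth_gb` with your own weekly readings of the two partitions rather than the table's totals; the table shows that at roughly 5,000 alerts/day with 1 MB of primary data each, the retention policy, not the default disk, is what keeps the instance within bounds.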

Test Configuration 2

The configuration for this test is the same as Test Configuration 1, apart from the record sizes of the alerts ingested.

Record sizes:

Results

Data Disk Consumption:
Time Span                  Primary Data Size   Audit Logs Size   Workflow Logs Size   Elasticsearch Size   Total Disk Size
After 1 week               7.1GB               8.9GB             9.65GB               3.1GB                28.75GB
After 2 weeks              14.2GB              17.8GB            19.3GB               6.2GB                57.5GB
After 4 weeks              28.4GB              35.6GB            38.6GB               12.4GB               115GB
After 1 year (projected)   340.8GB             427.2GB           463.2GB              148.8GB              1380GB

Note: Total Disk Consumption is calculated as Primary data size + Audit log size + Workflow logs size + Elasticsearch size + Feed data size.

Test Configuration 3

Apart from the instance configuration and load, all other configuration for this test is the same as in Test Configuration 1.

Instance Configuration:

  • Same configuration as mentioned in Test Configuration 1, plus a cluster of two FortiSOAR machines joined in the Active-Active state using the FortiSOAR HA feature.

  • The machines that form the HA cluster must be in the same network subnet.

Load:

  • ~9360 alerts/day (2 schedules are run: one creates 4 alerts every minute, and the second creates bursts of 150 alerts every hour)

Results

Data Disk Consumption:
Time Span                  Primary Data Size   Audit Logs Size   Workflow Logs Size   Elasticsearch Size   Total Disk Size
After 1 week               49GB                15GB              23GB                 4.6GB                91.6GB
After 2 weeks              98GB                30GB              46GB                 9.2GB                183.2GB
After 4 weeks              196GB               60GB              92GB                 18.4GB               366.4GB
After 1 year (projected)   2352GB              720GB             1104GB               220.8GB              4396.8GB

Note: Total Disk Consumption is calculated as Primary data size + Audit log size + Workflow logs size + Elasticsearch size + Feed data size.
