Planning deployment
This page provides guidance for estimating the data storage needed for file analysis throughput (file scanning) and NDR deployment, based on an average network.
Retention varies with throughput. The following information is provided as a guide for estimation only.
Storage by model
- FNR-1000F supports 2 x 7.68TB SSD storage in RAID 1 configuration; this is not expandable.
- FNR-3500F uses 8 x 3.8TB SSD in RAID 1 and comes with the option to purchase additional SSDs (up to 16 SSDs maximum).
- FAI-3500F (gen 1 & 2) uses 2 x 3.8TB SSD in RAID 1 and comes with the option to purchase additional SSDs. This model will support RAID 10 if 2 (or more) additional SSDs are purchased.
- FortiNDR-VM Standalone and Sensor come with four different sizes of disk images.
- FortiNDR-VMCM (VM Center Management) comes with two additional, differently sized disk images.
The following table provides guidance on disk storage requirements for FortiNDR, used for malware scanning and NDR events, based on an average 10Gbps network.
Model | Total disk size | Storage retention
---|---|---
FortiNDR-1000F 2 SSD (not expandable) | 2 x 7.68 TB (RAID 1) | 66 days
FNDR-3500F 4 SSD | 6.6 TB | 66 days
FNDR-3500F 2 SSD | 3.3 TB | 33 days
FNDR-3500F 8 SSD | 13.2 TB | 132 days
FNDR-3500F 16 SSD | 26.4 TB | 264 days
FNDR-VM Standalone, Sensor, CM | 1024 GB | 10 days
FNDR-VM Standalone, Sensor, CM | 2048 GB | 20 days
FNDR-VM Standalone, Sensor, CM | 4096 GB | 40 days
FNDR-VM Standalone, Sensor, CM | 8192 GB | 73 days
FNDR-VMCM | 15 TB | 115 days
FNDR-VMCM | 30 TB | 264 days
The table above gives the estimated retention in days for each model (file analysis + NDR events, tested on a 10Gbps network). The software retention for the individual tables (NDR events and the file analysis table) is controlled with the following CLI command:
execute center-retention-setting
For more information, see the FortiNDR CLI Reference Guide.
The default Time To Live (TTL) for all log tables is 264 days, meaning logs are retained for this duration. If FortiNDR reaches the physical hard disk limit before the software limit is hit, the unit will:
- Stop processing file events (i.e. malware scanning will stop).
- Stop inserting entries for NDR events.
Both are detection gaps, so it is important to understand the deployment and set the software limits low enough that the physical hard disk never fills.
For the latest performance-related specifications, refer to the FortiNDR datasheet.
* The maximum processing rate depends on the average size and composition of the file types. NDR disk storage depends on several factors, such as:
- Size of the data disk allocated to the VM
- Number of disks inserted into the hardware model
- Throughput of the network, e.g. with the sniffer
- Whether the unit is used for NDR and/or pure file analysis only
Refer to the Disk Management section under System for more information.
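The retention table above and the TTL behaviour it describes can be turned into a small sizing calculator. The following is an added example, not Fortinet code: at the tested 10 Gbps, the FNDR-3500F rows (6.6 TB for 66 days, 13.2 TB for 132 days) and the 1 TB to 4 TB VM rows (1 TB for 10 days) work out to about 10 days per usable TB, and the example assumes that figure scales linearly with capacity and inversely with average throughput. That is an assumption, not something the page states: the 1000F row and the larger VM/VMCM rows on the page come in below this line, so the estimate is an upper bound and the recommended TTL is kept under it by a margin. Function names, the 0.8 margin and the RAID rules are the example's own.

```python
"""Retention estimator for FortiNDR disk sizing (added example, not Fortinet code)."""
from math import floor

BASELINE_DAYS_PER_TB = 10.0   # ASSUMPTION: derived from the page's table at 10 Gbps
BASELINE_GBPS = 10.0          # throughput the page's table was measured at
DEFAULT_TTL_DAYS = 264        # default software TTL for all log tables (from the page)


def usable_tb(disk_count, disk_tb, raid_level):
    """Usable capacity for the RAID levels the page documents (1 and 10).
    Both mirror every disk, so usable space is half the raw total."""
    if raid_level not in (1, 10):
        raise ValueError("page documents RAID 1 and RAID 10 only")
    if raid_level == 1 and disk_count != 2:
        raise ValueError("RAID 1 on these units is a 2-disk mirror")
    if raid_level == 10 and (disk_count < 4 or disk_count % 2):
        raise ValueError("RAID 10 needs an even number of disks, at least 4")
    return disk_count * disk_tb / 2


def estimated_retention_days(usable_capacity_tb, avg_gbps):
    """Days until the data disk fills, scaled from the 10 Gbps baseline.
    ASSUMPTION: linear in capacity, inverse in throughput."""
    if usable_capacity_tb <= 0 or avg_gbps <= 0:
        raise ValueError("capacity and throughput must be positive")
    return usable_capacity_tb * BASELINE_DAYS_PER_TB * (BASELINE_GBPS / avg_gbps)


def recommended_ttl_days(usable_capacity_tb, avg_gbps, margin=0.8,
                         ttl_cap=DEFAULT_TTL_DAYS):
    """TTL to configure (execute center-retention-setting) so the software
    limit trips before the disk does. If the physical disk fills first the
    unit stops scanning files and stops inserting NDR events, so the TTL is
    kept under the physical estimate by `margin` (hypothetical default 0.8)."""
    physical = estimated_retention_days(usable_capacity_tb, avg_gbps)
    # small epsilon so e.g. 10 * 0.8 floors to 8, not 7, under float rounding
    return max(1, min(ttl_cap, floor(physical * margin + 1e-9)))


def plan(disk_count, disk_tb, raid_level, avg_gbps, margin=0.8):
    """Sizing summary for one deployment."""
    cap = usable_tb(disk_count, disk_tb, raid_level)
    physical = estimated_retention_days(cap, avg_gbps)
    ttl = recommended_ttl_days(cap, avg_gbps, margin)
    return {
        "usable_tb": round(cap, 2),
        "physical_days": round(physical, 1),
        "ttl_days": ttl,
        # True when the disk, not the 264-day default, is the binding limit
        "disk_limited": ttl < DEFAULT_TTL_DAYS,
    }


if __name__ == "__main__":
    # FNR-3500F as shipped (4 x 3.84 TB, RAID 10) on a 10 Gbps average network,
    # then the same unit on a busier 20 Gbps link.
    for gbps in (10, 20):
        print(gbps, "Gbps:", plan(4, 3.84, 10, gbps))
```

When `disk_limited` is true, the 264-day default TTL is not what governs retention; the disk is, and the TTL should be lowered to the returned value (or more disks added) so the software limit, not a full disk, is what expires data.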
Additional SSD
FNR (gen3 hardware) supports RAID 10 configuration. 4 x 3.84 TB SSDs are shipped by default (up to 16 maximum).
FAI (gen1 & 2 hardware) supports RAID 1 configuration. 2 x 3.84 TB SSDs are shipped by default (up to 16 maximum).
Additional disks should be ordered in pairs to increase capacity. Increasing disk capacity also improves the system's input/output operations per second (IOPS).
Total SSDs in FNR-3500F | 4 (shipped by default, 4 x 3.84 TB) | 6 | 8 | 10 | 12 | 14 | 16
---|---|---|---|---|---|---|---
Total usable capacity (TB), RAID 10 configuration | 7.7 | 11.52 | 15.36 | 19.2 | 23.04 | 26.88 | 30.72
To add additional SSDs to a FortiNDR 3500F:
- Back up all configurations first. Adding SSDs will wipe all data on the unit.
- Insert the extra SSDs into the available slots while the system is powered on.
- Log in to the CLI or console and run the following command:
exec raidlevel 10
After the command is executed and the device has rebooted, it rebuilds the RAID array to include the new SSDs.
To check the new SSD capacity in the GUI:
Go to Dashboard > System Status and check the System Information widget.
To check the new SSD capacity in the CLI, run:
get system raid-status
Sample output:
FortiNDR-3500F # get system raid-status
Controller Model Firware Driver
---------------------------------------------------
a0 PERC H350 Ada 5.190.01-3614 07.714.04.00-
+---- Unit Status Level Part Of Size (GB)
| u0 OK LEVEL 10 a0 14304
+---- Port Status Part Of Size (GB)
| 64:0 OK u0 3575
| 64:1 OK u0 3575
| 64:2 OK u0 3575
| 64:3 OK u0 3575
| 64:4 OK u0 3575
| 64:5 OK u0 3575
| 64:6 OK u0 3575
| 64:7 OK u0 3575
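After the rebuild it is worth checking this output mechanically rather than by eye: a member disk that is not OK, a unit still at the old RAID level, fewer members than SSDs installed, or a unit size that does not match its mirrored members all mean the array is not what the deployment plan assumed. The following parser and health check is an added example, not Fortinet code; it uses the sample output above as its constructed input, and the "FAILED" port status and the 64 GB size tolerance are the example's own assumptions, not strings or limits documented for the device.

```python
"""Health check for 'get system raid-status' output (added example, not Fortinet code)."""
import re

# Sample output copied from the page (FortiNDR-3500F, 8 SSDs in RAID 10).
SAMPLE_RAID_STATUS = """\
Controller Model Firware Driver
---------------------------------------------------
a0 PERC H350 Ada 5.190.01-3614 07.714.04.00-
+---- Unit Status Level Part Of Size (GB)
| u0 OK LEVEL 10 a0 14304
+---- Port Status Part Of Size (GB)
| 64:0 OK u0 3575
| 64:1 OK u0 3575
| 64:2 OK u0 3575
| 64:3 OK u0 3575
| 64:4 OK u0 3575
| 64:5 OK u0 3575
| 64:6 OK u0 3575
| 64:7 OK u0 3575
"""

# "| u0 OK LEVEL 10 a0 14304"  -> unit id, status, level, controller, size
UNIT_RE = re.compile(r"^\|\s*(u\d+)\s+(\S+)\s+LEVEL\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
# "| 64:0 OK u0 3575"          -> port, status, unit, size
PORT_RE = re.compile(r"^\|\s*(\d+:\d+)\s+(\S+)\s+(u\d+)\s+(\d+)\s*$")


def parse_raid_status(text):
    """Return ({unit_id: unit dict}, [port dicts]) from the CLI listing."""
    units, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = UNIT_RE.match(line)
        if m:
            units[m.group(1)] = {"status": m.group(2), "level": int(m.group(3)),
                                 "controller": m.group(4), "size_gb": int(m.group(5))}
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": m.group(1), "status": m.group(2),
                          "unit": m.group(3), "size_gb": int(m.group(4))})
    return units, ports


def check_raid(text, expected_level=10, expected_ports=None, tolerance_gb=64):
    """Return a list of findings; an empty list means the array looks healthy.
    expected_ports: number of SSDs physically installed, if known."""
    units, ports = parse_raid_status(text)
    if not units:
        return ["no RAID unit found in output"]
    findings = []
    for uid, u in units.items():
        members = [p for p in ports if p["unit"] == uid]
        if u["status"] != "OK":
            findings.append(f"{uid}: unit status is {u['status']}")
        if u["level"] != expected_level:
            findings.append(f"{uid}: RAID level {u['level']}, expected {expected_level}")
        bad = [p["port"] for p in members if p["status"] != "OK"]
        if bad:
            findings.append(f"{uid}: member ports not OK: {', '.join(bad)}")
        if expected_ports is not None and len(members) != expected_ports:
            findings.append(f"{uid}: {len(members)} members, expected {expected_ports}")
        # RAID 1 and RAID 10 mirror every member, so usable size is half the raw total.
        raw_gb = sum(p["size_gb"] for p in members)
        expected_usable = raw_gb // 2 if u["level"] in (1, 10) else raw_gb
        if abs(expected_usable - u["size_gb"]) > tolerance_gb:
            findings.append(f"{uid}: size {u['size_gb']} GB does not match "
                            f"{len(members)} mirrored members ({expected_usable} GB)")
    return findings


if __name__ == "__main__":
    print(check_raid(SAMPLE_RAID_STATUS) or "RAID healthy")
```

On the sample, 8 members of 3575 GB mirror down to 14300 GB against a reported 14304 GB, so the size check passes; pass `expected_ports=10` after adding a pair of SSDs and the check will complain until `exec raidlevel 10` and the reboot have actually pulled the new disks into u0.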
Preparing the virtual environment
Install VMware ESXi version 6.7 U2 or above on a physical server with enough resources to support FortiNDR and all other VMs deployed on that platform.
Memory is particularly important: it is what guarantees no packet loss during sniffer operation and is needed to load the ANN and operate correctly. Demo mode and lab instances can run with fewer resources, but the figures below are also a TAC support requirement, and a lab instance running with less than the required resources may find that scanning operations such as the sniffer do not operate correctly.
Model | vCPU | Reserved CPU GHz | Reserved Memory | Minimum Host's Disk Sequential (Read/Write) | Minimum Host's Disk 4KB Random (Read/Write) | Recommended Host's Disk Sequential (Read/Write) | Recommended Host's Disk 4KB Random (Read/Write)
---|---|---|---|---|---|---|---
VM16 | 16 | 32GHz | 128GB | 4000 MBps / 1500 MBps | 92000/31000 IOPS | 6200 MBps / 2350 MBps | 1,000,000 / 60,000 IOPS
VM32 | 32 | 64GHz | 256GB | 4000 MBps / 1500 MBps | 92000/31000 IOPS | 6200 MBps / 2350 MBps | 1,000,000 / 60,000 IOPS
VM Center mode | 48 | 90GHz | 384GB | 4000 MBps / 1500 MBps | 92000/31000 IOPS | 6200 MBps / 2350 MBps | 1,000,000 / 60,000 IOPS
The minimum hardware footprint does not guarantee the maximum performance of the VM.