Minimum system requirements
The whole FortiAnalyzer-BigData cluster VM system needs at least 6 VMs.
Each VM requires two network interfaces:
- A dedicated VLAN subnet as Network Adapter 1 for the internal network of the FortiAnalyzer-BigData cluster. Avoid sharing this network with other VM hosts.
- An external subnet as Network Adapter 2 to expose the FortiAnalyzer-BigData to external networks for log traffic and management.
Each VM requires three disks:
- Hard Disk 1: OS root disk with a minimum size of 128GB and a recommended size of 256GB
- Hard Disk 2: data disk used for log storage, query engine cache, and scratch space
- Hard Disk 3: data disk used for log and metadata storage
It is highly recommended to use identical disk specifications (in terms of size and IOPS) for both data disks. See the storage requirements below for your data retention needs.
The following table lists the hardware requirements for each FortiAnalyzer-BigData host VM, based on your VM's analytic sustained rate:

| Analytic sustained rate (logs/sec) | VM Hosts | CPU cores | RAM (GB) | IOPS |
|---|---|---|---|---|
| 75,000 | 6 | 20 | 32GB | 5,000 |
| 150,000 | 8 | 20 | 64GB | 10,000 |
| 300,000 | 10 | 30 | 128GB | 20,000 |
| 400,000 | 14 | 32 | 128GB | 50,000 |
| 500,000 | 18 | 32 | 128GB | 100,000 |

The above IOPS requirement is specific to the data disks (Hard Disk 2 and Hard Disk 3). For the OS root disk (Hard Disk 1), we recommend an IOPS of 500 or higher.
The following table lists the storage requirements for each FortiAnalyzer-BigData host VM, based on your VM's analytic sustained rate and data retention period:

| Log Rate | Storage per Day | Retention 30 days | Retention 90 days | Retention 180 days |
|---|---|---|---|---|
| 75,000 | 2TB | 60TB = HD1 5TB + HD2 5TB x 6 VM Hosts | 180TB = HD1 7.5TB + HD2 7.5TB x 12 VM Hosts | 360TB = HD1 7.5TB + HD2 7.5TB x 24 VM Hosts |
| 150,000 | 4TB | 120TB = HD1 7.5TB + HD2 7.5TB x 8 VM Hosts | 360TB = HD1 7.5TB + HD2 7.5TB x 24 VM Hosts | 720TB = HD1 7.5TB + HD2 7.5TB x 48 VM Hosts |
| 300,000 | 8TB | 240TB = HD1 7.5TB + HD2 7.5TB x 16 VM Hosts | 720TB = HD1 7.5TB + HD2 7.5TB x 48 VM Hosts | 1.5PB = HD1 7.5TB + HD2 7.5TB x 100 VM Hosts |
| 400,000 | 10TB | 300TB = HD1 7.5TB + HD2 7.5TB x 20 VM Hosts | 900TB = HD1 7.5TB + HD2 7.5TB x 60 VM Hosts | 1.8PB = HD1 7.5TB + HD2 7.5TB x 120 VM Hosts |
| 500,000 | 13TB | 390TB = HD1 7.5TB + HD2 7.5TB x 26 VM Hosts | 1.2PB = HD1 7.5TB + HD2 7.5TB x 80 VM Hosts | 2.4PB = HD1 7.5TB + HD2 7.5TB x 160 VM Hosts |

Each log in FortiAnalyzer-BigData storage is roughly 180-320 bytes post replication (with a replication factor of 3) and compression. This varies based on the device types and log types. The above calculation is based on a log size of 300 bytes.
You can calculate the collector sustained rate by multiplying the analytic sustained rate by 1.5.
This table does not take into account other hardware specifications, such as bus speed, CPU model, or storage type.
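
The storage arithmetic behind the table above, as an added example (not a Fortinet tool): it derives storage per day, retention totals and host counts from the log rate, and shows how the 180-320 byte log size range moves the result. The function names are hypothetical; it assumes decimal terabytes and two equal data disks per host, and it does not apply the table's rounding, so results can differ slightly from the table's cells.

```python
SECONDS_PER_DAY = 86_400
TB = 10**12               # assumption: the page's TB is decimal (10^12 bytes)
MIN_CLUSTER_HOSTS = 6     # from the page: the cluster needs at least 6 VMs
COLLECTOR_FACTOR = 1.5    # from the page: collector rate = analytic rate x 1.5


def storage_per_day_tb(analytic_rate, log_bytes=300):
    """TB written per day; log_bytes is the stored size of one log,
    already post replication (factor 3) and compression, as on the page."""
    return analytic_rate * SECONDS_PER_DAY * log_bytes / TB


def collector_rate(analytic_rate):
    """Collector sustained rate (logs/sec) for a given analytic rate."""
    return analytic_rate * COLLECTOR_FACTOR


def size_cluster(analytic_rate, retention_days, disk_tb=7.5, log_bytes=300):
    """Total storage and host count for a retention period.

    disk_tb is the size of each of the two data disks on a host
    (assumed identical, as the page recommends).
    """
    # Work in whole bytes so the ceiling division is exact.
    total_bytes = analytic_rate * SECONDS_PER_DAY * log_bytes * retention_days
    host_bytes = int(2 * disk_tb * TB)
    hosts_for_storage = -(-total_bytes // host_bytes)  # ceiling division
    return {
        "per_day_tb": storage_per_day_tb(analytic_rate, log_bytes),
        "total_tb": total_bytes / TB,
        "hosts": max(MIN_CLUSTER_HOSTS, hosts_for_storage),
        "collector_rate": collector_rate(analytic_rate),
    }


if __name__ == "__main__":
    # Sensitivity of a 300,000 logs/sec, 30-day plan to the stored log size.
    for log_bytes in (180, 300, 320):
        plan = size_cluster(300_000, 30, log_bytes=log_bytes)
        print(f"{log_bytes} B/log: {plan['per_day_tb']:.2f} TB/day, "
              f"{plan['total_tb']:.1f} TB total, {plan['hosts']} hosts")
```
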