Expanding storage for FortiAnalyzer 5.2.x units

This example illustrates how to expand storage capacity to over 16 TB for a FortiAnalyzer 5.2.x VM or device. 

You can use the Log Aggregation feature in aggregation mode to temporarily forward logs from one FortiAnalyzer unit to a temporary FortiAnalyzer unit while you increase the storage capacity of the FortiAnalyzer unit to over 16 TB.

You should also reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit to avoid losing any logs while you increase storage capacity of your FortiAnalyzer unit.

After you increase storage capacity, you can use the Log Aggregation feature to return the logs from the temporary FortiAnalyzer unit to the FortiAnalyzer unit that now has increased storage capacity. Don’t forget to reconfigure FortiGate to send logs to the FortiAnalyzer unit again. 

You can use this procedure when upgrading the default 12 HDDs (hard disk drives) for FAZ-4000B or FAZ-3500E to the maximum of 24 HDDs.

1. (Server) Configuring the temporary FortiAnalyzer unit to receive logs 

Ensure that you have configured an administrator account with a Super_User profile. You can use the default admin account, which is assigned the Super_User profile. Alternatively, you can create a custom administrator account by going to System Settings > Admin > Administrator. The client must provide the login credentials of this administrator account to authenticate to the server.

(Image: Administrator profiles)

Add the FortiAnalyzer for which you want to increase storage capacity to the temporary FortiAnalyzer by going to Device Manager > Add Device. The Add Device wizard is displayed. Follow the wizard to add the device.

(Image: Add Device wizard)

Enable the log aggregation service by going to System Settings > Dashboard.  In the CLI Console widget, enter the following CLI commands:

config system aggregation-service
    set accept-aggregation enable
end

get system aggregation-service
accept-aggregation  : enable
aggregation-disk-quota: 20000
password            : *   <-- set for password

config system interface
    edit port<number>
        set ip <ip address> <netmask>
        set allowaccess ping https ssh snmp telnet http webservice aggregator fgfm
    next
end

(Image: CLI Console widget)

2. (Client) Configuring log forwarding on the FortiAnalyzer unit for which you want to increase storage capacity.

Configure log forwarding in aggregation mode by going to System Settings > Dashboard.  In the CLI Console widget, enter the following CLI commands:

config system aggregation-client
    edit 1
        set mode aggregation
        set server-ip <ip address>
        set agg-password <password>
    next
end

3. Reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit.

4. Increase storage capacity for the FortiAnalyzer unit.

Add new hard disks with a total size greater than 16 TB to FortiAnalyzer.

Format the FortiAnalyzer disks to have more than 16 TB of storage capacity.

5. Return logs to the FortiAnalyzer unit with increased storage capacity.

Set up log forwarding as follows to return the logs to the FortiAnalyzer:

  • Configure the FortiAnalyzer unit with the new storage capacity as the log-forwarding server.
  • Configure the temporary FortiAnalyzer as the log-forwarding client.

The log-forwarding client sends all of the logs to the log-forwarding server. As a result, the log-forwarding feature returns all of the logs to the FortiAnalyzer unit with increased storage capacity.

6. Reconfigure FortiGate to send logs to the FortiAnalyzer unit with increased storage capacity.

7. Results

FortiAnalyzer has increased storage capacity and is receiving logs from FortiGate again.
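
A check on the interface settings from step 1, as an added example (not part of the original recipe and not Fortinet tooling): the allowaccess line there enables telnet and http, which are unencrypted management protocols, alongside the aggregator access used for log aggregation. The script parses "config system interface" text, flags cleartext access per interface, and confirms that aggregator is allowed on at least one interface; the sample configuration, its addresses and the function names are constructed for illustration.

```python
CLEARTEXT = {"telnet", "http"}  # management protocols that do not encrypt the session

def parse_interfaces(config_text):
    """Map interface name -> set of allowaccess values from 'config system interface'."""
    interfaces, depth, current = {}, 0, None
    for raw in config_text.splitlines():
        tok = raw.split() or [""]
        if tok[0] == "config":
            # Enter the interface table, or a nested table inside an interface entry.
            if depth or tok[1:] == ["system", "interface"]:
                depth += 1
        elif depth and tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = tok[1].strip('"')
            interfaces[current] = set()
        elif depth == 1 and tok[0] == "next":
            current = None
        elif depth == 1 and current and tok[:2] == ["set", "allowaccess"]:
            interfaces[current] = set(tok[2:])
    return interfaces

def audit(config_text):
    """Return (interface, finding) tuples for the log-aggregation server side."""
    interfaces = parse_interfaces(config_text)
    findings = [(name, f"cleartext management access enabled: {proto}")
                for name, access in sorted(interfaces.items())
                for proto in sorted(access & CLEARTEXT)]
    if not any("aggregator" in access for access in interfaces.values()):
        findings.append(("*", "no interface allows aggregator access"))
    return findings

# Constructed sample; addresses are documentation ranges, not values from the recipe.
SAMPLE = """\
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh snmp telnet http webservice aggregator fgfm
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```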
