
Best Practices

FortiAnalyzer 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

April 28, 2025


FortiAnalyzer 7.6.0 Best Practices
05-760-1055946-20240723
TABLE OF CONTENTS

Change Log 4
Overview 5
Additional information 5
Installation 6
Business Continuity 7
General Maintenance 8
Backing up and restoring the configuration 8
Secure password storage 8
Schedule maintenance tasks for off-peak hours 9
Maintain database integrity 9
Replace managed device 9
Add managed device 9
Replace the FortiAnalyzer device 10
Decommissioning FortiAnalyzer 10
ADOM Design 11
ADOM considerations 11
Log Management 12
Set up a log backup strategy 12
Set up redundancy 12
Set disk size and RAID level 12
Set log retention and storage 13
Determine the logs needed to meet business requirements 13
Allocate quota and set log retention policy 13
Use Fetcher Management for log fetching 13
Rebuild SQL database 14
Report Performance 15
Security Best Practices 16
Administrator access best practices 16
Encryption best practices 16
Other security best practices 17
VM Size and License 18
Resizing VM 18

FortiAnalyzer 7.6.0 Best Practices 3


Fortinet Inc.
Change Log

Date Change Description

2024-07-29 Initial release.

2024-11-14 Updated Security Best Practices on page 16.

2024-12-11 Updated Security Best Practices on page 16.

2025-02-21 Updated Backing up and restoring the configuration on page 8

2025-04-28 Added Resizing VM on page 18.

Overview

This guide is a collection of best practices guidelines for using FortiAnalyzer. Use these best practices to help you get the
most out of your FortiAnalyzer products, maximize performance, and avoid potential problems.

Additional information

For product and feature guides, go to the Fortinet Document Library at https://docs.fortinet.com.
For procedures on how to implement these best practices, see the FortiAnalyzer Administration Guide in the Fortinet
Document Library.
For customer service and support, go to https://support.fortinet.com.
For technical notes, how-to articles, FAQs, and links to the technical forum and technical documentation, go to the
Fortinet Community at https://community.fortinet.com/.

Installation

Plan your installation carefully and select the FortiAnalyzer model(s) that meet your requirements.
- Plan the size of your installation appropriately. Ensure you plan for future management and logging requirements,
  including consideration for:
  - The number of connected devices.
  - If applicable, log rates and analytic and archive retention periods.
- Ensure you have remote serial console or virtual console access.
- Ensure a local TFTP server is available on a network local to the FortiAnalyzer.

Business Continuity

- Set up and use High Availability (HA).
- Ensure there is no power interruption. A power loss could cause the loss of a FortiAnalyzer device's database
  integrity. See Maintain database integrity on page 9.
- Always shut down or reboot the FortiAnalyzer gracefully. Removing power without a graceful shutdown might
  damage FortiAnalyzer databases.
- Ensure the FortiAnalyzer environment has a stable and uninterruptible power supply.
- If an unexpected power loss occurs, revert to a known good backup of the configuration.
- Ensure there are spare parts on site, such as fans, power supplies, and hard disk drives.

General Maintenance

Perform general maintenance tasks such as backup and restore so you can revert to a previous configuration if
necessary.

Backing up and restoring the configuration

Backing up your configuration:
- Perform regular backups to ensure you have a recent copy of your FortiAnalyzer configuration.
- Verify the backup by comparing the checksum in the log entry with that of the backed up file.
- Set up a backup schedule so you always have a recent backup of the configuration.
  See the FortiAnalyzer Administration Guide.
- If your FortiAnalyzer is a virtual machine, you can also use VM snapshots.
If you use ADOMs, a large number of ADOMs can significantly increase the size of configuration files, which increases
backup and restore time. See ADOM considerations on page 11.
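
As an added example that is not part of the Fortinet guide, the following Python script performs the checksum comparison from the list above: it streams the downloaded backup file through a hash and compares the result with the value copied from the backup log entry. The guide does not say which digest the log entry records, so the script infers the algorithm from the length of the logged value (an assumption; MD5, SHA-1 and SHA-256 are recognised) and rejects anything that is not a hex digest of one of those lengths, so a mis-pasted value is reported instead of silently failing the comparison.

```python
"""Verify a downloaded FortiAnalyzer configuration backup against the checksum
recorded in the backup log entry. Added example; not Fortinet code."""
import hashlib
import hmac
import os
import sys
import tempfile

# Digest length in hex characters -> hashlib algorithm name. The guide does not
# state which algorithm the log entry uses, so it is inferred from the length
# of the value pasted from the log (assumption).
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def checksum_file(path, algo, chunk_size=1 << 20):
    """Stream the file through the chosen hash so large backups do not fill RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup_checksum(path, logged_checksum):
    """Return True when the file's digest equals the value from the log entry.

    Raises ValueError when the logged value is not a hex digest of a recognised
    length, so a truncated or mis-pasted value is reported, not treated as a mismatch.
    """
    expected = logged_checksum.strip().lower()
    algo = DIGEST_ALGOS.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"not a recognised hex digest: {logged_checksum!r}")
    actual = checksum_file(path, algo)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def write_temp_file(data):
    """Write bytes to a temporary file and return its path (constructed sample data)."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def known_answer_check():
    """Self-check against the published MD5 and SHA-256 digests of the string 'abc'."""
    path = write_temp_file(b"abc")
    try:
        ok_sha256 = verify_backup_checksum(
            path, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
        ok_md5 = verify_backup_checksum(path, "900150983cd24fb0d6963f7d28e17f72")
        tampered = verify_backup_checksum(path, "0" * 64)  # wrong digest must fail
    finally:
        os.remove(path)
    return ok_sha256 and ok_md5 and not tampered


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("OK" if verify_backup_checksum(sys.argv[1], sys.argv[2]) else "MISMATCH")
    else:
        print("self-check:", "passed" if known_answer_check() else "FAILED")
```

Run it as python verify_backup.py <backup file> <checksum from log>; with no arguments it runs the self-check against the published digests of abc. The comparison goes through hmac.compare_digest so that the routine does not leak timing information if it is later reused in a service that accepts checksums from clients.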

Restoring your configuration:
- Restoring a configuration must be done on a VM/appliance running the identical firmware version as where the
  backup was performed. For example, if you back up a configuration on a FortiAnalyzer with firmware version 7.6.2,
  the restore operation should be performed on a FortiAnalyzer running 7.6.2.

Secure password storage

Passwords, as well as the private keys used in certificates, are encrypted using a pre-defined private key when stored on
the FortiAnalyzer, and encoded when displayed in the CLI and configuration file. This ensures that the password cannot
be decrypted unless the private key is known, and the password is not displayed in clear text anywhere.
To further enhance your password security, you should specify your own private key for the encryption process. This
ensures that your key is unique and known only by you. The key is also required on other FortiAnalyzers to restore the
system from a configuration file. In HA clusters, the same key should be used on all of the units.

To enable and enter your own private encryption key:

config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.


This is an example. Using 0123456789abcdef0123456789abcdef as your private key is not recommended.

Schedule maintenance tasks for off-peak hours

Fortinet recommends scheduling maintenance tasks for off-peak hours whenever possible, including tasks such as:
- Configuration backup.
- Log deletion.
- Log rolling and related log upload.
- For FortiAnalyzer devices in Collector mode, log aggregation. Schedule this task after daily log rolling so that
  the Analyzer has the latest rolled logs for that day.

Maintain database integrity

To maintain database integrity, never power off a FortiAnalyzer unit without a graceful shutdown. Removing power
without a proper shutdown can damage FortiAnalyzer databases.
Always use the following CLI command to shutdown the device before removing power:
execute shutdown

Fortinet highly recommends connecting FortiAnalyzer units to an uninterruptible power supply (UPS) to prevent
unexpected power issues that might damage internal databases.

Replace managed device

When you need to replace a standalone FortiGate device or a cluster member, the best practice is to add the new device
as a new member so as to preserve existing logs. Consider adding the old and new FortiGate devices into a group for
reporting purposes.

Add managed device

When Security Fabric is enabled on FortiGate, FortiAnalyzer requires using an administrator account on the FortiGate to
query the FortiGate for Security Fabric-related information.
Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer access.
This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This dedicated
Super_User administrator account only needs Read Only access to System Configuration; all other access can be set to
None.

Replace the FortiAnalyzer device

When you need to move logs to a new FortiAnalyzer device, use one of the following methods:
- Use log forwarding in aggregation mode. See Log Forwarding in the FortiAnalyzer Administration Guide.
- Use log fetching (Fetcher Management). See Fetcher Management in the FortiAnalyzer Administration Guide.

Decommissioning FortiAnalyzer

FortiAnalyzer is a required component in a Security Fabric solution.


When decommissioning a FortiAnalyzer included in a Security Fabric, the Security Fabric must be disabled on
connected FortiGates if there is no longer a FortiAnalyzer present.

ADOM Design

Enable ADOMs to support logs other than FortiGate logs (including Syslog and FortiClient EMS). You do not need to
separate ADOMs by FortiOS versions.

In version 5.4.x, the following applies to version 5.4.4 and higher. In version 5.6.x, it applies to
version 5.6.1 and higher:
When creating, editing, or viewing ADOMs, the version is displayed only if FortiManager
features are enabled.

If your devices have a mix of high-volume and low-volume log rates, put high-volume log rate devices in one ADOM and
low-volume log rate devices in another ADOM. This helps prevent quota enforcement from adversely affecting the low-
volume log devices. For best practices about setting quotas for ADOMs, see Allocate quota and set log retention policy
on page 13.
For more information, see the FortiAnalyzer Administration Guide.

ADOM considerations

A large number of ADOMs can significantly increase the size of configuration files which increases backup and restore
time. Do not create more ADOMs than your business needs.

Log Management

Set up a log management strategy that gives a good balance of redundancy and performance. Retain logs long enough
for business requirements and archive older logs for better performance.

Set up a log backup strategy

- Set up a backup strategy for logs.
- Set up a schedule to roll and upload logs. You can use the GUI or CLI to set this up. For details, see the System
  Settings > Device logs section in the FortiAnalyzer Administration Guide.
- You can also back up logs using the execute backup logs command. For details, see the FortiAnalyzer
  CLI Reference.

Set up redundancy

- For log storage redundancy, you can set this up at the disk level by selecting an appropriate RAID level.
- For log delivery redundancy, you can set this up in the following ways:
  - Set FortiGates to send logs to multiple devices, provided the FortiGate models support this function.
  - Use a hierarchical approach in your network design which includes using FortiAnalyzer devices in Collector
    mode and one or more FortiAnalyzer devices in Analyzer mode.

Set disk size and RAID level

Fortinet recommends using the default RAID level specified in the FortiAnalyzer data sheet, that is, RAID 50. If your
configuration does not meet RAID 50 requirements, consider upgrading your hardware.
When planning for disk space requirements, consider future storage needs. Adding disks to an existing RAID array
requires rebuilding the RAID array and restoring backed up logs.
The disk space available for you to set log quotas depends on the RAID level and the reserved space for temporary files.
Temporary files are needed for indexing, reporting, and file management. In your planning, include both the disk space
for the original logs FortiAnalyzer receives (Archive) and the space required to index the logs (Analytics).
Fortinet recommends using the default ratio of Analytics : Archive for most deployments. If you plan to retain archive logs
for a much longer period than your analytical data, you might allocate a higher percentage to Archive.

If you need more disk space for a VM, you can add a virtual disk.


You can also increase the size of an existing virtual disk. No format is required.
Use the execute lvm extend command to add or extend virtual disks. See the FortiAnalyzer CLI Reference.

Set log retention and storage

Determine the logs needed to meet business requirements

Consider carefully which types of logs to store on FortiAnalyzer. In some cases, you can be more selective about the
type and volume of logs sent from FortiGate to FortiAnalyzer. Reducing the type and volume of logs gives FortiAnalyzer
more resources to process the logs that meet your log storage, forensic, and reporting needs.

Allocate quota and set log retention policy

Ensure your quota settings are sufficient to fulfill your log retention policy. You must keep enough log data to meet your
organization's reporting requirements. Configure quota settings and the log retention policy to ensure there is enough
time to generate all scheduled reports.
Log View > Storage Statistics shows graphs with trends to help you with this planning.
If you are using ADOMs, ensure the quota is sufficient for every ADOM. Allocating insufficient quota to an ADOM might
cause the following issues:
- Prevent you from meeting your log retention objective.
- Waste CPU resources enforcing quotas with log deletion and database trims.
- Adversely affect reporting when quota enforcement acts on analytical data before a report is complete.
For analytics, ensure the quota is sufficient and the retention period is long enough to complete all scheduled reports.
When reports are generated and the log retention period is past, there is no need to keep analytical data since it can be
regenerated from the original archived log data.

It is recommended that archive data be retained for a longer period than the analytic log data.
The archive data is needed to regenerate analytic data in the event of a rebuild, such as may
occur automatically during firmware upgrade.

Use Fetcher Management for log fetching

To generate a report for a time period not covered by current analytical data:
- Use log fetching (Fetcher Management) to fetch archived logs to generate reports.
- Import log data from an external backup to generate reports.
Log fetching simplifies generating reports from log data for the following reasons:
- Log fetching allows you to specify the devices and time periods to be indexed.
- You can pull indexed logs into an ADOM with quota and log retention settings specifically set up to generate reports
  on older logs.
- Log fetching helps to avoid duplications that might occur with importing data from an external backup.


For information on Fetcher Management (log fetching) and importing a log file, see the FortiAnalyzer Administration
Guide.

Rebuild SQL database

Some firmware upgrades might change the SQL schema that indexes logs (analytics). If so, FortiAnalyzer automatically
rebuilds the SQL database. During the rebuild, searching and reporting functions are limited.
You rarely need to manually rebuild an SQL database. If you think there might be problems with the SQL database,
contact Customer Service & Support before considering a manual rebuild.
You might consider rebuilding the SQL database in the following situations:
- After moving a device to a new ADOM, you might need to rebuild the SQL database in the new ADOM.
- If disk space is running low, you might rebuild the SQL database to try to free up disk space.

Report Performance

For reports that you run regularly, set up the following:
- Put those reports into a group.
- Schedule those reports. If possible, schedule reports to run at off-peak hours and do not schedule reports to run at
  the same time as log maintenance tasks.
- Enable auto-cache for those reports.
Grouping reports has these advantages:
- Reduce the number of hcache tables.
- Improve auto-cache completion time.
- Improve report performance and reduce report completion time.
Consider grouping reports in these conditions:
- If you use the same or a similar report template for different FortiGates in the same ADOM.
- If you regularly use different filters on your reports.
Other ways to improve report performance include:
- Avoid running reports at the same time as log aggregation or log transfer.
- Avoid queries to external sources such as DNS (for name resolution) or LDAP (for obtaining a user list).
For more information, see the FortiAnalyzer Administration Guide.

Security Best Practices

For stronger security, implement the following security best practices.

Administrator access best practices

- Enable the password policy and set requirements for administrator passwords. The password policy lets you specify
  the minimum password length, the types of characters it must contain, and the number of days until the password
  expires.
- Use CLI commands to configure administrator lockout. For example, to lock an administrator out after two failed
  login attempts, and keep the account locked for two minutes (120 seconds) before the administrator can log in
  again, enter the following CLI commands:
  config system global
      set admin-lockout-threshold 2
      set admin-lockout-duration 120
  end
- Set a lower idle timeout so that unattended workstations are logged out.
- Use multi-factor authentication for administrators. For more information, see the FortiAuthenticator
  Administration Guide in the Fortinet Document Library.
- Limit administrator access. For example, configure trusted hosts and allowaccess. See Restricting GUI access by
  trusted hosts.

Encryption best practices

Set a strong encryption level. Use the SSL protocol version (TLS version) that meets PCI compliance or your
organization’s security requirements. For example:
config system global
    set enc-algorithm high
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption disable
end

config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end

The enc-algorithm setting allows you to specify the security levels for cipher suites.
- set enc-algorithm low uses all OpenSSL ciphers.
- set enc-algorithm medium uses high and medium OpenSSL ciphers.
- set enc-algorithm high (default) uses only high OpenSSL ciphers.

For more information about cipher security levels, see the FortiAnalyzer Administration Guide.

Other security best practices

- Disable unused interfaces.
- Upgrade firmware to the latest version.
- Install physical devices in a restricted area.
- Place the FortiAnalyzer behind a firewall, such as a FortiGate, to limit attempts to access the FortiAnalyzer device.

  When FortiAnalyzer is behind a FortiGate, AV and IPS features can be enabled on the
  FortiGate to further protect FortiAnalyzer from malware or intrusion attacks. See the
  FortiGate Administration Guide.

- Set up NTP. For example:
  config system ntp
      set status enable
      set sync_interval 60
      config ntpserver
          edit 1
              set server {<address_ipv4> | <fqdn_str>}
          next
      end
  end
- For audit purposes:
  - Use named accounts wherever possible.
  - Send logs to a central log destination.

Do not lose the administrator log in information as there is no password recovery mechanism
in FortiAnalyzer 5.4.0 and later.
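
The following Python script is an added example, not Fortinet code, that checks the text of a FortiAnalyzer configuration backup against the settings recommended in the Administrator access, Encryption, and Other security best practices subsections above: TLS 1.2 or newer for every protocol setting, only high cipher suites, lockout threshold and duration set, private data encryption enabled, and NTP enabled with at least one server. The two sample configurations embedded in it are constructed for the example. A backup normally omits values that are still at their default, so the audit reports anything not set explicitly as unset rather than assuming the default is safe.

```python
"""Audit a FortiAnalyzer configuration backup (Fortinet CLI text) against the
hardening settings on this page. Added example, not Fortinet code; the sample
configurations are constructed for it."""

# Ranking used to compare the ssl-protocol family of settings against the floor.
TLS_RANK = {"sslv3": 0, "tlsv1.0": 1, "tlsv1.1": 2, "tlsv1.2": 3, "tlsv1.3": 4}
MIN_TLS = "tlsv1.2"
TLS_KEYS = ("system global ssl-protocol", "system global fgfm-ssl-protocol",
            "system global oftp-ssl-protocol", "system global webservice-proto",
            "fmupdate fds-setting fds-ssl-protocol")


def parse_fortinet_config(text):
    """Flatten 'config ... set ... end' text into {"<table path> <key>": value}.
    Nested tables and 'edit' entries join with '/', e.g. "system ntp/ntpserver/edit 1 server"."""
    stack, settings = [], {}
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        kw, rest = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(rest))
        elif kw == "edit":
            stack.append("edit " + " ".join(rest).strip('"'))
        elif kw == "next":
            if stack and stack[-1].startswith("edit "):
                stack.pop()
        elif kw == "end":
            while stack and stack[-1].startswith("edit "):  # 'end' inside an entry closes it too
                stack.pop()
            if stack:
                stack.pop()
        elif kw == "set" and rest:
            settings["/".join(stack) + " " + rest[0]] = " ".join(rest[1:]).strip('"')
    return settings


def audit_fortianalyzer_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_fortinet_config(text)
    findings = []

    def require(key, expected, why):
        if s.get(key) != expected:
            findings.append(f"{key}: expected '{expected}', found '{s.get(key, '<unset>')}' ({why})")

    for key in TLS_KEYS:  # TLS floor for every protocol setting named on the page
        val = s.get(key)
        if val is None or TLS_RANK.get(val, -1) < TLS_RANK[MIN_TLS]:
            findings.append(f"{key}: expected {MIN_TLS} or newer, found '{val or '<unset>'}'")
    require("system global enc-algorithm", "high", "only high OpenSSL ciphers")
    require("system global ssl-low-encryption", "disable", "no low-strength SSL")
    require("system global private-data-encryption", "enable", "own key for stored secrets")
    require("system ntp status", "enable", "trustworthy timestamps in audit logs")
    for key in ("system global admin-lockout-threshold", "system global admin-lockout-duration"):
        val = s.get(key)
        if not (val and val.isdigit() and int(val) > 0):
            findings.append(f"{key}: expected a positive integer, found '{val or '<unset>'}'")
    if not any(k.startswith("system ntp/ntpserver/edit ") and k.endswith(" server") and v
               for k, v in s.items()):
        findings.append("system ntp/ntpserver: no NTP server configured")
    return findings


WEAK_CONFIG = """\
config system global
    set admin-lockout-threshold 0
    set ssl-protocol tlsv1.1
    set enc-algorithm medium
    set ssl-low-encryption enable
end
config system ntp
    set status disable
end
"""

HARDENED_CONFIG = """\
config system global
    set admin-lockout-threshold 2
    set admin-lockout-duration 120
    set enc-algorithm high
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption disable
    set private-data-encryption enable
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end
config system ntp
    set status enable
    config ntpserver
        edit 1
            set server "ntp.example.net"
        next
    end
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_fortianalyzer_config(cfg))
```

Point parse_fortinet_config at the text of a real backup to audit it; the weak sample produces one finding per setting it leaves unset or sets below the page's recommendation, and the hardened sample produces none. The parser tracks config and edit nesting on a stack so that an NTP server nested under config ntpserver is found under its full table path rather than colliding with top-level keys.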

VM Size and License

When using VMs, implement the following:
- Allocate sufficient CPU and memory resources to all VMs based on the number of devices and enabled features.
- Ensure the VM license meets your requirements for daily log rate (GB/day) and log storage capacity.
For details, see the FortiAnalyzer Private Cloud.

Resizing VM

The FortiAnalyzer-VM allows you to add up to fifteen virtual log disks to a deployed instance. You can use the following
CLI command to see how many log disks have been added and how much disk space is available:
execute lvm info

When adding additional disks, use the following CLI command to extend the LVM logical volume:
execute lvm extend

Adding an extra disk or adding space to the current LVM disk will not impact currently saved archive logs and analytics
logs. However, VM platforms may automatically restart or prompt you to restart when resizing an active VM. As a
precaution to prevent database corruption and preserve data in FortiAnalyzer, it is best to back up the logs and perform a
graceful shutdown before resizing.
To back up logs prior to resizing, enter the following commands in the FortiAnalyzer CLI:
execute backup logs <device name(s) | all> {ftp | scp | sftp} <ip/fqdn> <username>
<passwd> <directory> [vdlist]
execute backup reports <report schedule name(s) | all> {ftp | scp | sftp} <ip/fqdn>
<username> <passwd> <directory> [vdlist]

To perform a graceful shutdown, enter the following command in the FortiAnalyzer CLI:
execute shutdown

For more details about these commands, see the FortiAnalyzer CLI Reference on the Fortinet Document Library.

www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
