This example illustrates how to expand storage capacity to over 16 TB for a FortiAnalyzer 5.2.x VM or device.
You can use the Log Aggregation feature in aggregation mode to temporarily forward logs from one FortiAnalyzer unit to a temporary FortiAnalyzer unit while you increase the storage capacity of the FortiAnalyzer unit to over 16 TB.
You should also reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit to avoid losing any logs while you increase storage capacity of your FortiAnalyzer unit.
After you increase storage capacity, you can use the Log Aggregation feature to return the logs from the temporary FortiAnalyzer unit to the FortiAnalyzer unit that now has increased storage capacity. Don’t forget to reconfigure FortiGate to send logs to the FortiAnalyzer unit again.
You can use this procedure when upgrading the default 12 HDDs (hard disk drives) for FAZ-4000B or FAZ-3500E to the maximum 24 HDDs.
1. (Server) Configuring the temporary FortiAnalyzer unit to receive logs
Ensure that you have configured an administrator account with a Super_User profile. You can use the default admin account, which is assigned the Super_User profile. Alternatively, you can create a custom administrator account by going to System Settings > Admin > Administrator. The client must provide the login credentials of this administrator account to authenticate to the server.
Add the FortiAnalyzer for which you want to increase storage capacity to the temporary FortiAnalyzer by going to Device Manager > Add Device. The Add Device wizard is displayed. Follow the wizard to add the device.
Enable the log aggregation service by going to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:
2. (Client) Configuring log forwarding on the FortiAnalyzer unit for which you want to increase storage capacity.
Configure log forwarding in aggregation mode by going to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:
3. Reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit.
4. Increase storage capacity for the FortiAnalyzer unit.
Add new hard disks with a total size greater than 16 TB to FortiAnalyzer. Format the FortiAnalyzer disks to have more than 16 TB of storage capacity.
5. Return logs to the FortiAnalyzer unit with increased storage capacity.
Set up log forwarding as follows to return the logs to the FortiAnalyzer:
The log-forwarding client sends all of the logs to the log-forwarding server. As a result, the log-forwarding feature returns all of the logs to the FortiAnalyzer unit with increased storage capacity.
6. Reconfigure FortiGate to send logs to the FortiAnalyzer unit with increased storage capacity.
7. Results
FortiAnalyzer has increased storage capacity and is receiving logs from FortiGate again.
The post Expanding storage for FortiAnalyzer 5.2.x units appeared first on Fortinet Cookbook.