Best Practices
FortiAnalyzer 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO LIBRARY
https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE
https://training.fortinet.com
FORTIGUARD LABS
https://www.fortiguard.com
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
June 19, 2025
FortiAnalyzer 7.6.0 Best Practices
05-760-1055946-20240723
TABLE OF CONTENTS
Change Log 4
Overview 5
Additional information 5
Installation 6
Business Continuity 7
General Maintenance 8
Backing up and restoring the configuration 8
Secure password storage 8
Schedule maintenance tasks for off-peak hours 9
Maintain database integrity 9
Replace managed device 10
Add managed device 10
Replace the FortiAnalyzer device 10
Decommissioning FortiAnalyzer 10
ADOM Design 11
ADOM considerations 11
Log Management 12
Set up a log backup strategy 12
Set up redundancy 12
Create snapshots of FortiAnalyzer-VM 12
Snapshots for a FortiAnalyzer-VM HA cluster 12
Set disk size and RAID level 13
Set log retention and storage 14
Determine the logs needed to meet business requirements 14
Allocate quota and set log retention policy 14
Use Fetcher Management for log fetching 14
Rebuild SQL database 15
Report Performance 16
Security Best Practices 17
Administrator access best practices 17
Encryption best practices 17
Other security best practices 18
VM Size and License 19
Resizing VM 19
FortiAnalyzer 7.6.0 Best Practices 3
Fortinet Inc.
Change Log
Date         Change Description
2024-07-29   Initial release.
2024-11-14   Updated Security Best Practices on page 17.
2024-12-11   Updated Security Best Practices on page 17.
2025-02-21   Updated Backing up and restoring the configuration on page 8.
2025-04-28   Added Resizing VM on page 19.
2025-06-16   Updated Resizing VM on page 19. Updated Secure password storage on page 8.
2025-06-23   Added Create snapshots of FortiAnalyzer-VM on page 12.
Overview
This guide is a collection of best practices guidelines for using FortiAnalyzer. Use these best practices to help
you get the most out of your FortiAnalyzer products, maximize performance, and avoid potential problems.
Additional information
For product and feature guides, go to the Fortinet Document Library at https://docs.fortinet.com.
For procedures on how to implement these best practices, see the FortiAnalyzer Administration Guide in the
Fortinet Document Library.
For customer service and support, go to https://support.fortinet.com.
For technical notes, how-to articles, FAQs, and links to the technical forum and technical documentation, go to
the Fortinet Community at https://community.fortinet.com/.
Installation
Plan your installation carefully and select the FortiAnalyzer model(s) that meet your requirements.
• Plan the size of your installation appropriately. Ensure you plan for future management and logging requirements, including consideration for:
  ◦ The number of connected devices.
  ◦ If applicable, log rates and analytic and archive retention periods.
• Ensure you have remote serial console or virtual console access.
• Ensure a local TFTP server is available on a network local to the FortiAnalyzer.
Business Continuity
• Set up and use High Availability (HA).
• Ensure there is no power interruption. A power loss could compromise the integrity of the FortiAnalyzer databases. See Maintain database integrity on page 9.
• Always shut down or reboot the FortiAnalyzer gracefully. Removing power without a graceful shutdown might damage FortiAnalyzer databases.
• Ensure the FortiAnalyzer environment has a stable and uninterruptible power supply.
• If an unexpected power loss occurs, revert to a known good backup of the configuration.
• Ensure there are spare parts on site, such as fans, power supplies, and hard disk drives.
General Maintenance
Perform general maintenance tasks such as backup and restore so you can revert to a previous configuration if
necessary.
Backing up and restoring the configuration
Backing up your configuration:
• Perform regular backups to ensure you have a recent copy of your FortiAnalyzer configuration.
• Verify the backup by comparing the checksum in the log entry with that of the backed up file.
• Set up a backup schedule so you always have a recent backup of the configuration. See the FortiAnalyzer Administration Guide.
• If your FortiAnalyzer is a virtual machine, you can also use VM snapshots.
If you use ADOMs, a large number of ADOMs can significantly increase the size of configuration files, which increases backup and restore time. See ADOM considerations on page 11.
Restoring your configuration:
• A configuration must be restored on a VM or appliance running the identical firmware version as the one where the backup was performed. For example, if you back up a configuration on a FortiAnalyzer running firmware version 7.6.2, perform the restore on a FortiAnalyzer running 7.6.2.
Secure password storage
Passwords, as well as the private keys used in certificates, are encrypted using a pre-defined private key when
stored on the FortiAnalyzer, and encoded when displayed in the CLI and configuration file. This ensures that the
password cannot be decrypted unless the private key is known, and the password is not displayed in clear text
anywhere.
Stored passwords are encrypted with AES-128. To further enhance your password security, you should specify
your own private key for the encryption process. This ensures that your key is unique and known only by you.
The key is also required on other FortiAnalyzers to restore the system from a configuration file. In HA clusters,
the same key should be used on all of the units.
To enable and enter your own private encryption key:
    config system global
        set private-data-encryption enable
    end
    Please type your private data encryption key (32 hexadecimal numbers):
    0123456789abcdef0123456789abcdef
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    0123456789abcdef0123456789abcdef
    Your private data encryption key is accepted.
This is an example. Using 0123456789abcdef0123456789abcdef as your private key is not recommended.
Schedule maintenance tasks for off-peak hours
Fortinet recommends scheduling maintenance tasks for off-peak hours whenever possible, including tasks such as:
• Configuration backup.
• Log deletion.
• Log rolling and related log upload.
• For FortiAnalyzer devices in Collector mode, log aggregation. Schedule this task after daily log rolling so that the Analyzer has the latest rolled logs for that day.
Maintain database integrity
To maintain database integrity, never power off a FortiAnalyzer unit without a graceful shutdown. Removing power without a proper shutdown can damage FortiAnalyzer databases.
Always use the following CLI command to shut down the device before removing power:
    execute shutdown
Fortinet highly recommends connecting FortiAnalyzer units to an uninterruptible power supply (UPS) to prevent
unexpected power issues that might damage internal databases.
Replace managed device
When you need to replace a standalone FortiGate device or a cluster member, the best practice is to add the
new device as a new member so as to preserve existing logs. Consider adding the old and new FortiGate
devices into a group for reporting purposes.
Add managed device
When Security Fabric is enabled on FortiGate, FortiAnalyzer requires using an administrator account on the
FortiGate to query the FortiGate for Security Fabric-related information.
Fortinet recommends using a dedicated Super_User administrator account on the FortiGate for FortiAnalyzer
access. This ensures that associated log messages are identified as originating from FortiAnalyzer activity. This
dedicated Super_User administrator account only needs Read Only access to System Configuration; all other
access can be set to None.
Replace the FortiAnalyzer device
When you need to move logs to a new FortiAnalyzer device, use one of the following methods:
• Use log forwarding in aggregation mode. See Log Forwarding in the FortiAnalyzer Administration Guide.
• Use log fetching (Fetcher Management). See Fetcher Management in the FortiAnalyzer Administration Guide.
Decommissioning FortiAnalyzer
FortiAnalyzer is a required component in a Security Fabric solution.
When decommissioning a FortiAnalyzer included in a Security Fabric, the Security Fabric must be disabled on
connected FortiGates if there is no longer a FortiAnalyzer present.
ADOM Design
Enable ADOMs to support logs other than FortiGate logs (including Syslog and FortiClient EMS). You do not
need to separate ADOMs by FortiOS versions.
In version 5.4.x, the following applies to version 5.4.4 and higher; in version 5.6.x, it applies to version 5.6.1 and higher: when creating, editing, or viewing ADOMs, the version is displayed only if FortiManager features are enabled.
If your devices have a mix of high-volume and low-volume log rates, put high-volume log rate devices in one
ADOM and low-volume log rate devices in another ADOM. This helps prevent quota enforcement from adversely
affecting the low-volume log devices. For best practices about setting quotas for ADOMs, see Allocate quota
and set log retention policy on page 14.
For more information, see the FortiAnalyzer Administration Guide.
ADOM considerations
A large number of ADOMs can significantly increase the size of configuration files which increases backup and
restore time. Do not create more ADOMs than your business needs.
Log Management
Set up a log management strategy that gives a good balance of redundancy and performance. Retain logs long enough to meet business requirements and archive older logs for better performance.
Set up a log backup strategy
• Set up a backup strategy for logs.
• Set up a schedule to roll and upload logs. You can use the GUI or CLI to set this up. For details, see the System Settings > Device logs section in the FortiAnalyzer Administration Guide.
• You can also back up logs using the execute backup logs command. For details, see the FortiAnalyzer CLI Reference.
Set up redundancy
• For log storage redundancy, you can set this up at the disk level by selecting an appropriate RAID level.
• For log delivery redundancy, you can set this up in the following ways:
  ◦ Set FortiGates to send logs to multiple devices, provided the FortiGate models support this function.
  ◦ Use a hierarchical approach in your network design which includes using FortiAnalyzer devices in Collector mode and one or more FortiAnalyzer devices in Analyzer mode.
Create snapshots of FortiAnalyzer-VM
Prior to upgrading a FortiAnalyzer-VM, take a snapshot as a precaution to preserve log data. VM snapshots can also be used to back up the configuration as part of general maintenance.
It is recommended to stop the VM prior to taking a snapshot.
Snapshots for a FortiAnalyzer-VM HA cluster
Prior to shutting down and taking a snapshot of an active FortiAnalyzer-VM in an HA cluster, use a failover to
maintain log continuity to another unit in the cluster during the process.
When using an Active-Passive FortiAnalyzer cluster, confirm the cluster is In Sync and use a manual failover
prior to shutting down a FortiAnalyzer-VM to take a snapshot.
When using an Active-Active FortiAnalyzer cluster:
• If the FortiGates sending logs to the cluster are v7.4.1 or later, you can set an alternate FortiAnalyzer using the FortiGate CLI. This allows for automatic failover to the other active FortiAnalyzer during the process. For more information, see the FortiGate Administration Guide.
• If the FortiGates sending logs to the cluster are v7.4.0 or earlier, you cannot set an alternate FortiAnalyzer for failover. In this case, it is better to manually fail over to the other active FortiAnalyzer prior to shutting down and taking the snapshot.
  ◦ If there is no route for the FortiGates to log directly to the other HA node, there is no workaround to avoid interrupting operation during a backup or an upgrade.
To take a snapshot in a FortiAnalyzer-VM HA cluster:
1. Confirm the cluster is In Sync.
2. Prior to shutdown, perform a manual failover. In some cases for Active-Active clusters, you may use an automatic failover instead. See the Active-Active cluster notes above.
3. Shut down the secondary.
4. Take the VM snapshot of the secondary.
If you are taking the snapshot as part of an upgrade, see the FortiAnalyzer Upgrade Guide for more information.
Set disk size and RAID level
Fortinet recommends using the default RAID level specified in the FortiAnalyzer data sheet, that is, RAID 50. If
your configuration does not meet RAID 50 requirements, consider upgrading your hardware.
When planning for disk space requirements, consider future storage needs. Adding disks to an existing RAID
array requires rebuilding the RAID array and restoring backed up logs.
The disk space available for you to set log quotas depends on the RAID level and the reserved space for
temporary files. Temporary files are needed for indexing, reporting, and file management. In your planning,
include both the disk space for the original logs FortiAnalyzer receives (Archive) and the space required to index
the logs (Analytics).
Fortinet recommends using the default ratio of Analytics : Archive for most deployments. If you plan to retain
archive logs for a much longer period than your analytical data, you might allocate a higher percentage to
Archive.
If you need more disk space for a VM, you can add a virtual disk.
You can also increase the size of an existing virtual disk. No format is required.
Use the execute lvm extend command to add or extend virtual disks. See the FortiAnalyzer CLI Reference.
Set log retention and storage
Determine the logs needed to meet business requirements
Consider carefully which types of logs to store on FortiAnalyzer. In some cases, you can be more selective
about the type and volume of logs sent from FortiGate to FortiAnalyzer. Reducing the type and volume of logs
gives FortiAnalyzer more resources to process the logs that meet your log storage, forensic, and reporting
needs.
Allocate quota and set log retention policy
Ensure your quota settings are sufficient to fulfill your log retention policy. You must keep enough log data to meet your organization's reporting requirements. Configure quota settings and the log retention policy to ensure there is enough time to generate all scheduled reports.
Log View > Storage Statistics shows graphs with trends to help you with this planning.
If you are using ADOMs, ensure the quota is sufficient for every ADOM. Allocating insufficient quota to an ADOM
might cause the following issues:
• Prevent you from meeting your log retention objective.
• Waste CPU resources enforcing quotas with log deletion and database trims.
• Adversely affect reporting when quota enforcement acts on analytical data before a report is complete.
For analytics, ensure the quota is sufficient and the retention period is long enough to complete all scheduled
reports. When reports are generated and the log retention period is past, there is no need to keep analytical
data since it can be regenerated from the original archived log data.
It is recommended that archive data be retained for a longer period than the analytic log data. The archive data is needed to regenerate analytic data in the event of a rebuild, such as may occur automatically during firmware upgrade.
Use Fetcher Management for log fetching
To generate a report for a time period not covered by current analytical data:
• Use log fetching (Fetcher Management) to fetch archived logs to generate reports.
• Import log data from an external backup to generate reports.
Log fetching simplifies generating reports from log data for the following reasons:
• Log fetching allows you to specify the devices and time periods to be indexed.
• You can pull indexed logs into an ADOM with quota and log retention settings specifically set up to generate reports on older logs.
• Log fetching helps to avoid duplications that might occur with importing data from an external backup.
For information on Fetcher Management (log fetching) and importing a log file, see the FortiAnalyzer
Administration Guide.
Rebuild SQL database
Some firmware upgrades might change the SQL schema that indexes logs (analytics). If so, FortiAnalyzer
automatically rebuilds the SQL database. During the rebuild, searching and reporting functions are limited.
You rarely need to manually rebuild an SQL database. If you think there might be problems with the SQL
database, contact Customer Service & Support before considering a manual rebuild.
You might consider rebuilding the SQL database in the following situations:
• After moving a device to a new ADOM, you might need to rebuild the SQL database in the new ADOM.
• If disk space is running low, you might rebuild the SQL database to try to free up disk space.
Report Performance
For reports that you run regularly, set up the following:
• Put those reports into a group.
• Schedule those reports. If possible, schedule reports to run at off-peak hours and do not schedule reports to run at the same time as log maintenance tasks.
• Enable auto-cache for those reports.
Grouping reports has these advantages:
• Reduce the number of hcache tables.
• Improve auto-cache completion time.
• Improve report performance and reduce report completion time.
Consider grouping reports in these conditions:
• If you use the same or a similar report template for different FortiGates in the same ADOM.
• If you regularly use different filters on your reports.
Other ways to improve report performance include:
• Avoid running reports at the same time as log aggregation or log transfer.
• Avoid queries to external sources such as DNS (for name resolution) or LDAP (for obtaining a user list).
For more information, see the FortiAnalyzer Administration Guide.
Security Best Practices
For stronger security, implement the following security best practices.
Administrator access best practices
• Enable password policy and set requirements for the administrator password. The password policy lets you specify the administrator's password minimum length, the types of characters it must contain, and the number of days to password expiry.
• Use CLI commands to configure the administrator's password lockout threshold and duration. For example, to lock the account after two failed attempts and require a two-minute wait before the administrator can log in again, enter the following CLI commands:
    config system global
        set admin-lockout-threshold 2
        set admin-lockout-duration 120
    end
• Set a lower idle timeout so that unattended workstations are logged out.
• Use multi-factor authentication for administrators. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
• Limit administrator access. For example, configure trusted hosts and allowaccess. See Restricting GUI access by trusted hosts.
Encryption best practices
Set a strong encryption level. Use the SSL protocol version (TLS version) that meets PCI compliance or your organization's security requirements. For example:
    config system global
        set enc-algorithm high
        set fgfm-ssl-protocol tlsv1.2
        set oftp-ssl-protocol tlsv1.2
        set ssl-protocol tlsv1.2
        set webservice-proto tlsv1.2
        set ssl-low-encryption disable
    end
    config fmupdate fds-setting
        set fds-ssl-protocol tlsv1.2
    end
The enc-algorithm setting allows you to specify the security level for cipher suites:
• set enc-algorithm low uses all OpenSSL ciphers.
• set enc-algorithm medium uses high and medium OpenSSL ciphers.
• set enc-algorithm high (default) uses only high OpenSSL ciphers.
For more information about cipher security levels, see the FortiAnalyzer Administration Guide.
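As an added example (not from this guide or from Fortinet), the following Python script parses a FortiAnalyzer CLI configuration excerpt and flags settings that deviate from the values recommended above, covering the encryption settings in this section together with the private-data-encryption setting from Secure password storage. The sample configuration, the ordering of protocol names, and the audit logic are this example's own assumptions.

```python
# Constructed sample, deliberately weak in places, in the CLI's nested
# config / edit / set / next / end layout as an administrator would export it.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set enc-algorithm medium
    set fgfm-ssl-protocol tlsv1.1
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption enable
    set private-data-encryption disable
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end
"""

# Exact values recommended in this guide.
EXACT = {
    "system global/enc-algorithm": "high",
    "system global/ssl-low-encryption": "disable",
    "system global/private-data-encryption": "enable",
}
# Protocol settings the guide sets to tlsv1.2; anything older is flagged.
TLS_KEYS = [
    "system global/fgfm-ssl-protocol",
    "system global/oftp-ssl-protocol",
    "system global/ssl-protocol",
    "system global/webservice-proto",
    "fmupdate fds-setting/fds-ssl-protocol",
]
MIN_TLS = "tlsv1.2"
# Ordering assumed by this script only (weakest first).
TLS_ORDER = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]


def parse_config(text):
    """Map "<section>/<key>" to its value for every set statement, descending
    into nested config and edit blocks (e.g. "system ntp/ntpserver/1/server")."""
    settings, stack = {}, []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        keyword, rest = words[0], words[1:]
        if keyword in ("config", "edit"):
            stack.append(" ".join(rest).strip('"'))
        elif keyword in ("next", "end") and stack:
            stack.pop()
        elif keyword == "set" and rest:
            settings["/".join(stack + [rest[0]])] = " ".join(rest[1:]).strip('"')
    return settings


def tls_at_least(value, minimum):
    """True when value is a known protocol name no weaker than minimum."""
    return value in TLS_ORDER and TLS_ORDER.index(value) >= TLS_ORDER.index(minimum)


def audit(text):
    """Return (setting path, actual value, expected value) for each deviation.
    A dump normally omits defaults, so an absent key is reported as <unset>;
    confirm the device default before treating that as a finding."""
    settings = parse_config(text)
    findings = []
    for path, want in EXACT.items():
        got = settings.get(path, "<unset>")
        if got != want:
            findings.append((path, got, want))
    for path in TLS_KEYS:
        got = settings.get(path, "<unset>")
        if not tls_at_least(got, MIN_TLS):
            findings.append((path, got, MIN_TLS + " or later"))
    return findings


if __name__ == "__main__":
    for path, got, want in audit(SAMPLE_CONFIG):
        print(f"{path}: found {got!r}, recommended {want!r}")
```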
Other security best practices
• Disable unused interfaces.
• Upgrade firmware to the latest version.
• Install physical devices in a restricted area.
• Place the FortiAnalyzer behind a firewall, such as a FortiGate, to limit attempts to access the FortiAnalyzer device. When FortiAnalyzer is behind a FortiGate, AV and IPS features can be enabled on the FortiGate to further protect FortiAnalyzer from malware or intrusion attacks. See the FortiGate Administration Guide.
• Set up NTP. For example:
    config system ntp
        set status enable
        set sync_interval 60
        config ntpserver
            edit 1
                set server {<address_ipv4> | <fqdn_str>}
            end
        end
    end
• For audit purposes:
  ◦ Use named accounts wherever possible.
  ◦ Send logs to a central log destination.
Do not lose the administrator login information, as there is no password recovery mechanism in FortiAnalyzer 5.4.0 and later.
VM Size and License
When using VMs, implement the following:
• Allocate sufficient CPU and memory resources to all VMs based on the number of devices and enabled features.
• Ensure the VM license meets your requirements for daily log rate (GB/day) and log storage capacity. For details, see the FortiAnalyzer Private Cloud.
Resizing VM
Because resizing a VM may require reformatting the disk and restarting the VM, it is important to plan ahead for expansion when possible. By including extra space in your initial deployment, you can potentially avoid resizing an active VM in the future, which would require downtime to safely back up the data and configuration as part of the process.
The FortiAnalyzer-VM allows you to add up to fifteen virtual log disks to a deployed instance. You can use the following CLI command to see how many log disks have been added and how much disk space is available:
    execute lvm info
When adding additional disks, use the following CLI command to extend the LVM logical volume:
    execute lvm extend
The execute lvm info command also displays the file-system size, which will not expand beyond the boundary limit until the disk is reformatted.
• The FortiAnalyzer VM platform file system ext4 boundary limit is 64TB.
• The FortiAnalyzer VM platform file system ext3 boundary limit is 16TB.
If you are resizing beyond the boundary limit for the file system, you must reformat the disk using the following command:
    execute format <disk | disk-ext3 | disk-ext4>
Executing this command erases all device settings/images, databases, and log data on the FortiAnalyzer system's hard drive. The FortiAnalyzer device's IP address and routing information are preserved. If reformatting an active VM, it is important to back up logs and configuration beforehand.
Adding an extra disk or adding space to the current LVM disk will not impact currently saved archive logs and analytics logs. However, VM platforms may automatically restart or prompt you to restart when resizing an active VM. As a precaution to prevent database corruption and preserve data in FortiAnalyzer, it is best to back up the logs and perform a graceful shutdown before resizing.
To back up logs prior to resizing, enter the following commands in the FortiAnalyzer CLI:
    execute backup logs <device name(s) | all> {ftp | scp | sftp} <ip/fqdn> <username> <passwd> <directory> [vdlist]
    execute backup reports <report schedule name(s) | all> {ftp | scp | sftp} <ip/fqdn> <username> <passwd> <directory> [vdlist]
To perform a graceful shutdown, enter the following command in the FortiAnalyzer CLI:
    execute shutdown
For more details about these commands, see the FortiAnalyzer CLI Reference on the Fortinet Document Library.
www.fortinet.com
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other
metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and
other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to
the extent Fortinet enters a binding written contract, signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to
certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet.
For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations,
and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable.