Overview:
FortiAnalyzer is a powerful log management, analytics and
reporting platform, providing organizations with Single-Pane
Orchestration, Automation, and Response for simplified
security operations, proactive identification and remediation of
risks, and complete visibility of the entire attack surface.
FortiAnalyzer, integrated with Fortinet’s Security Fabric,
provides advanced threat detection capabilities, centralized
security analytics, and complete end-to-end security posture
awareness and control, helping security teams identify and
eliminate threats before a breach can occur.
Orchestrate security tools, people and process for streamlined execution of
tasks and workflows, incident analysis and response, and rapidly expedite threat
detection, case creation & investigation, and mitigation and response.
Automate workflows and trigger actions with fabric connectors, playbooks and
event handlers to accelerate your network security team's ability to respond to
critical alerts and events, and to meet SLAs for regulation and compliance.
Respond in real-time to network security attacks, vulnerabilities and warnings of
potential compromises, with threat intelligence, event correlation, monitoring, alerts
and reporting for immediate tactical response and remediation.
Key Features
- Security Fabric Analytics with
event correlation and real-time
detection across all logs, with
Indicators of Compromise
(IOC) service and detection of
advanced threats
- Fortinet Security Fabric
integration with FortiGates,
FortiClient, FortiSandbox,
FortiWeb, FortiMail, and others
for deeper visibility and critical
network insights
- Enterprise-grade High
Availability to automatically
back-up FortiAnalyzer
databases (up to four node
cluster), which can be
geographically dispersed for
disaster recovery
- Security Automation to reduce
complexity, leveraging REST
API, scripts, connectors,
and automation stitches to
expedite security response
and reduce time-to-detect
- Multi-Tenancy solution with
quota management, leveraging
Administrative Domains
(ADOMs) to separate customer
data and manage domains for
operational effectiveness and
compliance
- Flexible deployment options
as appliance, VM, hosted, or
public cloud. Use AWS, Azure,
or Google for cloud secondary
archival storage
Virtual Offerings-FortiAnalyzer VM
FortiAnalyzer Virtual Machines are a virtual version of
the hardware appliance and are designed to run on many
virtualization platforms, offering all the latest features of the
FortiAnalyzer appliance. They allow organizations to simplify
their centralized log management and analytics solution,
automate workflows and help NOC and SOC teams identify
and respond to threats. FortiAnalyzer VMs are available in
both a subscription and perpetual offering.
FortiAnalyzer VM-S
The new FortiAnalyzer Subscription license model
consolidates the VM product SKU and the FortiCare
Support SKU, as well as IOC and FortiAnalyzer SOC (SOAR/
SIEM) services into one single SKU, to simplify the product
purchase, upgrade and renewal.
FortiAnalyzer-VM-S provides organizations with centralized
security event analysis, forensic research, reporting, content
archiving, data mining, malicious file quarantining and
vulnerability assessment. Centralized collection, correlation
and analysis of geographically and chronologically diverse
security data from Fortinet and third party devices deliver a
simplified, consolidated view of your security posture.
The FortiAnalyzer S-Series SKUs come in stackable 5, 50 and
500 GB/day log licenses, so that multiple units of this SKU
can be purchased together, giving organizations the
ability and cost-efficiencies to scale and meet their logging
needs.
FortiAnalyzer VM
Fortinet offers the FortiAnalyzer VM in a stackable perpetual
license model, with a-la-carte services available for 24x7
FortiCare support and subscription license for the FortiGuard
Indicator of Compromise (IOC).
This software-based version of the FortiAnalyzer hardware
appliance is designed to run on many virtualization platforms,
which allows you to expand your virtual solution as your
environment expands.
Highlights:
Incident Detection and Response
Event Management
FortiAnalyzer’s Event Manager enables security teams to
monitor and manage alerts and events from logs. Events are
processed and correlated in an easily readable format that
analysts can understand for immediate response. Analysts
can use the Event Monitor for investigative searches into
alerts, and use the predefined or custom event handlers for
NOC and SOC, with customizable filters to generate real-time
notifications for around-the-clock monitoring, including
handlers for SD-WAN, SSL VPN, wireless, network operations,
FortiClient, and more.
Centralized NOC/SOC Visibility for the Attack Surface
The FortiSOC view helps teams in the security operations
center (SOC) and network operations center (NOC) protect
networks with access to real-time log and threat data in the
form of actionable views with deep drill-down capabilities,
notifications & reports, and predefined or customized
dashboards for single-pane visibility and awareness. Analysts
can utilize FortiAnalyzer’s workflow automation for simplified
orchestration of security operations, management of threats
and vulnerabilities, and responding to security incidents, or
investigate proactively by looking for anomalies and threats in
SIEM normalized logs in the Threat Hunting view.
Incident Management
The Incidents component in FortiSOC enables security
operations teams to manage incident handling and life cycle
with incidents created from events to show affected assets,
endpoints and users. Analysts can assign incidents, view and
drill down on event details, incident timelines, add analysis
comments, attach reports and artifacts, and review playbook
execution details for complete audit history.
Integrate with FortiSOAR for further incident investigation
and threat eradication including support to export incident
data to FortiSOAR through the FortiAnalyzer fabric connector
(enabled on FortiSOAR with API Admin setup).
Playbook Automation
FortiAnalyzer Playbooks boost a security team's ability to
simplify investigation efforts through automated incident
response, freeing up resources and allowing analysts to
focus on threats that are more critical.
Out of the box playbook templates enable SOC analysts to
quickly customize their use cases, including playbooks for
investigation of compromised hosts, infections and critical
incidents, data enrichment for Fabric View Assets & Identity
views, blocking of malware, C&C IPs, and more. Security
teams can define custom processes, edit playbooks and tasks
in the visual playbook editor, utilize the Playbook monitor to
review task execution details, import or export playbooks, and
use built-in connectors for allowing playbooks to interact with
other Security Fabric devices like FortiOS and EMS. The new
connector health check provides an indicator for verifying
that connectors are always up and working.
Security Services
Include the FortiSOC subscription to enable further
automation for incident response with enhanced alert
monitoring and escalation, built-in incident management
workflows, connectors, and many more FortiSOC playbooks.
The FortiGuard Indicators of Compromise subscription
empowers security teams with forensic data from 500,000
IOCs daily. Used in combination with FortiAnalyzer analytics,
it identifies suspicious usage and artifacts observed on
the network or in an operating system that have been
determined with high confidence to be malicious infections or
intrusions, and supports historical rescan of logs for threat hunting.
Security Fabric Analytics
Analytics and Reporting
Security teams are empowered with FortiAnalyzer’s
automation driven analytics and reports providing full visibility
of network devices, systems, and users.
FortiAnalyzer delivers correlated log data with threat
intelligence for analysis of real-time and historical events,
providing context and meaning to network activity, risks and
vulnerabilities, attack attempts, operational anomalies,
continuous monitoring of sanctioned and unsanctioned user
activity, and investigation of Shadow IT.
Assets and Identity
FortiAnalyzer’s Fabric View with Asset and Identity monitoring
provides full SOC visibility of users and devices, including
analytics of the attack surface and enables analysts to view
and manage detailed UEBA information collected from logs
and fabric devices, with filters and custom views for refining
results.
The Assets & Identity views provide security teams with
elevated visibility into an organization’s endpoints and users
with correlated user and device information, vulnerability
detections, and EMS tagging and asset classifications through
telemetry with EMS, NAC, and Fortinet Fabric Agent.
FortiAnalyzer Reports
FortiAnalyzer provides over 60 report templates,
800+ datasets and 750+ charts that are ready to use
with sample reports, including reports for Secure SD-WAN,
VPN monitoring, Threat Assessments, 360 Security
Reviews, Situational Awareness, Self-harm and Risk
Indicators, Bandwidth and Applications, FortiClient, FortiMail,
FortiSandbox, FortiDeceptor, compliance, and many others.
Analysts can easily customize, clone and modify Reports to
their needs with filters by device, subnets and type to deliver
specific business metrics to target stakeholders. Schedule
reports to run at non-peak hours or run on demand; define
output profiles for notifications and deliver reports in flexible
viewing formats including PDF, HTML, CSV, and XML.
Deployments
Deploying FortiAnalyzer
FortiAnalyzer plays a pivotal role in Fortinet’s Security Fabric
and can be deployed in a variety of configurations to best
support the needs of any organization for analytics, back-ups,
disaster recovery and storage, availability and redundancy
as well as log collection and log forwarding for high-volume
networks with sizeable generation of event logs.
FortiAnalyzer High Availability (HA)
FortiAnalyzer HA provides real-time redundancy to protect
organizations by ensuring continuous operational availability.
In the event that the primary (active) FortiAnalyzer fails, a
secondary (passive) FortiAnalyzer in a cluster of up to four
nodes immediately takes over, preserving log and data
reliability and eliminating the single point of failure.
Multi-Tenancy with Flexible Quota Management
FortiAnalyzer provides the ability to manage multiple sub-accounts,
with each account having its own administrators
and users. The time-based archive/analytic log data policy,
per Administrative Domain (ADOM), allows automated quota
management based on the defined policy, with trending
graphs to guide policy configuration and usage monitoring.
Analyzer-Collector Mode
FortiAnalyzer provides two operation modes: Analyzer and
Collector. In Collector mode, the primary task is forwarding
logs of the connected devices to an Analyzer and archiving
the logs. This configuration greatly benefits organizations
with increasing log rates, as the resource-intensive log-receiving
task is off-loaded to the Collector so that the
Analyzer can focus on generating analytics and reports.
Network Operations teams can deploy multiple FortiAnalyzers
in Collector and Analyzer modes to work together to improve
the overall performance of log receiving and processing
increased log volumes, providing log storage and redundancy,
and rapid delivery of critical network and threat information.
Log Forwarding for Third-Party Integration
Forward logs from one FortiAnalyzer to another FortiAnalyzer
unit, a syslog server, or a Common Event Format (CEF) server.
In addition to forwarding logs to another unit or server, the
client FortiAnalyzer retains a local copy of the logs, which are
subject to the data policy settings for archived logs. Logs are
forwarded in real time or near real time as they are received
from network devices.
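The event-handler filtering described under Event Management above and the syslog/CEF forwarding described here, as an added example that is not Fortinet's code and does not show FortiAnalyzer's own handler logic or CEF field mapping: a Python script that parses FortiOS-style key=value log records, applies a threshold-and-window event handler grouped by source IP, and renders each resulting event in Common Event Format for a third-party receiver. The sample log lines, the rule definition, and the CEF vendor/product strings are constructed assumptions for illustration only.

```python
# Added example, not Fortinet code: a minimal event handler over
# FortiOS-style key=value log records, with matches emitted as CEF.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the key=value layout FortiGate devices use.
# Field names mirror common FortiOS log fields; all values are invented.
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:00:01 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 msg="Administrator admin login failed from ssh(203.0.113.5)"',
    'date=2024-03-01 time=10:00:20 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.9 msg="Administrator admin login failed from ssh(198.51.100.9)"',
    'date=2024-03-01 time=10:00:45 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 msg="Administrator admin login failed from ssh(203.0.113.5)"',
    'date=2024-03-01 time=10:01:10 devname="fgt-edge1" type="traffic" subtype="forward" srcip=203.0.113.5 dstip=192.0.2.10 dstport=443 action="accept" service="HTTPS"',
    'date=2024-03-01 time=10:01:30 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 msg="Administrator admin login failed from ssh(203.0.113.5)"',
    'date=2024-03-01 time=10:01:50 devname="fgt-edge1" type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.5 msg="Administrator admin logged in successfully from ssh(203.0.113.5)"',
    'date=2024-03-01 time=10:09:00 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 msg="Administrator admin login failed from ssh(203.0.113.5)"',
    'date=2024-03-01 time=10:30:00 devname="fgt-edge1" type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.9 msg="Administrator admin login failed from ssh(198.51.100.9)"',
]

# Hypothetical handler rule: fire when 3 matching records from the same
# source IP arrive within 5 minutes, then reset the count for that source.
RULE = {
    "name": "Repeated admin login failures",
    "signature_id": "100",
    "severity": 8,  # CEF header severity, 0-10
    "match": {"type": "event", "subtype": "system", "action": "login", "status": "failed"},
    "group_by": "srcip",
    "threshold": 3,
    "window": timedelta(minutes=5),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def record_time(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def run_handler(lines, rule):
    """Return one event per group that reaches the rule's threshold inside its
    sliding window. Input is assumed time-ordered as received from a device;
    a real collector would sort or buffer first."""
    events = []
    windows = defaultdict(deque)  # group value -> timestamps still in window
    for line in lines:
        rec = parse_kv(line)
        if any(rec.get(k) != v for k, v in rule["match"].items()):
            continue  # filter: every match field must equal the rule value
        when, key = record_time(rec), rec.get(rule["group_by"], "-")
        win = windows[key]
        while win and when - win[0] > rule["window"]:
            win.popleft()  # expire matches older than the window
        win.append(when)
        if len(win) >= rule["threshold"]:
            events.append({"rule": rule["name"], "signature_id": rule["signature_id"],
                           "severity": rule["severity"], "group": key,
                           "count": len(win), "first": win[0], "last": when,
                           "devname": rec.get("devname", "-")})
            win.clear()  # start a fresh count for this group
    return events


def cef_escape_header(s):
    # Header fields: escape backslash first, then the pipe delimiter.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(s):
    # Extension values: escape backslash first, then '='; flatten newlines.
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(event, vendor="ExampleSOC", product="event-handler", version="1.0"):
    """Render CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension.
    Vendor/product are placeholders, not FortiAnalyzer's own values."""
    fmt = "%b %d %Y %H:%M:%S"  # one of the timestamp forms CEF accepts
    header = "|".join(cef_escape_header(x) for x in (
        vendor, product, version, event["signature_id"], event["rule"], str(event["severity"])))
    ext = {
        "rt": event["last"].strftime(fmt),
        "start": event["first"].strftime(fmt),
        "src": event["group"],
        "cnt": str(event["count"]),
        "dvchost": event["devname"],
        "msg": f"{event['count']} matches of '{event['rule']}' within window",
    }
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())


if __name__ == "__main__":
    # What a forwarder would hand to the syslog/CEF receiver.
    for cef_line in (to_cef(e) for e in run_handler(SAMPLE_LOGS, RULE)):
        print(cef_line)
```

Run stand-alone, the script emits a single CEF record for 203.0.113.5: three failures land inside the five-minute window, the traffic record and the successful login are dropped by the match filter, the lone failure at 10:09 starts a fresh count, and the second failure from 198.51.100.9 arrives after its earlier one has expired from the window. The escaping order in the two helpers matters: backslashes must be doubled before the delimiter is escaped, or a receiver will mis-parse the extension.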
Cloud Services
FortiAnalyzer Cloud
FortiAnalyzer Cloud offers customers a PaaS based delivery
option for automation-driven, single pane analytics, providing
log management, analytics and reporting for Fortinet NGFW
and SD-WAN with an easily accessible cloud-based solution.
FortiAnalyzer Cloud delivers reliable real-time insights into
network activity with extensive reporting and monitoring for
clear, consistent visibility of an organization's security posture.
With the FortiCloud Premium subscription customers can
easily enable the FortiAnalyzer Cloud service with the 360
Protection bundle or by purchasing it a-la-carte, producing
analytics for Fortinet Security Fabric devices and users.
Customers and Partners can easily access their FortiAnalyzer
Cloud from their FortiCloud Single-Sign-On Portal.