Fortinet FortiAnalyzer 1000G Appliance

Save $4,412.24
Fortinet SKU: FAZ-1000G

Price:
Sale price $63,468.36 (Regular price $67,880.60)

GST not included.

Description

Fortinet FortiAnalyzer 1000G Appliance (FAZ-1000G)

FortiAnalyzer 1000G is an on-premises log management, analytics, and reporting appliance designed to act as a centralized security data lake and operations console: it collects logs from Fortinet and third-party systems, correlates events, and supports incident workflows, automation, and compliance reporting at scale.


Key capabilities

1) Centralized log collection and unified visibility

  • Aggregates logs/telemetry across network and security devices to provide a single-pane view for NOC/SOC teams.

  • Supports common ingestion methods (e.g., syslog and integrations/forwarders depending on environment) and organizes data for fast search and analysis.

2) Advanced analytics, correlation, and detection

  • Correlates events across devices to identify threats that look like low-signal noise when viewed in isolation (e.g., lateral movement indicators spread across firewall + endpoint + email logs).

  • Helps detect advanced threats, vulnerabilities, and indicators of compromise using event/log correlation and enriched context.

3) Incidents and event lifecycle management

  • Provides alert/event handling workflows so analysts can triage, investigate, and track incidents with timelines, affected assets, and supporting evidence.

  • Enables predefined and custom handlers/filters for monitoring common security domains (e.g., VPN, SD-WAN, IPS, recon activity), depending on your log sources.

4) Automation and orchestration (playbooks)

  • Uses playbooks/templates to automate repeatable response actions and enrichment steps (for example: enrich an IOC, identify impacted hosts/users, trigger containment on enforcement points).

  • Reduces manual effort and improves response consistency for lean teams.

5) Reporting, dashboards, and compliance support

  • Includes a large library of reports/datasets/charts plus customizable dashboards for technical and executive audiences.

  • Supports audit-style outputs for security posture and compliance evidence collection (what you'd typically need for internal governance, external audits, or customer assurance).

6) Multi-tenancy and operational separation (ADOMs)

  • Built for multi-tenant environments (e.g., MSP/MSSP or multiple business units) with quota management and separation of data/policies by domain (ADOM).

7) Deployment resilience and scale options

  • Supports HA designs and scale-out patterns such as Analyzer/Collector modes (Collector offloads log receiving/forwarding so Analyzer can focus on analytics).

  • Can forward logs to third-party SIEM/logging tools while retaining a local copy for investigation and reporting.


Model-specific capacity and hardware (FAZ-1000G)

Use these when positioning the 1000G versus smaller models:

  • Log ingest capacity: up to 660 GB/day

  • Sustained performance: 20,000 logs/sec (analytics) and 30,000 logs/sec (collector)

  • Supported scale: up to 2,000 devices/VDOMs

  • Interfaces: 2x 2.5GbE RJ45 + 2x 25GbE SFP28

  • Storage: 32 TB raw (commonly presented as 8x 4TB) and typically 24 TB usable after RAID

(Exact usable storage depends on RAID configuration and platform specifics; the figures above are what is typically published for the 1000G class.)


Practical use cases

SOC central logging + faster investigations

  • Centralize FortiGate + endpoint + email + web security logs, then correlate them into incidents for faster triage and root-cause analysis.

  • Use dashboards for a "today's risk picture" view, then drill down into raw logs for evidence.

Compliance reporting and audit readiness

  • Generate scheduled compliance and executive reports, maintain retention policies, and provide consistent evidence trails for audits and customer assurance requirements.

MSSP / multi-site / multi-business-unit operations

  • Run multi-tenant logging with administrative separation and quotas, giving each customer or BU scoped access while keeping centralized oversight.

Threat hunting and IOC-driven response

  • Search across historical telemetry to confirm scope of compromise, identify affected hosts/users, and build a repeatable response workflow.

NOC/SOC convergence (operations + security)

  • Combine performance/availability visibility with security analytics in one place: useful where network teams also own security outcomes, or where staffing is limited.

Co-existence with an existing SIEM

  • Use FortiAnalyzer as the Security Fabric-native analytics and automation layer while forwarding subsets of logs to an enterprise SIEM for long-term correlation or regulatory requirements.

View data sheet: FortiAnalyzer Data Sheet
