Sizing

Sizing guidelines for on-premise Deep Security deployments vary by the scale of your network, hardware, and software. See also Sizing for Deep Security Relays.

Guidelines vary by system component:

Database disk space

Several variables affect database disk space requirements:

  • Number of computers
  • Number of events (logs) recorded per second
  • How long events are retained

Event retention settings can be configured in the policy, the individual computer settings, or both. (See Policies, inheritance, and overrides.) To configure disk space usage, see Limit log file sizes, including which events are logged for stateful firewall of TCP, UDP, and ICMP. See also Deep Security Manager performance features.

The database sizes in the following tables are suggestions for use with the default settings for log and event retention (7 days). Follow these steps to estimate sizing for your database:

  1. Identify the security features you are enabling and the number of agents that you are deploying.
  2. Add the individual recommendations for each security feature to estimate the database size.
  3. Compare this value with the Full Policy recommendation and provision the lesser of the two

For example, you are deploying 750 agents with Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200). However, the Full Policy recommendation is 300 GB. Therefore, you should provision 300 GB.

Disk space estimates

Number of
agents		 Anti‑Malware Web
Reputation
Service		 Log
Inspection		 Firewall Intrusion
Prevention
System		 Application
Control		 Integrity
Monitoring		 Full
Policy
1-99 10 GB 15 GB 20 GB 20 GB 40 GB 50 GB 50 GB 100 GB
100-499 10 GB 15 GB 20 GB 20 GB 40 GB 100 GB 100 GB 200 GB
500-999 20 GB 30 GB 50 GB 50 GB 100 GB 200 GB 200 GB 300 GB
1000-9999 50 GB 60 GB 100 GB 100 GB 200 GB 500 GB 400 GB 600 GB
10,000-20,000 100 GB 120 GB 200 GB 200 GB 500 GB 750 GB

750 GB

 1 TB

Database sizing considerations

  • By default, data pruning is not performed on system events, which have a large impact on the database size. Adjust pruning settings according to your compliance requirements. (See Log and event storage best practices.)
  • If you require long retention requirements for system events, use SIEM or Syslog servers for event forwarding. You can also use SEIM or Syslog servers for Security Control event forwarding. (See Forward Deep Security events to an external syslog or SIEM server .)

    When system events and Security Control events are forwarded to SIEM or Syslog severs, they are not deleted from the database. To delete these events use data pruning.

  • To conserve disk space, delete all agent configuration packages for each platform that are are not in use. If you need to keep the configuration packages, add disk space accordingly. To help with estimating disk space requirements, consider a newly-installed Deep Security Manager with co-located relay that is assigned a policy that protects a Manager computer. When 29 agents (maximum 5 versions per agent platform) are added, the database size grows approximately 5 GB.
  • The Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes operations retain all records in the database and are never pruned or forwarded to external Syslog or SIEM systems. The Application Control and Integrity Monitoring security modules use these operations and therefore require more storage space than other security modules. Other types of operations, such as system or security events, are pruned or forwarded to external Syslog or SIEM systems.
  • High-traffic environments that use the firewall and intrusion prevention system modules can cause a large number of related events. Factors that influence the number of events are the number of applied intrusion prevention system rules, system vulnerability, and firewall rule configuration. Because these events can require significant database storage, you should monitor these security events and use suitable data pruning.
  • If you anticipate a significant number of firewall events, consider disabling “Out of allowed policy” events. (See the Advanced section in Firewall settings.)

Deep Security Manager sizing

The sizing recommendations for the Deep Security Manager computer depends on the number of agents that are being managed:

Number of agents Number of CPUs RAM JVM process memory Number of manager nodes
< 100028 GB4 GB2
1000 to 5000412 GB8 GB2
5000 to 10000816 GB12 GB2
10000 to 20000824 GB16 GB2

Two manager nodes or more are recommended to provide redundancy and ensure the availability of the manager services. To ensure adequate performance during concurrent operations, you should install Deep Security Manager and the database on separate, dedicated servers in the same physical location.

Multiple server nodes

For better availability and scalability in larger deployments, use a load balancer, and install the same version of Deep Security Manager on multiple servers ("nodes"). Connect them to the same database storage.

To avoid high load on database servers, don't connect more than 3 Deep Security Manager nodes to each database server.

Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.

Deep Security Virtual Appliance sizing

By default, the Deep Security Virtual Appliance has only 4 GB of memory. The number of virtual machines that a Deep Security Virtual Appliance is protecting determines the hardware requirements of the appliance. The following table lists the minimum number of vCPUs and amount of memory to allocate based on the number of protected virtual machines.

Number of protected virtual machines Number of vCPUs RAM
1-25 2 6 GB
26-50 2 8 GB
51-100 2 10 GB
101-150 4 12 GB
151-200 4 16 GB
201-250 6 20 GB
251-300 6 24 GB

Recommendations for 251-300 virtual machines assumes that the integrity monitoring module is not used.

To allocate memory for virtual appliances, see Deep Security Virtual Appliance memory allocation.