Sizing guidelines for on-premise Deep Security deployments vary by the scale of your network, hardware, and software. See also the Determine the number of relays to use.
Guidelines vary by system component:
- Database disk space
- Deep Security Manager sizing
- Multiple server nodes
- Deep Security Virtual Appliance sizing
Several variables affect database disk space requirements:
- Number of computers
- Number of events (logs) recorded per second
- How long events are retained
Event retention settings can be configured in the policy, the individual computer settings, or both. (See Policies, inheritance, and overrides.)
The database sizes in the following tables are suggestions for use with the default settings for log and event retention (7 days). Follow these steps to estimate sizing for your database:
- Identify the security features you are enabling and the number of agents that you are deploying.
- Add the individual recommendations for each security feature to estimate the database size.
- Compare this value with the Full Policy recommendation and provision the lesser of the two
For example, you are deploying 750 agents with Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200). However, the Full Policy recommendation is 300 GB. Therefore, you should provision 300 GB.
|1-99||10 GB||15 GB||20 GB||20 GB||40 GB||50 GB||50 GB||100 GB|
|100-499||10 GB||15 GB||20 GB||20 GB||40 GB||100 GB||100 GB||200 GB|
|500-999||20 GB||30 GB||50 GB||50 GB||100 GB||200 GB||200 GB||300 GB|
|1000-9999||50 GB||60 GB||100 GB||100 GB||200 GB||500 GB||400 GB||600 GB|
|10,000-20,000||100 GB||120 GB||200 GB||200 GB||500 GB||750 GB||
- By default, data pruning is not performed on system events, which have a large impact on the database size. Adjust pruning settings according to your compliance requirements.
(See Log and event storage best practices.)
- If you require long retention requirements for system events, use SIEM or Syslog servers for event forwarding. You can also use SEIM or Syslog servers for Security Control event forwarding. (See Forward Deep Security events to an external syslog or SIEM server .)
When system events and Security Control events are forwarded to SIEM or Syslog severs, they are not deleted from the database. To delete these events use data pruning.
- To conserve disk space, delete all agent configuration packages for each platform that are are not in use. If you need to keep the configuration packages, add disk space accordingly. To help with estimating disk space requirements, consider a newly-installed Deep Security Manager with co-located relay that is assigned a policy that protects a Manager computer. When 29 agents (maximum 5 versions per agent platform) are added, the database size grows approximately 5 GB.
- The Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes operations retain all records in the database and are never pruned or forwarded to external Syslog or SIEM systems. The Application Control and Integrity Monitoring security modules use these operations and therefore require more storage space than other security modules. Other types of operations, such as system or security events, are pruned or forwarded to external Syslog or SIEM systems.
- High-traffic environments that use the firewall and intrusion prevention system modules can cause a large number of related events. Factors that influence the number of events are the number of applied intrusion prevention system rules, system vulnerability, and firewall rule configuration. Because these events can require significant database storage, you should monitor these security events and use suitable data pruning.
- If you anticipate a significant number of firewall events, consider disabling “Out of allowed policy” events. (See the Advanced section in Firewall settings.)
The sizing recommendations for the Deep Security Manager computer depends on the number of agents that are being managed:
|Number of agents||Number of CPUs||RAM||JVM process memory||Number of manager nodes|
|< 1000||2||8 GB||4 GB||2|
|1000 to 5000||4||12 GB||8 GB||2|
|5000 to 10000||8||16 GB||12 GB||2|
|10000 to 20000||8||24 GB||16 GB||2|
Two manager nodes or more are recommended to provide redundancy and ensure the availability of the manager services. To ensure adequate performance during concurrent operations, you should install Deep Security Manager and the database on separate, dedicated servers in the same physical location.
For better availability and scalability in larger deployments, use a load balancer, and install the same version of Deep Security Manager on multiple servers ("nodes"). Connect them to the same database storage.
Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.
By default, the Deep Security Virtual Appliance has only 4 GB of memory. The number of virtual machines that a Deep Security Virtual Appliance is protecting determines the hardware requirements of the appliance. The following table lists the minimum number of vCPUs and amount of memory to allocate based on the number of protected virtual machines.
|Number of protected virtual machines||Number of vCPUs||RAM|
Recommendations for 251-300 virtual machines assumes that the integrity monitoring module is not used.
To allocate memory for virtual appliances, see Deep Security Virtual Appliance memory allocation.