Sizing

Sizing guidelines for Deep Security deployments vary by the scale of your network, hardware, and software. See also Sizing for Azure Marketplace.

Deep Security Manager sizing

Sizing recommendations for Deep Security Manager vary by how many agents it will have.

If you'd prefer, you can watch Deep Security 12 - DSM System Requirements and Sizing on YouTube.

For best performance, it's important to allocate enough Java Virtual Machine (JVM) memory to the Deep Security Manager process. See Configure Deep Security Manager memory usage.

Recommendation scans are CPU-intensive for the Deep Security Manager. Consider the performance impact when determining how often to run recommendation scans. See Manage and run recommendation scans.

Resource spikes may occur if a large number of virtual machines are rebooted simultaneously and agents re-establish their connection with Deep Security Manager at the same time.

Multiple server nodes

For better availability and scalability, use a load balancer, and install the same version of Deep Security Manager on 2 servers ("nodes"). Connect them to the same database.

To avoid high load on database servers, don't connect more than two Deep Security Manager nodes to each database server.

Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.

Database sizing

Database CPU, memory, and disk space required varies by:

Minimum disk space = (2 x Deep Security data size) + transaction log

For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space during database schema upgrades.

To free disk space, delete any unnecessary agent packages for unused platforms (see Delete a software package from the Deep Security database), transaction logs, and unnecessary event records.

Event retention is configurable. For security events, retention is configured in the policy, individual computer settings, or both. See Policies, inheritance, and overrides and Log and event storage best practices.

To minimize disk usage due to events:

  • Store events remotely, not locally. If you need to keep events longer (such as for compliance), forward them to a SIEM or Syslog server and then use pruning to delete the local copy. (See Forward Deep Security events to a Syslog or SIEM server.)

    Some Application Control and Integrity Monitoring operations (Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes) retain all records locally, and are never pruned or forwarded.

  • Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. More security events increase local or remote disk usage.
  • Disable unnecessary security features that log frequently, such as stateful Firewall for TCP, UDP, and ICMP.

High-traffic computers that use Deep Security Firewall or Intrusion Prevention features might record more events per second, requiring a database with better performance. You might also need to adjust local event retention.

If you anticipate many Firewall events, consider disabling "Out of allowed policy" events. (See Firewall settings.)

Database disk space estimates

The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or more modules" recommendation is less (300 GB). Therefore, you would estimate 300 GB.

Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.

Deep Security Agent and Relay sizing

If you'd prefer, you can watch Deep Security 12 - Agent System Requirements and Sizing on YouTube.

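| Platform | Features enabled | Minimum RAM | Recommended RAM | Minimum disk space |
|----------|------------------|-------------|-----------------|--------------------|
| Windows | All protection | 2 GB | 4 GB | 1 GB |
| Windows | Relay only | 2 GB | 4 GB | 30 GB |
| Linux | All protection | 1 GB | 5 GB | 1 GB |
| Linux | Relay only | 2 GB | 4 GB | 30 GB |
| Solaris | All protection. Relay not supported | 4 GB | 4 GB | 2 GB |
| AIX | All protection. Relay not supported | 4 GB | 4 GB | 2 GB |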

Less RAM is required for some OS versions, or if you do not enable all Deep Security features.

If protected computers use VMware vMotion, add 10 GB of disk space to the Deep Security Relay that the agent is connected to, for a total recommendation of 40 GB.

Relays require more disk space if you install Deep Security Agent on many different platforms. (Relays store update packages for each platform.) For details, see Get Deep Security Agent software.
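
The following preflight check is an added example, not part of the product or its documentation. It tests a Linux host against the Linux rows of the agent and relay sizing table and the vMotion note above. The function names and the 5% RAM allowance (MemTotal reads slightly below installed RAM) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check of a Linux host against the sizing table.
# RAM/disk figures are the page's Linux rows and vMotion note; function names
# and the RAM allowance are assumptions of this example.
GB_KB=1048576      # 1 GB in KiB
RAM_SLACK_PCT=5    # assumption: MemTotal reads slightly below installed RAM

# check_sizing ROLE MEM_KB FREE_DISK_KB [VMOTION=no]
# Returns 0 = recommended RAM met, 1 = minimum only, 2 = below minimum, 3 = bad role.
check_sizing() {
    role=$1; mem_kb=$2; disk_kb=$3; vmotion=${4:-no}
    case $role in
        agent) min_ram=1; rec_ram=5; min_disk=1 ;;   # Linux, all protection
        relay) min_ram=2; rec_ram=4; min_disk=30     # Linux, relay only
               if [ "$vmotion" = yes ]; then min_disk=40; fi ;;
        *) echo "unknown role: $role" >&2; return 3 ;;
    esac
    min_ram_kb=$(( min_ram * GB_KB * (100 - RAM_SLACK_PCT) / 100 ))
    rec_ram_kb=$(( rec_ram * GB_KB * (100 - RAM_SLACK_PCT) / 100 ))
    if [ "$disk_kb" -lt $(( min_disk * GB_KB )) ]; then
        echo "FAIL: $role needs ${min_disk} GB free disk"; return 2
    fi
    if [ "$mem_kb" -lt "$min_ram_kb" ]; then
        echo "FAIL: $role needs at least ${min_ram} GB RAM"; return 2
    fi
    if [ "$mem_kb" -lt "$rec_ram_kb" ]; then
        echo "WARN: meets minimum, below recommended ${rec_ram} GB RAM"; return 1
    fi
    echo "OK: $role meets recommended sizing"; return 0
}

# preflight_host ROLE [PATH=/] [VMOTION=no]: measure this host, then check it.
preflight_host() {
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    disk_kb=$(df -Pk "${2:-/}" | awk 'NR==2 {print $4}')
    check_sizing "$1" "$mem_kb" "$disk_kb" "${3:-no}"
}

# Runs only when a role is passed, e.g.: sh preflight.sh relay /var yes
if [ $# -ge 1 ]; then preflight_host "$@"; fi
```

Pass the path of the filesystem that will hold the agent or relay data as the second argument so that free space is measured on the right volume.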