Sizing

Sizing guidelines for Deep Security deployments vary by the scale of your network, hardware, and software.

Deep Security Manager sizing

Sizing recommendations for Deep Security Manager vary by how many agents it will have.

If you'd prefer, you can watch Deep Security 12 - DSM System Requirements and Sizing on YouTube.

Number of agents Number of CPUs RAM JVM process memory Number of manager nodes Recommended disk space
<500 2 8 GB 4 GB 2 200 GB
500-1000 4 8 GB 4 GB 2 200 GB
1000-5000 4 12 GB 8 GB 2 200 GB
5000-10000 8 16 GB 12 GB 2 200 GB
10000-20000 8 24 GB 16 GB 2 200 GB

For best performance, it's important to allocate enough Java Virtual Machine (JVM) memory to the Deep Security Manager process. See Configure Deep Security Manager memory usage.

Recommendation scans are CPU-intensive for the Deep Security Manager. Consider the performance impact when determining how often to run recommendation scans. See Manage and run recommendation scans.

Resource spikes may occur if a large number of virtual machines are rebooted simultaneously and agents re-establish their connection with Deep Security Manager at the same time.

Multiple server nodes

For better availability and scalability, use a load balancer, and install the same version of Deep Security Manager on 2 servers ("nodes"). Connect them to the same database.

To avoid high load on database servers, don't connect more than two Deep Security Manager nodes to each database server.

Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.

Database sizing

Database CPU, memory, and disk space required varies by:

  • Number of protected computers
  • Number of platforms where you install Deep Security Agent
  • Number of events (logs) recorded per second (related to which security features are enabled)
  • How long events are retained
  • Size of the database transaction log

Minimum disk space = (2 x Deep Security data size) + transaction log

For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space during database schema upgrades.

To free disk space, delete any unnecessary agent packages for unused platforms (see Delete a software package from the Deep Security database), transaction logs, and unnecessary event records.

Event retention is configurable. For security events, retention is configured in the policy, individual computer settings, or both. See Policies, inheritance, and overrides and Log and event storage best practices.

To minimize disk usage due to events:

  • Store events remotely, not locally. If you need to keep events longer (such as for compliance), forward them to a SIEM or Syslog server and then use pruning to delete the local copy. (See Forward Deep Security events to a Syslog or SIEM server.)

    Some Application Control and Integrity Monitoring operations (Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes) retain all records locally, and are never pruned or forwarded.

  • Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. More security events increase local or remote disk usage.
  • Disable unnecessary security features that log frequently, such as stateful Firewall for TCP, UDP, and ICMP.

High-traffic computers that use Deep Security Firewall or Intrusion Prevention features might record more events per second, requiring a database with better performance. You might also need to adjust local event retention.

If you anticipate many Firewall events, consider disabling "Out of allowed policy" events. (See Firewall settings.)

See also Deep Security Manager performance features.

Database disk space estimates

The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or more modules" recommendation is less (300 GB). Therefore, you would estimate 300 GB.

Number of
agents
Anti-Malware Web
Reputation
Service
Log
Inspection
Firewall Intrusion
Prevention
System
Application
Control
Integrity
Monitoring
2 or more modules
1-99 10 GB 15 GB 20 GB 20 GB 40 GB 50 GB 50 GB 100 GB
100-499 10 GB 15 GB 20 GB 20 GB 40 GB 100 GB 100 GB 200 GB
500-999 20 GB 30 GB 50 GB 50 GB 100 GB 200 GB 200 GB 300 GB
1000-9999 50 GB 60 GB 100 GB 100 GB 200 GB 500 GB 400 GB 600 GB
10,000-20,000 100 GB 120 GB 200 GB 200 GB 500 GB 750 GB 750 GB 1 TB

Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.

Deep Security Agent and Relay sizing

If you'd prefer, you can watch Deep Security 12 - Agent System Requirements and Sizing on YouTube.

Platform Features enabled Minimum RAM Recommended RAM Minimum disk space
Windows All protection 2 GB 4 GB 1 GB
Windows Relay only 2 GB 4 GB 30 GB
Linux All protection 1 GB 5 GB 1 GB
Linux Relay only 2 GB 4 GB 30 GB
Solaris All protection. Relay not supported 4 GB 4 GB 2 GB
AIX All protection. Relay not supported 4 GB 4 GB 2 GB

Less RAM is required for some OS versions, or if you do not enable all Deep Security features.

If protected computers use VMware vMotion, add 10 GB of disk space to the Deep Security Relay that the agent is connected to, for a total recommendation of 40 GB.

Relays require more disk space if you install Deep Security Agent on many different platforms. (Relays store update packages for each platform.) For details, see Get Deep Security Agent software. To determine how many relays you need, see Distribute security and software updates with relays.

Deep Security Virtual Appliance sizing

By default, the Deep Security Virtual Appliance is allocated only 4 GB of memory. Appliances protect virtual machines (VMs) that are on the same ESXi server. The minimum number of vCPUs and amount of memory you should allocate to the appliance varies by the number of protected virtual machines, and how many Intrusion Prevention (IPS) rules are assigned. Requirements in the table below assume 350-400 IPS rules per VM. See also Deep Security Virtual Appliance memory allocation.

Protected virtual machines Minimum vCPUs Minimum vRAM Minimum disk space
1-25 2 6 GB 20 GB
26-50 2 8 GB 20 GB
51-100 2 10 GB 20 GB
101-150 4 12 GB 20 GB
151-200 4 16 GB 20 GB
201-250 6 20 GB 20 GB
251-300 6 24 GB 20 GB

Requirements above can vary by feature:

Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. This increases the appliance's memory usage. For example, the table below shows how vRAM usage can increase by the number of IPS rules on 300 VMs (full, linked or instant clones as virtual desktop infrastructure (VDI)).

Number of Intrusion Prevention rules Appliance vRAM usage
350-400 24 GB
500-600 30 GB
600-700 40 GB
700+ 50 GB+

If the appliance is protecting a large number of VMs, and recommendation scans fail due to timeout errors, see Manage and run recommendation scans to increase timeout values.