Does not apply to Deep Security as a Service

Sizing guidelines for on-premise Deep Security deployments vary by the scale of your network, hardware, and software. (Azure Marketplace sizing and AWS Marketplace (Classic) sizing are different.)

Disk space

The amount of database space required by the Deep Security Manager per computer is a function of the number of logs (events) recorded and how long they are retained. To control settings such as the maximum size of the event log files and the number of log files to retain at any given time, go to the Computers or Policies page, double-click the computer or policy that you want to edit, and then click Settings >Advanced. Similarly, the TCP, UDP, and ICMP tabs on a firewall stateful configuration's Properties window lets you configure how firewall stateful configuration event logging is performed.

These event collection settings can be fine-tuned at the policy and individual computer level (see Policies, inheritance, and overrides).

When logging is left at default levels, an average computer will require approximately 50 MB of Deep Security Manager database disk space. One thousand computers will require 50 GB, 2000 computers will require 100 GB and so on.

At their default settings, the following modules generally consume the most disk space, in descending order: firewall, integrity monitoring, log inspection.

Dedicated servers

Accounting for future growth, if your deployment is not expected to exceed 1000 computers (real or virtual), Deep Security Manager and its database can be installed on the same computer. Otherwise, they should be installed on separate, dedicated servers. It is also important that the database and the Deep Security Manager be co-located to ensure unhindered communication between the two. The same applies to additional Deep Security Manager nodes: dedicated, co-located servers.

It is best practice to run multiple Deep Security manager nodes for redundancy reasons. However, to avoid all Deep Security manager nodes concentrating on a single database we do not recommend that you run more than 3 manager nodes.

Deep Security Virtual Appliance memory heap size

This section applies only if you are running Deep Security Virtual Appliance 9.6 or earlier and its filter driver.

You can protect an unlimited number of virtual machines (VMs) with a Deep Security Virtual Appliance on one VMware ESXi server. To do this, you must set the maximum size of heap memory in the filter driver to the size required by that number of VMs.

The default size of the memory heap for the filter driver is 256 MB. To increase the size, log in to the console and enter the "esxcfg-module" command with the maximum heap size in bytes.

For example, to configure a memory heap for up to 32 VMs, you would calculate the size of the memory heap like this:

<number of VMs> x 3MB + <number of VMs> x 512 Bytes x <UDP connections + TCP connections> + 10MB for vMotion state configuration

So for 50 VMs, and 5000 UDP and 5000 TCP connections:

50x512x10000=256000000 Bytes (or 256 MB)
150M+256MB=10MB=416 MB
416x1048576=436207616 Bytes (estimated heap memory needed)

And the command to set the value is:

% esxcfg-module -s DSAFILTER_HEAP_MAX_SIZE=436207616 dvfilter-dsa

To verify the setting, execute:

% esxcfg-module -g dvfilter-dsa

The setting will not take effect until the driver is reloaded. Reloading will either require a reboot (best option) of the ESXi server or unload/load the driver by executing the commands:

% esxcfg-module -u dvfilter-dsa
% esxcfg-module dvfilter-dsa

The command to unload/load will require all the protected VMs on the ESXi server and the DSVA to shut down.