Sizing

Sizing guidelines for Deep Security deployments vary by the scale of your network, hardware, and software.

Deep Security Manager sizing

Sizing recommendations for Deep Security Manager vary by how many agents it will have.

Number of agents Number of CPUs RAM JVM process memory Number of manager nodes Recommended disk space
<500 2 16 GB 8 GB 2 200 GB
500-1000 4 16 GB 8 GB 2 200 GB
1000-5000 4 16 GB 8 GB 2 200 GB
5000-10000 8 16 GB 12 GB 2 200 GB
10000-20000 8 24 GB 16 GB 2 200 GB

For best performance, it's important to allocate enough Java Virtual Machine (JVM) memory to the Deep Security Manager process. See Configure Deep Security Manager memory usage.

Recommendation scans are CPU-intensive for the Deep Security Manager. Consider the performance impact when determining how often to run recommendation scans. See Manage and run recommendation scans.

Resource spikes may occur if a large number of virtual machines are rebooted simultaneously and agents re-establish their connection with Deep Security Manager at the same time.

Multiple server nodes

For better availability and scalability, use a load balancer, and install the same version of Deep Security Manager on 2 servers ("nodes"). Connect them to the same database.

To avoid high load on database servers, don't connect more than two Deep Security Manager nodes to each database server.

Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.

Database sizing

Database CPU, memory, and disk space required varies by:

  • Number of protected computers
  • Number of platforms where you install Deep Security Agent
  • Number of events (logs) recorded per second (related to which security features are enabled)
  • How long events are retained
  • Size of the database transaction log

Minimum disk space = (2 x Deep Security data size) + transaction log

For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space during database schema upgrades.

To free disk space, delete any unnecessary agent packages for unused platforms (see Delete a software package from the Deep Security database), transaction logs, and unnecessary event records.

Event retention is configurable. For security events, retention is configured in the policy, individual computer settings, or both. See Policies, inheritance, and overrides and Log and event storage best practices.

To minimize disk usage due to events:

  • Store events remotely, not locally. If you need to keep events longer (such as for compliance), forward them to a SIEM or Syslog server and then use pruning to delete the local copy. (See Forward Deep Security events to a Syslog or SIEM server.)

    Some Application Control and Integrity Monitoring operations (Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes) retain all records locally, and are never pruned or forwarded.

  • Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. More security events increase local or remote disk usage.
  • Disable unnecessary security features that log frequently, such as stateful Firewall for TCP, UDP, and ICMP.

High-traffic computers that use Deep Security Firewall or Intrusion Prevention features might record more events per second, requiring a database with better performance. You might also need to adjust local event retention.

If you anticipate many Firewall events, consider disabling "Out of allowed policy" events. (See Firewall settings.)

See also Deep Security Manager performance features.

Database disk space estimates

The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or more modules" recommendation is less (300 GB). Therefore, you would estimate 300 GB.

Number of
agents
Anti-Malware Web
Reputation
Service
Log
Inspection
Firewall Intrusion
Prevention
System
Application
Control
Integrity
Monitoring
2 or more modules
1-99 10 GB 15 GB 20 GB 20 GB 40 GB 50 GB 50 GB 100 GB
100-499 10 GB 15 GB 20 GB 20 GB 40 GB 100 GB 100 GB 200 GB
500-999 20 GB 30 GB 50 GB 50 GB 100 GB 200 GB 200 GB 300 GB
1000-9999 50 GB 60 GB 100 GB 100 GB 200 GB 500 GB 400 GB 600 GB
10,000-20,000 100 GB 120 GB 200 GB 200 GB 500 GB 750 GB 750 GB 1 TB

Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.

Deep Security Agent and Relay sizing

Guidance for processor, memory and disk space allocation has been moved to system requirements.

Estimated Agent resource consumption

The tables below show the estimated resource consumption for deployments using commonly used feature combinations.

Windows Agent

Modules enabled RAM
Anti-Malware Web Reputation Service Activity Monitoring Application Control Integrity Monitoring Log Inspection Firewall Intrusion Prevention
156 MB
148 MB
150 MB
308 MB
280 MB
390 MB
361 MB

Linux Agent

Modules enabled RAM
Anti-Malware Web Reputation Service Activity Monitoring Application Control Integrity Monitoring Log Inspection Firewall Intrusion Prevention
315 MB
172 MB
399 MB
312 MB
448 MB
413 MB
492 MB
538 MB

Deep Security Virtual Appliance sizing

The Deep Security Virtual Appliance software is delivered as a series of OVF files, with each one being allocated a different set of resources for different deployment sizes and types. You'll need to choose the OVF file that supports your environment the best. See the table below for details.

See also Deep Security Virtual Appliance memory allocation.

OVF file vCPUs vRAM Disk space Virtual hardware version NSX type Maximum protected VMs DPDK support?
dsva.ovf 2 4 GB 20 GB 13 (ESXi 6.5+) NSX-V 10 no
dsva-small.ovf 4 8 GB 20 GB 13 (ESXi 6.5+) NSX-V 50 no
dsva-medium.ovf 6 16 GB 20 GB 13 (ESXi 6.5+) NSX-V 200 no
dsva-large.ovf 8 24 GB 20 GB 13 (ESXi 6.5+) NSX-V 300 no
dsva-<20.x.x-xxxx>-C2M4-small.ovf 2 4 GB 20 GB 13 (ESXi 6.5+) NSX-T 10 no
dsva-<20.x.x-xxxx>-C4M8-small.ovf 4 8 GB 20 GB 13 (ESXi 6.5+) NSX-T

10 with DPDK enabled

50 with DPDK disabled

yes*
dsva-<20.x.x-xxxx>-C6M16-medium.ovf 6 16 GB 20 GB 13 (ESXi 6.5+) NSX-T 200 with DPDK disabled no
dsva-<20.x.x-xxxx>-C8M16-medium.ovf 8 16 GB 20 GB 13 (ESXi 6.5+) NSX-T 150 with DPDK enabled yes*
dsva-<20.x.x-xxxx>-C8M24-large.ovf 8 24 GB 20 GB 13 (ESXi 6.5+) NSX-T 300 with DPDK disabled no
dsva-<20.x.x-xxxx>-C12M24-large.ovf 12 24 GB 20 GB 13 (ESXi 6.5+) NSX-T 300 with DPDK enabled yes*

* To enable DPDK mode, see Configure DPDK mode.

Requirements above can vary by feature:

Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. This increases the appliance's memory usage. For example, the table below shows how vRAM usage can increase by the number of IPS rules on 300 VMs (full, linked or instant clones as virtual desktop infrastructure (VDI)).

Number of Intrusion Prevention rules Appliance vRAM usage
350-400 24 GB
500-600 30 GB
600-700 40 GB
700+ 50 GB+

If the appliance is protecting a large number of VMs, and recommendation scans fail due to timeout errors, see Manage and run recommendation scans to increase timeout values.