Sizing
Sizing guidelines for Deep Security deployments vary by the scale of your network, hardware, and software.
Deep Security Manager sizing
Sizing recommendations for Deep Security Manager vary by how many agents it will have.
For best performance, it's important to allocate enough Java Virtual Machine (JVM) memory to the Deep Security Manager process. See Configure Deep Security Manager memory usage.
Recommendation scans are CPU-intensive for the Deep Security Manager. Consider the performance impact when determining how often to run recommendation scans. See Manage and run recommendation scans.
Resource spikes may occur if a large number of virtual machines are rebooted simultaneously and agents re-establish their connection with Deep Security Manager at the same time.
Multiple server nodes
For better availability and scalability, use a load balancer, and install the same version of Deep Security Manager on 2 servers ("nodes"). Connect them to the same database.
Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.
Database sizing
The database CPU, memory, and disk space required vary by:
- Number of protected computers
- Number of events (logs) recorded per second (related to which security features are enabled)
- How long events are retained
- Size of the database transaction log
Minimum disk space = (2 x Deep Security data size) + transaction log
For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space during database schema upgrades.
To free disk space, delete any unnecessary agent packages for unused platforms (see Delete a software package from the Deep Security database), transaction logs, and unnecessary event records.
Event retention is configurable. For security events, retention is configured in the policy, individual computer settings, or both. See Policies, inheritance, and overrides and Log and event storage best practices.
To minimize disk usage due to events:
- Store events remotely, not locally. If you need to keep events longer (such as for compliance), forward them to a SIEM or Syslog server and then use pruning to delete the local copy. (See Forward Deep Security events to a Syslog or SIEM server.)
  Some Application Control and Integrity Monitoring operations (Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes) retain all records locally, and are never pruned or forwarded.
- Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. More security events increase local or remote disk usage.
- Disable unnecessary security features that log frequently, such as stateful Firewall for TCP, UDP, and ICMP.
High-traffic computers that use Deep Security Firewall or Intrusion Prevention features might record more events per second, requiring a database with better performance. You might also need to adjust local event retention.
If you anticipate many Firewall events, consider disabling "Out of allowed policy" events. (See Firewall settings.)
Database disk space estimates
The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or more modules" recommendation is less (300 GB). Therefore, you would estimate 300 GB.
Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.
Deep Security Agent and Relay sizing
Guidance for processor, memory and disk space allocation has been moved to system requirements.
Estimated Agent resource consumption
The tables below show the estimated resource consumption for deployments using commonly used feature combinations.
Windows Agent
Modules enabled | RAM | |||||||
Anti-Malware | Web Reputation Service | Activity Monitoring | Application Control | Integrity Monitoring | Log Inspection | Firewall | Intrusion Prevention | |
✔ | 156 MB | |||||||
✔ | 148 MB | |||||||
✔ | ✔ | ✔ | 150 MB | |||||
✔ | ✔ | ✔ | ✔ | 308 MB | ||||
✔ | ✔ | ✔ | ✔ | 280 MB | ||||
✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | 390 MB | |
✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | 361 MB |
Linux Agent
Modules enabled | RAM | |||||||
Anti-Malware | Web Reputation Service | Activity Monitoring | Application Control | Integrity Monitoring | Log Inspection | Firewall | Intrusion Prevention | |
✔ | 315 MB | |||||||
✔ | ✔ | 172 MB | ||||||
✔ | ✔ | 399 MB | ||||||
✔ | ✔ | ✔ | 312 MB | |||||
✔ | ✔ | ✔ | ✔ | 448 MB | ||||
✔ | ✔ | ✔ | ✔ | 413 MB | ||||
✔ | ✔ | ✔ | ✔ | ✔ | ✔ | 492 MB | ||
✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | 538 MB |