Sizing
Sizing guidelines for Deep Security deployments vary by the scale of your network, hardware, and software.
Deep Security Manager sizing
Sizing recommendations for Deep Security Manager vary by how many agents it will have.
Number of agents | Number of CPUs | RAM | JVM process memory | Number of manager nodes | Recommended disk space |
---|---|---|---|---|---|
<500 | 2 | 8 GB | 4 GB | 2 | 200 GB |
500-1000 | 4 | 8 GB | 4 GB | 2 | 200 GB |
1000-5000 | 4 | 12 GB | 8 GB | 2 | 200 GB |
5000-10000 | 8 | 16 GB | 12 GB | 2 | 200 GB |
10000-20000 | 8 | 24 GB | 16 GB | 2 | 200 GB |
For best performance, it's important to allocate enough Java Virtual Machine (JVM) memory to the Deep Security Manager process. See Configure Deep Security Manager memory usage.
Recommendation scans are CPU-intensive for the Deep Security Manager. Consider the performance impact when determining how often to run recommendation scans. See Manage and run recommendation scans.
Resource spikes may occur if a large number of virtual machines are rebooted simultaneously and agents re-establish their connection with Deep Security Manager at the same time.
Multiple server nodes
For better availability and scalability, use a load balancer, and install the same version of Deep Security Manager on 2 servers ("nodes"). Connect them to the same database.
Each manager node is capable of all tasks. No node is more important than any of the others. You can log in to any node, and agents, appliances, and relays can connect with any node. If one node fails, other nodes can still provide service, and no data will be lost.
Database sizing
Database CPU, memory, and disk space required varies by:
- Number of protected computers
- Number of platforms where you install Deep Security Agent
- Number of events (logs) recorded per second (related to which security features are enabled)
- How long events are retained
- Size of the database transaction log
Minimum disk space = (2 x Deep Security data size) + transaction log
For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space during database schema upgrades.
To free disk space, delete any unnecessary agent packages for unused platforms (see Delete a software package from the Deep Security database), transaction logs, and unnecessary event records.
Event retention is configurable. For security events, retention is configured in the policy, individual computer settings, or both. See Policies, inheritance, and overrides and Log and event storage best practices.
To minimize disk usage due to events:
- Store events remotely, not locally. If you need to keep events longer (such as for compliance), forward them to a SIEM or Syslog server and then use pruning to delete the local copy. (See Forward Deep Security events to a Syslog or SIEM server.)
  Some Application Control and Integrity Monitoring operations (Rebuild Baseline, Scan for Integrity Changes, and Scan for Inventory Changes) retain all records locally, and are never pruned or forwarded.
- Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. More security events increase local or remote disk usage.
- Disable unnecessary security features that log frequently, such as stateful Firewall for TCP, UDP, and ICMP.
High-traffic computers that use Deep Security Firewall or Intrusion Prevention features might record more events per second, requiring a database with better performance. You might also need to adjust local event retention.
If you anticipate many Firewall events, consider disabling "Out of allowed policy" events. (See Firewall settings.)
See also Deep Security Manager performance features.
Database disk space estimates
The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or more modules" recommendation is less (300 GB). Therefore, you would estimate 300 GB.
Number of agents | Anti-Malware | Web Reputation Service | Log Inspection | Firewall | Intrusion Prevention System | Application Control | Integrity Monitoring | 2 or more modules |
---|---|---|---|---|---|---|---|---|
1-99 | 10 GB | 15 GB | 20 GB | 20 GB | 40 GB | 50 GB | 50 GB | 100 GB |
100-499 | 10 GB | 15 GB | 20 GB | 20 GB | 40 GB | 100 GB | 100 GB | 200 GB |
500-999 | 20 GB | 30 GB | 50 GB | 50 GB | 100 GB | 200 GB | 200 GB | 300 GB |
1000-9999 | 50 GB | 60 GB | 100 GB | 100 GB | 200 GB | 500 GB | 400 GB | 600 GB |
10,000-20,000 | 100 GB | 120 GB | 200 GB | 200 GB | 500 GB | 750 GB | 750 GB | 1 TB |
Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.
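The combination rule above (take the smaller of the summed per-module estimates and the "2 or more modules" value) and the schema-upgrade headroom formula are easy to get wrong when sizing by hand across several tiers. The following estimator is an added example, not Trend Micro's code: the tier values are transcribed from the table on this page, the function names and the sample deployment are assumptions made for illustration, and the optional `agent_packages_gb` parameter stands in for the per-platform package overhead the page only quantifies approximately.

```python
"""Database disk-space estimator for a Deep Security deployment.

Added example (not Trend Micro's code). Tier values are transcribed from
the "Database disk space estimates" table on this page; the combination
rule and the schema-upgrade headroom formula are taken from the page text.
Function names and sample inputs are assumptions made for illustration.
"""
from __future__ import annotations

# Module columns in the same order as the page's table.
MODULE_COLUMNS = (
    "Anti-Malware",
    "Web Reputation Service",
    "Log Inspection",
    "Firewall",
    "Intrusion Prevention System",
    "Application Control",
    "Integrity Monitoring",
)

# (upper bound of the agent tier, inclusive; one GB value per module column;
#  the "2 or more modules" value), transcribed from the page.
TIERS = (
    (99,     10,  15,  20,  20,  40,  50,  50,  100),
    (499,    10,  15,  20,  20,  40, 100, 100,  200),
    (999,    20,  30,  50,  50, 100, 200, 200,  300),
    (9999,   50,  60, 100, 100, 200, 500, 400,  600),
    (20000, 100, 120, 200, 200, 500, 750, 750, 1000),
)


def tier_for(agents: int) -> tuple:
    """Return the table row that covers this number of agents."""
    if agents < 1:
        raise ValueError("agent count must be at least 1")
    for row in TIERS:
        if agents <= row[0]:
            return row
    raise ValueError("more agents than the largest tier on the page (20,000)")


def estimate_db_gb(agents: int, modules: list[str], agent_packages_gb: float = 0.0) -> dict:
    """Estimate database disk space in GB for the enabled protection modules.

    With two or more modules the page's rule applies: use the smaller of the
    per-module sum and the "2 or more modules" value.  agent_packages_gb is an
    optional additive term for stored agent packages (the page states this
    overhead only approximately, so the caller supplies it).
    """
    if not modules:
        raise ValueError("enable at least one protection module")
    unknown = set(modules) - set(MODULE_COLUMNS)
    if unknown:
        raise ValueError(f"unknown module(s): {sorted(unknown)}")
    row = tier_for(agents)
    per_module = {m: row[1 + MODULE_COLUMNS.index(m)] for m in modules}
    module_sum = sum(per_module.values())
    two_or_more = row[-1]
    base = module_sum if len(modules) < 2 else min(module_sum, two_or_more)
    return {
        "per_module": per_module,
        "module_sum": module_sum,
        "two_or_more": two_or_more,
        "estimate_gb": base + agent_packages_gb,
    }


def schema_upgrade_free_space_gb(data_gb: float, transaction_log_gb: float) -> float:
    """Free disk space needed during a schema upgrade: (2 x data size) + transaction log."""
    if data_gb < 0 or transaction_log_gb < 0:
        raise ValueError("sizes must be non-negative")
    return 2 * data_gb + transaction_log_gb


if __name__ == "__main__":
    # Constructed sample: the page's own worked case of 750 agents with
    # Anti-Malware, Intrusion Prevention System and Integrity Monitoring.
    result = estimate_db_gb(
        750, ["Anti-Malware", "Intrusion Prevention System", "Integrity Monitoring"]
    )
    print(f"per module: {result['per_module']}")
    print(f"sum {result['module_sum']} GB vs combined {result['two_or_more']} GB "
          f"-> estimate {result['estimate_gb']} GB")
    print(f"headroom for schema upgrade of a 40 GB database with a 10 GB log: "
          f"{schema_upgrade_free_space_gb(40, 10)} GB")
```

Run it with a realistic agent count and module list for your environment; the returned dictionary keeps the per-module breakdown so you can see which module dominates before the combination rule is applied.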
Deep Security Agent and Relay sizing
Platform | Features enabled | Minimum RAM | Recommended RAM | Minimum disk space |
---|---|---|---|---|
Windows | All protection | 2 GB | 4 GB | 1 GB |
Windows | Relay only | 2 GB | 4 GB | 30 GB |
Linux | All protection | 1 GB | 5 GB | 1 GB |
Linux | Relay only | 2 GB | 4 GB | 30 GB |
Solaris | All protection. Relay not supported | 4 GB | 4 GB | 2 GB |
AIX | All protection. Relay not supported | 4 GB | 4 GB | 2 GB |
Less RAM is required for some OS versions, or if you do not enable all Deep Security features.
If protected computers use VMware vMotion, add 10 GB of disk space.
Relays require more disk space if you install Deep Security Agent on many different platforms. (Relays store update packages for each platform.) For details, see Get Deep Security Agent software.
In smaller deployments, relays can be co-located with a Deep Security Manager. If your deployment has a large number of agents (more than 10,000), however, then relays should be installed on separate, dedicated servers. Overloaded relays slow down update redistribution. See also Plan the best number and location of relays.
Deep Security Virtual Appliance sizing
By default, the Deep Security Virtual Appliance is allocated only 4 GB of memory. Appliances protect virtual machines (VMs) that are on the same ESXi server. The minimum number of vCPUs and amount of memory you should allocate to the appliance varies by the number of protected virtual machines, and how many Intrusion Prevention (IPS) rules are assigned. Requirements in the table below assume 350-400 IPS rules per VM. See also Deep Security Virtual Appliance memory allocation.
Protected virtual machines | Minimum vCPUs | Minimum vRAM | Minimum disk space |
---|---|---|---|
1-25 | 2 | 6 GB | 20 GB |
26-50 | 2 | 8 GB | 20 GB |
51-100 | 2 | 10 GB | 20 GB |
101-150 | 4 | 12 GB | 20 GB |
151-200 | 4 | 16 GB | 20 GB |
201-250 | 6 | 20 GB | 20 GB |
251-300 | 6 | 24 GB | 20 GB |
Requirements above can vary by feature:
- Integrity Monitoring: For larger VDI deployments (more than 50 VMs per ESXi host), use Deep Security Agent instead, not Deep Security Virtual Appliance.
- Anti-Malware: Requirements may vary by version of VMware Guest Introspection. See the VMware Configuration Maximums tool.
- Firewall, Web Reputation, or Intrusion Prevention: Requirements may vary by version of VMware Network Introspection (NSX). See the VMware Configuration Maximums tool.
Patch the protected computer's software before you enable Intrusion Prevention. Recommendation scans assign more IPS rules to protect a vulnerable OS. This increases the appliance's memory usage. For example, the table below shows how vRAM usage can increase by the number of IPS rules on 300 VMs (full, linked or instant clones as virtual desktop infrastructure (VDI)).
Number of Intrusion Prevention rules | Appliance vRAM usage |
---|---|
350-400 | 24 GB |
500-600 | 30 GB |
600-700 | 40 GB |
700+ | 50 GB+ |
If the appliance is protecting a large number of VMs, and recommendation scans fail due to timeout errors, see Manage and run recommendation scans to increase timeout values.