Endpoint Security Sizing
The purpose of this document is to help you plan your Endpoint Security environment. It describes best practices for deploying and sizing the Endpoint Security servers.
Hardware requirements depend on:
- The total number of deployed Endpoint Security clients.
- The Endpoint Security Blades that are installed on the Endpoint Security clients.
- The size of the portion of the Active Directory that is scanned by the Directory Scanner.
Below are tables with minimum requirements per number of Endpoint Security clients and AD size.
Notes on the sizing information:
- All clients shown in the tables have all Endpoint Security blades (SandBlast Agent complete) installed, unless individual blades are listed.
- The Directory Scanner does not scan all objects in the AD. It scans Users, Computers, Groups, and Organizational Units (OUs). For example, printers are not scanned.
- You can configure the Directory Scanner to scan only relevant parts of the AD. For example, scan only one OU if all deployed Endpoint Security clients reside in the OU.
Endpoint Security Management Server
This table shows the minimum requirements per number of Endpoint Security clients and AD size for Endpoint Security servers.
Note - Of the "Number of Clients" and "Number of AD Objects Scanned" values, the higher one should dictate the required appliance.
Row # | Number of Endpoint Security Clients | AD Objects Scanned | Endpoint Security Management Server | Policy Servers |
---|---|---|---|---|
1 | 2,500 | 12,500 | Smart-1 410 | none |
2 | 5,000 | 25,000 | Smart-1 625 | none |
3 | 10,000 | 50,000 | Smart-1 625 | 1 Smart-1 410 |
4 | 20,000 | 100,000 | Smart-1 5050 | 1 Smart-1 625 |
5 | 50,000 | 250,000 | Smart-1 5050 | 2 Smart-1 625 |
6 | 80,000 | 400,000 | Smart-1 5050 | 3 Smart-1 625 |
7 | 100,000 and more | 500,000 or more* | Smart-1 5150 | 1 Smart-1 625 for each 25,000 clients. |
* AD object scans are certified for 2,000,000 AD objects; however, the number of scanned AD objects is not limited.
In addition to the recommended number of Endpoint Policy Servers, you can add more Endpoint Policy Servers for redundancy. If one Endpoint Policy Server is down, clients will connect to a different Endpoint Policy Server and not the Endpoint Security Management Server. For better client-to-server performance, consider adding more Endpoint Policy Servers based on the geographical location of the Endpoint Security clients.
Note - The maximum number of supported Endpoint Policy Servers in an environment is 25.
Calculating minimum hardware requirements
- Find the row that has a Number of Endpoint Security Clients that is closest to but no less than the number in your environment. For example, if you have 52,000 clients, look at row 6.
- In the same row, look at the number of AD Objects Scanned. For more information, see Active Directory Size Estimation.
- If the number of AD Objects Scanned is equal to or more than the number in your environment, the hardware requirements in that row apply to your environment.
- If the number of AD Objects Scanned is less than the number in your environment, find the row that has the number of AD Objects Scanned that is closest to but no less than the number in your environment. The hardware requirements in that row apply to your environment.
- For example, row 3 shows that an Endpoint Security Management Server on Smart-1 625 with one Endpoint Policy Server on Smart-1 410 supports up to 10,000 clients and up to 50,000 scanned AD objects. If you are deploying more than 10,000 clients or intend to scan more than 50,000 AD objects, then the requirements of row 3 are not enough for your environment. Look in the lower rows to find a better match.
  If you have 15,000 clients but 350,000 scanned AD objects, the requirements of row 6 apply to your environment. However, each Endpoint Policy Server can handle 27,000 clients, so only 1 Smart-1 625 Endpoint Policy Server is required.
Note - You can configure the Directory Scanner to scan only relevant parts of the AD. For example, scan only one OU if all deployed Endpoint Security clients reside in the OU.
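The row-selection procedure above, as an added Python example (not part of the original document or of any vendor tooling). It assumes the management server follows the higher of the two rows while the policy-server count follows the client-count row, which reproduces the 15,000-client / 350,000-object case above; `first_row` and `size_environment` are hypothetical names.

```python
import math

# Constructed from the sizing table above: (max clients, max AD objects
# scanned, management server, (policy server count, policy server model)).
ROWS = [
    (2_500, 12_500, "Smart-1 410", (0, None)),
    (5_000, 25_000, "Smart-1 625", (0, None)),
    (10_000, 50_000, "Smart-1 625", (1, "Smart-1 410")),
    (20_000, 100_000, "Smart-1 5050", (1, "Smart-1 625")),
    (50_000, 250_000, "Smart-1 5050", (2, "Smart-1 625")),
    (80_000, 400_000, "Smart-1 5050", (3, "Smart-1 625")),
]
ROW7_MGMT = "Smart-1 5150"      # row 7: 100,000 clients and more
MAX_POLICY_SERVERS = 25         # documented maximum per environment


def first_row(value, column):
    """Index of the first row whose limit is no less than value.

    Returns len(ROWS) when the value exceeds row 6, i.e. row 7 applies.
    """
    for i, row in enumerate(ROWS):
        if value <= row[column]:
            return i
    return len(ROWS)


def size_environment(clients, ad_objects):
    """Hypothetical helper: pick the table row for a planned deployment."""
    by_clients = first_row(clients, 0)
    by_ad = first_row(ad_objects, 1)
    idx = max(by_clients, by_ad)            # the higher row dictates the appliance
    mgmt = ROWS[idx][2] if idx < len(ROWS) else ROW7_MGMT
    # Assumption: policy servers serve clients, so they follow the client row.
    if by_clients < len(ROWS):
        count, model = ROWS[by_clients][3]
    else:                                   # row 7: one Smart-1 625 per 25,000 clients
        count, model = math.ceil(clients / 25_000), "Smart-1 625"
    return {
        "row": idx + 1,
        "management_server": mgmt,
        "policy_servers": count,
        "policy_server_model": model,
        "within_policy_server_limit": count <= MAX_POLICY_SERVERS,
    }


if __name__ == "__main__":
    print(size_environment(15_000, 350_000))
```

The `within_policy_server_limit` flag turns false when the row 7 rule would call for more than the 25 supported Endpoint Policy Servers.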
Open Server Hardware Requirements
Component | Smart-1 410 Equivalent | Smart-1 625 Equivalent | Smart-1 5050 Equivalent | Smart-1 5150 Equivalent |
---|---|---|---|---|
Total CPU Cores | 4 | 6 | 16 | 24 |
Memory | 8 GB | 16 GB | 32 GB | 64 GB |
Free Disk Space | 845 GB | 1 TB | 2 TB | 4 TB |
Best Practices for environments with 20K clients or more
In environments that include 20,000 clients or more, we recommend these configurations:
- Do not configure the Endpoint Security Management Server as an Endpoint Policy Server. See Enabling the Management Server to be an Endpoint Policy Server in the Endpoint Security E80.30 Administration Guide.
  Install external Endpoint Policy Servers to handle requests from Endpoint Security clients.
  Explanation: This makes the Endpoint Security Management Server resources available for other tasks and reduces bandwidth between sites.
- If more than 80,000 Endpoint Security clients are deployed, increase the Client Heartbeat Interval to 2 minutes.
  Explanation: This reduces the database activity rate.
- Do not configure Log forwarding (transferring logs from one Log Server to another).
  Explanation: This distributes the load of log handling between the various servers.
Disk Space Requirements
The Endpoint Security Management Server contains a database that stores all rules, configurations, Endpoint Security client information, monitoring data, and Endpoint Security client logs.
The size of the database depends on these factors:
- The size of the monitoring data and for how long the monitoring history is saved.
- The number of endpoint events in the system and for how long they are saved.
- The Endpoint Security Blades that are installed on the Endpoint Security clients. This affects the amount of data that is saved for each Endpoint Security client.
- The number of AD objects that are scanned by the Directory Scanner.
Database Purging
There is a scheduled purge task that runs on the database and deletes monitoring data that is out of date. This prevents the database from growing too big and helps to reduce database response times. By default the purge task runs every 24 hours and purges monitoring data older than 30 days.
Note - It is important to pay attention to available disk space on the Endpoint Security Management Server.
Calculating Minimum Disk Space
Minimum Disk Space for the Database
You can calculate the minimum disk requirements for the database by using the table below. Database growth is approximately linear, so to calculate the minimum disk requirements, multiply the minimum disk requirement by the number of clients.
- The Active Directory size is assumed to be 5 times the number of Endpoint Security clients.
- All clients shown in the tables have all Endpoint Security blades (Total Security) installed.
Number of Clients | Minimum disk requirements for the database |
---|---|
2,500 | 1.2GB |
5,000 | 2.4GB |
10,000 | 4.2GB |
80,000 | 30GB |
Minimum Disk Space for Storing Logs
Endpoint Security servers are configured as Log servers by default, therefore additional disk space is required for storing logs.
On average, each Endpoint Security client sends 50 logs per hour. 200 bytes of disk space is required per log. Therefore 240KB is required to store one day of logs from one Endpoint Security client.