Calculations for the Sensor component
April 2, 2024
ID 211923
These calculations also apply when the application is deployed on a virtual platform.
When calculating the hardware requirements for the Sensor component, consider that the maximum traffic volume that can be processed is 10 Gbps. This maximum traffic volume can be processed on one Sensor component installed on a standalone server or on multiple Sensor components installed on standalone servers which are connected to one Central Node component. The total traffic volume from all Sensor components connected to one Central Node component may not exceed 10 Gbps.
If the network includes more than one 10 Gbps segment and you need to process traffic in these segments, you must use the distributed solution mode.
You can use a server hosting the Sensor component as a proxy server during data exchange between the Endpoint Agent components and the Central Node component to simplify configuration of network rules. For example, if Endpoint Agent components are located in a separate segment of the network, it will suffice to configure a connection between servers with the Central Node and Sensor components.
When using the Sensor as a proxy server for communication between Endpoint Agent components and the Central Node component, consider the following limitations:
- A maximum of 15,000 computers with the Endpoint Agent component can connect to a single Central Node component.
- Packet loss between servers hosting the Sensor and Central Node components should not exceed 10%, with a packet delay of up to 100 ms.
The required bandwidth of the communication channel between servers with the Central Node and Sensor components depends on the traffic volume that must be processed and is calculated as follows:
10% of the SPAN port traffic at typical load (or 20% of the SPAN port traffic at peak load) + email traffic + ICAP traffic + requirement for the communication channel between the Central Node and Endpoint Agent components
Hardware requirements for the Sensor component
The Sensor component can be integrated with the IT infrastructure of an organization as follows:
- Receive mirrored traffic from SPAN ports of network devices.
- Connect to a mail server over the POP3 protocol.
- Connect to a mail server over the SMTP protocol.
- Receive traffic from a proxy server over the ICAP protocol.
The hardware requirements for the Sensor component are listed in the table below. The calculations are provided for a case in which the Sensor component processes email messages and mirrored traffic from SPAN ports. If the Sensor component is used as a proxy server for communication between Endpoint Agent components and the Central Node, you must also take into account the communication channel requirements.
Hardware requirements for the Sensor component depending on the volume of processed traffic from SPAN ports
Number of Endpoint Agent components | Volume of processed traffic (Mbps) | Minimum RAM (GB) | Minimum number of logical cores |
---|---|---|---|
10,000 | 100 | 16 | 4 |
15,000 | 500 | 24 | 8 |
15,000 | 1000 | 32 | 12 |
15,000 | 2000 | 64 | 20 |
15,000 | 4000 | 92 | 32 |
15,000 | 7000 | 128 | 52 |
15,000 | 10,000 | 160 | 72 |
The CPU must support the BMI2 instruction set.
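The following sizing helper is an added example, not code from the product or its vendor. It applies the channel bandwidth formula, the table above and the stated limits to a deployment plan. It assumes that values between table rows round up to the next row and that the Endpoint Agent channel requirement (`agent_mbps`) is supplied by the caller; all function names are hypothetical.

```python
# Rows of the table on this page:
# (max Endpoint Agents, processed traffic Mbps, min RAM GB, min logical cores)
TIERS = [(10_000, 100, 16, 4), (15_000, 500, 24, 8), (15_000, 1000, 32, 12),
         (15_000, 2000, 64, 20), (15_000, 4000, 92, 32),
         (15_000, 7000, 128, 52), (15_000, 10_000, 160, 72)]
MAX_TOTAL_MBPS = 10_000               # all Sensors on one Central Node
MAX_AGENTS = 15_000                   # Endpoint Agents per Central Node
MAX_LOSS_PCT, MAX_DELAY_MS = 10, 100  # Sensor <-> Central Node link


def sensor_hardware(span_mbps, agents=0):
    """Return (ram_gb, cores) from the first row covering both inputs.
    Assumption: values between rows round up to the next row."""
    for max_agents, mbps, ram_gb, cores in TIERS:
        if span_mbps <= mbps and agents <= max_agents:
            return ram_gb, cores
    raise ValueError("outside the table: over 10 Gbps or over 15,000 agents")


def channel_mbps(span_mbps, email_mbps=0, icap_mbps=0, agent_mbps=0, peak=False):
    """Sensor <-> Central Node bandwidth per the formula on this page.
    agent_mbps is the Endpoint Agent channel requirement, supplied by the caller."""
    share = 20 if peak else 10  # percent of SPAN port traffic
    return span_mbps * share / 100 + email_mbps + icap_mbps + agent_mbps


def check_plan(sensors, agents=0, loss_pct=0, delay_ms=0):
    """sensors: list of SPAN volumes in Mbps, one per Sensor server.
    Returns a list of limit violations (empty when the plan fits)."""
    problems = []
    if sum(sensors) > MAX_TOTAL_MBPS:
        problems.append("total Sensor traffic exceeds 10 Gbps")
    if agents > MAX_AGENTS:
        problems.append("more than 15,000 Endpoint Agents")
    if loss_pct > MAX_LOSS_PCT or delay_ms > MAX_DELAY_MS:
        problems.append("link exceeds 10% loss or 100 ms delay")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: two Sensors proxying 12,000 agents.
    plan = [1500, 4000]
    print(check_plan(plan, agents=12_000, loss_pct=2, delay_ms=40))
    for span in plan:
        print(span, sensor_hardware(span, 12_000),
              channel_mbps(span, email_mbps=50, agent_mbps=20, peak=True))
```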
If you want to process only email messages, but not mirrored traffic from SPAN ports, we recommend using a Sensor component installed on the same server as the Central Node. For more details about the hardware requirements, see the Calculations for the Central Node component section → Hardware requirements for a server with the Central Node and Sensor components.
If one Sensor component processes traffic via multiple protocols, take into account when calculating the server hardware that integration with a mail server or mail sensor requires disabling SMTP traffic processing.
Disk space requirements on a server with the Sensor component
It is recommended to use a RAID 1 disk array. The total disk space must be at least 500 GB.