Requirements
The following sections list the appliance requirements for deploying Security Analytics and Logging (OnPrem) to store your Firewall event data.
Firewall Appliances
You must deploy the following Firewall appliances:
| Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes |
|---|---|---|---|
| Secure Firewall Management Center (hardware or virtual) | v7.2+ | none | For a management center running an earlier version, see https://cisco.com/go/sal-on-prem-docs. |
| Secure Firewall managed devices | v7.0+ using the wizard; Threat Defense v6.4 or later using syslog; NGIPS v6.4 using syslog | none | |
| ASA devices | v9.12+ | none | |
Secure Network Analytics Appliances
You have the following options for deploying Secure Network Analytics:
- Manager only: deploy only a Manager to ingest and store events, and to review and query them.
- Data Store: deploy one or more Flow Collectors to ingest events, a Data Store to store them, and a Manager to review and query them.

Manager only deployment:

| Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes |
|---|---|---|---|
| Manager | Secure Network Analytics v7.5.0 | none | |
| Security Analytics and Logging (OnPrem) app | Security Analytics and Logging (OnPrem) app v3.3.x | Logging and Troubleshooting Smart License, based on GB/day | |

Data Store deployment:

| Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes |
|---|---|---|---|
| Manager | Secure Network Analytics v7.5.0 | none | |
| Flow Collector | Secure Network Analytics v7.5.0 | none | |
| Data Store | Secure Network Analytics v7.5.0 | none | |
| Security Analytics and Logging (OnPrem) app | Security Analytics and Logging (OnPrem) app v3.3.x | Logging and Troubleshooting Smart License, based on GB/day | |
In addition to these components, you must make sure that all of the appliances can synchronize time using NTP.
If you want to remotely access the Secure Firewall or Secure Network Analytics appliances' consoles, you can enable access over SSH.
Secure Network Analytics Licensing
You can use Security Analytics and Logging (OnPrem) for 90 days without a license in Evaluation Mode. To continue using Security Analytics and Logging (OnPrem) after the 90 day period, you must obtain a Logging and Troubleshooting Smart License for Smart Licensing, based on the GB per day you anticipate sending in syslog data from your Firewall deployment to your Secure Network Analytics appliance.
Note: For license calculation purposes, the daily data volume is reported as a whole number of GB, rounded down (truncated), not to the nearest GB. For example, if you send 4.9 GB in a day, it is reported as 4 GB.
See the Secure Network Analytics Smart Software Licensing Guide for more information on licensing your Secure Network Analytics appliances.
Secure Network Analytics Resource Allocation
Secure Network Analytics offers the following ingest rates when deployed for Security Analytics and Logging (OnPrem):
- A hardware or virtual edition (VE) Manager only deployment can ingest up to roughly 20k events per second (EPS) on average, with short bursts of up to 35k EPS.
- A virtual edition (VE) Data Store deployment with 3 Data Nodes can ingest up to roughly 50k EPS on average, with short bursts of up to 175k EPS.
- A hardware Data Store deployment with 3 Data Nodes can ingest up to roughly 150k EPS on average with Security Analytics and Logging (OnPrem) and the sal_to_flow_cache setting ON.
Based on the allocated hard drive storage, you can store the data for several weeks or months. These estimates are subject to various factors, including network load, traffic spikes, and information transmitted per event.
Note: At higher EPS ingest rates, the Security Analytics and Logging (OnPrem) app may drop data. In addition, if you send all event types, instead of only connection, intrusion, file, and malware events, the app may drop data as your overall EPS rises. Review the log files in this case.
Manager Only Recommendations
Manager VE Resources
For optimum performance, allocate the following resources if you deploy a Manager VE:
| Resource | Recommendation |
|---|---|
| CPUs | 12 |
| RAM | 64 GB |
| Hard drive storage | 2 TB |
Manager 2300 Specifications
For hardware specifications, see the Manager 2300 Specification Sheet.
Estimated Retention
Based on the storage space that you allocate for your Manager VE or if you have a Manager 2300, you can store your data for roughly the following time frames on a Manager only deployment:
| Average EPS | Average Daily Events | Estimated Retention Period for 1 TB Storage | Estimated Retention Period for 2 TB Storage | Estimated Retention Period for 4 TB Storage (Hardware) |
|---|---|---|---|---|
| 1,000 | 86.5 million | 250 days | 500 days | 1000 days |
| 5,000 | 430 million | 50 days | 100 days | 200 days |
| 10,000 | 865 million | 25 days | 50 days | 100 days |
| 20,000 | 1.73 billion | 12.5 days | 25 days | 50 days |
When the Manager reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data.
Note: We have tested the Manager VE with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the storage allocation beyond 2 TB, you may also note unanticipated errors due to insufficient resource allocation.
Data Store Recommendations
For optimum performance, allocate the following resources if you deploy a Manager VE, Flow Collector VE, and Data Store VE:

Note: If you are using a Single Node Data Store or if you have enabled multi-telemetry in Secure Network Analytics, your resource allocation and storage capacity may be different from the following recommendations. For more information, refer to the Secure Network Analytics Appliance Installation Guide (Hardware or Virtual Edition) and the System Configuration Guide v7.5.0.

Manager VE:

| Resource | Recommendation |
|---|---|
| CPUs | 8 |
| RAM | 64 GB |
| Hard drive storage | 480 GB |

Flow Collector VE:

| Resource | Recommendation |
|---|---|
| CPUs | 8 |
| RAM | 70 GB |
| Hard drive storage | 480 GB |

Data Store VE:

| Resource | Recommendation |
|---|---|
| CPUs | 12 per Data Node |
| RAM | 32 GB per Data Node |
| Hard drive storage | 5 TB per Data Node VE, or 15 TB total across 3 Data Nodes |
Hardware Specifications
For hardware specifications, refer to the appliance specification sheets.
Estimated Retention (3 Data Nodes)
Based on the storage space that you allocate for your Data Store VE or if you have a hardware deployment, you can store your data for roughly the following time frames on your Data Store deployment:
| Average EPS | Average Daily Events | Virtual | Hardware |
|---|---|---|---|
| 1,000 | 86.5 million | 1,500 days | 3,000 days |
| 5,000 | 430 million | 300 days | 600 days |
| 10,000 | 865 million | 150 days | 300 days |
| 20,000 | 1.73 billion | 75 days | 150 days |
| 25,000 | 2.16 billion | 60 days | 120 days |
| 50,000 | 4.32 billion | 30 days | 60 days |
| 75,000 | 6.48 billion | Not supported | 40 days |
| 100,000 | 8.64 billion | Not supported | 30 days |
When the Data Store reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data. To increase your storage capacity, add more Data Nodes using the Secure Network Analytics System Configuration Guide.
Note: We have tested the virtual appliances with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the Data Node storage allocation beyond 5 TB, you may also note unanticipated errors due to insufficient resource allocation.
Communication Ports
The following table lists the communication ports you must open for the Security Analytics and Logging (OnPrem) integration for a Manager only deployment.
| From (Client) | To (Server) | Port | Protocol or Purpose |
|---|---|---|---|
| Management Center, Threat Defense devices, and Manager | External internet (NTP server) | 123/UDP | NTP time synchronization, all to the same NTP server |
| User workstations | Management Center and Manager | 443/TCP | Logging into the appliances' web interfaces over HTTPS using a web browser |
| Threat Defense devices managed by a management center | Manager | 8514/UDP | Syslog export from the threat defense devices, ingest to the Manager |
| Management Center | Manager | 443/TCP | Remote query from the management center to the Manager |
The following table lists the communication ports you must open for the Security Analytics and Logging (OnPrem) integration for a Data Store deployment. In addition, see the x2xx Series Hardware Appliance Installation Guide or the Virtual Edition Appliance Installation Guide for the ports you must open for your Secure Network Analytics deployment.
| From (Client) | To (Server) | Port | Protocol or Purpose |
|---|---|---|---|
| Management Center, Threat Defense devices, Manager, Flow Collector, and Data Store | External internet (NTP server) | 123/UDP | NTP time synchronization, all to the same NTP server |
| User workstations | Management Center and Manager | 443/TCP | Logging into the appliances' web interfaces over HTTPS using a web browser |
| Threat Defense devices managed by a management center | Flow Collector | 8514/UDP | Syslog export from the threat defense devices, ingest to Flow Collector |
| ASA devices | Flow Collector | 8514/UDP | Syslog export from ASA devices, ingest to Flow Collector |
| Management Center | Manager | 443/TCP | Remote query from the management center to the Manager |