Requirements and Best Practices
The following lists the requirements and best practices for deploying Security Analytics and Logging (OnPrem) to store your Firewall event data.
Firewall Appliances
You must deploy the following Firewall appliances:
Solution Component | Required Version | Licensing for Cisco Security Analytics and Logging (On Premises) | Notes
---|---|---|---
Firepower Management Center (hardware or virtual) | v7.0+. For Firepower Management Center running earlier versions, see https://cisco.com/go/sal-on-prem-docs. | none | 
Firepower managed devices | v7.0+ using the wizard; Firepower Threat Defense v6.4 or later using syslog; NGIPS v6.4 using syslog | none | 
ASA devices | v9.12+ | none | 
Secure Network Analytics Appliances
You have the following options for deploying Secure Network Analytics:
- Single-node - Deploy only a Manager to ingest and store events, and review and query events
- Multi-node - Deploy a Flow Collector to ingest events, Data Store to store events, and Manager to review and query events
Note: You cannot deploy a mix of Secure Network Analytics hardware and Secure Network Analytics VE appliances.
Single-node deployment:
Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes
---|---|---|---
Manager | Secure Network Analytics v7.3.1+ | none | 
Security Analytics and Logging (OnPrem) app | Security Analytics and Logging (OnPrem) app v2.0+ | Logging and Troubleshooting Smart License, based on GB/day | Install this app on the Manager and configure it to enable event ingest
Multi-node deployment:
Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes
---|---|---|---
Manager | Secure Network Analytics v7.3.2+ | none | 
Flow Collector | Secure Network Analytics v7.3.2+ | none | 
Data Store (3 Data Nodes) | Secure Network Analytics v7.3.2+ | none | 
Security Analytics and Logging (OnPrem) app | Security Analytics and Logging (OnPrem) app v2.0+ | Logging and Troubleshooting Smart License, based on GB/day | Install this app on the Manager and configure it to enable event ingest
In addition to these components, you must make sure that all of the appliances can synchronize time using NTP.
If you want to remotely access the Firepower or Secure Network Analytics appliances' consoles, you can enable access over SSH.
Secure Network Analytics Licensing
You can use Security Analytics and Logging (OnPrem) for 90 days without a license in Evaluation Mode. To continue using Security Analytics and Logging (OnPrem) after the 90-day period, you must obtain a Logging and Troubleshooting Smart License for Smart Licensing, based on the GB per day of syslog data you anticipate sending from your Firewall deployment to your Secure Network Analytics appliance.
Note: For license calculation purposes, the amount of data is reported to the nearest whole GB, truncated. For example, if you send 4.9 GB in a day, it is reported as 4 GB.
See the Secure Network Analytics Smart Software Licensing Guide for more information on licensing your Secure Network Analytics appliances.
Secure Network Analytics Resource Allocation
Secure Network Analytics offers the following ingest rates when deployed for Security Analytics and Logging (OnPrem):
- a hardware or virtual edition (VE) Single-node deployment can ingest up to roughly 20k events per second (EPS) on average, with short bursts of up to 35k EPS
- a virtual edition (VE) Multi-node deployment can ingest up to roughly 50k EPS on average, with short bursts of up to 175k EPS
- a hardware Multi-node deployment can ingest up to roughly 100k EPS on average, with short bursts of up to 350k EPS
Based on the allocated hard drive storage, you can store the data for several weeks or months. These estimates are subject to various factors, including network load, traffic spikes, and information transmitted per event.
Note: At higher EPS ingest rates, the Security Analytics and Logging (OnPrem) app may drop data. In addition, if you send all event types, instead of only connection, intrusion, file, and malware events, the app may drop data as your overall EPS rises. Review the log files in this case; see Troubleshooting for more information.
Single-node VE Recommendations
For optimum performance, allocate the following resources if you deploy a Manager VE:
Resource | Recommendation
---|---
CPUs | 12
RAM | 64 GB
Hard drive storage | 2 TB
Based on the storage space that you allocate, you can store your data for roughly the following time frames on a Single-node deployment:
Average EPS | Average Daily Events | Estimated Retention Period for 1 TB Storage | Estimated Retention Period for 2 TB Storage | Estimated Retention Period for 4 TB Storage
---|---|---|---|---
1,000 | 86.5 million | 250 days | 500 days | 1000 days
5,000 | 430 million | 50 days | 100 days | 200 days
10,000 | 865 million | 25 days | 50 days | 100 days
20,000 | 1.73 billion | 12.5 days | 25 days | 50 days
When the Manager reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data.
Note: We have tested the Manager VE with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the storage allocation beyond 4 TB, you may note unanticipated errors due to insufficient resource allocation.
Multi-node Recommendations
For optimum performance, allocate the following resources if you deploy a Manager VE, Flow Collector VE, and Data Store VE:
Manager VE:
Resource | Recommendation
---|---
CPUs | 8 Intel Xeon, minimum 2.29 GHz
RAM | 64 GB
Hard drive storage | 480 GB
Flow Collector VE:
Resource | Recommendation
---|---
CPUs | 8 Intel Xeon, minimum 2.29 GHz
RAM | 70 GB
Hard drive storage | 480 GB
Data Store VE:
Resource | Recommendation
---|---
CPUs | 12 Intel Xeon, minimum 2.29 GHz per Data Node
RAM | 32 GB per Data Node
Hard drive storage | 5 TB per Data Node VE, or 15 TB total across 3 Data Nodes
Based on the storage space that you allocate, you can store your data for roughly the following time frames on your Multi-node deployment:
Average EPS | Average Daily Events | Virtual | Hardware
---|---|---|---
1,000 | 86.5 million | 1,500 days | 3,000 days
5,000 | 430 million | 300 days | 600 days
10,000 | 865 million | 150 days | 300 days
20,000 | 1.73 billion | 75 days | 150 days
25,000 | 2.16 billion | 60 days | 120 days
50,000 | 4.32 billion | 30 days | 60 days
75,000 | 6.48 billion | Not supported | 40 days
100,000 | 8.64 billion | Not supported | 30 days
When the Data Store reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data.
Note: We have tested these virtual appliances with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the storage allocation beyond 4 TB, you may note unanticipated errors due to insufficient resource allocation.
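A capacity-planning helper, added here as an example and not part of this guide or the product, that encodes the Single-node and Multi-node retention tables above and the whole-GB truncation rule from Secure Network Analytics Licensing. The retention constants are derived from the tables (retention scales inversely with EPS, and on a Single-node deployment linearly with storage); the Multi-node figures apply to the recommended 15 TB Data Store, the supported EPS ceilings are the average rates listed under Resource Allocation, and the bytes-per-event value and decimal-GB unit are assumptions you must replace with your own measurements.

```python
from typing import Optional

SECONDS_PER_DAY = 86_400

# Sustained ingest ceilings (average EPS) from the Resource Allocation section and
# retention constants derived from the tables in this guide:
#   Single-node: 1,000 EPS on 1 TB = 250 days, scaling with allocated storage
#   Multi-node:  1,000 EPS on the recommended 15 TB = 1,500 days VE / 3,000 days hardware
DEPLOYMENTS = {
    "single-node":   {"max_eps": 20_000,  "days_at_1k_eps_per_tb": 250.0},
    "multi-node-ve": {"max_eps": 50_000,  "days_at_1k_eps": 1_500.0},
    "multi-node-hw": {"max_eps": 100_000, "days_at_1k_eps": 3_000.0},
}


def daily_events(avg_eps: float) -> int:
    """Events per day at a sustained average EPS (the guide's table rounds these)."""
    return int(avg_eps * SECONDS_PER_DAY)


def retention_days(deployment: str, avg_eps: float,
                   storage_tb: Optional[float] = None) -> Optional[float]:
    """Estimated days before the oldest data is deleted to make room for new data.

    Returns None when the average EPS exceeds the supported ingest rate for the
    deployment type (the 'Not supported' cells in the Multi-node table).
    """
    spec = DEPLOYMENTS[deployment]
    if avg_eps <= 0 or avg_eps > spec["max_eps"]:
        return None
    if deployment == "single-node":
        # 2 TB is the recommended Single-node allocation; the table covers 1, 2 and 4 TB.
        tb = 2.0 if storage_tb is None else storage_tb
        return spec["days_at_1k_eps_per_tb"] * tb * 1_000 / avg_eps
    return spec["days_at_1k_eps"] * 1_000 / avg_eps


def licensed_gb_per_day(avg_eps: float, avg_bytes_per_event: float) -> int:
    """Daily syslog volume as reported for the Smart License: whole GB, truncated.

    Assumes decimal GB (10^9 bytes) and an average syslog size per event that you
    measure on your own Firewall deployment (assumed input, not a value from the guide).
    """
    gb = daily_events(avg_eps) * avg_bytes_per_event / 1e9
    return int(gb)  # 4.9 GB is reported as 4 GB, as the licensing note states
```

Run retention_days("single-node", 20_000, 4) against your planned EPS to check whether the recommended 2 TB or a larger (up to 4 TB) allocation meets your retention target.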
Communication Ports
The following table lists the communication ports you must open for the Security Analytics and Logging (OnPrem) integration for a Single-node deployment.
From (Client) | To (Server) | Port | Protocol or Purpose
---|---|---|---
External internet (NTP server) | FMC, FTD devices, and Manager | 123/UDP | NTP time synchronization, all to the same NTP server
User workstations | FMC and Manager | 443/TCP | Logging into the appliances' web interfaces over HTTPS using a web browser
FTD devices managed by a FMC | Manager | 8514/UDP | Syslog export from the FTD devices, ingest to the Manager
FMC | Manager | 443/TCP | Remote query from the FMC to the Manager
The following table lists the communication ports you must open for the Security Analytics and Logging (OnPrem) integration for a Multi-node deployment. In addition, see the Data Store Hardware Deployment and Configuration Guide or the Data Store Virtual Edition Deployment and Configuration Guide for the ports you must open for your Secure Network Analytics deployment.
From (Client) | To (Server) | Port | Protocol or Purpose
---|---|---|---
External internet (NTP server) | FMC, FTD devices, Manager, Flow Collector, and Data Store | 123/UDP | NTP time synchronization, all to the same NTP server
User workstations | FMC and Manager | 443/TCP | Logging into the appliances' web interfaces over HTTPS using a web browser
FTD devices managed by a FMC | Flow Collector | 8514/UDP | Syslog export from the FTD devices, ingest to the Flow Collector
ASA devices | Flow Collector | 8514/UDP | Syslog export from the ASA devices, ingest to the Flow Collector
FMC | Manager | 443/TCP | Remote query from the FMC to the Manager