on Sep 9, 2020Note: These recommendations can be used as a baseline for 11.5.0.0 and adjusted as needed.
This topic contains the minimum AWS instance configuration settings recommended for the RSA NetWitness
Platform virtual stack components.
-
EC2 Instance:
- Instance type adjustments -you must adjust instance types according to your ingestion rate, content and parsers, dashboard reports, scheduled reports, investigations, and active users.
-
Recommended settings - the recommended settings in the NW component instance tables below were calculated under the following conditions.
- Ingestion rates of 15,000 EPS and 1.5 Gbps were used.
- All the components were integrated.
- The Log stream includes a Log Decoder, Concentrator, and Archiver.
- The Packet stream includes a Network Decoder and Concentrator.
- The Endpoint Hybrid stream includes a Endpoint Server, Concentrator and Log Decoder.
- Respond is receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load includes reports, charts, alerts, investigation, and respond.
-
Block Storage
For more information on the required volumes and the storage allocations, see the Storage Guide for RSA NetWitness
Platform 11.x.
Archiver
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 5,000 | m4.xlarge | No | Yes |
| 10,000 | m4.2xlarge | No | Yes |
| 15,000 | m4.4xlarge | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| archiver | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| workbench | /dev/sdh | Throughput Optimized HDD | N/A |
Broker
| EC2 Instance | ||
|---|---|---|
| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| m4.xlarge | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| broker | /dev/sdg | General Purpose SSD | N/A |
Concentrator - Log Stream
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 5,000 | m4.xlarge | No | Yes |
| 10,000 | m4.2xlarge | No | Yes |
| 15,000 | m4.4xlarge | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index | /dev/sdg | Provisioned IOPS | 10,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
Packet Stream Solutions
Concentrator - Gigamon Solution
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 500 Mbps | c4.4xlarge | No | Yes |
| 1,000 Mbps | c4.8xlarge | No | Yes |
| 1.5 Gbps | m4.10xlarge | No | Yes |
Concentrator - f5 BIG-IP Solution
To be updated when f5 BIG-IP performance testing is complete.
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 230 Mbps | m4.4xlarge | No | No |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index | /dev/sdg | Provisioned IOPS | 15,000 |
| session, metadb | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
Decoder - Gigamon Solution
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 500 Mbps | c4.2xlarge | Yes | Yes |
| 1000 Mbps | c4.4xlarge | Yes | Yes |
| 1.5 Gbps | c4.8xlarge | Yes | Yes |
Decoder - f5 BIG-IP Solution
To be updated when f5 BIG-IP performance testing is complete.
| EC2 Instance | |||
|---|---|---|---|
| Mbps/Gbps | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 230 Mbps | m4.4xlarge No. of CPU: 16 Memory: 64 GB | No | No |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
ESA and Context Hub on Mongo Database
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 9,000 | m4.2xlarge | No | Yes |
| 18,000 | r4.2xlarge | No | Yes |
| 30,000 Aggregation Rate | r4.4xlarge | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| apps (/opt/rsa) | /dev/sdg | General Purpose SSD | N/A |
Log Collector (Syslog, Netflow, and File Collection Protocols)
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 30,000 NON SSL | c4.2xlarge No of CPU: 8 Memory: 15 GB | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| logcollector | /dev/sdg | General Purpose SSD | N/A |
Log Decoder
| EC2 Instance | |||
|---|---|---|---|
| EPS | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 5,000 | c4.2xlarge | Yes | Yes |
| 10,000 | c4.4xlarge | Yes | Yes |
| 15,000 | c4.8xlarge No of CPU: 36 Memory: 60GB | Yes | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
NW Server, Reporting Engine, Respond and Health & Wellness
| EC2 Instance | ||
|---|---|---|
| Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| m4.2xlarge | No | Yes |
| m4.4xlarge | No | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| uax,ipdb | /dev/sdg | General Purpose SSD | N/A |
| redb,rehome | /dev/sdh | General Purpose SSD | N/A |
NetWitness Endpoint Hybrid
| EC2 Instance | |||
|---|---|---|---|
| Agents | Instance Type | Enhanced Networking Enabled | Tenancy Type - Dedicated - Run a Dedicated Instance |
| 15,000 agents | m4.10xlarge No of CPU: 40 Memory: 160 GB RAM | Yes | Yes |
| Cloud Provider Block Storage | |||
|---|---|---|---|
| Volumes | Device | Volume Type | IOPS/Baseline Throughput |
| / (root) | /dev/sda1 | General Purpose SSD | N/A |
| usr,var,opt,home,tmp | /dev/sdf | General Purpose SSD | N/A |
| index,session,meta (Log Decoder) | /dev/sdg | Throughput Optimized HDD | 240 MB/s |
| packet (Log Decoder) | /dev/sdh | Throughput Optimized HDD | 240 MB/s |
| index (Concentrator) | /dev/sdi | Provisioned IOPS | 10,000 |
| session,meta (Concentrator) | /dev/sdj | Throughput Optimized HDD | 240 MB/s |
| mongoDB | /dev/sdl | Throughput Optimized HDD | 240 MB/s |
