Reserve VM resources for ATP/SEDR VE in ESXi 6.02 or later

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Symantec Advanced Threat Protection (ATP) 3.x and Symantec Endpoint Detection Response (SEDR) 4.x virtual edition (VE) require VM resources to be reserved for that VM alone.

If the resources are not reserved, the VM could break even on initial startup after providing the bootstrap data.
A broken VM with unreserved resources is not always recoverable, which may require that the OVA be redeployed to a new VM.
A VM could break if the block size for the datastore is not configured correctly.
- Re-installation of EDR using the OVA is required in this situation.

Environment

VMware ESXi/vSphere 6.02 to 6.5 using the vSphere client or web interface.

Resolution

By default, the ATP 3.x/SEDR 4.x OVA allocates 48GB of RAM and 12 CPUs. To reserve the VM resources, you will need to edit the VM guest and specify the amount of resources to reserve.

To edit the settings on the virtual machine in the vSphere client:

Navigate to the Virtual Machine and access the Summary tab.
Click Edit Settings:
In the settings window, click the Resources tab.
For CPU, the minimum recommended amount of reservation is 12 GHz or 12,000 MHz:
For memory, all guest memory must be reserved:

To edit the settings on the virtual machine in the ESXi web interface:

Navigate to the VM.
In the top-center menu, click Edit:
For CPU, the minimum recommended amount of reservation is 12 GHz or 12,000 MHz:
For memory, all guest memory must be reserved:

To edit the settings on the virtual machine in the vSphere Web Client:

Navigate to the VM.
Under the Actions menu in the top-center menu, click Edit Settings:
For CPU, the minimum recommended amount of reservation is 12 GHz or 12,000 MHz:
For memory, all guest memory must be reserved:

Note: The vSphere/ESXI host must have these resources physically available and not reserved by any other VMs in order to allocate to the ATP VM. If you do not have enough physical resources for the VM, the VM will be in an unsupported configuration and may not function correctly.

Important note about the virtual environment datastore block sizes:

Block size requirements for EDR virtual machines are as follows:

Use the proper block size, depending upon the VMFS version of your system and if it was upgraded from an earlier VMFS version.
1. If your VMware server datastore was upgraded from VMFS-2 to VMFS-5 than the block size should be set to 4 MB.
2. If your VMware server datastore was upgraded from VMFS-3 or later to VMFS-5 than the block size should be set to 8 MB.
3. If you did not upgrade the datastore from an earlier version of VMFS and this is a new datastore on VMFS-5 then the default 1 MB block size is supported by EDR because larger disk sizes are also supported by VMware.
If the block size is not set correctly on the datastore where EDR is installed then reinstalling EDR is required. EDR must be installed on a datastore with the correct block size.
1. See Block size and vmdk size limitation - https://communities.vmware.com/t5/vSphere-Storage-Documents/VMFS-block-size/ta-p/2784698
2. See Block size limitations of VMFS datastore (1003565) - https://kb.vmware.com/s/article/1003565

Other important considerations for the VMware datastores:

New VMware datastores using VMFS5 support the disk and partition sizes supported by EDR. This means that if it is a new VMFS5 datastore it will have a block size of 1 MB and the larger disk sizes are in fact supported on this datastore. This block size and this datastore version are supported for use with EDR.
A different block size should only be seen for datastores which have been upgraded from earlier VMFS versions to VMFS5.
Transferring a virtual machine to a new datastore is not supported. Re-installation of EDR on a datastore that is configured with the correct block size is required.