Security Intelligence Sizing Tool For SSP
search cancel

Security Intelligence Sizing Tool For SSP

book

Article ID: 388027

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Customers deploying Security Intelligence (previously known as NSX Intelligence) have difficulty evaluating the number of worker nodes required for their environment. Incorrect sizing of worker nodes can result in instability - resulting in storage, memory, and CPU alarms, and improper functionality of enabled features.

This tool is used to estimate the number of worker nodes required to operate Security Intelligence smoothly.

Environment

This tool requires SSP 5.0 or above and NSX version 4.2.0 or above. This tool will not work or provide any useful output if either of the versions are below the required versions.

Cause

Security Intelligence deployment with insufficient resources and can lead to multiple issues as mentioned below.

Alerts and Alarms indicating failures
Inability to ingest incoming flows
Inability to process and store incoming flow metrics data, events and configuration updates
Failure to provide accurate recommendations

Resolution

Customers are advised to use the sizing tool referenced in this KB to estimate the number of worker nodes required for their environment. Here is the recommended workflow to install and use this tool.

1. Install the Security Services Platform and allow the system to run and collect flow stats for at least seven days.

 Intelligence Sizing Tool depends on Metrics vertical and not  NSX Intelligence vertical. Activating Intelligence to run Sizing tool not mandatory.

Note:  With Intelligence not activated/deployed, it would assume all clusters and hosts will be enabled for data collection. Incase, Intelligence already activated/deployed, then customers may choose clusters to activate/deactivate under System tab→Data Collection settings in the SSP UI, and select as per choice and run the sizing tool.

 

2. Download and install the sizing tool referenced in this KB.

a. Go to Broadcom SSP 5.0 download page and maneuver to Drivers and Tools tab.

b. Search for Security Intelligence Sizing Tool  and expand to get the download icon. Download the package to your local storage (screenshot below). 

c. Copy the security_intelligence_sizing package to SSPI nodes in the cluster using the command below.

# scp security_intelligence_sizing root@<SSPI_IP>:/root/

d. Login to SSPI as root and change the permission of the file using the command line below.

# chmod +x /root/security_intelligence_sizing

3. Run the sizing tool

a. To obtain a list of options, use the following command.

# security_intelligence_sizing –-help

b. Typical usage of the tool involves invoking it with the following command; the --verbose is optional.

# security_intelligence_sizing --manager <nsx-manager-ip> --username admin  --verbose

c. The tool will then prompt for the password for username "admin"; provide the admin password of the NSX Manager. 

d. Here is one sample output where the number of worker nodes recommended is within the supported Config Max limit.

root@sspi:~# ./security_intelligence_sizing -u admin -p <nsx-manager-admin-password> -m <nsx-manager-ip> -a -v
2025-02-07 05:14:08 - DEBUG - NSX username: admin
2025-02-07 05:14:08 - DEBUG - NSX Manager: <nsx-manager-ip>
2025-02-07 05:14:08 - DEBUG - Using percentage for internal flows --internal_flows: 70
2025-02-07 05:14:08 - DEBUG - Using percentage for unique flows per hour --unique_flows: 15
2025-02-07 05:14:08 - DEBUG - Using raw flow capacity per compute instance per second --rawflow_capacity_per_instance_per_sec: 1,000
2025-02-07 05:14:08 - DEBUG - Using over flow capacity per compute instance per second --overflow_capacity_per_instance_per_sec: 800
2025-02-07 05:14:08 - DEBUG - Using disk size in GB per storage instance --historical_disk_size: 128
2025-02-07 05:14:08 - DEBUG - Using flow size in bytes --flow_size_in_bytes: 200
2025-02-07 05:14:08 - INFO - 21 Transport Nodes detected among 3 cluster(s) and standalone host(s). This could take a while...
2025-02-07 05:14:08 - INFO - Computing size estimation for 21 activated TNs only
2025-02-07 05:14:08 - DEBUG - Extracting total flow metrics...
2025-02-07 05:14:12 - DEBUG - Extracting 5-minute interval flow metrics...
2025-02-07 05:14:14 - DEBUG - Average raw flows per hour over last 7 days: 11,496,456
2025-02-07 05:14:14 - DEBUG - Average 5-minute interval burst of raw flows over last 7 days: 1,034,331
2025-02-07 05:14:14 - DEBUG - Average 5-minute interval burst of correlated flows: 672,315
2025-02-07 05:14:14 - DEBUG - Flow compute instance(s) required: 4
2025-02-07 05:14:14 - DEBUG - Estimated number of correlated flows aggregated over 30 days: 997,604,880
2025-02-07 05:14:14 - DEBUG - Flow storage instance(s) required: 2
2025-02-07 05:14:14 - DEBUG - Minimum number of worker nodes required for this version of Security Intelligence: 4
2025-02-07 05:14:14 - DEBUG - Maximum number of worker nodes supported in this version of Security Intelligence: 10
2025-02-07 05:14:14 - INFO - Worker nodes recommended for this environment: 6

 

e. Here is another sample output where the recommended number of worker nodes exceeds the supported Config Max limit. In this case, the tool will report the flow statistics for each cluster and individual host.

root@sspi:~# ./security_intelligence_sizing -u admin -p <nsx-manager-admin-password> -m <nsx-manager-ip> -a -v
2025-02-07 07:01:31 - DEBUG - NSX username: admin
2025-02-07 07:01:31 - DEBUG - NSX Manager: <<nsx-manager-ip>
2025-02-07 07:01:31 - DEBUG - Using percentage for internal flows --internal_flows: 70
2025-02-07 07:01:31 - DEBUG - Using percentage for unique flows per hour --unique_flows: 15
2025-02-07 07:01:31 - DEBUG - Using raw flow capacity per compute instance per second --rawflow_capacity_per_instance_per_sec: 1,000
2025-02-07 07:01:31 - DEBUG - Using over flow capacity per compute instance per second --overflow_capacity_per_instance_per_sec: 800
2025-02-07 07:01:31 - DEBUG - Using disk size in GB per storage instance --historical_disk_size: 128
2025-02-07 07:01:31 - DEBUG - Using flow size in bytes --flow_size_in_bytes: 200
2025-02-07 07:01:32 - INFO - 21 Transport Nodes detected among 3 cluster(s) and standalone host(s). This could take a while...
2025-02-07 07:01:32 - INFO - Computing size estimation for 21 activated TNs only
2025-02-07 07:01:32 - DEBUG - Extracting total flow metrics...
2025-02-07 07:01:36 - DEBUG - Extracting 5-minute interval flow metrics...
2025-02-07 07:01:38 - DEBUG - Average raw flows per hour over last 7 days: 19,663,105
2025-02-07 07:01:38 - DEBUG - Average 5-minute interval burst of raw flows over last 7 days: 2,191,957
2025-02-07 07:01:38 - DEBUG - Average 5-minute interval burst of correlated flows: 1,424,772
2025-02-07 07:01:38 - DEBUG - Flow compute instance(s) required: 8
2025-02-07 07:01:38 - DEBUG - Estimated number of correlated flows aggregated over 30 days: 1,706,265,870
2025-02-07 07:01:38 - DEBUG - Flow storage instance(s) required: 4
2025-02-07 07:01:38 - DEBUG - Minimum number of worker nodes required for this version of Security Intelligence: 4
2025-02-07 07:01:38 - DEBUG - Maximum number of worker nodes supported in this version of Security Intelligence: 10
2025-02-07 07:01:38 - INFO - The volume of flows in this environment requires 2 more worker nodes than the supported limit. Below is a csv output that should help you identify a subset of clusters or standalone hosts to include in your Security Intelligence deployment
8<—------------
Cluster Name,5-minute Interval Flows,Average Flows Per Hour
Tenant-Cluster-0,9796,109458,True
Tenant-Cluster-1,9722,111858,True
SIM_Cluster,6872,56241,True


In this scenario, use the CSV snippet under 8 <------------------------, in the output above, to determine which clusters to select.
Once the clusters and stand-alone hosts are determined, use the NSX Intelligence UI to enable only select clusters. At the System tab 1 in Data Collection 2 settings, Select 3 some clusters or stand-alone hosts and toggle the Deactivate 4 button as below.

 

Next, run the tool with the --activated_only option to compute the sizing only for the enabled clusters.
      # security_intelligence_sizing --manager <nsx-manager-ip> --username admin –-verbose –-activated_only

 

4. If the number of worker nodes currently existing in the environment is less than what the sizing tool recommends, then deploy additional worker nodes as recommended by the tool. 

 STEP1: Go to the SSPI instance1 and navigate to Instance Management2 tab. Elect the Edit Deployment Size3 option scale out the SSP instance to the required number of worker nodes.

STEP2: Return to Security Services Platform UI. At the System tab1 → Platform & Services2,  choose the scale-out 3 as below.

STEP3: Select Analytics, Messaging, and Data Storage (if applicable) services and click the SCALE OUT radio button



Powered by Wolken Software