
Managing distributed Policy Manager Server from One Server

ravi12
ravi12 Posts: 57 Security Scout

Hi to all,

In our environment we are managing approx 50000 clients through 06 FSPM Servers located at different locations. We take each of the 06 FSPM Servers on remote and manage the clients from our central location. For that, we have to log in to all the 06 FSPM servers to see the alerts and manage the clients.

Is there any possibility of managing all the 06 FSPM servers with the One MASTER FSPM Server Console or can it be customised to meet our requirement?

Comments

  • ravi12
    ravi12 Posts: 57 Security Scout

    As said above, we have approx. thousands of clients. Please let me know how many clients can be managed by the single Policy Manager Console and what should be the server configuration for managing that number of clients.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

     

    I think the Linux-based edition of "F-Secure Policy Manager" has higher performance than the Windows-based edition.

     

    I think there are German partners who have implemented, for very large customers, Linux-based, single-server F-Secure Policy Manager environments with 60-70 thousand centrally managed endpoints, using F-Secure Policy Manager Proxy or unconfigured FSPM instances at the branch offices to reduce bandwidth needs.

     

    Note: several years ago the official wisdom was that Windows-based FSPM can do 5000 endpoints per server, while Linux-based FSPM can do 15000 endpoints per server, with 4 CPU and a client poll period of 90 minutes instead of the default 10 mins. This may not be relevant any longer however, since this old information probably predates the conversion of FSPM technology from shared folder to active database based data storage.

     

    Best Regards: Tamas Feher, Hungary.

  • A_Grinkevitch
    A_Grinkevitch Staff Posts: 169 Threat Terminator

    Hello,

    You are right, it is possible to manage several thousand endpoints from one PM instance. Even in case of high load, it is still possible to extend the polling interval from the default 10 minutes.

    As an option to protect master PM from high load, you can configure your network to avoid direct connections from endpoints to master PM, for instance by installing 6 Policy Manager Proxies for 6 offices, where endpoints are configured to connect to master PM via Policy Manager Proxies.

    The problem here might be in Console, where first start, switching tabs or domains might take some time, depending on status size, alerts, scanning reports etc.

    As for hardware requirements, 4 CPU should be enough. Best practice is to set RAM size to fit all DB in memory (for instance h2db file size) + 2GB. If Console is running on the same host, add 2GB for it as well.

    For 50k endpoints environment it is about 8-12GB.

    Also, I'd suggest moving DB from H2 to MySQL for such heavy-loaded environments.

This discussion has been closed.
