
Architectural and Sizing Guidelines & Supported Deployment Models
Sep 2020

INTELLIGENT SECURITY MANAGEMENT


FireMon Confidential Information
Sizing

General Sizing Guidelines


Production
1. Fewer than 50 firewalls: 32 vCPU, 64 GB memory, 600 GB disk (SSD recommended), all-in-one.
2. Fewer than 50 firewalls but running TFA reports (TFA = Traffic Flow Analysis): 32 vCPU, 64-96 GB memory, 600 GB disk (SSD recommended), all-in-one.
3. 50 to 100 firewalls: AS+DB 32 vCPU, 96 GB memory, 600 GB disk; 2 DCs, each 16 vCPU, 48 GB memory, 250 GB disk (SSD recommended).
4. 100 to 150 firewalls: AS+DB 32 vCPU, 96 GB memory, 1.2 TB disk; 3 DCs, each 16 vCPU, 48 GB memory, 250 GB disk (SSD recommended).
5. 150 to 500 firewalls: AS+DB 32 vCPU, 96 GB memory, 2 TB disk; 5 DCs, each 16 vCPU, 64 GB memory, 250 GB disk (SSD recommended).
6. 500 to 700 firewalls: AS+DB 48 vCPU, 96 GB memory, 2 TB disk; 8 DCs, each 16 vCPU, 64 GB memory, 250 GB disk (SSD recommended).

PoC (all-in-one VM):
• 8 vCPUs (for PoCs connecting to production firewalls that handle heavy traffic, 16 vCPUs are recommended)
• 64 GB of memory (32 GB is acceptable for a very small PoC, e.g. 2 firewalls with little traffic)
• 500 GB of disk space

Architectural Guidelines

Architectural Guidelines (loose)

• All builds should have a DC separate from the AS/DB machines/VMs, unless the environment is really small (< 10 FWs).
• On builds with over 80 devices, separate the AS and DB machines/VMs.
• On builds with over 500 devices, the DB machine should be the FM1100.
• On builds with over 500 devices, multiple AS machines should be used.
• One DC (705) can support about 200 Check Point firewalls.
• One DC (705) can support about 150 firewalls from other vendors.


Architectural Guidelines - Cont.

• VM (ESXi) recommendations should generally match the appliance specs where possible.
• The VM full-disk encryption (FDE) key is derived from the machine UUID, so that encrypted disks cannot be moved from one machine to another. This was a requirement for achieving Common Criteria certification. If the VM platform changes the machine UUID (e.g. on clustering failover or DR) during the switch from one environment to another, decryption will fail.
• HA vs. true DR: make sure the customer understands the difference.
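Because the FDE key is tied to the machine UUID, the practical pre-flight check before any clustering failover or DR cutover is whether the hypervisor still presents the same UUID to the guest. The script below is an added example, not FireMon tooling: it records the SMBIOS UUID once at install time and compares it again before a cutover. The record file path, the `record`/`check` sub-commands, and reading the UUID from /sys/class/dmi/id/product_uuid or `dmidecode -s system-uuid` are assumptions, not anything the deck specifies.

```shell
#!/bin/sh
# Added example (not FireMon tooling): record the VM's SMBIOS machine UUID at
# install time and re-check it before a failover/DR cutover. The FDE key is
# derived from this UUID, so a changed UUID means the disks will not unlock.
# Assumptions: the UUID is readable from /sys/class/dmi/id/product_uuid (root)
# or via `dmidecode -s system-uuid`; the record file location is hypothetical.

UUID_RECORD=${UUID_RECORD:-/etc/firemon-machine-uuid}   # assumed location

# Canonical form: lower-case, no dashes or whitespace, so that formatting
# differences between tools do not produce a false mismatch.
normalize_uuid() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[-[:space:]]//g'
}

# Print the UUID the hypervisor currently presents to the guest.
current_uuid() {
    if [ -r /sys/class/dmi/id/product_uuid ]; then
        cat /sys/class/dmi/id/product_uuid
    elif command -v dmidecode >/dev/null 2>&1; then
        dmidecode -s system-uuid
    else
        echo "cannot read machine UUID" >&2
        return 2
    fi
}

# uuid_compare RECORDED CURRENT: prints "match" (exit 0) or "MISMATCH ..." (exit 1).
# An empty value on either side is an error (exit 2), never a match.
uuid_compare() {
    rec=$(normalize_uuid "$1")
    cur=$(normalize_uuid "$2")
    if [ -z "$rec" ] || [ -z "$cur" ]; then
        echo "ERROR: empty UUID (recorded='$1' current='$2')"
        return 2
    fi
    if [ "$rec" = "$cur" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH: recorded=$1 current=$2 (FDE will not unlock on this machine)"
    return 1
}

# record_uuid: run once on the freshly installed VM.
record_uuid() {
    current_uuid > "$UUID_RECORD" && chmod 0600 "$UUID_RECORD"
}

# check_uuid: run before a cutover, or as a boot-time health check.
check_uuid() {
    [ -r "$UUID_RECORD" ] || { echo "no recorded UUID at $UUID_RECORD" >&2; return 2; }
    uuid_compare "$(cat "$UUID_RECORD")" "$(current_uuid)"
}

case "${1:-}" in
    record) record_uuid ;;
    check)  check_uuid ;;
esac
```

Run `record` once on the freshly built VM and `check` as a pre-flight step before moving it; a non-zero exit means the disks will not unlock on that host, and the cutover should be stopped before DNS is changed. Preventing the UUID change in the first place is a platform setting (on ESXi the VM's uuid.action setting controls whether the UUID is kept on a move), which this deck does not cover.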

Architectural Guidelines - Cont.


• Items that impact performance (for reference):
  • Legacy log considerations (e.g. Cisco 302x messages)
  • VM considerations (e.g. shared disk, NIC)
  • Add-on modules
  • Average config size of monitored devices
  • Frequency of change (push on demand, or all at once regardless of change)
  • Events per second
  • Saves vs. pushes (e.g. a Check Point save causes the entire config to be pulled)
  • Enterprise-wide assessments (tied to frequency of change)
  • Excessive external API calls
  • Total rule and object count
  • Excessive compliance zones
  • Excessive reports
  • Excessive TFA


Backup Solutions
• All options presented should include some backup stored outside of the FireMon environment.
• Development recommends an SCP/SFTP server to house these backups. This can be any Linux box with enough space and the ability to create a user account and set directory permissions.
• Ensure the SCP/SFTP server can communicate with all servers: this lets you move backups quickly and reduces downtime.


Architectural Options (Typical)


*Note: For all options, more DCs can be added depending on the number of remote sites. If DC redundancy is required, DC clustering (minimum 3 DCs) can be set up. DCs do not require licenses.

Option 1
  Components: 1 VM/appliance containing the AS, DB and DC roles
  Notes: Recommended only for smaller deployments (< 20 FWs)

Option 2
  Components: 1 VM/appliance with AS + DB roles; 1 or more VMs/appliances with the DC role
  Notes: Usual mode of deployment for customers in APAC. Where possible, the DC should be separate from AS+DB, even for smaller deployments.

Option 3
  Components: 1 VM/appliance with AS + DB roles; 1 VM/appliance with AS + DB roles (cold standby); 1 or more VMs/appliances with the DC role
  Notes: Cold standby option; offers some form of redundancy without committing too many resources.

Option 4
  Components: 1 VM/appliance with the AS role; 1 VM/appliance with the DB role; 1 or more VMs/appliances with the DC role
  Notes: For bigger deployments (> 150 FWs)

Architectural Options (Larger deployments or redundancy required)

*Note: For all options, more DCs can be added depending on the number of remote sites. If DC redundancy is required, DC clustering (minimum 3 DCs) can be set up. DCs do not require licenses.
*Note 2: If the customer wants full HA, they should be aware of the amount of resources/servers/VMs required to achieve it. Since FireMon is not a mission-critical application, HA may not be required.

Option 5
  Components: 1 VM/appliance with the AS role; 1 VM/appliance with the DB1 role; 1 VM/appliance with the DB2 role; 1 or more VMs/appliances with the DC role
  Notes: Active-standby DB (the DB does not require a license)

Option 6
  Components: 1 VM/appliance with the AS1 role; 1 VM/appliance with the AS2 role; 1 VM/appliance with the DB role; 1 or more VMs/appliances with the DC role
  Notes: Active-active AS; requires 2 x ASM licenses

Option 7
  Components: 1 VM/appliance with the AS1 role; 1 VM/appliance with the AS2 role; 1 VM/appliance with the DB1 role; 1 VM/appliance with the DB2 role; 1 or more VMs/appliances with the DC role
  Notes: Active-active AS, active-standby DB

OPTION #3 - Distributed: Cold Standby DB Machine

Diagram: one DC Machine (DC01) reporting to the primary AS/DB Machine (AS/DB01); a second AS/DB Machine (AS/DB02) sits idle as the cold standby.

Requirements
• The nightly backup on the primary AS_DB01 is copied via a script to the cold standby AS_DB02.
• Supported only for a single backup per 24-hour or 7-day period (note that 100+ GB customer backups can run for 12+ hours).
• In the event of a failover, manual DNS changes are required to redirect from AS_DB01 to AS_DB02.
• Manual upkeep of the remote backup directory is needed to clean out old backups and ensure free space.
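Both the Backup Solutions slide (ship backups to an external SCP/SFTP host) and the cold-standby option above (nightly copy to AS_DB02, plus manual clean-out of the remote directory) call for the same small piece of automation. The script below is an added example, not FireMon's own backup script. Everything it assumes is hypothetical: backups are *.tar.gz files in BACKUP_DIR, the remote account "fmbackup" accepts the key in SSH_KEY, and retention is expressed as a count of newest files to keep; the deck does not state FireMon's backup file names or locations.

```shell
#!/bin/sh
# Added example (not FireMon's own backup script): push the nightly backup to an
# external SCP/SFTP host over key-based SSH, verify it arrived intact, and
# prune old copies so neither side fills up. Pointed at the cold standby
# AS/DB machine instead of a backup host, it is the Option 3 nightly copy.
# Assumptions (hypothetical): backups are *.tar.gz files in BACKUP_DIR, the
# remote account accepts the key in SSH_KEY, retention is a count of files.

BACKUP_DIR=${BACKUP_DIR:-/var/backups/firemon}
REMOTE=${REMOTE:-fmbackup@backup.example.internal}
REMOTE_DIR=${REMOTE_DIR:-/srv/firemon-backups}
SSH_KEY=${SSH_KEY:-/root/.ssh/fmbackup_ed25519}
KEEP=${KEEP:-7}
# BatchMode: never hang on a prompt from cron. StrictHostKeyChecking=yes: a
# changed host key (e.g. DNS now pointing somewhere else) fails the job.
SSH_OPTS="-i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"

# newest_backup DIR: print the path of the most recently modified *.tar.gz in DIR.
newest_backup() {
    ls -1t "$1"/*.tar.gz 2>/dev/null | head -n 1
}

# prune_old_backups DIR KEEP: delete all but the KEEP newest *.tar.gz files in
# DIR and print how many remain. Operates on a local path; the remote
# directory gets the same logic through ssh in run_nightly.
prune_old_backups() {
    ls -1t "$1"/*.tar.gz 2>/dev/null | tail -n +$(( $2 + 1 )) | while IFS= read -r old; do
        rm -f -- "$old"
    done
    ls -1 "$1"/*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# ship_backup FILE: copy FILE to the remote directory and confirm the remote
# SHA-256 matches the local one before trusting the copy.
ship_backup() {
    f=$1
    [ -f "$f" ] || { echo "no backup file: $f" >&2; return 1; }
    local_sum=$(sha256sum "$f" | cut -d' ' -f1)
    scp -q $SSH_OPTS "$f" "$REMOTE:$REMOTE_DIR/" || return 1
    remote_sum=$(ssh $SSH_OPTS "$REMOTE" "sha256sum '$REMOTE_DIR/$(basename "$f")'" | cut -d' ' -f1)
    if [ "$local_sum" != "$remote_sum" ]; then
        echo "checksum mismatch for $f: local=$local_sum remote=$remote_sum" >&2
        return 1
    fi
    echo "shipped $f sha256=$local_sum"
}

# run_nightly: ship the newest backup, then enforce retention on both sides.
run_nightly() {
    f=$(newest_backup "$BACKUP_DIR")
    [ -n "$f" ] || { echo "no backups found in $BACKUP_DIR" >&2; return 1; }
    ship_backup "$f" || return 1
    # Remote prune: same newest-first listing, drop everything past KEEP.
    ssh $SSH_OPTS "$REMOTE" "cd '$REMOTE_DIR' && ls -1t *.tar.gz | tail -n +$(( KEEP + 1 )) | xargs -r rm -f --"
    echo "local backups kept: $(prune_old_backups "$BACKUP_DIR" "$KEEP")"
}

case "${1:-}" in
    nightly) run_nightly ;;
esac
```

Schedule `backup-ship.sh nightly` from cron once per night, which also respects the single-backup-per-period limit stated above. Give the remote account its own key with no other use, and size KEEP so that a 100+ GB backup that is still in flight is never the one being pruned.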
OPTION #4 - Distributed: Single App, Single DB

Diagram: DB01 (DB Machine), AS01 (AS Machine) and DC01 (DC Machine), each on its own machine.
OPTION #5 - Distributed: Multi-DB Sync

Diagram: one AS Machine (AS01) in front of two DB Machines, DB01 and DR_DB01.

Requirements
• From FMOS v9 onwards, no external NFS server is required for DB sync.
• PostgreSQL failover is a single event:
  o When the primary fails over to the secondary, the primary does not assume the failover role afterwards.
  o The failed server has to be deployed back into the ecosystem.
• Elasticsearch shards are spread between the DBs; the closest DB Machine answers the request.
• Where NFS is used for the sync (FMOS versions before v9), NFSv4 is the only known supported version.
• That setup requires that the client be able to create users on the NFS server with specific names/IDs and grant the FireMon "root" user full permissions.
Architectural Guidelines – Load Balanced Application Server Machines

• Load balancing the Application Server machines means that losing an AS machine does not cause any downtime.
• No manual action is required; the remaining servers simply pick up the load.
• We generally do not want persistence settings between the AS and the DCs, as this exchange is stateless. However, you may wish to set stickiness for users connecting to the Web UI.

OPTION #6 - Distributed: Load Balanced App Servers

Diagram: the DC Machine (DC01) sends to the F5 VIP; the F5 load balancer distributes across the AS Machines AS01 and AS02; both AS machines connect directly to the DB Machine cluster (DB01).

Requirements
• AS Machine redundancy
• Same subnet for the AS Machines
• DC Machines talk to the LB VIP address
• AS-to-DB communication is based on the DB FQDN
• AS-to-DB connectivity does not go through the LB
• The LB needs to support WebSockets in L7 LB mode
• Persistence is needed initially for the ecosystem join
Architectural Guidelines – Multi-DB Machine Sync

• If the primary DB machine fails, admins manually fail over to the secondary DB machine. After the primary DB machine recovers, it cannot be promoted again without a reinstall.
• This is by no means a "High Availability" solution. Attaching "HA" to this design creates a false impression and leads to hard conversations.

OPTION #7 - Distributed: Multi-DB Sync + Standby AS

Diagram: primary site with AS Machine AS01 and DB Machine DB01; standby site with AS Machine AS02 and DB Machine DR_DB01; DB01 syncs to DR_DB01.

Requirements
• This is primarily for data center server redundancy.
• All requirements are the same as for Multi-DB Sync (Option 5), with the exception of an additional AS Machine in the standby environment.
• In this scenario the AS machines do NOT exist in the same subnet. ALL traffic must traverse a SINGLE AS; there is NO load balancing.
• Switching the AS to the standby DB is easier since everything is part of the ecosystem: use the fmos commands switchover and refresh.
Data Collector (DC) Clustering: v8 vs v9
• No DC Clustering (FMOS v8)
• DC Clustering (FMOS v9)

Diagram: three Data Collectors (#1, #2, #3), each shown with its traffic logs, change detection and config retrieval workloads; in v8 each collector handles its own devices alone, in v9 the collectors form a cluster that shares them (as the next slide describes).



v9: Data Collector (DC) Groups/Clusters
• DC groups help to load balance traffic and provide additional redundancy.
• Multiple data collectors share the load of collecting device configs and traffic logs, both from the same device and from different devices.
• If a collector goes down, the devices associated with the downed collector are divided among the remaining collectors in the group.
• A load balancer in front of the collectors is recommended to distribute traffic.
• Best practice: 3, 5 or another odd number of collectors per DC group.
• Recommended:
  • All collectors in a DC group should be in the same data center.
  • Management stations should be assigned to the same DC group as their child devices.
• Steps to create a DC group are in the Administrator User's Guide (available from User Center).
