This topic describes minimal system requirements for ASMS hardware, software and networking. For more details, see also ASMS system architecture.
Note: ASMS performance on VMs depends on the other, non-AlgoSec machines residing on the same VMware platform. To ensure performance, we recommend working with dedicated resources.
Hardware minimum requirements
We recommend that ASMS deployments meet or exceed the following minimum hardware requirements.
These requirements apply for both primary and secondary nodes, and on standalone systems, Central Managers, Remote Agents, or Load Units.
| Hardware | Required |
|---|---|
| CPU |
6 cores * |
| Memory |
24 GB * |
| Storage | 300 GB |
| Network | For details, see Bandwidth requirements for distributed environments |
System optimizations in version A30.10 require additional CPU and memory specifications than were required in earlier systems.
If you are upgrading, we highly recommend increasing your system specifications to match the updated requirements as needed. Systems that remain with legacy minimum specifications may have unexpected results.
Note: If your system specifications are already larger than the updated CPU and memory requirements, your system specifications can stay as they are. In such cases, there is no need to resize your entire system.
ASMS does not keep all traffic logs, and only stores usage statistics that enable ASMS to create reports for unused rules, unused objects within rules, and the Intelligent Policy Tuner. Statistics stored in ASMS are calculated and stored specifically for these reports.
Storing statistics instead of actual reports enables ASMS to maintain a longer history than would otherwise be possible, and make statements such as Rule 1234 has not been used for 18 months.
Note: Storing statistics instead of actual logs also means that ASMS log storage is not a replacement for a full log repository sometimes needed by customers. For example, the ASMS will not provide full details in forensic investigations for cyber incidents, or for identifying attacks in real-time.
Note: These minimum requirements suffice for initial demo and testing environments, such as for up to 50 simple devices. For details about final sizing calculations for production environments, contact your AlgoSec partner or sales engineer.
Differences per environment configuration
Hardware requirements will differ, depending on your environment configuration and type. Main differences and considerations include:
| Configuration | Description |
|---|---|
| NAS storage |
If you configure AFA to store all reports on a remote NAS server, this will impact where the storage space is needed. For details, see Configure NAS storage. |
| HA/DR clusters |
Each node in an HA/DR cluster must be identical, including the same type of installation (AlgoSec hardware or VM appliance), and have the same amount of disk space. For details, see Manage clusters |
| Distributed architecture |
In distributed architecture environments, consider the requirements for the Central Manager and each Remote Agent (geographic distribution) or Load Unit (load distribution). Remote Agents and Load Units do not store reports. For details, see Configure a distributed architecture. |
| AWS deployments |
If you are deploying on AWS, we recommend:
For more details, see the AWS Documentation. |
Software requirements
ASMS requires the following software, depending on your deployment method:
| AlgoSec hardware appliances |
AlgoSec hardware appliances comes pre-installed with all require software. No additional software is needed. |
| Virtual appliances |
ASMS can be deployed on virtual machines that use VMWare ESX versions 5.5 and higher. For more details, see the Support page on the AlgoSec portal. |
Networking requirements and recommendations
This section includes the following data:
- Networking requirements and recommendations
- Required port connections
- Bandwidth requirements for distributed environments
- Email and device connectivity requirements
- AFA server DNS name / IP address recommendations
- Security certificate recommendations
For more details, see Manage clusters
Deploying ASMS requires the following port connectivity between nodes:
| Type |
Port |
Central Manager <> Load Unit |
Central Manager <> Remote Agent |
Load Unit <> Load Unit |
HA |
DR |
|---|---|---|---|---|---|---|
| ICMP |
✔ |
✔ | ✖ | ✔ | ✔ | |
|
SSH |
TCP/22 | ✔ | ✔ | ✖ | ✔ | ✔ |
| HTTPS | TCP/443 | ✔ | ✔ | ✖ | ✔ | ✔ |
| syslog | UDP/514 |
✖ |
✖ | ✖ |
✔ |
✖ |
| hazelcast | TCP/5701 | ✔ | ✖ | ✔ | ✔ | ✖ |
| activemq | TCP/61616 | ✔ | ✖ | ✖ | ✔ | ✖ |
| postgrsql | TCP/5432 | ✔ | ✖ | ✖ | ✔ | ✔ |
| postgrsql additional port | TCP/5433 | ✖ | ✖ | ✖ |
✔ |
✖ |
| HA/DR | TCP/9595 | ✖ | ✖ | ✖ | ✔ | ✔ |
Bandwidth requirements for distributed environments
Distributed environments must work with the following minimum bandwidths between nodes:
| Central Manager and load distribution agents | 1 Gb/s |
| Between High Availability nodes | 1 Gb/s |
| Central Manager and geographic distribution agents | 100 Mb/s |
| Between Disaster Recovery nodes | 100 Mb/s |
Tip: The faster your network speed, the faster your clusters will be completely synched.
Email and device connectivity requirements
Enable the following connectivity for AFA and FireFlow:
| Requirement | Description |
|---|---|
| Email address |
Define an e-mail address to be used by AFA and FireFlow, such as [email protected], on a mail server that supports SMTP and POP3/IMAP4. Alternatively, emails can be forwarded to AFA and FireFlow as an MTA (message transfer agent). |
| Email access | Enable access from AFA and FireFlow to the mail server via SMTP and POP3/IMAP4 |
| Device access |
Enable access from the Central Manager, any high availability secondary nodes, and Remote Agents to devices via SSH, OPSEC, REST, or SNMP (as needed) |
This connectivity configuration includes configuring the necessary passwords for FireFlow.
AFA server DNS name / IP address recommendations
The AFA server must have a fixed DNS name or IP address that can be used to access the AFA user interface.
We recommend that you do not configure the server to obtain an IP address automatically or to use DHCP.
Security certificate recommendations
To prevent warnings from appearing about security certificates, install a certificate signed by a CA instead of a self-signed certificate.
For more details, see the Centos documentation.
Note: AlgoSec recommends using a 2048-bit certificate instead of the 1024-bit certificate recommended by the Centos documentation.
Supported deployments per architecture structure
The following table lists the supported deployment models for each architecture structure.
| Deployment | Standalone ASMS | High Availability | Disaster Recovery | Load Distribution | Geographic Distribution | NAS |
|---|---|---|---|---|---|---|
|
AlgoSec Physical Appliance (2XXX series) |
✔ |
✔ |
✔ |
✔ |
✔ |
✔ |
|
Virtual Appliance (VMWare) |
✔ |
✔ |
✔ |
✔ |
✔ |
✔ |
|
ASMS on AWS (AMI) |
✔ |
✖ |
✔ |
✔ * |
✔ |
✖ |
|
ASMS on Azure |
✔ |
✖ |
✖ |
✖ |
✖ |
✖ |
Note: When deployed on AWS, any Load Units must also be located in AWS, in the same subnet as the Central Manager.
â See also:
Yes 
No 
